Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1581472
MD5: 492132729eb10b285b0d97e5e73ecefb
SHA1: 6a6eb7ff3c801766a868ddd1f32d3eb6a9c7844c
SHA256: 8355bd295c468007f6700cd1f969dc90c794f733158ef8f858a1180a2ee2cbaa
Tags: ksarcftp-com, LegionLoader, msi, RobotDropper, user-aachum

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6536 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 2076 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6596 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 6644 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 3012 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6596, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6644, ProcessName: powershell.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6596, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6644, ProcessName: powershell.exe
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6596, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6644, ProcessName: powershell.exe
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.148.171, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6596, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6596, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6644, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T20:46:18.298927+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 172.67.148.171 | 443 | TCP

Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2753F4D1-C403-44D4-ACA2-30DC047F2282}
Source: unknown HTTPS traffic detected: 172.67.148.171:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000000.2228881483.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233030615.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000000.2231178384.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000000.2228881483.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi
Source: Binary string: ucrtbase.pdbUGP source: setup.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSIE281.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000000.2231178384.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\cmd.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe Code function: 11_2_00007FF8BFB2A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49704 -> 172.67.148.171:443
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ksarcftp.com
Source: unknown HTTP traffic detected: POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: ksarcftp.com
    Content-Length: 71
    Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\70d7c1.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE176.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE242.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE281.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE2B1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE2F1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE330.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE370.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI197.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{2753F4D1-C403-44D4-ACA2-30DC047F2282}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDAE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDBF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\70d7c4.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIE176.tmp
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe, Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr, Static PE information: No import functions for PE file found
Source: setup.msi, Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi, Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: dvacore.dll.1.dr, Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine, Classification label: mal64.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe, Code function: 11_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe, Code function: 11_2_00007FF8BFB2A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\CML17A9.tmp
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\~DF9CE24BF9B59E8434.TMP
Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown, Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown, Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF
Source: C:\Windows\SysWOW64\msiexec.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe, Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2753F4D1-C403-44D4-ACA2-30DC047F2282}Jump to behavior
Source: setup.msiStatic file information: File size 60149751 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000000.2228881483.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233030615.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000000.2231178384.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000000.2228881483.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi
Source: Binary string: ucrtbase.pdbUGP source: setup.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSIE281.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000000.2231178384.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
Source: createdump.exe.1.drStatic PE information: section name: _RDATA
Source: MSIDBF.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE176.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE242.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE281.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE2B1.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE2F1.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE330.tmp.1.drStatic PE information: section name: .fptable
Source: MSIE370.tmp.1.drStatic PE information: section name: .fptable
Source: MSI197.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_06E614DB push eax; iretd 4_2_06E614F1
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE2F1.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIDBF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE242.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE2B1.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE370.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE176.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI197.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE330.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE281.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 11_2_00007FF8BFB5C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_00007FF8BFB5C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1121
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE370.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE176.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE2F1.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI197.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIDBF.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE330.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE242.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE2B1.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE281.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5408 | Thread sleep count: 3777 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2780 | Thread sleep count: 1121 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_00007FF8BFB2A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,11_2_00007FF8BFB2A330
Source: classes_nocoops.jsa.1.dr | Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: VirtualMachineError.java
Source: setup.msi | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr | Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.dr | Binary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.1.dr | Binary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr | Binary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.dr | Binary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.1.dr | Binary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.dr | Binary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr | Binary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr | Binary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.dr | Binary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 8_2_00007FF7BCF82ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF7BCF82ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 8_2_00007FF7BCF83074 SetUnhandledExceptionFilter,8_2_00007FF7BCF83074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 8_2_00007FF7BCF82984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF7BCF82984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_0000000140011F24 SetUnhandledExceptionFilter,11_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_00007FF8B9844568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF8B9844568
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_00007FF8BA50004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF8BA50004C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 11_2_00007FF8BFB72CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF8BFB72CDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\psse55.ps1" -propfile "c:\users\user\appdata\local\temp\msie42.txt" -scriptfile "c:\users\user\appdata\local\temp\scre43.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scre44.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,11_2_00007FF8BFB4EFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 8_2_00007FF7BCF82DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_00007FF7BCF82DA0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 1 Command and Scripting Interpreter | 1 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 24 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 121 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 121 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph
ID: 1581472, Sample: setup.msi, Startdate: 27/12/2024, Architecture: WINDOWS, Score: 64

DNS/IP: ksarcftp.com
Signatures: Suricata IDS alerts for network traffic; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder

  • msiexec.exe (started)
    Dropped: C:\Windows\Installer\MSIE370.tmp (PE32); C:\Windows\Installer\MSIE330.tmp (PE32); C:\Windows\Installer\MSIE2F1.tmp (PE32); 52 other files (none is malicious)
      • msiexec.exe (started)
        DNS/IP: ksarcftp.com 172.67.148.171, 443, 49704 CLOUDFLARENETUS United States
        Dropped: C:\Users\user\AppData\Local\Temp\scrE43.ps1 (Unicode); C:\Users\user\AppData\Local\Temp\pssE55.ps1 (Unicode); C:\Users\user\AppData\Local\Temp\msiE42.txt (Unicode)
        Signatures: Query firmware table information (likely to detect VMs); Bypasses PowerShell execution policy
          • powershell.exe (started)
              • conhost.exe (started)
      • cmd.exe (started)
          • ImporterREDServer.exe (started)
              • conhost.exe (started)
          • conhost.exe (started)
      • createdump.exe (started)
          • conhost.exe (started)
  • msiexec.exe (started)

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI197.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIDBF.tmp0%ReversingLabs
C:\Windows\Installer\MSIE176.tmp0%ReversingLabs
C:\Windows\Installer\MSIE242.tmp0%ReversingLabs
C:\Windows\Installer\MSIE281.tmp0%ReversingLabs
C:\Windows\Installer\MSIE2B1.tmp0%ReversingLabs
C:\Windows\Installer\MSIE2F1.tmp0%ReversingLabs
C:\Windows\Installer\MSIE330.tmp0%ReversingLabs
C:\Windows\Installer\MSIE370.tmp0%ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://java.oracle.com/ | 0% | Avira URL Cloud | safe |
https://ksarcftp.com/updater.php | 0% | Avira URL Cloud | safe |
https://ksarcftp.com/updater.phpx | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ksarcftp.com | 172.67.148.171 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://ksarcftp.com/updater.php | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2181397849.0000000005788000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2178864411.0000000004876000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2178864411.0000000004876000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.2178864411.0000000004DDD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.2181397849.0000000005788000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://java.oracle.com/ | classes_nocoops.jsa.1.dr | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2181397849.0000000005788000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.2181397849.0000000005788000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2181397849.0000000005788000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | setup.msi | false | | high
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000B.00000002.2233030615.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | | high
https://aka.ms/winui2/webview2download/Reload(): | setup.msi | false | | high
https://ksarcftp.com/updater.phpx | setup.msi | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2178864411.0000000004721000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBsq | powershell.exe, 00000004.00000002.2178864411.0000000004721000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2178864411.0000000004876000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.148.171 | ksarcftp.com | United States | | 13335 | CLOUDFLARENETUS | true

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1581472
                                Start date and time:2024-12-27 20:45:15 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:14
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:setup.msi
                                Detection:MAL
                                Classification:mal64.evad.winMSI@17/91@1/1
                                EGA Information:
                                • Successful, ratio: 33.3%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 15
                                • Number of non-executed functions: 206
                                Cookbook Comments:
                                • Found application associated with file extension: .msi
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target ImporterREDServer.exe, PID 6188 because there are no executed function
                                • Execution Graph export aborted for target powershell.exe, PID 6644 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • VT rate limit hit for: setup.msi

Time | Type | Description
14:46:19 | API Interceptor | 4x Sleep call for process: powershell.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.148.171 | TrdIE26br9.msi | malicious | Unknown |
172.67.148.171 | Altamareagroup Inv.xlsx | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ksarcftp.com | TrdIE26br9.msi | malicious | Unknown | 172.67.148.171

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | search.hta | malicious | Unknown | 172.67.153.170
CLOUDFLARENETUS | http://bitstampweb.0532tg.com | malicious | Unknown | 172.67.133.12
CLOUDFLARENETUS | https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en | malicious | Unknown | 172.66.0.145
CLOUDFLARENETUS | SET_UP.exe | malicious | LummaC | 172.67.152.152
CLOUDFLARENETUS | !Setup.exe | malicious | LummaC Stealer | 104.21.89.250
CLOUDFLARENETUS | @Setup.exe | malicious | LummaC | 172.67.208.58
CLOUDFLARENETUS | Full_Setup.exe | malicious | LummaC Stealer | 172.67.204.41
CLOUDFLARENETUS | http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u | malicious | HTMLPhisher | 104.21.18.132
CLOUDFLARENETUS | http://resources.onestart.ai/onestart_installer_130.0.6723.134.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | Electrum-bch-4.4.2-x86_64.AppImage.elf | malicious | Unknown | 172.67.12.83

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | search.hta | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | TrdIE26br9.msi | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | JA7cOAGHym.exe | malicious | Vidar | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | T4qO1i2Jav.exe | malicious | LummaC Stealer | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | EB2UOXRNsE.exe | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | gshv2.exe | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | DOTA2#U89c6#U8ddd#U63d2#U4ef6.exe | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | n5Szx8qsFB.lnk | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | InExYnlM0N.lnk | malicious | Unknown | 172.67.148.171
37f463bf4616ecd445d4a1937da06e19 | K9esyY0r4G.lnk | malicious | Unknown | 172.67.148.171

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | TrdIE26br9.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | b8ygJBG5cb.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | E8vC8KRIp1.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 3gPZmVbozD.msi | malicious | Unknown |

                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):20661
                                                        Entropy (8bit):5.802029098525051
                                                        Encrypted:false
                                                        SSDEEP:384:ZuPUTadO8M2CQzVZtafi8ULm6sStqrrtltNshBSjNHI8dFo0/sWH8FHRz4RXYgXY:ZuPUTadO8M2CQzVZtafi8ULm6sStqrr4
                                                        MD5:7D05F59280878DB3258952B5EAE6928E
                                                        SHA1:DE03C28D8E2F28AEF1199E61F9BC9682BE19A7D9
                                                        SHA-256:3328165B3360FD779AA7B6AA5BD6299ED159517D8D83358873C590FF500D0C14
                                                        SHA-512:A8D44F8B9B9BA386626AE8C79F78B0AE4C945AC9EC3B0E4D55A2790D942062C3D2F185FD5CCFE4B5F61E55E7B4A918B9FC300642FC222959E250237528520EA8
                                                        Malicious:false
                                                        Preview:...@IXOS.@.....@.u.Y.@.....@.....@.....@.....@.....@......&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}..Cave App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{1CD1875B-5E87-42CE-9389-9C216C5C1759}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{2753F4D1-C403-44D4-A
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1360
                                                        Entropy (8bit):5.413197223328133
                                                        Encrypted:false
                                                        SSDEEP:24:3UWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:EWSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                        MD5:1A8B62C28399515602DCA9C94C2B2490
                                                        SHA1:384EB5E2AFB32EC137CE02833466A20048E2A689
                                                        SHA-256:B5A234A10D8D76E65C18EA63D097512F3D53FC5739EF7A8099AC8B22FA7C9F00
                                                        SHA-512:095BD0CB3027199DDB62FFDA863673CED39884DFE0F9B9BECDF2A1CC6674D27F8AD8D0E965C1F38E4D63140F7E0DCBCA8D443E5A48E543FE0B13DA2FF2ED5CE8
                                                        Malicious:false
                                                        Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):100
                                                        Entropy (8bit):3.0073551160284637
                                                        Encrypted:false
                                                        SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                        MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                        SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                        SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                        SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                        Malicious:true
Preview:QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>>
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):6668
                                                        Entropy (8bit):3.5127462716425657
                                                        Encrypted:false
                                                        SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                        MD5:30C30EF2CB47E35101D13402B5661179
                                                        SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                        SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                        SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                        Malicious:true
Preview:param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):254
                                                        Entropy (8bit):3.555045878547657
                                                        Encrypted:false
                                                        SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                        MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                        SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                        SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                        SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                        Malicious:true
Preview:$oignqp = AI_GetMsiProperty "QuiteSes"
$avoijg = [uint32]($oignqp -replace 't', '')
AI_SetMsiProperty "ExtendExpire" $avoijg
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                        Category:dropped
                                                        Size (bytes):195906
                                                        Entropy (8bit):4.669224805215773
                                                        Encrypted:false
                                                        SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                        MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                        SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                        SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                        SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):310928
                                                        Entropy (8bit):6.001677789306043
                                                        Encrypted:false
                                                        SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                        MD5:147B71C906F421AC77F534821F80A0C6
                                                        SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                        SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                        SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: TrdIE26br9.msi, Detection: malicious, Browse
                                                        • Filename: b8ygJBG5cb.msi, Detection: malicious, Browse
                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                        • Filename: installer.msi, Detection: malicious, Browse
                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                        • Filename: setup.msi, Detection: malicious, Browse
                                                        • Filename: installer.msi, Detection: malicious, Browse
                                                        • Filename: E8vC8KRIp1.msi, Detection: malicious, Browse
                                                        • Filename: installer.msi, Detection: malicious, Browse
                                                        • Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):117496
                                                        Entropy (8bit):6.136079902481222
                                                        Encrypted:false
                                                        SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                        MD5:F67792E08586EA936EBCAE43AAB0388D
                                                        SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                        SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                        SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):506008
                                                        Entropy (8bit):6.4284173495366845
                                                        Encrypted:false
                                                        SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                        MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                        SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                        SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                        SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.596101286914553
                                                        Encrypted:false
                                                        SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                        MD5:919E653868A3D9F0C9865941573025DF
                                                        SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                        SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                        SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.640081558424349
                                                        Encrypted:false
                                                        SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                        MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                        SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                        SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                        SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.6023398138369505
                                                        Encrypted:false
                                                        SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                        MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                        SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                        SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                        SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.614262942006268
                                                        Encrypted:false
                                                        SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                        MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                        SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                        SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                        SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.654155040985372
                                                        Encrypted:false
                                                        SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                        MD5:94788729C9E7B9C888F4E323A27AB548
                                                        SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                        SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                        SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):15304
                                                        Entropy (8bit):6.548897063441128
                                                        Encrypted:false
                                                        SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                        MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                        SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                        SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                        SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.622041192039296
                                                        Encrypted:false
                                                        SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                        MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                        SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                        SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                        SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.730719514840594
                                                        Encrypted:false
                                                        SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                        MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                        SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                        SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                        SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.626458901834476
                                                        Encrypted:false
                                                        SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                        MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                        SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                        SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                        SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.577869728469469
                                                        Encrypted:false
                                                        SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                        MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                        SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                        SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                        SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.6496318655699795
                                                        Encrypted:false
                                                        SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                        MD5:A038716D7BBD490378B26642C0C18E94
                                                        SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                        SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                        SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12736
                                                        Entropy (8bit):6.587452239016064
                                                        Encrypted:false
                                                        SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                        MD5:D75144FCB3897425A855A270331E38C9
                                                        SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                        SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                        SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):14280
                                                        Entropy (8bit):6.658205945107734
                                                        Encrypted:false
                                                        SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                        MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                        SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                        SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                        SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.621310788423453
                                                        Encrypted:false
                                                        SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                        MD5:808F1CB8F155E871A33D85510A360E9E
                                                        SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                        SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                        SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.7263193693903345
                                                        Encrypted:false
                                                        SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                        MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                        SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                        SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                        SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.601327134572443
                                                        Encrypted:false
                                                        SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                        MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                        SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                        SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                        SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):14272
                                                        Entropy (8bit):6.519411559704781
                                                        Encrypted:false
                                                        SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                        MD5:E173F3AB46096482C4361378F6DCB261
                                                        SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                        SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                        SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.659079053710614
                                                        Encrypted:false
                                                        SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                        MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                        SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                        SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                        SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11200
                                                        Entropy (8bit):6.7627840671368835
                                                        Encrypted:false
                                                        SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                        MD5:0233F97324AAAA048F705D999244BC71
                                                        SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                        SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                        SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.590253878523919
                                                        Encrypted:false
                                                        SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                        MD5:E1BA66696901CF9B456559861F92786E
                                                        SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                        SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                        SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.672720452347989
                                                        Encrypted:false
                                                        SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                        MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                        SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                        SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                        SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):13760
                                                        Entropy (8bit):6.575688560984027
                                                        Encrypted:false
                                                        SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                        MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                        SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                        SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                        SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.70261983917014
                                                        Encrypted:false
                                                        SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                        MD5:D175430EFF058838CEE2E334951F6C9C
                                                        SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                        SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                        SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.599515320379107
                                                        Encrypted:false
                                                        SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                        MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                        SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                        SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                        SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.690164913578267
                                                        Encrypted:false
                                                        SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                        MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                        SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                        SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                        SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.615761482304143
                                                        Encrypted:false
                                                        SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                        MD5:735636096B86B761DA49EF26A1C7F779
                                                        SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                        SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                        SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.627282858694643
                                                        Encrypted:false
                                                        SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                        MD5:031DC390780AC08F498E82A5604EF1EB
                                                        SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                        SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                        SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):15816
                                                        Entropy (8bit):6.435326465651674
                                                        Encrypted:false
                                                        SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                        MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                        SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                        SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                        SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.5874576656353145
                                                        Encrypted:false
                                                        SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                        MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                        SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                        SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                        SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):13768
                                                        Entropy (8bit):6.645869978118917
                                                        Encrypted:false
                                                        SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                        MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                        SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                        SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                        SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):61176
                                                        Entropy (8bit):5.850944458899023
                                                        Encrypted:false
                                                        SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                        MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                        SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                        SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                        SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):127224
                                                        Entropy (8bit):6.217127607919178
                                                        Encrypted:false
                                                        SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                        MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                        SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                        SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                        SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):418040
                                                        Entropy (8bit):6.1735291180760505
                                                        Encrypted:false
                                                        SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                        MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                        SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                        SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                        SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):698104
                                                        Entropy (8bit):6.463466021766765
                                                        Encrypted:false
                                                        SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                        MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                        SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                        SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                        SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):31480
                                                        Entropy (8bit):5.969706735107452
                                                        Encrypted:false
                                                        SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                        MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                        SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                        SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                        SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):103672
                                                        Entropy (8bit):5.851546804507911
                                                        Encrypted:false
                                                        SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                        MD5:129051E3B7B8D3CC55559BEDBED09486
                                                        SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                        SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                        SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):57488
                                                        Entropy (8bit):6.382541157520703
                                                        Encrypted:false
                                                        SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                        MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                        SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                        SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                        SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4664568
                                                        Entropy (8bit):6.259383987199329
                                                        Encrypted:false
                                                        SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                        MD5:A6A89F55416DB79D9E13B82685A04D60
                                                        SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                        SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                        SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):215288
                                                        Entropy (8bit):6.050529290720027
                                                        Encrypted:false
                                                        SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                        MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                        SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                        SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                        SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:RAR archive data, v5
                                                        Category:dropped
                                                        Size (bytes):403118
                                                        Entropy (8bit):7.999643520983025
                                                        Encrypted:true
                                                        SSDEEP:6144:N3Yo8XxB1kuy3pkbUUdDkL2QBkhowis11fFB/Y4Sz+8lj6rveo4+MG8:N3h+nry3pDUdDkMbp19FC4Sz+JeopM5
                                                        MD5:3EF3382E39E1854CFE06C82AA6F222F9
                                                        SHA1:226A9D645383009A7BBDA4801B8DB4A9FD084EC2
                                                        SHA-256:20A027C7D3CCADC45DC149F3795EE3F09B5AE2060CAF09527906AEE56246C515
                                                        SHA-512:D433ADE3B3E00C437A525FB1785D316EA5FD55B54EEFCEB53FD378D24EB518DB010C4B4000428F6612DC0CEDB5D61B5F8FC8BD3C65B4F77B3C8AFDC29C2AC8D4
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):566704
                                                        Entropy (8bit):6.494428734965787
                                                        Encrypted:false
                                                        SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                        MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                        SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                        SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                        SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):22
                                                        Entropy (8bit):3.879664004902594
                                                        Encrypted:false
                                                        SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                        MD5:D9324699E54DC12B3B207C7433E1711C
                                                        SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                        SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                        SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                        Malicious:false
                                                        Preview:@echo off..Start "" %1
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12124160
                                                        Entropy (8bit):4.1175508751036585
                                                        Encrypted:false
                                                        SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                        MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                        SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                        SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                        SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                        Malicious:false
                                                        Preview:[binary data] Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 [binary data]
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12124160
                                                        Entropy (8bit):4.117842215789484
                                                        Encrypted:false
                                                        SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                        MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                        SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                        SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                        SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                        Malicious:false
                                                        Preview:[binary data] Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 [binary data]
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):51389
                                                        Entropy (8bit):7.916683616123071
                                                        Encrypted:false
                                                        SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                        MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                        SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                        SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                        SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):12133334
                                                        Entropy (8bit):7.944474086295981
                                                        Encrypted:false
                                                        SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                        MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                        SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                        SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                        SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):41127
                                                        Entropy (8bit):7.961466748192397
                                                        Encrypted:false
                                                        SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                        MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                        SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                        SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                        SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):113725
                                                        Entropy (8bit):7.928841651831531
                                                        Encrypted:false
                                                        SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                        MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                        SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                        SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                        SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):896846
                                                        Entropy (8bit):7.923431656723031
                                                        Encrypted:false
                                                        SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                        MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                        SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                        SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                        SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):639224
                                                        Entropy (8bit):6.219852228773659
                                                        Encrypted:false
                                                        SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                        MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                        SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                        SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                        SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):98224
                                                        Entropy (8bit):6.452201564717313
                                                        Encrypted:false
                                                        SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                        MD5:F34EB034AA4A9735218686590CBA2E8B
                                                        SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                        SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                        SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):37256
                                                        Entropy (8bit):6.297533243519742
                                                        Encrypted:false
                                                        SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                        MD5:135359D350F72AD4BF716B764D39E749
                                                        SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                        SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                        SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CD1875B-5E87-42CE-9389-9C216C5C1759}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 27 06:19:13 2024, Last Saved Time/Date: Fri Dec 27 06:19:13 2024, Last Printed: Fri Dec 27 06:19:13 2024, Number of Pages: 450
                                                        Category:dropped
                                                        Size (bytes):60149751
                                                        Entropy (8bit):7.204136470826186
                                                        Encrypted:false
                                                        SSDEEP:786432:oGZHjVmrjV7eIAte9OTZcoZ4sdUuzt/NCaY2ksClN:oGNVmrjV7eIv9OTZxRjVCa1t4
                                                        MD5:492132729EB10B285B0D97E5E73ECEFB
                                                        SHA1:6A6EB7FF3C801766A868DDD1F32D3EB6A9C7844C
                                                        SHA-256:8355BD295C468007F6700CD1F969DC90C794F733158EF8F858A1180A2EE2CBAA
                                                        SHA-512:947A2DD7CE693263D7AD12B58AA8C076A9353E2CFFFF8EEA31A77B159B63186F75A07E55790AAC03FD0CEB6CAC6B00EB11A8D464F04D2D042FCF9C88AC4E390C
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):380520
                                                        Entropy (8bit):6.512348002260683
                                                        Encrypted:false
                                                        SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                        MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                        SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                        SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                        SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):216221
                                                        Entropy (8bit):4.956331166366309
                                                        Encrypted:false
                                                        SSDEEP:1536:BCh39WTN1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykXO:BS39S1Z0vZXJZYDFufyXbJNCc0
                                                        MD5:C75712F7F2ABB6713E2FD645C7E97A93
                                                        SHA1:00C508A63E42CEB7921AF1B2B3B483DB60F77A9E
                                                        SHA-256:D55B3BFEA1343395FFA774FEFC43DBFD660966929631568C15CE5005918BFD63
                                                        SHA-512:66DAB7E27DA6FE0D3C71733B37DF1078469B0BF6D51E00EC2498B4AA5F990B3DDA8F80CCA4CC8B966C5DC36C6B5B854E32D95F11281CA71FBCC3D93306D1A3D0
                                                        Malicious:false
                                                        Preview:...@IXOS.@.....@.u.Y.@.....@.....@.....@.....@.....@......&.{2753F4D1-C403-44D4-ACA2-30DC047F2282}..Cave App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{1CD1875B-5E87-42CE-9389-9C216C5C1759}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}?.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}J.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}Q.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......&.{DE2
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):787808
                                                        Entropy (8bit):6.693392695195763
                                                        Encrypted:false
                                                        SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                        MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                        SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                        SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                        SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1021792
                                                        Entropy (8bit):6.608727172078022
                                                        Encrypted:false
                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1201504
                                                        Entropy (8bit):6.4557937684843365
                                                        Encrypted:false
                                                        SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                        MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                        SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                        SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                        SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.1620411249979392
                                                        Encrypted:false
                                                        SSDEEP:12:JSbX72FjpAGiLIlHVRpMh/7777777777777777777777777vDHFio38b1p3Xl0i5:JjQI5cR3S6F
                                                        MD5:FA0A341A934B0B4C288CB213F44DCB93
                                                        SHA1:5F4F59A4D03568DE4B13D110CC48046676F77B88
                                                        SHA-256:F2AD4968D0E3CE99C7A2AF1FCE78F97AC0CF531F5BBF638883B88A38678D93EA
                                                        SHA-512:373A7CED1405A84BE3B4CD1FF2AFBCBF0DB4E9D8D6C33A955F7220A751EB7FFDD109DB7DB95FC9F81ABE2181981DA148C05EC1419AF69A2229A9E98005C8BDC3
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5727392900063215
                                                        Encrypted:false
                                                        SSDEEP:48:08PhhuRc06WXJ8jT5cpCWWYcSAErCyIS8cZZMUXocwS8coT/:Lhh1fjTecWQ5wCnOvXJwO
                                                        MD5:C44723CB35C1F935688E184E1B2CCBCB
                                                        SHA1:4673C05CA9DF1CE4CC3040E71FE58E0DCB8B633C
                                                        SHA-256:2BC6AE83E444050B2CCC34DEBF70BA0C2B3A84D302A8A91723D34BA0B40BECB5
                                                        SHA-512:5B7E8ABEF077CCCEDBC89AA3EE5BA6FD27D98F96A32352F331098BBF70737425CB93F28E10EA1DB0FFD0D572AD8B5100AA2AF4D89DB42ECC9915C1D0E7492FD5
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):364484
                                                        Entropy (8bit):5.365501016451548
                                                        Encrypted:false
                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauz:zTtbmkExhMJCIpEw
                                                        MD5:CCB5B7948084E856CC285229553B717E
                                                        SHA1:9C0B6D1C12032817E032AC6179B02A18BC76CE14
                                                        SHA-256:94DCCF6DEDBEB33E3A5023E0256E01C9AD616208978650F54C7DADBABC62E1DE
                                                        SHA-512:22BCBFCAA334CB972A0525576B5FEE1C3E847BA8FD51277A2C15762C7609A8FF4C9FE3BE1CE44C82A87AF26627F5339F06659624BF856F88A1A17D582EA3EFC3
                                                        Malicious:false
                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):1.25915180126723
                                                        Encrypted:false
                                                        SSDEEP:48:WqZuvfI+CFXJXT5EV2pCWWYcSAErCyIS8cZZMUXocwS8coT/:1ZJvTuV2cWQ5wCnOvXJwO
                                                        MD5:6DFD7F823D50012913B4AB24A177A192
                                                        SHA1:84194041C7C2520B83BE7C4F81E18E27500DC74A
                                                        SHA-256:8BF541ABB0FCBCFE422ADC2164E2F7AD3386776AA0FBC21BF9788E20609E3BDE
                                                        SHA-512:D51754E94022A87E1FDC528673DBE641588D37F793FD425956FBF7191BAAC079109BB673AFC1F7B59C1588BC7C1FC2BC34F41E3068F7D1D3F5D83B07F118FFAE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):0.06934804277901167
                                                        Encrypted:false
                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOioLzfEVByIEyVky6l3X:2F0i8n0itFzDHFio38bU3X
                                                        MD5:A9E3D1711B8FC519F928F0D759DC9E82
                                                        SHA1:C14F640EAB19CE852A8FB7DF2A24D04D90A0FB64
                                                        SHA-256:B441E84ACA41D2659A5E697171D81604D3036A7C50039922818938689A041998
                                                        SHA-512:74986D9464CC72E8DD371BE7EB996D99367E0C5DBC4888C6DF396387F155975AF9D515F8C101040D8F040CB1EA0FB2A19D6650B7497F8740180FF9B53A8716D8
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):73728
                                                        Entropy (8bit):0.14019107687927612
                                                        Encrypted:false
                                                        SSDEEP:24:rqBTx0FcwipV0Fca0FcSAEV0yjCyIipV0FcZVQwGaPZMU80BWj+odvl:2BTIcwS8c/cSAErCyIS8cZZMUXBWjX9
                                                        MD5:E7B75814CC3C3DF4214A3FACBE83FB80
                                                        SHA1:D49D4D3785F62072EA274D901B78A687214D6F67
                                                        SHA-256:BD80764C7CD82905C97C879DF85BFB23E3D63325DD7849661603B8D37BCA2BA5
                                                        SHA-512:DC8B5ADE206AECB315A51BEC7AADB2B4542353BF38165DD493C1E37AA2AE0AADB22743990089997FB254BAAB113A9EC1C27AF97E26D72C68693F5876A2EF4CC6
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):638
                                                        Entropy (8bit):4.751962275036146
                                                        Encrypted:false
                                                        SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                        MD5:15CA959638E74EEC47E0830B90D0696E
                                                        SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                        SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                        SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                        Malicious:false
                                                        Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CD1875B-5E87-42CE-9389-9C216C5C1759}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 27 06:19:13 2024, Last Saved Time/Date: Fri Dec 27 06:19:13 2024, Last Printed: Fri Dec 27 06:19:13 2024, Number of Pages: 450
                                                        Entropy (8bit):7.204136470826186
                                                        TrID:
                                                        • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                        File name:setup.msi
                                                        File size:60'149'751 bytes
                                                        MD5:492132729eb10b285b0d97e5e73ecefb
                                                        SHA1:6a6eb7ff3c801766a868ddd1f32d3eb6a9c7844c
                                                        SHA256:8355bd295c468007f6700cd1f969dc90c794f733158ef8f858a1180a2ee2cbaa
                                                        SHA512:947a2dd7ce693263d7ad12b58aa8c076a9353e2cffff8eea31a77b159b63186f75a07e55790aac03fd0ceb6cac6b00eb11a8d464f04d2d042fcf9c88ac4e390c
                                                        SSDEEP:786432:oGZHjVmrjV7eIAte9OTZcoZ4sdUuzt/NCaY2ksClN:oGNVmrjV7eIv9OTZxRjVCa1t4
                                                        TLSH:E6D76C01B3FA4148F2F75EB17EBA85A5947ABD521B30C0EF1244A60E1B71BC25BB1763
                                                        Icon Hash:2d2e3797b32b2b99
                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                        2024-12-27T20:46:18.298927+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.5 | 49704 | 172.67.148.171 | 443 | TCP
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Dec 27, 2024 20:46:16.979896069 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:16.979942083 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:16.980043888 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:16.982505083 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:16.982537985 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:18.248905897 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:18.248982906 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:18.296376944 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:18.296391964 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:18.296633005 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:18.296823025 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:18.298804998 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:18.298902035 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:18.298913002 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:19.056932926 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:19.057003975 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:19.057156086 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:19.057437897 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:19.057437897 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Dec 27, 2024 20:46:19.057462931 CET | 443 | 49704 | 172.67.148.171 | 192.168.2.5
                                                        Dec 27, 2024 20:46:19.058948994 CET | 49704 | 443 | 192.168.2.5 | 172.67.148.171
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Dec 27, 2024 20:46:16.746701956 CET | 60249 | 53 | 192.168.2.5 | 1.1.1.1
                                                        Dec 27, 2024 20:46:16.974939108 CET | 53 | 60249 | 1.1.1.1 | 192.168.2.5
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Dec 27, 2024 20:46:16.746701956 CET | 192.168.2.5 | 1.1.1.1 | 0x232b | Standard query (0) | ksarcftp.com | A (IP address) | IN (0x0001) | false
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Dec 27, 2024 20:46:16.974939108 CET | 1.1.1.1 | 192.168.2.5 | 0x232b | No error (0) | ksarcftp.com |  | 172.67.148.171 | A (IP address) | IN (0x0001) | false
                                                        Dec 27, 2024 20:46:16.974939108 CET | 1.1.1.1 | 192.168.2.5 | 0x232b | No error (0) | ksarcftp.com |  | 104.21.95.219 | A (IP address) | IN (0x0001) | false
                                                        • ksarcftp.com
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.5 | 49704 | 172.67.148.171 | 443 | 6596 | C:\Windows\SysWOW64\msiexec.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-27 19:46:18 UTC | 190 | OUT | POST /updater.php HTTP/1.1
                                                        Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                        User-Agent: AdvancedInstaller
                                                        Host: ksarcftp.com
                                                        Content-Length: 71
                                                        Cache-Control: no-cache
                                                        2024-12-27 19:46:18 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 37 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 34 25 33 41 34 36 25 33 41 31 35 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                        Data Ascii: Date=27%2F12%2F2024&Time=14%3A46%3A15&BuildVersion=8.9.9&SoroqVins=True
                                                        2024-12-27 19:46:19 UTC | 829 | IN | HTTP/1.1 500 Internal Server Error
                                                        Date: Fri, 27 Dec 2024 19:46:18 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: no-store
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WWJbZzy8XC0mT2L%2ButaCohBEmoEoG47YKJAOmOjNKUL5JJ1EIWzoarYlKm3X0uItL4lpW3kGD%2BQq%2BeF4XbEZhfQDp9CtOb%2Fh2QnY99oaruxk1zIfJE2qku3wpUr5sAQ%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8f8bd0e1b8884376-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1715&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=921&delivery_rate=1675272&cwnd=248&unsent_bytes=0&cid=a2c810df2de00d1a&ts=819&x=0"
                                                        2024-12-27 19:46:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0



                                                        Target ID:0
                                                        Start time:14:46:04
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                        Imagebase:0x7ff735a40000
                                                        File size:69'632 bytes
                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:14:46:04
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                        Imagebase:0x7ff735a40000
                                                        File size:69'632 bytes
                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:3
                                                        Start time:14:46:07
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding DEC726E82F6015554683B39B972D58EF
                                                        Imagebase:0x260000
                                                        File size:59'904 bytes
                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:14:46:18
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE55.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE42.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE43.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE44.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                        Imagebase:0x2c0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:14:46:18
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:14:46:24
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
                                                        Imagebase:0x7ff786b40000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:14:46:24
                                                        Start date:27/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
                                                        Imagebase:0x7ff7bcf80000
                                                        File size:57'488 bytes
                                                        MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:14:46:24
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:14:46:24
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:14:46:25
                                                        Start date:27/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
                                                        Imagebase:0x140000000
                                                        File size:117'496 bytes
                                                        MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:14:46:25
                                                        Start date:27/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                          • Source File: 00000004.00000002.2177123929.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2730000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f684fed77692e581f7d3eea35d4f185d79bb778dbc12af888a33e038949009f5
                                                          • Instruction ID: 6a4d1ca87dc59a499ef4439836e4f89f4c28de33bdef5bbb47fbdc615d17cbff
                                                          • Opcode Fuzzy Hash: f684fed77692e581f7d3eea35d4f185d79bb778dbc12af888a33e038949009f5
                                                          • Instruction Fuzzy Hash: 37418C70E01248DFDB19DFA5C8947ADBBB2BF89304F14856DE002AB752DB70AC45CB51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2177123929.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2730000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1dae490a1394b2acbebdf355938d9d58116a454e6e5222105bfbd1271226f9bb
                                                          • Instruction ID: 0703603747397311bcb74cafe42d52dcbeca4026d9ca0afe49eded751b284250
                                                          • Opcode Fuzzy Hash: 1dae490a1394b2acbebdf355938d9d58116a454e6e5222105bfbd1271226f9bb
                                                          • Instruction Fuzzy Hash: 414108B4A005059FCB16CF99C494AEEFBB1FF48314B15829AD815AB366C736EC51CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2177123929.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2730000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b9bb879db55bc63ac2002a43ae6efa03cf4bb68f7a7017ec6b9d7a05f6080350
                                                          • Instruction ID: 65c8d3a1efba3ca03bde872a880d17c93da477afcbb601a93e1d85581355ac80
                                                          • Opcode Fuzzy Hash: b9bb879db55bc63ac2002a43ae6efa03cf4bb68f7a7017ec6b9d7a05f6080350
                                                          • Instruction Fuzzy Hash: BB313C307096508F8779EE2C8050566BBE2FF8624134589EDD0CADF756DE20FD05CB96
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2176514432.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_269d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c490d09a61a646bded294256061c5a07cfcce9bbcf7c04ef52f678bca7ec483f
                                                          • Instruction ID: ae41fbb394f72c9f787367b07dc60fb19e359fca634720f682cbf4ae59a21ce1
                                                          • Opcode Fuzzy Hash: c490d09a61a646bded294256061c5a07cfcce9bbcf7c04ef52f678bca7ec483f
                                                          • Instruction Fuzzy Hash: B60152714093C09FD7124F25DD84B52BFA8EF52224F19809BE9488F293C6695C45C771
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2176514432.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_269d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2626530f0cb4c4fa9b504982afe0f827621848ec17ac7ac23edcd807bbf7fb90
                                                          • Instruction ID: b85934f93301ad10fa023045563d9d1bed95840061b4f5fb99fc86daa8ec74ba
                                                          • Opcode Fuzzy Hash: 2626530f0cb4c4fa9b504982afe0f827621848ec17ac7ac23edcd807bbf7fb90
                                                          • Instruction Fuzzy Hash: C901A7714093849AEB145E29CDC4B66FF9CDF51364F18C52AED484B242CB799842C6B1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2177123929.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2730000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e64b7cb5afa9319df5dbebbc05c9a178180250760b1c2bf8fc99f4f953079dd6
                                                          • Instruction ID: f59b5499599930e5fe598b6e14518a6594c3ac4d06a4baeb791e21c329626025
                                                          • Opcode Fuzzy Hash: e64b7cb5afa9319df5dbebbc05c9a178180250760b1c2bf8fc99f4f953079dd6
                                                          • Instruction Fuzzy Hash: 96F03070B402068FDB14DBA4C5A5B6E7BB2EF40344F105918E102AF395CF785D48CBC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2184602555.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6e60000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 84Vk$84Vk$tPsq$tPsq$tPsq$tPsq$$sq$$sq$$sq$$sq$Nk$Nk
                                                          • API String ID: 0-2300889552
                                                          • Opcode ID: b78b87a6a005808f9bfebc89b8430fec65c20549a1518f76e4c850e798b6625d
                                                          • Instruction ID: 7b860291fc706e169ab02d7a65eff7d3fac5582e280748393332b35f7ee123b4
                                                          • Opcode Fuzzy Hash: b78b87a6a005808f9bfebc89b8430fec65c20549a1518f76e4c850e798b6625d
                                                          • Instruction Fuzzy Hash: 05915D35B483548FDB52977ED8006EAFBE2AFC6294B1880ABF545CB291CE31DC41C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2184602555.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6e60000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$$sq$$sq$$sq
                                                          • API String ID: 0-737313894
                                                          • Opcode ID: 57e2900376f297ee82896ea262bc53080f1f6a8d6a681cb32cb007b0455903aa
                                                          • Instruction ID: c95a81032d69964445f632d10f9e52572d85860bbf14570304e0ad994d17b70b
                                                          • Opcode Fuzzy Hash: 57e2900376f297ee82896ea262bc53080f1f6a8d6a681cb32cb007b0455903aa
                                                          • Instruction Fuzzy Hash: ED416B31F48324CFEF558B6A95402ABFBB2EFC52A8F14906BE915CB252CB35C841C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2184602555.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6e60000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4Uk$4Uk$$sq$$sq$$sq
                                                          • API String ID: 0-1613977061
                                                          • Opcode ID: 04dd425c3b53c47ef387f865eeb10d0669b2e2711aeac2aa46357b4dd26d821d
                                                          • Instruction ID: 1289f3f03c19d249542aa060d1660a919c380344e64a319d2f8162a58127e1da
                                                          • Opcode Fuzzy Hash: 04dd425c3b53c47ef387f865eeb10d0669b2e2711aeac2aa46357b4dd26d821d
                                                          • Instruction Fuzzy Hash: B2113A317543759BEFB4562B99106BBA7D68FC0695B24903BFA02C7282EF35C841C3B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2184602555.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_6e60000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$$sq$$sq
                                                          • API String ID: 0-148891389
                                                          • Opcode ID: 72196df1bfcb90005357a7558d5641a0e2ef3eefbac25b844c9b4782e7014d9c
                                                          • Instruction ID: 29706a32de5b24673f2984d7a4f98d42d483e8120b614080054bd1152875520e
                                                          • Opcode Fuzzy Hash: 72196df1bfcb90005357a7558d5641a0e2ef3eefbac25b844c9b4782e7014d9c
                                                          • Instruction Fuzzy Hash: 6201A221B4D3E44FDB7B126918311A5AFB25FC329036A11DBD281CB293CE298D45C3A3

                                                          Execution Graph

                                                          Execution Coverage:3.4%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:1.7%
                                                          Total number of Nodes:701
                                                          Total number of Limit Nodes:1
__GSHandlerCheck_EH 2680->2689 2680->2691 2716 7ff7bcf83678 2681->2716 2682 7ff7bcf855f7 2682->2691 2723 7ff7bcf849a4 2682->2723 2685->2682 2685->2691 2720 7ff7bcf83bbc 2685->2720 2686 7ff7bcf856a2 abort 2688 7ff7bcf85543 2692 7ff7bcf85cf0 2688->2692 2689->2686 2689->2688 2691->2665 2776 7ff7bcf83ba8 2692->2776 2694 7ff7bcf85d40 __GSHandlerCheck_EH 2695 7ff7bcf85d5b 2694->2695 2696 7ff7bcf85d72 2694->2696 2698 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2695->2698 2697 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2696->2697 2699 7ff7bcf85d77 2697->2699 2700 7ff7bcf85d60 2698->2700 2701 7ff7bcf85d6a 2699->2701 2703 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2699->2703 2700->2701 2702 7ff7bcf85fd0 abort 2700->2702 2704 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2701->2704 2705 7ff7bcf85d82 2703->2705 2714 7ff7bcf85d96 __GSHandlerCheck_EH 2704->2714 2706 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2705->2706 2706->2701 2707 7ff7bcf85f92 2708 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2707->2708 2709 7ff7bcf85f97 2708->2709 2710 7ff7bcf85fa2 2709->2710 2711 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2709->2711 2712 7ff7bcf82660 __GSHandlerCheck_EH 8 API calls 2710->2712 2711->2710 2713 7ff7bcf85fb5 2712->2713 2713->2691 2714->2707 2779 7ff7bcf83bd0 2714->2779 2717 7ff7bcf8368a 2716->2717 2718 7ff7bcf85cf0 __GSHandlerCheck_EH 19 API calls 2717->2718 2719 7ff7bcf836a5 2718->2719 2719->2691 2721 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2720->2721 2722 7ff7bcf83bc5 2721->2722 2722->2682 2724 7ff7bcf84a01 __GSHandlerCheck_EH 2723->2724 2725 7ff7bcf84a09 2724->2725 2726 7ff7bcf84a20 2724->2726 2727 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2725->2727 2728 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2726->2728 2736 7ff7bcf84a0e 2727->2736 2729 7ff7bcf84a25 2728->2729 2731 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2729->2731 2729->2736 2730 7ff7bcf84e99 abort 2732 7ff7bcf84a30 2731->2732 2733 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2732->2733 2733->2736 2734 7ff7bcf84b54 
__GSHandlerCheck_EH 2735 7ff7bcf84def 2734->2735 2749 7ff7bcf84b90 __GSHandlerCheck_EH 2734->2749 2735->2730 2738 7ff7bcf84ded 2735->2738 2818 7ff7bcf84ea0 2735->2818 2736->2730 2736->2734 2737 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2736->2737 2740 7ff7bcf84ac0 2737->2740 2739 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2738->2739 2741 7ff7bcf84e30 2739->2741 2743 7ff7bcf84e37 2740->2743 2746 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2740->2746 2741->2730 2741->2743 2742 7ff7bcf84dd4 __GSHandlerCheck_EH 2742->2738 2751 7ff7bcf84e81 2742->2751 2745 7ff7bcf82660 __GSHandlerCheck_EH 8 API calls 2743->2745 2747 7ff7bcf84e43 2745->2747 2748 7ff7bcf84ad0 2746->2748 2747->2691 2750 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2748->2750 2749->2742 2761 7ff7bcf83bbc 10 API calls BuildCatchObjectHelperInternal 2749->2761 2796 7ff7bcf852d0 2749->2796 2810 7ff7bcf848d0 2749->2810 2752 7ff7bcf84ad9 2750->2752 2753 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2751->2753 2782 7ff7bcf83be8 2752->2782 2755 7ff7bcf84e86 2753->2755 2756 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2755->2756 2757 7ff7bcf84e8f terminate 2756->2757 2757->2730 2758 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2760 7ff7bcf84b16 2758->2760 2760->2734 2762 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2760->2762 2761->2749 2763 7ff7bcf84b22 2762->2763 2764 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2763->2764 2765 7ff7bcf84b2b 2764->2765 2785 7ff7bcf85fd8 2765->2785 2769 7ff7bcf84b3f 2792 7ff7bcf860c8 2769->2792 2771 7ff7bcf84e7b terminate 2771->2751 2773 7ff7bcf84b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2773->2771 2774 7ff7bcf83f84 Concurrency::cancel_current_task 2 API calls 2773->2774 2775 7ff7bcf84e7a 2774->2775 2775->2771 2777 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2776->2777 2778 7ff7bcf83bb1 2777->2778 2778->2694 2780 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2779->2780 2781 7ff7bcf83bde 2780->2781 2781->2714 2783 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2782->2783 2784 7ff7bcf83bf6 
2783->2784 2784->2730 2784->2758 2786 7ff7bcf860bf abort 2785->2786 2791 7ff7bcf86003 2785->2791 2787 7ff7bcf84b3b 2787->2734 2787->2769 2788 7ff7bcf83bbc 10 API calls BuildCatchObjectHelperInternal 2788->2791 2789 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2789->2791 2791->2787 2791->2788 2791->2789 2834 7ff7bcf85190 2791->2834 2793 7ff7bcf86135 2792->2793 2795 7ff7bcf860e5 Is_bad_exception_allowed 2792->2795 2793->2773 2794 7ff7bcf83ba8 10 API calls BuildCatchObjectHelperInternal 2794->2795 2795->2793 2795->2794 2797 7ff7bcf852fd 2796->2797 2809 7ff7bcf8538d 2796->2809 2798 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2797->2798 2799 7ff7bcf85306 2798->2799 2800 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2799->2800 2801 7ff7bcf8531f 2799->2801 2799->2809 2800->2801 2802 7ff7bcf8534c 2801->2802 2803 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2801->2803 2801->2809 2804 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2802->2804 2803->2802 2805 7ff7bcf85360 2804->2805 2806 7ff7bcf85379 2805->2806 2807 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2805->2807 2805->2809 2808 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2806->2808 2807->2806 2808->2809 2809->2749 2811 7ff7bcf8490d __GSHandlerCheck_EH 2810->2811 2812 7ff7bcf84933 2811->2812 2848 7ff7bcf8480c 2811->2848 2814 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2812->2814 2815 7ff7bcf84945 2814->2815 2857 7ff7bcf83838 RtlUnwindEx 2815->2857 2819 7ff7bcf85169 2818->2819 2820 7ff7bcf84ef4 2818->2820 2821 7ff7bcf82660 __GSHandlerCheck_EH 8 API calls 2819->2821 2822 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2820->2822 2823 7ff7bcf85175 2821->2823 2824 7ff7bcf84ef9 2822->2824 2823->2738 2825 7ff7bcf84f0e EncodePointer 2824->2825 2826 7ff7bcf84f60 __GSHandlerCheck_EH 2824->2826 2827 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2825->2827 2826->2819 2828 7ff7bcf85189 abort 2826->2828 2833 7ff7bcf84f82 __GSHandlerCheck_EH 
2826->2833 2829 7ff7bcf84f1e 2827->2829 2829->2826 2881 7ff7bcf834f8 2829->2881 2831 7ff7bcf83ba8 10 API calls BuildCatchObjectHelperInternal 2831->2833 2832 7ff7bcf848d0 __GSHandlerCheck_EH 21 API calls 2832->2833 2833->2819 2833->2831 2833->2832 2835 7ff7bcf851bd 2834->2835 2847 7ff7bcf8524c 2834->2847 2836 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2835->2836 2837 7ff7bcf851c6 2836->2837 2838 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2837->2838 2839 7ff7bcf851df 2837->2839 2837->2847 2838->2839 2840 7ff7bcf8520b 2839->2840 2841 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2839->2841 2839->2847 2842 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2840->2842 2841->2840 2843 7ff7bcf8521f 2842->2843 2844 7ff7bcf85238 2843->2844 2845 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2843->2845 2843->2847 2846 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2844->2846 2845->2844 2846->2847 2847->2791 2849 7ff7bcf8482f 2848->2849 2860 7ff7bcf84608 2849->2860 2851 7ff7bcf84840 2852 7ff7bcf84845 __AdjustPointer 2851->2852 2853 7ff7bcf84881 __AdjustPointer 2851->2853 2855 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2852->2855 2856 7ff7bcf84864 BuildCatchObjectHelperInternal 2852->2856 2854 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2853->2854 2853->2856 2854->2856 2855->2856 2856->2812 2858 7ff7bcf82660 __GSHandlerCheck_EH 8 API calls 2857->2858 2859 7ff7bcf8394e 2858->2859 2859->2749 2861 7ff7bcf84635 2860->2861 2863 7ff7bcf8463e 2860->2863 2862 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2861->2862 2862->2863 2864 7ff7bcf83ba8 BuildCatchObjectHelperInternal 10 API calls 2863->2864 2865 7ff7bcf8465d 2863->2865 2872 7ff7bcf846c2 __AdjustPointer BuildCatchObjectHelperInternal 2863->2872 2864->2865 2866 7ff7bcf846aa 2865->2866 2867 7ff7bcf846ca 2865->2867 2865->2872 2869 7ff7bcf847e9 abort abort 2866->2869 2866->2872 2868 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 
API calls 2867->2868 2871 7ff7bcf8474a 2867->2871 2867->2872 2868->2871 2870 7ff7bcf8480c 2869->2870 2873 7ff7bcf84608 BuildCatchObjectHelperInternal 10 API calls 2870->2873 2871->2872 2874 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2871->2874 2872->2851 2875 7ff7bcf84840 2873->2875 2874->2872 2876 7ff7bcf84881 __AdjustPointer 2875->2876 2878 7ff7bcf84845 __AdjustPointer 2875->2878 2877 7ff7bcf84864 BuildCatchObjectHelperInternal 2876->2877 2879 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2876->2879 2877->2851 2878->2877 2880 7ff7bcf83bbc BuildCatchObjectHelperInternal 10 API calls 2878->2880 2879->2877 2880->2877 2882 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2881->2882 2883 7ff7bcf83524 2882->2883 2883->2826 2884 7ff7bcf843b0 2885 7ff7bcf843ca 2884->2885 2886 7ff7bcf843b9 2884->2886 2886->2885 2887 7ff7bcf843c5 free 2886->2887 2887->2885 3054 7ff7bcf82970 3057 7ff7bcf82da0 3054->3057 3058 7ff7bcf82979 3057->3058 3059 7ff7bcf82dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3057->3059 3059->3058 3060 7ff7bcf8756f 3061 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3060->3061 3062 7ff7bcf8757d 3061->3062 3063 7ff7bcf87588 3062->3063 3064 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3062->3064 3064->3063 2888 7ff7bcf8733c _seh_filter_exe 2892 7ff7bcf81d39 2893 7ff7bcf81d40 2892->2893 2893->2893 2898 7ff7bcf818a0 2893->2898 2902 7ff7bcf82040 2893->2902 2895 7ff7bcf81d76 2896 7ff7bcf82660 __GSHandlerCheck_EH 8 API calls 2895->2896 2899 7ff7bcf81d87 2896->2899 2897 7ff7bcf81dd0 2900 7ff7bcf81450 6 API calls 2897->2900 2898->2895 2898->2897 2901 7ff7bcf820c0 21 API calls 2898->2901 2900->2895 2901->2898 2903 7ff7bcf820a2 2902->2903 2906 7ff7bcf82063 BuildCatchObjectHelperInternal 2902->2906 2904 7ff7bcf82230 22 API calls 2903->2904 2905 7ff7bcf820b5 2904->2905 2905->2898 2906->2898 2910 7ff7bcf872c0 2911 7ff7bcf872d3 2910->2911 2912 7ff7bcf872e0 2910->2912 2914 7ff7bcf81e80 2911->2914 2915 7ff7bcf81e93 
2914->2915 2917 7ff7bcf81eb7 2914->2917 2916 7ff7bcf81ed8 _invalid_parameter_noinfo_noreturn 2915->2916 2915->2917 2917->2912 3068 7ff7bcf82700 3069 7ff7bcf82710 3068->3069 3081 7ff7bcf82bd8 3069->3081 3071 7ff7bcf82ecc 7 API calls 3072 7ff7bcf827b5 3071->3072 3073 7ff7bcf82734 _RTC_Initialize 3078 7ff7bcf82797 3073->3078 3089 7ff7bcf82e64 InitializeSListHead 3073->3089 3078->3071 3080 7ff7bcf827a5 3078->3080 3082 7ff7bcf82be9 3081->3082 3083 7ff7bcf82c1b 3081->3083 3084 7ff7bcf82c58 3082->3084 3087 7ff7bcf82bee __scrt_release_startup_lock 3082->3087 3083->3073 3085 7ff7bcf82ecc 7 API calls 3084->3085 3086 7ff7bcf82c62 3085->3086 3087->3083 3088 7ff7bcf82c0b _initialize_onexit_table 3087->3088 3088->3083 2918 7ff7bcf848c7 abort 2919 7ff7bcf874d6 2920 7ff7bcf83b54 11 API calls 2919->2920 2923 7ff7bcf874e9 2920->2923 2921 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2922 7ff7bcf8752e 2921->2922 2924 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2922->2924 2925 7ff7bcf84104 10 API calls 2923->2925 2927 7ff7bcf8751a __GSHandlerCheck_EH 2923->2927 2926 7ff7bcf8753b 2924->2926 2925->2927 2928 7ff7bcf843d0 _CreateFrameInfo 10 API calls 2926->2928 2927->2921 2929 7ff7bcf87548 2928->2929 3090 7ff7bcf87411 3091 7ff7bcf87495 3090->3091 3092 7ff7bcf87429 3090->3092 3092->3091 3093 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3092->3093 3094 7ff7bcf87476 3093->3094 3095 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3094->3095 3096 7ff7bcf8748b terminate 3095->3096 3096->3091 3125 7ff7bcf81510 3126 7ff7bcf83cc0 __std_exception_copy 2 API calls 3125->3126 3127 7ff7bcf81539 3126->3127 2930 7ff7bcf81550 2931 7ff7bcf83d50 __std_exception_destroy free 2930->2931 2932 7ff7bcf81567 2931->2932 2933 7ff7bcf827d0 2937 7ff7bcf83074 SetUnhandledExceptionFilter 2933->2937 3097 7ff7bcf83090 3098 7ff7bcf830c4 3097->3098 3099 7ff7bcf830a8 3097->3099 3099->3098 3104 7ff7bcf841c0 3099->3104 3103 7ff7bcf830e2 3105 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3104->3105 3106 7ff7bcf830d6 3105->3106 3107 
7ff7bcf841d4 3106->3107 3108 7ff7bcf843d0 _CreateFrameInfo 10 API calls 3107->3108 3109 7ff7bcf841dd 3108->3109 3109->3103 3113 7ff7bcf87090 3115 7ff7bcf870d2 __GSHandlerCheckCommon 3113->3115 3114 7ff7bcf870fa 3115->3114 3117 7ff7bcf83d78 3115->3117 3118 7ff7bcf83da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 3117->3118 3119 7ff7bcf83e99 3118->3119 3120 7ff7bcf83e64 RtlUnwindEx 3118->3120 3119->3114 3120->3118

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                          • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                          • API String ID: 2647627392-2367407095
                                                          • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                          • Instruction ID: aa9decc814d2f850056bcf28dcf4d2fe6842325be072d4e4a0416fcba7cb4678
                                                          • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                          • Instruction Fuzzy Hash: C2A19853D0C682CDFF61AB28A608279E7A4EB67756F84C2B1CB5E6259DDE3CD444C320

                                                          Control-flow Graph

                                                          APIs
                                                          Similarity
                                                          • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                          • String ID:
                                                          • API String ID: 2308368977-0
                                                          • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                          • Instruction ID: cf71c77e8459bdcf012c6fe1c0bdf4f0629b55b2097a2ffc943588679a30e855
                                                          • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                          • Instruction Fuzzy Hash: 03311D13A08103C9EA14BB2896193B99351AF63787FD490B5DB4D672AFDE2DB4488270

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                          • String ID: [createdump]
                                                          • API String ID: 3735572767-2657508301
                                                          • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                          • Instruction ID: f29753996e980a3e2a0c413b134f2767e93cbf5031b9a31cdbcd0ad95bb28807
                                                          • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                          • Instruction Fuzzy Hash: F9018F22A18B41C7EA10AB54F90816AE364FB96BD2F808134DB8D1376ADF3CD455C320

                                                          Control-flow Graph

                                                          APIs
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                          • Instruction ID: 0e62d6d4492ec4b4803d7cce968bcd40304ddcfd60f1258121df84c85b2a9383
                                                          • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                          • Instruction Fuzzy Hash: 42318F73618A81CAEB609F64E8443E9B361FB55345F808039DB4E57A98EF38D548C720
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                          • Instruction ID: 97cc62b0ba7bc24af6100811647782fcd8f96c35aa4ecfd6a8b03180cfd1b2db
                                                          • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                          • Instruction Fuzzy Hash: 5BA0022391CC02D8E654AB18EA5C131A330FB72306BD085B1D60E610BC9F3CA448D330

                                                          Control-flow Graph

                                                          APIs
                                                          • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF8242D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF8243B
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81475
                                                            • Part of subcall function 00007FF7BCF81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7BCF81485
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81494
                                                            • Part of subcall function 00007FF7BCF81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814B3
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814BE
                                                            • Part of subcall function 00007FF7BCF81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814C7
                                                          • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF82466
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF82470
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF82487
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7BCF825F3
                                                          Strings
                                                          Similarity
                                                          • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                          • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                          • API String ID: 3971781330-1292085346
                                                          • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                          • Instruction ID: 7d0d13538524ef090eff00b0dcfe70adccdd89597b75670401d530a07f3ff2d0
                                                          • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                          • Instruction Fuzzy Hash: 2D61C833608641C9E620AB19E55867EB7A1FB56792F908170DF9E136EDCF3CE441C720

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 695522112-393685449
                                                          • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                          • Instruction ID: 10d63b82e95fc9da5fb553a9018b197c0c7d65c9ba0c4d3faab13e5dcf9479aa
                                                          • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                          • Instruction Fuzzy Hash: 39E1C233D08682CEE710AF28D5583ADBBA0FB26749F908175DB8D6765ADF38E085C710

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                          • String ID: [createdump]
                                                          • API String ID: 3735572767-2657508301
                                                          • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                          • Instruction ID: 780892dd210cdd4bdaf0681d0540c05530036fa16d09272ffb6fb0b977e3e515
                                                          • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                          • Instruction Fuzzy Hash: 95018432A18B41C7E710AB54F908169E360FB957D2F808134DB4D13769DF3CD494C320

                                                          Control-flow Graph

                                                          APIs
                                                          • WSAStartup.WS2_32 ref: 00007FF7BCF8186C
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81475
                                                            • Part of subcall function 00007FF7BCF81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7BCF81485
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81494
                                                            • Part of subcall function 00007FF7BCF81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814B3
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814BE
                                                            • Part of subcall function 00007FF7BCF81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                          • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                          • API String ID: 3378602911-3973674938
                                                          • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                          • Instruction ID: 6cb7e6272190596a9543f02ec5f062c1a017f9fc6c87e3f433d6610922ad3a7f
                                                          • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                          • Instruction Fuzzy Hash: B0312623A08A81CAEB55AF1999597F9A751BB67386FC4C1B2DF4D23289CF3CE044C310

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF7BCF8669F,?,?,?,00007FF7BCF8441E,?,?,?,00007FF7BCF843D9), ref: 00007FF7BCF8651D
                                                          • GetLastError.KERNEL32(?,00000000,00007FF7BCF8669F,?,?,?,00007FF7BCF8441E,?,?,?,00007FF7BCF843D9,?,?,?,?,00007FF7BCF83524), ref: 00007FF7BCF8652B
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00007FF7BCF8669F,?,?,?,00007FF7BCF8441E,?,?,?,00007FF7BCF843D9,?,?,?,?,00007FF7BCF83524), ref: 00007FF7BCF86555
                                                          • FreeLibrary.KERNEL32(?,00000000,00007FF7BCF8669F,?,?,?,00007FF7BCF8441E,?,?,?,00007FF7BCF843D9,?,?,?,?,00007FF7BCF83524), ref: 00007FF7BCF8659B
                                                          • GetProcAddress.KERNEL32(?,00000000,00007FF7BCF8669F,?,?,?,00007FF7BCF8441E,?,?,?,00007FF7BCF843D9,?,?,?,?,00007FF7BCF83524), ref: 00007FF7BCF865A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                          • Instruction ID: 849fca181acb2fac1b65b8f11cc70dac3f877fc57a4880ace696f15f458d506f
                                                          • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                          • Instruction Fuzzy Hash: 1531B823A19A02C9EE11BB499908575A3D4FF26B61F998574DF1D2A7CCDF3CE0448320

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: _time64
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 1670930206-4114407318
                                                          • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                          • Instruction ID: 6601d3e89c19c414eeb676f727d49165ced83b12cc7e07dd3ce344803fe4c8d9
                                                          • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                          • Instruction Fuzzy Hash: FC51C363A18B818AEB00DB2CD5483E9A7A1EB627D1F808275DB5D277ADDF3CE041D750

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: EncodePointerabort
                                                          • String ID: MOC$RCC
                                                          • API String ID: 1188231555-2084237596
                                                          • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                          • Instruction ID: 1d9acc6369e8eb7fb1c47d43b3281f8046a60b903e930277330297e198e33ee7
                                                          • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                          • Instruction Fuzzy Hash: C091D373A08B82CEE710DB68E5842ADBBB0FB15789F548129EB8D27758DF38D155C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __except_validate_context_recordabort
                                                          • String ID: csm$csm
                                                          • API String ID: 746414643-3733052814
                                                          • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                          • Instruction ID: 4012d065ea694e2b077daaefe2b046fb7b38e5abbe770d4c693b29ae9d22f1e0
                                                          • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                          • Instruction Fuzzy Hash: E771B433608681CFEB209F599558679BBA0FB52B9AF84C171DB4D1BA8DDF2CD450C710

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 0-4114407318
                                                          • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                          • Instruction ID: 4acc6de720bfa753c0a4d352dc433467be51ced935efd27bfe6adb99e5a05421
                                                          • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                          • Instruction Fuzzy Hash: A9511923A18B85CAD710DB2DE5487AAA761EB927D1F808275EB9D2379DCF3CD041D710

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: CreateFrameInfo__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2558813199-1018135373
                                                          • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                          • Instruction ID: e4a2e9d433581c1dfd1bf5b7750e87f4733970b75b85aded2cb35ccea969d306
                                                          • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                          • Instruction Fuzzy Hash: D5518F33A18742CBE620AB19E18426EB7B4F79AB91F544174DB8D17B59DF7CD060CB10
                                                          APIs
                                                          • std::_Xinvalid_argument.LIBCPMT ref: 00007FF7BCF817EB
                                                          • WSAStartup.WS2_32 ref: 00007FF7BCF8186C
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81475
                                                            • Part of subcall function 00007FF7BCF81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7BCF81485
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF81494
                                                            • Part of subcall function 00007FF7BCF81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814B3
                                                            • Part of subcall function 00007FF7BCF81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814BE
                                                            • Part of subcall function 00007FF7BCF81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7BCF814C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                          • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                          • API String ID: 1412700758-3183687674
                                                          • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                          • Instruction ID: 8588324147090f4635a665931eb4ef22c1b977a5b6eb9e8cbbe8dcefbd0ec5ba
                                                          • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                          • Instruction Fuzzy Hash: C901F523A08981D9F761AF16ED497EAA350BB5A795F808071EF0D16659CE3CD486C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastgethostname
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 3782448640-4114407318
                                                          • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                          • Instruction ID: c157938916fd4c0106312541aaca5ec51bf2b1407399256eb3b9f71ec5ae1015
                                                          • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                          • Instruction Fuzzy Hash: 2D11EE13A08542CEEA44BB15A9593F693909F57766FC09275DB5F372DECE3CE0414360
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: terminate
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 1821763600-2671469338
                                                          • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                          • Instruction ID: 04cb5887b41ed348c805a478c4e3329676cf911c172b7742415a36b82c63b9af
                                                          • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                          • Instruction Fuzzy Hash: 91F0F937D08506CBD3647B98A34916CBB74EF65B06F99D0B1C7082625ADF7CE460D611
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF7BCF818EE), ref: 00007FF7BCF821E0
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BCF8221E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID: Invalid process id '%d' error %d
                                                          • API String ID: 73155330-4244389950
                                                          • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                          • Instruction ID: 1e8a3d62007be7eaa63c180214e029861128861b1682b3335dc8c72cfff19fff
                                                          • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                          • Instruction Fuzzy Hash: D431F623709B81DAEE10AF1996482A9E3A1EB16BD2F948671DF5D177DDCE7CF0508320
                                                          APIs
                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BCF8173F), ref: 00007FF7BCF83FC8
                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BCF8173F), ref: 00007FF7BCF8400E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2231034807.00007FF7BCF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7BCF80000, based on PE: true
                                                          • Associated: 00000008.00000002.2230780438.00007FF7BCF80000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231060536.00007FF7BCF88000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231081246.00007FF7BCF8C000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000008.00000002.2231112476.00007FF7BCF8D000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_7ff7bcf80000_createdump.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                          • Instruction ID: ac5d2944a27864b73e64576162693e5849c21c730397cc7faa1d4e99b0b5c7ba
                                                          • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                          • Instruction Fuzzy Hash: F4116D32618B41C2EB249B19F504269B7A0FB99B85F588270EF8D17B68DF3DC455C750
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                          • API String ID: 667068680-295688737
                                                          • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                          • Instruction ID: 2d347c529e42894829a7ddc8123178f0abeca0ea4a98088312a667f0c1efbdf0
                                                          • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                          • Instruction Fuzzy Hash: E9A1A5A4E09F0795EA04AB9CBC645743BA5FF48BC5B94A035CA1E47224EF7CB189C390
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                          • API String ID: 2943138195-2884338863
                                                          • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                          • Instruction ID: 62fb5f9a30765cd415d465d952b6a60e4236578b6f3c75953a340177f9311e02
                                                          • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                          • Instruction Fuzzy Hash: 55926F72A1C78286EB51CB68E4802AEB7A0FB85384F502175FF8E47A99DF7DD544CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                          • Instruction ID: 0f6c66821a3226b9a08d7d06444f79728a07e91386e79913eab2eb0931dcbbce
                                                          • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                          • Instruction Fuzzy Hash: 22A24A26619B8982EB14CB9EE8903A9BB60FB89FC0F548036DB8D43B65DF7DD445C700
                                                          APIs
                                                          • memchr.VCRUNTIME140 ref: 00007FF8BFB530AA
                                                          • memchr.VCRUNTIME140 ref: 00007FF8BFB53470
                                                          • memchr.VCRUNTIME140 ref: 00007FF8BFB536A5
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5410D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54114
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5411B
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54122
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54129
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54130
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54137
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5413E
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB54145
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5414C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB542D3
                                                            • Part of subcall function 00007FF8BFB31DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31DFB
                                                            • Part of subcall function 00007FF8BFB31DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 3572500260-3850129594
                                                          • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                          • Instruction ID: e88e9b89de18fa9900456b44544c59e839b711fe6f321c2d7e2d6e1ffe104128
                                                          • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                          • Instruction Fuzzy Hash: 86E2AA23A09A8589EB408BADD4A43BC3B62FB44BD8F589131DB5E077A5DF7DE495C300
                                                          APIs
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                            • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                            • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                            • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                            • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                          • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                          • OpenEventA.KERNEL32 ref: 0000000140008454
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                          • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                            • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                            • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                            • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                            • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                          • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                          • CloseHandle.KERNEL32 ref: 0000000140008554
                                                          • CloseHandle.KERNEL32 ref: 0000000140008561
                                                          • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                          • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                          • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                          • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                          • String ID:
                                                          • API String ID: 1089015687-0
                                                          • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                          • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                          • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                          • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                          • String ID:
                                                          • API String ID: 2074253140-0
                                                          • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                          • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                          • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                          • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswdigit$btowclocaleconv
                                                          • String ID: 0$0
                                                          • API String ID: 240710166-203156872
                                                          • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                          • Instruction ID: 50984704cee1ed424ed53ac226a1f3d1226c6cfd4ab44d3f835676f3f7d2fc4e
                                                          • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                          • Instruction Fuzzy Hash: 52812773A1854686E7218F6DD8607BA77A1FF94B89F089135DB8A462A0EF3CF845C700
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                          • Instruction ID: 75039b5f4190511ce5ea5515150e31e98178389af302c3d1895fdf48a3297fe0
                                                          • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                          • Instruction Fuzzy Hash: EDC29C66A09A8189EB518FADD49027D3BA1EB45FD4F949031CF5E077A5CF3DE86AC300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchr$isdigit$localeconv
                                                          • String ID: 0$0123456789abcdefABCDEF
                                                          • API String ID: 1981154758-1185640306
                                                          • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                          • Instruction ID: 4cbc1223638adbd5557c20f1d997b34cfda509e9a94bb64ef6dbd6fad022de72
                                                          • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                          • Instruction Fuzzy Hash: C2914A22A0C59646F7258F68E82077EBF94FB45BC8F48A036CF8A57685DA3CF945C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 2141594249-3606100449
                                                          • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                          • Instruction ID: 7d3725260d345346ea68365f7af21a93fe48fdc3424817d65c1f08a964763877
                                                          • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                          • Instruction Fuzzy Hash: 16D29D36A09A8289EB518FAEC59017C3B61FB45FC4B949531DBAE077A1CF3DE856C310
                                                          APIs
                                                          • _Find_elem.LIBCPMT ref: 00007FF8BFB41660
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB42011
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB42018
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB4201F
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB421CE
                                                            • Part of subcall function 00007FF8BFB31DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31DFB
                                                            • Part of subcall function 00007FF8BFB31DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 2779821303-3850129594
                                                          • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                          • Instruction ID: 796c7170bd1db7462345784fdc5b8a21982255a6439f6567f66d5de3e360d877
                                                          • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                          • Instruction Fuzzy Hash: CCE2BC22A09A8685EB518FADD59067D3BB4FB44BC4F949036EB4E47BA4CF3DD881C700
                                                          APIs
                                                          • _Find_elem.LIBCPMT ref: 00007FF8BFB42C08
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB435B9
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB435C0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB435C7
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB43776
                                                            • Part of subcall function 00007FF8BFB31DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31DFB
                                                            • Part of subcall function 00007FF8BFB31DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8BFB2C320), ref: 00007FF8BFB31E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 2779821303-3850129594
                                                          • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                          • Instruction ID: 18a2b53ede10f10de4afae2e960cf983426c93c64078536702f5954e4eaa31d4
                                                          • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                          • Instruction Fuzzy Hash: C0E29B26A19A8685EB508FADD59067D3BB0FB44BC4F589035EB8E47BA5CF3CD881D700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswdigit$localeconv
                                                          • String ID: 0$0$0123456789abcdefABCDEF
                                                          • API String ID: 2634821343-613610638
                                                          • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                          • Instruction ID: 073af6bb60e08b5d57b1df47e634229fe677adfd78dd8ed623e5f9b0a5c6e314
                                                          • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                          • Instruction Fuzzy Hash: BD812863E0866687EB658F68D86067A77A1FB54B84F0C9035DF8E47684EB3CF845C780
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                          • String ID: .$.
                                                          • API String ID: 479945582-3769392785
                                                          • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                          • Instruction ID: 4af2e30161a49d316b4a716d6eaa012689fa6ed2943f80108fee4831705b6f4d
                                                          • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                          • Instruction Fuzzy Hash: 4A418632A1868185EA10DFADE8446BDBB65FB857E4F904235EBAD03AD4DF7CD485C700
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                          • Instruction ID: 2bab1cd3c1c29cf357b921a2716110bc3e234de3b511d8e086dc9a8cf469f6c9
                                                          • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                          • Instruction Fuzzy Hash: 76C269A6A89A8685EB608F9ED55017D37A0FB44FC4B949031DF9E077A4CF3DE8A5D300
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                          • Instruction ID: 2ec6c8b23b30c2e0cb617164dc17a22e50158e4f036974a4fa13f26f52639203
                                                          • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                          • Instruction Fuzzy Hash: 50C28D26A89A8685EB548F9ED45027D77A1FB40FC4BA49031DF5E077A9CF3DE8A5C300
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB46EF7
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB46F89
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB4702C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB474E8
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB4753A
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB47581
                                                            • Part of subcall function 00007FF8BFB4EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB3923E), ref: 00007FF8BFB4EC08
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                          • Instruction ID: 018ee37dad6cd890254511956fd6cd2489cda88e93c4848c492d6b45e15f00c6
                                                          • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                          • Instruction Fuzzy Hash: 51529062A18B8685EB10CFADD5445BD6761FB84BD8F609132EB8D07B99EF3CE584C340
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB465AB
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB4663D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB466E0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB46B9C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB46BEE
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB46C35
                                                            • Part of subcall function 00007FF8BFB4EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB3923E), ref: 00007FF8BFB4EC08
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1799700165-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 1825414929-3606100449
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 1825414929-3606100449
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 1326169664-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 1326169664-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                          • String ID: 0123456789ABCDEFabcdef-+Xx
                                                          • API String ID: 2740501399-2799312399
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB57600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8BFB23887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8BFB5760F
                                                            • Part of subcall function 00007FF8BFB2F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FF8BFB54C66,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE66), ref: 00007FF8BFB2F6FC
                                                          • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE88), ref: 00007FF8BFB45245
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE88), ref: 00007FF8BFB4525A
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE88), ref: 00007FF8BFB45268
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_lock_localesrealloc
                                                          • String ID:
                                                          • API String ID: 3705959680-0
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB57600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8BFB23887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8BFB5760F
                                                            • Part of subcall function 00007FF8BFB2F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FF8BFB54C66,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE66), ref: 00007FF8BFB2F6FC
                                                          • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE77), ref: 00007FF8BFB45F35
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE77), ref: 00007FF8BFB45F4A
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE77), ref: 00007FF8BFB45F58
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_lock_localesrealloc
                                                          • String ID:
                                                          • API String ID: 3705959680-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID: GetLastError() = 0x%X
                                                          • API String ID: 3479602957-3384952017
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB51E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB51F72
                                                            • Part of subcall function 00007FF8BFB57600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8BFB23887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8BFB5760F
                                                          • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE66,?,?,?,?,?,?,?,00007FF8BFB2F7E7), ref: 00007FF8BFB54BCF
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE66,?,?,?,?,?,?,?,00007FF8BFB2F7E7), ref: 00007FF8BFB54BE4
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8BFB2FE66,?,?,?,?,?,?,?,00007FF8BFB2F7E7), ref: 00007FF8BFB54BF3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                          • String ID:
                                                          • API String ID: 962949324-0
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB442AD
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB442FB
                                                            • Part of subcall function 00007FF8BFB4EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB3923E), ref: 00007FF8BFB4EC08
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB446ED
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB4473B
                                                            • Part of subcall function 00007FF8BFB4EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8BFB3923E), ref: 00007FF8BFB4EC08
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                          • Instruction ID: e5c5645a0321258829bbb39da99ea6b9c4a4c905cb1c5fa492d5a5b020af7aa1
                                                          • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                          • Instruction Fuzzy Hash: C9D15922B09B8685FB04CFA9D9502AC6372EB48BD8F444536DF9D27B99DF38E459C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID:
                                                          • API String ID: 1654775311-0
                                                          • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                          • Instruction ID: b399d48099f4c6a806e715d29233ad5901ab7ce2c58040b002d9020f2ae29ea6
                                                          • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                          • Instruction Fuzzy Hash: 40A1BD62F8969285FB109BE9D850ABC2BB2BB15BD8F554039DF5D1BB85DF38E481C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID:
                                                          • API String ID: 1654775311-0
                                                          • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                          • Instruction ID: 504d26d5c08b51dfc416baa693a700dec86e27f10b336c8744a3bb683e6d1488
                                                          • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                          • Instruction Fuzzy Hash: 1DA1A062F886A685FB108BE9D850ABC3BB2BB05BD8F554039DF5D1BB94DF38A451C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1915456417-0
                                                          • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                          • Instruction ID: 88590328a2cd0278f995e2b604ce57fcdb808ea13e028330cd4ce5f5ba38ed36
                                                          • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                          • Instruction Fuzzy Hash: 22414A22B14B4598FB00CFA5D8406AC3BB9BB48BA8F945625CF5D67B98DF38D085C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale___lc_locale_name_func
                                                          • String ID:
                                                          • API String ID: 3366915261-0
                                                          • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                          • Instruction ID: 5a8bc2000bcf9f932707b62627410d9429839334d17f967abb0062aba4971580
                                                          • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                          • Instruction Fuzzy Hash: B0F08532E2C04386E3A84FACE669B382360FB84385F400032E34F433A4CF6EE5449741
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                          • Instruction ID: 52824eebd7ca1e606bbc824714f3db87fc4806b92b1124680e8a61d1e72cfbd2
                                                          • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                          • Instruction Fuzzy Hash: 21022126A09A4689EF608FADC55037937A1EB44FC8F649036DB4E5B7A5CF3DD886C310
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                          • Instruction ID: 61c447f5ba8930146ab1840bf83b2ed845b5e95566ebbb9a1b1b639212935ae3
                                                          • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                          • Instruction Fuzzy Hash: F0024E66A0AA4689EB518FADC46037D37A1AB44FD8F549131CB4E47BA5DF3DE882C310
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _lock_locales
                                                          • String ID:
                                                          • API String ID: 3756862740-0
                                                          • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                          • Instruction ID: 18b803c33e7d61c489646b31711bb404cee6c119fc0b7b8badf9d0cb644834de
                                                          • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                          • Instruction Fuzzy Hash: FEE16B61B09B0285FB56AFADAC505B92BA0FF80BC0F945135DB4E437AADE3CB5428740
                                                          APIs
                                                          • memset.VCRUNTIME140 ref: 000000014000475B
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                            • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                          • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                            • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                          • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                          • API String ID: 2423274481-1946953090
                                                          • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                          • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                          • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                          • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                          • API String ID: 2943138195-1388207849
                                                          • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                          • Instruction ID: 9b29a1f380a5b1b591fb14d01ad42b59c4b2a6d689dbe1940e663b85ebc57d7a
                                                          • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                          • Instruction Fuzzy Hash: 0EF17D72F0861698FB658BACD8942BC37B0BB153C4F4065B5CF0D56AA9DF7EA648C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: `anonymous namespace'
                                                          • API String ID: 2943138195-3062148218
                                                          • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                          • Instruction ID: 884484f0c11f1843e1910347fe3fe9e91196f0f6ae6f5567bfba68dbcd1d7e42
                                                          • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                          • Instruction Fuzzy Hash: 6BE17A72A08B8699EB20CF68E8801ED77A0FB45784F44A076EF4D17B65DF79E664C700
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                          • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                          • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                          • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                          • String ID: (
                                                          • API String ID: 703713002-3887548279
                                                          • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                          • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                          • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                          • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                          • String ID: [NOT FOUND ] %s
                                                          • API String ID: 2350601386-3340296899
                                                          • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                          • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                          • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                          • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                          • Instruction ID: ae7fca47a68f37e752e7f72db9610b5d5acaa4decd75a36f2ebe1a7efc6e6370
                                                          • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                          • Instruction Fuzzy Hash: 5BF16B72B08A829AEB11DFA8D4901EC37B1EB4478CB4490B6EF4D67B99DF39D519C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                          • String ID:
                                                          • API String ID: 1818695170-0
                                                          • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                          • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                          • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                          • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                          • API String ID: 2943138195-2309034085
                                                          • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                          • Instruction ID: fe427a242d3059ed7621ab1b6fe41db92eaa5930ae732e1e4436e5f8e45c825d
                                                          • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                          • Instruction Fuzzy Hash: EDE18F62E0C69284FB259B6CD9941BC27A0AF457CCF5421B6CF0E1BBA9DF3EA505C341
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                          • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                          • API String ID: 140832405-680935841
                                                          • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                          • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                          • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                          • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 3436797354-393685449
                                                          • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                          • Instruction ID: e491f3b73101b2068d1e4bffd42c4910f0f9082be1077b4d87ce4fe8130ed34c
                                                          • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                          • Instruction Fuzzy Hash: 60D1A332A08B418AEB60DF69D4802AD7BA4FB45BD8F102176EF8D57B59CF39E594C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                          • String ID:
                                                          • API String ID: 3420081407-0
                                                          • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                          • Instruction ID: a0c5207dce46f1f63a9744c7200bcd5159de5189b185b591518580043dd9ceb3
                                                          • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                          • Instruction Fuzzy Hash: 9BA19F62A0868286FB318FA8D4103BE7B91AF45BE4F844631DB5D9AFD4DF7CE8458341
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A87E), ref: 00007FF8BFB36971
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A87E), ref: 00007FF8BFB3698E
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB369AA
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A87E), ref: 00007FF8BFB369B3
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A87E), ref: 00007FF8BFB369D0
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB369EC
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB36A01
                                                            • Part of subcall function 00007FF8BFB24D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D72
                                                            • Part of subcall function 00007FF8BFB24D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D98
                                                            • Part of subcall function 00007FF8BFB24D50: memmove.VCRUNTIME140(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24DB0
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8BFB369DB
                                                          • :AM:am:PM:pm, xrefs: 00007FF8BFB369FA
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8BFB36999
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 269533641-35662545
                                                          • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                          • Instruction ID: ef08ee53def5427dd8f8c95974a0c28711114bb58db4958f5298df3dfc281d71
                                                          • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                          • Instruction Fuzzy Hash: 30219E32A18B4182EB00DF69E8512A977A1FB98FC4F848235DB5D43756EF3CE585C780
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                          • String ID:
                                                          • API String ID: 1733283546-0
                                                          • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                          • Instruction ID: c159a450ccde6e8e60e4e4b4c0e968d0ce521f6f5622732f8c58b0708a942f2b
                                                          • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                          • Instruction Fuzzy Hash: 77915A32B08B8286FB208F9994407697BA1FB44BE4F944235EB5D97F98DF7CE4458710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 3166507417-0
                                                          • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                          • Instruction ID: ebc68b1f9faa6c54a96eefe86c86e53f936c963a93f5e25cc10fba3ab9603bea
                                                          • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                          • Instruction Fuzzy Hash: 78618D22F086429AFB11DBEAD4A15FD2721AB587C8F504136DF0D67A99DE3CF94AC700
                                                          APIs
                                                          • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                          • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                          • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                          • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                          • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                          • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                          • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                          • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                            • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                            • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                            • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                            • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                          • String ID:
                                                          • API String ID: 2702579277-0
                                                          • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                          • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                          • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                          • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                          • Instruction ID: 15ddf95763c9eea3fbc3c0e7936bdf899735a32656b116677a80cf9d774ee0c9
                                                          • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                          • Instruction Fuzzy Hash: 98919D22B18A4696EF648B9DD4817B97B60FB84FC4F948036CB4E47BA5DF2DD44AC300
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                          • API String ID: 0-3207858774
                                                          • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                          • Instruction ID: 05f96f3a0172d475b59c68dcfdd814f942ccffc169cb121411f88615afe801a3
                                                          • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                          • Instruction Fuzzy Hash: A2918E32A08A8689FB258F68D9912FC37A1AB45BC5F8860B5DF4D037A5DF3DE605C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$Name::operator+=
                                                          • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                          • API String ID: 179159573-1464470183
                                                          • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                          • Instruction ID: 34a42dafe427ab1446ace25463ecac0ef8943e9de731dce18b17b348dad8a4f3
                                                          • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                          • Instruction Fuzzy Hash: 5A513A32F1865699FB14CBA8E8805BC37B0BB153C8F505175EF0D56A58DF7AE549C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3781602613-0
                                                          • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                          • Instruction ID: 702721301169e480fe69aa2cfe63fa15a3a5a960bff9ab7f30b21f09db4b6e20
                                                          • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                          • Instruction Fuzzy Hash: 7E617E22F085429AFB11DEEAD8A05FD2721AB547C8F508536DF0D67A9ADF3CF54A8700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                          • Instruction ID: 7c15732a4babf7209c410afca2585ed22c7c9dd26b9f764c1e34940991014e17
                                                          • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                          • Instruction Fuzzy Hash: 71614962F04B6698FB10DBA8D8801EC37B1FB44788B406476DF4D6BA99EFB9D549C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$AdjustPointermemmove
                                                          • String ID:
                                                          • API String ID: 338301193-0
                                                          • Opcode ID: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                          • Instruction ID: 00534809c7163f4de5d43a37d30a3b9f0189ad5a7b53695da261ecdd86a3cb5a
                                                          • Opcode Fuzzy Hash: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                          • Instruction Fuzzy Hash: 02518B32B0AAC381FA66DF59958663C63A5AF65FC4F09C43ADB4D06B84DF2CE8418740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 211107550-393685449
                                                          • Opcode ID: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                          • Instruction ID: 91c344f13dad493c6e389bd4061fd0f46460a95cb2973428ece46cbd6aa580a4
                                                          • Opcode Fuzzy Hash: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                          • Instruction Fuzzy Hash: 85E19C72A08AC38AEB219F69D4812AD7BA0FF54788F154136DB8D57796DF38E485C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 211107550-393685449
                                                          • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                          • Instruction ID: fa27ed1b9841d97ac660d2e9dabb3fb723ee9277e500f3d16f7a5474117b6140
                                                          • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                          • Instruction Fuzzy Hash: 5DE18D72A086828AE720DF68D4802ED7BA1FB44B88F156176DFAD47795CF39F485CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchrtolower$_errnoisspace
                                                          • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 3508154992-2692187688
                                                          • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                          • Instruction ID: 968469135190ed8e14a5b12618ec1fe5018467f77b9e444346f05fe6b1e00352
                                                          • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                          • Instruction Fuzzy Hash: 1E51F712A0D6C645FB619FAC98213B9AB98AB46BD0F4C4032CF9D57395DE3CF8439310
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                          • API String ID: 2943138195-2239912363
                                                          • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                          • Instruction ID: f4b9645026e172c896cdf13ce28ea28496f8c37e94e38307b153848752879674
                                                          • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                          • Instruction Fuzzy Hash: C3518D62E18B868CFB11CB68D8812BC77B0BB1A784F4490B5DF4D52B94DFBD9145C710
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_CEvent_
                                                          • API String ID: 2242036409-942587184
                                                          • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                          • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                          • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                          • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_SEvent_
                                                          • API String ID: 2242036409-1609572862
                                                          • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                          • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                          • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                          • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_CmdMap_
                                                          • API String ID: 2242036409-3276274529
                                                          • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                          • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                          • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                          • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_DMap_
                                                          • API String ID: 2242036409-2879874026
                                                          • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                          • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                          • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                          • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 1099746521-1866435925
                                                          • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                          • Instruction ID: 9ef62bc75bca12edc4d71f2d0c6d2c2cdac0f09cb849518cff8cb41845a598ac
                                                          • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                          • Instruction Fuzzy Hash: 2721E551E1850A95FB04E79CD8816FD2B12EF543C0FE8403AD74E46DA6EF2DD549C740
                                                          APIs
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                            • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                            • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                          • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                          • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                          • String ID: MRDH$SideCarLut
                                                          • API String ID: 916663099-3852011117
                                                          • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                          • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                          • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                          • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                          • Instruction ID: 3788e6374cbf3969a11ca2eafb17b8581ccf35a4dcee6311f917cf0fbcd30c53
                                                          • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                          • Instruction Fuzzy Hash: 95616D22A08A4696EB64CB9DD4913B9BBA0FB84FC4F588036CB4E477A5DF3DD446C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 1428583292-1866435925
                                                          • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                          • Instruction ID: 5bc71f0e354e0f19b08ed73259c73994a6430b5bb035ac89ff83adadf36331e3
                                                          • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                          • Instruction Fuzzy Hash: 8171AB72A98A82D9EB14CFA9E4802A937A0FB44BC8F954032EB4D47B58DF3DD595C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                          • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                          • API String ID: 1852475696-928371585
                                                          • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                          • Instruction ID: 9772d764ee1eeb90e9efa930190b784653b7b80433a045b663068f4d5f874855
                                                          • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                          • Instruction Fuzzy Hash: 9D51B072A0DA8696EE20CB58E8906B9A360FF54BC4F405476EF4E47665DF3DE205C301
                                                          APIs
                                                          • std::ios_base::failure::failure.LIBCPMT ref: 00007FF8BFB698D3
                                                          • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8BFB5C678), ref: 00007FF8BFB698E4
                                                          • std::ios_base::failure::failure.LIBCPMT ref: 00007FF8BFB69927
                                                          • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8BFB5C678), ref: 00007FF8BFB69938
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                          • Instruction ID: 9484bb73cf174b0345f8ebc76b6fde800ba68d0b1d031484596426b1e66ecdac
                                                          • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                          • Instruction Fuzzy Hash: 80617B22A08A4695EB64CB9DD4913B9BB60FF84FD8F548036CB4E477A5DF2DD446C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchrtolower$_errnoisspace
                                                          • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 3508154992-4256519037
                                                          • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                          • Instruction ID: 7fcd79377d30b2c70adc74ee5c4ddf81a48a6856d0ac9739d68f3bb5eb8ebacc
                                                          • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                          • Instruction Fuzzy Hash: 7351E222A0D79646F7618FA8A8203B9BB94AF85BD4F484035DF9D42794DE3CF8468700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$Name::operator+=
                                                          • String ID: {for
                                                          • API String ID: 179159573-864106941
                                                          • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                          • Instruction ID: 1d4004d2fc94471dd0fbb173b3c0cecf422795355bcfa8da8b74b158cb418acb
                                                          • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                          • Instruction Fuzzy Hash: 74516B72A08A85A9EB118F68D5853ED33A1FB45788F8490B1EF4C07BA5EF7DD654C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                          • Instruction ID: 26afe89f6e2773ffd7507f5c8cf922cb583b46ed45527e757b288b008794a1fa
                                                          • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                          • Instruction Fuzzy Hash: 10515E62A08A4A81EB50DB9DD4C02AD6B60FF44FC4FA48536DB5E837B5DF2DD946C300
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B98435DD
                                                          • GetLastError.KERNEL32(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B98435EB
                                                          • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B9843604
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B9843616
                                                          • FreeLibrary.KERNEL32(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B984365C
                                                          • GetProcAddress.KERNEL32(?,?,?,00007FF8B9843717,?,?,00000000,00007FF8B9843548,?,?,?,?,00007FF8B98432C9), ref: 00007FF8B9843668
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                          • String ID: api-ms-
                                                          • API String ID: 916704608-2084034818
                                                          • Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                          • Instruction ID: ac8a371f1e8fe3ea3bbbeb1b1009899803d29b0362967798557ed11f85653aee
                                                          • Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                          • Instruction Fuzzy Hash: 4C31D421B1AB8392EE29DF0AA9006792394BF49BE0F5A4536DF1D4B390EF3CE4458700
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F6931
                                                          • GetLastError.KERNEL32(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F693F
                                                          • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F6958
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F696A
                                                          • FreeLibrary.KERNEL32(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F69B0
                                                          • GetProcAddress.KERNEL32(?,?,?,00007FF8BA4F6A6B,?,?,00000000,00007FF8BA4F689C,?,?,?,?,00007FF8BA4F65E5), ref: 00007FF8BA4F69BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                          • String ID: api-ms-
                                                          • API String ID: 916704608-2084034818
                                                          • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                          • Instruction ID: b68cbdaf8252b24a2d9913bd9636fb9d6568150b3fb17fbdfc3e19abcd8191ca
                                                          • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                          • Instruction Fuzzy Hash: 7331C421B1AA8291EE21DB0AAC009B5A3A4FF45BE0F595576EF6D07394EF3DE244C700
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB51309
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB51326
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB5134B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB51368
                                                            • Part of subcall function 00007FF8BFB24D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D72
                                                            • Part of subcall function 00007FF8BFB24D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D98
                                                            • Part of subcall function 00007FF8BFB24D50: memmove.VCRUNTIME140(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24DB0
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8BFB51373
                                                          • :AM:am:PM:pm, xrefs: 00007FF8BFB51392
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8BFB51331
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 2607222871-35662545
                                                          • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                          • Instruction ID: c8dbdab25ab037e8812f5f018d1861ef433e34de6c2cd00e20035ceefffd18b3
                                                          • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                          • Instruction Fuzzy Hash: 2B218E36A04B4182EB10DF69E8502A977A1FB98FC4F888235DB5D03766EF3CE585C340
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB36A5E
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB36A7B
                                                          • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB36A9B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB36AB8
                                                            • Part of subcall function 00007FF8BFB24DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24DF9
                                                            • Part of subcall function 00007FF8BFB24DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E28
                                                            • Part of subcall function 00007FF8BFB24DD0: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E3F
                                                          Strings
                                                          • :AM:am:PM:pm, xrefs: 00007FF8BFB36AD4
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8BFB36A86
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8BFB36AC3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 2607222871-3743323925
                                                          • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                          • Instruction ID: 6f163b34a055c0fe1b2a3dc42b42e8a2458d403d514253b1c263bfb0c44f1a07
                                                          • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                          • Instruction Fuzzy Hash: 3C213E22A08B4282EB10DF69E554279B7B1FB99BC4F445234DB4E43756EF7CE584C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$AdjustPointer
                                                          • String ID:
                                                          • API String ID: 1501936508-0
                                                          • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                          • Instruction ID: 82cac3866b1415afb923d697a20e9e5c65f0bd6ca70ff49010469223d765836f
                                                          • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                          • Instruction Fuzzy Hash: A951AC21E0EA83C2FA698B5D9484A796794FF59FC0F09A5B6DF4E07394CF2EE4418301
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$AdjustPointer
                                                          • String ID:
                                                          • API String ID: 1501936508-0
                                                          • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                          • Instruction ID: 1f1a1d4aec024ed1681bfc00f5ff5e283afffb5f0a41864c6b078aafac08280a
                                                          • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                          • Instruction Fuzzy Hash: 74519D61A0EA4282FE659B5C998463963D4FF64FC4F09A4B6DF4E06794DF2EE442C301
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 578106097-0
                                                          • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                          • Instruction ID: 9366bc6aa057874e842d076032c61398712c35bc41321ff1da0501a3f5886948
                                                          • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                          • Instruction Fuzzy Hash: 2461D222B1CA4282EB11EFA9E4915AE7760FB947C4F504136EF4E53685DE3DF54A8B00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 578106097-0
                                                          • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                          • Instruction ID: 3044a0aff643118898051458d08172701e4e9a75e34d41c7b7dccfb3553537fa
                                                          • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                          • Instruction Fuzzy Hash: B161D326B1C64686E751DFE9E4A05BE6720FB857C4F500132EF4E13A85DE3CF54A8700
                                                          APIs
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                            • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                          • memcpy.VCRUNTIME140 ref: 000000014000C3C8
                                                          • memcpy.VCRUNTIME140 ref: 000000014000C427
                                                            • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                            • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                          • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                          • API String ID: 1244713665-103080910
                                                          • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                          • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                          • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                          • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHeader_local_unwind
                                                          • String ID: MOC$RCC$csm$csm
                                                          • API String ID: 2627209546-1441736206
                                                          • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                          • Instruction ID: da9796ef3b364f76a154498942de6c79a2f18ab354f60db23379577dd00cbc7f
                                                          • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                          • Instruction Fuzzy Hash: 08518D72A0965286FB609F2D944137D76A0FF84BD4F1460B2EF5D46399DF3EE4418B02
                                                          APIs
                                                          • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                          • String ID:
                                                          • API String ID: 1492985063-0
                                                          • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                          • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                          • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                          • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                          APIs
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BB38
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BB48
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BB5D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BB91
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BB9B
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BBAB
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BBBB
                                                            • Part of subcall function 00007FF8BFB725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25AF8), ref: 00007FF8BFB725C6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID:
                                                          • API String ID: 1468981775-0
                                                          • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                          • Instruction ID: 5096ebabcc00d4dc693d8ed51b641b73cabe946602a7f0b29036498c7873c17e
                                                          • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                          • Instruction Fuzzy Hash: 6E41D862B08A8191EE04EF9AE5482BDBB51FB44BD4F948536EF1D0BB9ADE7CD041C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2924853686-1866435925
                                                          • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                          • Instruction ID: ed59ea08230f6e1e9b5add7705470795651dcb0f61623de18bb62df370f7a7e2
                                                          • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                          • Instruction Fuzzy Hash: BF41BE72A54B4696EB54CFA8E4407AC33A0FB14BD8F545131CB4C47A59DF3CE6A4C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$xtime_get
                                                          • String ID:
                                                          • API String ID: 1104475336-0
                                                          • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                          • Instruction ID: 6d547ed241637e818ec10ef3c30f6e261a41f08d80bea3345f0b27d32c695aff
                                                          • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                          • Instruction Fuzzy Hash: CB410E32A88646D6EB60CB9DD48477A77A0EB44BC5F584035CB9E43AA0DF3DE895C701
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8BFB43B56
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB43BCF
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB43BE5
                                                          • _Getvals.LIBCPMT ref: 00007FF8BFB43C8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          • API String ID: 2626534690-2658103896
                                                          • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                          • Instruction ID: b8bc41193b318fb617d5d02b31faac4696eeee92da9b9e2ccd1e92d08305916a
                                                          • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                          • Instruction Fuzzy Hash: 74415C27B08B4199E710CFB8E4501ED33B1FB88788B445226EF4D27A59EF38D556C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::atol
                                                          • String ID: `template-parameter$void
                                                          • API String ID: 2130343216-4057429177
                                                          • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                          • Instruction ID: 712c35853cca7ca69013686aa1371969bc953e1757353c9696879c335072c55b
                                                          • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                          • Instruction Fuzzy Hash: 66412822B08B96C8FB149BA8D8912EC23B1BB097C8F546176DF0D17A69DF7DA505C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                          • API String ID: 2943138195-2211150622
                                                          • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                          • Instruction ID: 038db81f392ab2f40e182af45a036e37b12ea7ae3fc8b809eefd9d80348e5e14
                                                          • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                          • Instruction Fuzzy Hash: FD415A72A08B8AC8FB228F68EC802AC37A0BB09788F449171DF4D17764DF7DA544C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: char $int $long $short $unsigned
                                                          • API String ID: 2943138195-3894466517
                                                          • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                          • Instruction ID: a018c58dd5cf36ccad3e2d9a19771e528a7dbeadb6358261d56c62b3f349e681
                                                          • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                          • Instruction Fuzzy Hash: 7A413832E18A56C9EB268FACE8841BC37B1BB09784F549175DF0C56B68DF3DA648C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 3009415009-0
                                                          • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                          • Instruction ID: 17ee58b6771b4e9e580d753d5004a0e409d2b50b0de1cef8731e69947c02965c
                                                          • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                          • Instruction Fuzzy Hash: 8CE16A62B09B8685FB11DBA9D4406AD2B71FB48BD8F904136DF9D27B99DF38D44AC300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dunscale$_errno
                                                          • String ID:
                                                          • API String ID: 2900277114-0
                                                          • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                          • Instruction ID: 4e08b6dbb27015eec03edf5e4bcc425525fab704b9cb6d2bda0703aa1745dbe9
                                                          • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                          • Instruction Fuzzy Hash: 4BA1BF32A0864B9AEF10DEAE85901BD7761FF593D8F544230EB4A135D6EF3DB0969700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dunscale$_errno
                                                          • String ID:
                                                          • API String ID: 2900277114-0
                                                          • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                          • Instruction ID: 6e51b81a3e6a3406e496a36ccd29fb47cf5f3b0f4186e7168e33fde94d84f3f5
                                                          • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                          • Instruction Fuzzy Hash: 8AA1D227D18E8A86E711DEB885601BE2362FF567D9F505235EB4E2B595EF3CF0928300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                          • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                          • API String ID: 2665656946-1215215629
                                                          • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                          • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                          • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                          • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: fgetc
                                                          • String ID:
                                                          • API String ID: 2807381905-0
                                                          • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                          • Instruction ID: 0a78db0217b8e989d0fa6a5560febb6824e1dcd61a9d24f61b34d000f57c7b53
                                                          • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                          • Instruction Fuzzy Hash: 1C915937605A85C8EB10CFA9C4943AC3BA1FB48B98F951632EB5E87B99DF39D454C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3490103321-0
                                                          • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                          • Instruction ID: c0bfb771e0ad98e759beaf44a788988a885c697bd9cbd745e6ba43d5361510ed
                                                          • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                          • Instruction Fuzzy Hash: 1E61D422B1CA4286E711EFA9E4915BE6760FB957C4F504136EF4E23A95DF3CF44A8B00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3490103321-0
                                                          • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                          • Instruction ID: 8f5fd9218c7296f616ec292c2d07795ba6051099de7b488ecf1c92b0240938bb
                                                          • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                          • Instruction Fuzzy Hash: 0461F526B1CA4286E711DEE9E4A05BEA720FB853C4F504532EF4E17699DF7CF5498B00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2016347663-0
                                                          • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                          • Instruction ID: 04263b2e46b49895af60d6800e023b60604e1fdd706f008f6a8ce1ce2a04599d
                                                          • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                          • Instruction Fuzzy Hash: F641076571874991EE149B9AE5082AD7B51EB08FE0F944732DF6D0BBD9DE3CE041D300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHandle$CloseCreateInformation
                                                          • String ID:
                                                          • API String ID: 1240749428-0
                                                          • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                          • Instruction ID: ffbf43468b088ff00b3a4f4465b64b1258f63d5daba2eef2371b5559fa1a6759
                                                          • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                          • Instruction Fuzzy Hash: 3741C332F086418AF760CFB8E8507BE3BB0AB487A8F415735DE5C42A94DF38E5958740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                          • String ID:
                                                          • API String ID: 3741236498-0
                                                          • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                          • Instruction ID: 5bef1a064aed80a8f28baf6c0608df276b61c1e4e8cbf435fb1aefcdb8574a70
                                                          • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                          • Instruction Fuzzy Hash: AD31F622B197D180EB15DF2AA804569B3A4FF09FD4B595676EF2D03390EE3EE442C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                          • String ID:
                                                          • API String ID: 2153537742-0
                                                          • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                          • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                          • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                          • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                          APIs
                                                          • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB22F59
                                                          • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB22F6B
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB22F7A
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB22FE0
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB22FEE
                                                          • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF8BFB25F96), ref: 00007FF8BFB23001
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                          • String ID:
                                                          • API String ID: 490008815-0
                                                          • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                          • Instruction ID: c7a66b375dfee062c9b206f9be3334e8b9864d4fed3a5bc1dffee3a9b7d062d5
                                                          • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                          • Instruction Fuzzy Hash: 69212A22D18B8583E7018F79D50527837A0FBA9B88F15A224CF9C16226EF39E6E5C350
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$FileUnmapView
                                                          • String ID:
                                                          • API String ID: 260491571-0
                                                          • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                          • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                          • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                          • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 2889003569-2084237596
                                                          • Opcode ID: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                          • Instruction ID: fd835f911e5e7341da8ec9a6b3cbcbdcf26b506c2089a67c8bdfbcb59b576687
                                                          • Opcode Fuzzy Hash: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                          • Instruction Fuzzy Hash: 20917C73B08B928AE7118F69E8802AD7BA0FF54788F10812AEB4D17B55DF38D195CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 2889003569-2084237596
                                                          • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                          • Instruction ID: 0fa13c0fcad4a9e340d2b055a3ea3a293e1e9433891be5e68edb326bbc03c0b9
                                                          • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                          • Instruction Fuzzy Hash: 7C919D73A087818AE750CB69E8802ED7BA0FB447C8F14516AEF8D57B59DF39E195CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                          • API String ID: 2943138195-757766384
                                                          • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                          • Instruction ID: b5588483874c2d8ef9f0391d9d7008e4dedade09e45e2d4ca0b12decc1d827ed
                                                          • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                          • Instruction Fuzzy Hash: E6717D71A0CB86C8EB248F5DD9801BC66A0BB167C0F4495B9DF4D07A68DFBEE251C300
                                                          APIs
                                                          • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                          • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                          • API String ID: 3207467095-2931640462
                                                          • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                          • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                          • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                          • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 2889003569-2084237596
                                                          • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                          • Instruction ID: e2d2553951cdb8a202595983ec623fdf2ed9c622b8aa6ae544373d099d10b40b
                                                          • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                          • Instruction Fuzzy Hash: E7613576A08A858AEB24CF69D4803ED77A0FB48BC8F146266EF5D13B58DF39E155C700
                                                          APIs
                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB59122), ref: 00007FF8BFB59CFA
                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB59122), ref: 00007FF8BFB59D0B
                                                          • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB59122), ref: 00007FF8BFB59D64
                                                          • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB59122), ref: 00007FF8BFB59E14
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: isspace$isalnumisxdigit
                                                          • String ID: (
                                                          • API String ID: 3355161242-3887548279
                                                          • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                          • Instruction ID: 96cabfd5a2abf17de6dba11bec7added5f7507187df680a2d8296366e22b3a87
                                                          • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                          • Instruction Fuzzy Hash: DF41D757E0C1D256FF214FB9A9B13F56B929F22BC4F089030CB9807196DE1EF80A8710
                                                          APIs
                                                          • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB5B212), ref: 00007FF8BFB5BBFE
                                                          • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB5B212), ref: 00007FF8BFB5BC0F
                                                          • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB5B212), ref: 00007FF8BFB5BC76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswspace$iswxdigit
                                                          • String ID: (
                                                          • API String ID: 3812816871-3887548279
                                                          • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                          • Instruction ID: 51c4b1d879737c5ae093715237b4a4f59c6fdcc20b2e6d59357111a79fdd4382
                                                          • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                          • Instruction Fuzzy Hash: 36518066E0855385EB689BAAD9213F973A1EF20BC4F49C031EB99464D4EFBDF841C310
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8BFB3A22C), ref: 00007FF8BFB43A25
                                                            • Part of subcall function 00007FF8BFB2B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7BF
                                                            • Part of subcall function 00007FF8BFB2B794: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7DB
                                                          • _Getvals.LIBCPMT ref: 00007FF8BFB43A61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 3031888307-3573081731
                                                          • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                          • Instruction ID: 26966acdd7391f42bc6568052686113f2e39eea9ef47461dc9b12e36dbf11ab6
                                                          • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                          • Instruction Fuzzy Hash: 3841AB73A08B8297E724CF6A969056E7BA0FB44781B0C4235DB8943E21DF78F572DB00
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8BFB43CE2
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB43D5B
                                                          • _Maklocstr.LIBCPMT ref: 00007FF8BFB43D71
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          • API String ID: 309754672-2658103896
                                                          • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                          • Instruction ID: 727793036b58ff557af6c1e0c002e12d95f505c5953dcb7416af09259f868101
                                                          • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                          • Instruction Fuzzy Hash: 14416627B18B459AE710CFB4E4501ED33B0FB88788B445126EF4E27A59EF38D5A9C790
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                          • Instruction ID: d8ed891481f534827decb21ab24c185fc72bde29113a9d5b0f2ca445a3bbfe0d
                                                          • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                          • Instruction Fuzzy Hash: B021DE62A1868692EB14DBA9E6403BD6B60FF547C4FD40032E75D47AA6DF3CE1A5C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                          • Instruction ID: 7dfecc498af83a6d197262d7b8b03767a160b7e5275da43d9b3d2bd461d45453
                                                          • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                          • Instruction Fuzzy Hash: 1AF0AD62A1850A96EB18D798D8816F92B21FB907C4FE44436D30E0A9A6EF3DE14AC740
                                                          APIs
                                                          • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                          • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                          • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                          • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                          • String ID:
                                                          • API String ID: 3275830057-0
                                                          • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                          • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                          • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                          • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: fgetwc
                                                          • String ID:
                                                          • API String ID: 2948136663-0
                                                          • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                          • Instruction ID: 87dd367b8f45d476d693a5669d16682d0a5f7902891395e50c71f4771dcde0b7
                                                          • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                          • Instruction Fuzzy Hash: B3814977645A81C8EB64CFA9C0903AC33A1FB48B88F951636EB4E47B99DF3AD454C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2665656946-0
                                                          • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                          • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                          • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                          • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                          APIs
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2B9D3
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2B9E1
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BA1A
                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BA24
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BFB51347), ref: 00007FF8BFB2BA32
                                                            • Part of subcall function 00007FF8BFB725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25AF8), ref: 00007FF8BFB725C6
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID:
                                                          • API String ID: 3042321802-0
                                                          • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                          • Instruction ID: 8681831fdeba2c41cb8aa2f6e8c5bd3bb804a29378396e8b4eb966c82987f891
                                                          • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                          • Instruction Fuzzy Hash: EB31C921B18A8681EE149F9AE5043BE7B51FB05BD0F988535DF5D0BB96DE7CE0818300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::$Name::operator+
                                                          • String ID:
                                                          • API String ID: 826178784-0
                                                          • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                          • Instruction ID: f77950c7affc77bb613fedd65c22b0f91cc2f08a575658af3b83bce2cefdb59f
                                                          • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                          • Instruction Fuzzy Hash: 74414A22A08A56DCEB10CF69E8901BC33A4BB56BC4B5490B2EF5D13795DF3EE959C300
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB32160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF8BFB24C3E,?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB3216F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24C47
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24C5B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24C6F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24C83
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24C97
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25B5B), ref: 00007FF8BFB24CAB
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: free$setlocale
                                                          • String ID:
                                                          • API String ID: 294139027-0
                                                          • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                          • Instruction ID: 3c4862dec1333418d8904db59a98fdc745f75dd61334e05039a92014c1b4a39f
                                                          • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                          • Instruction Fuzzy Hash: 1611F322A16A4585FB1A9FEDC0A573D27A1EF48F88F181535CB0A09959CF6DA8D4D380
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: __acrt_iob_func$abortfputcfputs
                                                          • String ID:
                                                          • API String ID: 2697642930-0
                                                          • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                          • Instruction ID: 7e75bf3932e2a1e431270670266cc97d5c2e0790771320e0a4e3e1ba1edff0e7
                                                          • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                          • Instruction Fuzzy Hash: BBE0ECA8A1864286F7086BE9EC59B386B279F48BD2F242038CB1F46364CE2C64884311
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                          • String ID: %.0Lf$0123456789-
                                                          • API String ID: 4032823789-3094241602
                                                          • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                          • Instruction ID: 42b456a465bb72099fc3042edafc68ff98740212a71430332f356750a7bc8cde
                                                          • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                          • Instruction Fuzzy Hash: C1716862B19B5689EB00CFA9D9552AC3771EB48FC8F404036DF5D17BA8DE38D45AC340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                          • String ID: 0123456789-
                                                          • API String ID: 2457263114-3850129594
                                                          • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                          • Instruction ID: 79159051a11562d5d53ca202b18b922448b1b8a4d0093a7efe89d1ca06593939
                                                          • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                          • Instruction Fuzzy Hash: AD716D22B19B8589FB11CBA9D4602AC7B71EB59BD8F440139DF5D17BA9CE3CE45AC300
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn
                                                          • String ID: gfffffff$gfffffff
                                                          • API String ID: 3668304517-161084747
                                                          • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                          • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                          • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                          • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          • API String ID: 1248405305-1402515088
                                                          • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                          • Instruction ID: 8d2a92a19d1d6545fdc8b1fff363d6c8d2c51fed6772a5ed6835311cf6e40a83
                                                          • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                          • Instruction Fuzzy Hash: 33618022B08B8585EB01DBBAE8502AD7771EB49BD4F544135EF8D27B69DE3CE046C300
                                                          APIs
                                                            • Part of subcall function 00007FF8B984349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF8B9841222), ref: 00007FF8B98434DC
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B984222F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          Similarity
                                                          • API ID: abort
                                                          • String ID: $csm$csm
                                                          • API String ID: 4206212132-1512788406
                                                          • Opcode ID: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                          • Instruction ID: e8e679692a7030b95b33a17a3a797556bf9d2c2c3f8c9b286bd3a399cf702468
                                                          • Opcode Fuzzy Hash: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                          • Instruction Fuzzy Hash: 5D718C32A0C6D286DB618F2994507B9BBA0EF05BD9F148136DF4C5BB99DB3CE491CB00
                                                          APIs
                                                            • Part of subcall function 00007FF8BA4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA4F239E), ref: 00007FF8BA4F671E
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA4F41C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          Similarity
                                                          • API ID: abort
                                                          • String ID: $csm$csm
                                                          • API String ID: 4206212132-1512788406
                                                          • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                          • Instruction ID: 15dfb630bfac97b1b940e7b7a43d05d1cccc7f2ecdaea4aa0c8181246838aaa6
                                                          • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                          • Instruction Fuzzy Hash: C271AD36A086818ADB608F2994847BD7BA0FB45BC9F04A576DF8C47A89CF3DE491C741
                                                          APIs
                                                            • Part of subcall function 00007FF8BA4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA4F239E), ref: 00007FF8BA4F671E
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA4F3F13
                                                          • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BA4F3F23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          Similarity
                                                          • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                          • String ID: csm$csm
                                                          • API String ID: 4108983575-3733052814
                                                          • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                          • Instruction ID: 330db02e097b43fb1db3d00d0d80c30dfc64ba76df10671c727825188da7642d
                                                          • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                          • Instruction Fuzzy Hash: 3A517F329086828AEB748F1994842A877A0FB54BD5F146176EF9D47BD5CF3EF590C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: Exception$RaiseThrowabort
                                                          • String ID: csm
                                                          • API String ID: 3758033050-1018135373
                                                          • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                          • Instruction ID: 81fc02f339d34b262ca473707a6fd2e9e4c68dde998f83d69f88ac4d1304b3a3
                                                          • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                          • Instruction Fuzzy Hash: EC515A23904BC586EB21CF68C8502AC37A0FB58B98F559326DB5D47BA6DF39E6D5C300
                                                          APIs
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8BFB2F8D4
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8BFB2F8E6
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8BFB2F96B
                                                            • Part of subcall function 00007FF8BFB24D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D72
                                                            • Part of subcall function 00007FF8BFB24D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D98
                                                            • Part of subcall function 00007FF8BFB24D50: memmove.VCRUNTIME140(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24DB0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: setlocale$freemallocmemmove
                                                          • String ID: bad locale name
                                                          • API String ID: 4085402405-1405518554
                                                          • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                          • Instruction ID: 4478a4e15f780b96b801b7d41f637cc9932e7b85045c4c5e7f0e6bd611486fe7
                                                          • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                          • Instruction Fuzzy Hash: 3231D7A2F0864281FB55CB9EE44017EAB91EF84BC0F988036DB5D4B799DE3CE8819340
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8BFB3A07C), ref: 00007FF8BFB438E1
                                                            • Part of subcall function 00007FF8BFB2B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7BF
                                                            • Part of subcall function 00007FF8BFB2B794: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7DB
                                                            • Part of subcall function 00007FF8BFB367B0: _Maklocstr.LIBCPMT ref: 00007FF8BFB367E0
                                                            • Part of subcall function 00007FF8BFB367B0: _Maklocstr.LIBCPMT ref: 00007FF8BFB367FF
                                                            • Part of subcall function 00007FF8BFB367B0: _Maklocstr.LIBCPMT ref: 00007FF8BFB3681E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 2504686060-3573081731
                                                          • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                          • Instruction ID: 2c7f07036e38b71b6a2ab55944594550f65bd31ce4e023ffbf1755202c88330f
                                                          • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                          • Instruction Fuzzy Hash: 5541BF73A08B8297E724CF69D69056D7BA1FB84781B084235DB8A83A11DF78F576DB00
                                                          APIs
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FF8BFB52278), ref: 00007FF8BFB5434D
                                                            • Part of subcall function 00007FF8BFB2B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7BF
                                                            • Part of subcall function 00007FF8BFB2B794: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB51347,?,?,?,?,?,?,?,?,?,00007FF8BFB5243E), ref: 00007FF8BFB2B7DB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 462457024-3573081731
                                                          • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                          • Instruction ID: 4b52aa501a4b5703dc9b470a83dbe8762f8e6f54d4d2dfd0d2ebcc0adc6e2b5e
                                                          • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                          • Instruction Fuzzy Hash: B641AF72A08B8297E728CF69D5A156E7BA0FB84B81B044235DB8943E11DF3CF572CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::
                                                          • String ID: %lf
                                                          • API String ID: 1333004437-2891890143
                                                          • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                          • Instruction ID: ffa2314b883020d3031e77d32de97594abb5dcfff64032f2cca3e7f4aa6ace14
                                                          • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                          • Instruction Fuzzy Hash: 6B31923290C68585EB30CB28F8502BA73A4FB85BC4F4491B1EF9E47655CF3DD6058740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileFindNext$wcscpy_s
                                                          • String ID: .
                                                          • API String ID: 544952861-248832578
                                                          • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                          • Instruction ID: a6d12ca8f1df53e283fb20f8d2db402538870c0c73086efc02e17d15d387cdc9
                                                          • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                          • Instruction Fuzzy Hash: 0C21D862A0C68182FB709F99E8043BEB7A4EB49BC4F844131DB8D43684DF3CE445CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set
                                                          • API String ID: 1099746521-3882152299
                                                          • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                          • Instruction ID: 6b8e96d881e9fe0f8ccfb2f2efe61e870d665228f71c1702109f932a7a15115b
                                                          • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                          • Instruction Fuzzy Hash: E901D662E2D64691FB18E6ADD8415BD1B13EF907C4FA8813AD70E06D9ADE3DE5068340
                                                          APIs
                                                            • Part of subcall function 00007FF8B984349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF8B9841222), ref: 00007FF8B98434DC
                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B98412A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 661698970-2671469338
                                                          • Opcode ID: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                          • Instruction ID: 23f1cf7f9d3d0154378579ed290f924fe44f0b404890fef70b24ceb5f80430dc
                                                          • Opcode Fuzzy Hash: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                          • Instruction Fuzzy Hash: 5AF06236A18697C2EB51AF29E6851AC37A4EF58BC8F099131D74897352CF3CD890CB41
                                                          APIs
                                                            • Part of subcall function 00007FF8BA4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA4F239E), ref: 00007FF8BA4F671E
                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA4F243E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 661698970-2671469338
                                                          • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                          • Instruction ID: f07654fe1d3e8353e175badaeae75100a0d1cbb6da06d7e055d70da04cb0cff4
                                                          • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                          • Instruction Fuzzy Hash: BBF06236918687C2EB505F69E18106D76B5FF48B84F1960B2DF5C07252CF7DE490CB41
                                                          APIs
                                                          • __C_specific_handler.LIBVCRUNTIME ref: 00007FF8BA4FE9F0
                                                            • Part of subcall function 00007FF8BA4FEC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA4FECF0
                                                            • Part of subcall function 00007FF8BA4FEC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA4FE9F5), ref: 00007FF8BA4FED3F
                                                            • Part of subcall function 00007FF8BA4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA4F239E), ref: 00007FF8BA4F671E
                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA4FEA1A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                          • String ID: csm$f
                                                          • API String ID: 2451123448-629598281
                                                          • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                          • Instruction ID: a245af8ca6d3cda1382c0915f5c457deca1991276954f3cc98087a4ce9287516
                                                          • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                          • Instruction Fuzzy Hash: 49E09B35D1C38281E7256BA5B28213D66E5FF15BD5F14A0B7DF4C07647CE7EE4908601
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                          • Instruction ID: 7768a3de1839547477a1cefd9133439411ded4fa02fcd70c23279d5b99e94bad
                                                          • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                          • Instruction Fuzzy Hash: 04918F22E0879689FB618BA8D8503FC3BB0BB05788F54A0B5DF4D176A6DF7DA945C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$NameName::
                                                          • String ID:
                                                          • API String ID: 168861036-0
                                                          • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                          • Instruction ID: 9cffca1515fbeb45e18573e1b229e05782763366cefbfcb11a126b2938b2de80
                                                          • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                          • Instruction Fuzzy Hash: 76515872A1865688EB21CF68E8803BD37A0BB45788F54A071DF0E07B95DF7EE549C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
                                                          • String ID:
                                                          • API String ID: 3533975685-0
                                                          • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                          • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                          • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                          • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                          APIs
                                                          • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8BFB367E5), ref: 00007FF8BFB36EA1
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8BFB367E5), ref: 00007FF8BFB36EF2
                                                          • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8BFB367E5), ref: 00007FF8BFB36EFC
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8BFB36F3D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2016347663-0
                                                          • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                          • Instruction ID: c8106f359c1fa27d8c1d7431867058ba402e25cc02af09c93b6f18fa2f237dbf
                                                          • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                          • Instruction Fuzzy Hash: F2411222B8865691EE14DB9AE10457E6356EB08BE4F584639EF7D0BBD8EE3CE045C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2016347663-0
                                                          • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                          • Instruction ID: c7ad759410726c752970d322fbc397fe6cb6dbcaf5cc8868aa2fae2777428618
                                                          • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                          • Instruction Fuzzy Hash: B031F361B0864A81EE149F9EE54426DA765EF04BE4F944231DF7D0BBE5DE7CE0419300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_movx$Xp_setw_errnoldexpmemmove
                                                          • String ID:
                                                          • API String ID: 2295688418-0
                                                          • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                          • Instruction ID: 3e5deb067eb3148069d87ff9af275f7ca204c39204c425831b873760dfb247b5
                                                          • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                          • Instruction Fuzzy Hash: 8541D522A1CA8786F7519BAE90512BA7360FF887C0F544631EB8D137A6DF3CF9058B40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                          • String ID:
                                                          • API String ID: 2234106055-0
                                                          • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                          • Instruction ID: bdd17c6c417aa37381d7b6ff104b1af611cfa2eaf1ac9e1916cb55882fe3b5ea
                                                          • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                          • Instruction Fuzzy Hash: E3319123A0C78182F7219B9AA85427DAFA1EB90BD2F5C4035DF8A47B99DE3CE455C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                          • String ID:
                                                          • API String ID: 3857474680-0
                                                          • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                          • Instruction ID: 9e5d8087e0307e0a16c16b5d69904182804294cfaf5b1a5c0243a52c6b3bfa92
                                                          • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                          • Instruction Fuzzy Hash: A331D323A0C64182F7114B59945437EAF91EB94BD1F5C4035DB8D07799DE2CE895CB20
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                          • Instruction ID: 6117543a8d1b338a056ac23febee25351e34b3accb3daf7a39f90397053c6193
                                                          • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                          • Instruction Fuzzy Hash: 6E416372A08B858AFB01CFA8E8813AC37A0FB48B88F549065EF8D57759DF7D9541C300
                                                          APIs
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FF8BFB4E921), ref: 00007FF8BFB5AFB7
                                                          • memmove.VCRUNTIME140(?,00000000,?,?,?,00007FF8BFB4E921), ref: 00007FF8BFB5AFDB
                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8BFB4E921), ref: 00007FF8BFB5AFE8
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8BFB4E921), ref: 00007FF8BFB5B05B
                                                            • Part of subcall function 00007FF8BFB22E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BFB22E5A
                                                            • Part of subcall function 00007FF8BFB22E30: LCMapStringEx.KERNEL32 ref: 00007FF8BFB22E9E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
                                                          • String ID:
                                                          • API String ID: 1076354707-0
                                                          • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                          • Instruction ID: eb73523784b956cf81a6022f50097c7a8fa23a708fc0857d2cf2ac25e826d3b4
                                                          • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                          • Instruction Fuzzy Hash: E321F661B18BD285EA209F5AA41097AAB94FB45FE4F584235DF7D17BE4DF3CE4428300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _wfsopen$fclosefseek
                                                          • String ID:
                                                          • API String ID: 1261181034-0
                                                          • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                          • Instruction ID: 8afe1bf30aee8a8d058b0e91c682d8f4219691dd9f5c514c6a5181da34bf8e44
                                                          • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                          • Instruction Fuzzy Hash: C531D525B1864542FB69CB5EA844A7EAB95EF84FC4F885534CF0E43B94DE3CE8418740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _fsopen$fclosefseek
                                                          • String ID:
                                                          • API String ID: 410343947-0
                                                          • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                          • Instruction ID: c486932a5d951716822c1cc0331ee9459a0fe0209460a2d0634753abc84f04fd
                                                          • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                          • Instruction Fuzzy Hash: F331C329B2874541FB688B9AA459A7DAB96EF84FC4F885134CF0E43790DE3CE941C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                          • String ID:
                                                          • API String ID: 4174221723-0
                                                          • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                          • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                          • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                          • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                          APIs
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8BFB5576B), ref: 00007FF8BFB5A604
                                                          • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8BFB5576B), ref: 00007FF8BFB5A60E
                                                            • Part of subcall function 00007FF8BFB226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BFB22728
                                                            • Part of subcall function 00007FF8BFB226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BFB2274E
                                                            • Part of subcall function 00007FF8BFB226E0: GetCPInfo.KERNEL32 ref: 00007FF8BFB22792
                                                          • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FF8BFB5576B), ref: 00007FF8BFB5A631
                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF8BFB5576B), ref: 00007FF8BFB5A66F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                          • String ID:
                                                          • API String ID: 3421985146-0
                                                          • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                          • Instruction ID: 7200b45d5dea21dedccc4d93341b0eb6ae2c6bc681b77e5b28b9e1b6324338f4
                                                          • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                          • Instruction Fuzzy Hash: AB215032A0878286EB508F6A9950129FB99FB84FD4B554136DB5D67794CF3CE8018700
                                                          APIs
                                                          • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                          • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                          • API String ID: 1351999747-1487749591
                                                          • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                          • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                          • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                          • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                          APIs
                                                          • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                          • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                          • String ID:
                                                          • API String ID: 3203701943-0
                                                          • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                          • Instruction ID: 26dd2d3b4aecc14dc41abcb65cdf39ef4a8447b43b0b37bace79654a30555d7e
                                                          • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                          • Instruction Fuzzy Hash: AF0104A2E14B9586EF058FBED804428BBA0FB58BC8B18D235DB5E87314DB3CD1C28700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$FormatFreeLocalMessage
                                                          • String ID: unknown error
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID: MOC$RCC$csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                          • String ID: 0123456789-
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: rand_s
                                                          • String ID: invalid random_device value
                                                          APIs
                                                            • Part of subcall function 00007FF8B984349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF8B9841222), ref: 00007FF8B98434DC
                                                          • _CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8B9842666
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B98426C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          Similarity
                                                          • API ID: abort$CreateFrameInfo
                                                          • String ID: csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          Similarity
                                                          • API ID: abort$CreateFrameInfo
                                                          • String ID: csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                          • String ID: !%x
                                                          APIs
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8BFB23305
                                                            • Part of subcall function 00007FF8BFB725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB25AF8), ref: 00007FF8BFB725C6
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB257FA,?,?,?,00007FF8BFB24438), ref: 00007FF8BFB232FE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID: ios_base::failbit set
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: void$void
                                                          APIs
                                                            • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF8BFB2C744), ref: 00007FF8BFB2F1D4
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B0
                                                            • Part of subcall function 00007FF8BFB5B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0B8
                                                            • Part of subcall function 00007FF8BFB5B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0C1
                                                            • Part of subcall function 00007FF8BFB5B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8BFB26093), ref: 00007FF8BFB5B0DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          Similarity
                                                          • API ID: FileHeader$ExceptionRaise
                                                          • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                          • API String ID: 3685223789-3176238549
                                                          • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                          • Instruction ID: b28a162a6dc1716958e671cf52358c791136c53167b57ea4750c0721ae034884
                                                          • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                          • Instruction Fuzzy Hash: 23015E61A2DA86D2EE50DB5CE890178A320FF907C4F806471EF4E076A9EF7DE504C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                          • Instruction ID: 086b239ad3a8a08452528902ff266c72ade6026d6490051f74debf6586ef2b55
                                                          • Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                          • Instruction Fuzzy Hash: FD111932608B8682EA218F19F54026977A0FF88BC4F584231DB8D07754DF3CD955C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                          • Instruction ID: 824b6b956589b0f35db6f655c91f02f1497a1854502559e3d88e4f99d40fcd18
                                                          • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                          • Instruction Fuzzy Hash: 21114F32618B8182EB618F19F840269B7A5FB88BC4F685271EF8D07768EF3DD951C700
                                                          APIs
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8BFB2633D
                                                            • Part of subcall function 00007FF8BFB24D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D72
                                                            • Part of subcall function 00007FF8BFB24D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D98
                                                            • Part of subcall function 00007FF8BFB24D50: memmove.VCRUNTIME140(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24DB0
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB2635A
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8BFB26365
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getmonthsmallocmemmove
                                                          • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                          • API String ID: 794196016-4232081075
                                                          • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                          • Instruction ID: 523c6732eaaa59db7a9946104bd2b43d44bedc0a3acae300df304dac83a4fa2a
                                                          • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                          • Instruction Fuzzy Hash: 36E03921A15B4292EE009B9AF58436967A0EB18BC0F881034DB1E02755DF3CE4E4C740
                                                          APIs
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8BFB262CD
                                                            • Part of subcall function 00007FF8BFB24D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D72
                                                            • Part of subcall function 00007FF8BFB24D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24D98
                                                            • Part of subcall function 00007FF8BFB24D50: memmove.VCRUNTIME140(?,?,?,00007FF8BFB32124,?,?,?,00007FF8BFB243DB,?,?,?,00007FF8BFB25B31), ref: 00007FF8BFB24DB0
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB262EA
                                                          Strings
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8BFB262F5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getdaysmallocmemmove
                                                          • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 2126063425-3283725177
                                                          • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                          • Instruction ID: 076962a967454bb93f51f19154681fcd254494fdcb824743e3c39ca80ebde0e3
                                                          • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                          • Instruction Fuzzy Hash: F2E01221B14B8292EE049B96F594769A7A0FF48BC0F949434DB2D07755EF3CE4E4C700
                                                          APIs
                                                          • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8BFB26A3D
                                                            • Part of subcall function 00007FF8BFB24DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24DF9
                                                            • Part of subcall function 00007FF8BFB24DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E28
                                                            • Part of subcall function 00007FF8BFB24DD0: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E3F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB26A5A
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8BFB26A65
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getmonthsmallocmemmove
                                                          • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                          • API String ID: 794196016-2030377133
                                                          • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                          • Instruction ID: d4c06feffd1ebcfb545dfa8cc41cfefbb20770665ec86d77e358e2daa7fc4ae3
                                                          • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                          • Instruction Fuzzy Hash: A7E03222A18B4292EA409B8AF58426967A0FB48BC0F886034DB0E02B51EF3CE4A48300
                                                          APIs
                                                          • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8BFB269ED
                                                            • Part of subcall function 00007FF8BFB24DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24DF9
                                                            • Part of subcall function 00007FF8BFB24DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E28
                                                            • Part of subcall function 00007FF8BFB24DD0: memmove.VCRUNTIME140(?,?,00000000,00007FF8BFB36AB5,?,?,?,?,?,?,?,?,?,00007FF8BFB3A96E), ref: 00007FF8BFB24E3F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB26A0A
                                                          Strings
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8BFB26A15
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getdaysmallocmemmove
                                                          • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 2126063425-3283725177
                                                          • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                          • Instruction ID: d3c599cf087ab5120a613aec94486fd2f0db3b9d7cbbb58921f34dfc73cbaa20
                                                          • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                          • Instruction Fuzzy Hash: 51E06522B18B8292EE109B8AF98436967A0EF48BD0F985034DB0E03B55DF3CE4E48700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow
                                                          • String ID:
                                                          • API String ID: 432778473-0
                                                          • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                          • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                          • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                          • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2232604615.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000B.00000002.2232586886.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232625238.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232647507.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000B.00000002.2232684094.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2822070131-0
                                                          • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                          • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                          • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                          • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00007FF8B984329D,?,?,?,?,00007FF8B984411A,?,?,?,?,?), ref: 00007FF8B98433FB
                                                          • SetLastError.KERNEL32(?,?,?,00007FF8B984329D,?,?,?,?,00007FF8B984411A,?,?,?,?,?), ref: 00007FF8B9843483
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233318861.00007FF8B9841000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233285631.00007FF8B9840000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233337532.00007FF8B9845000.00000002.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233357698.00007FF8B9848000.00000004.00000001.01000000.0000000B.sdmp
                                                          • Associated: 0000000B.00000002.2233378302.00007FF8B9849000.00000002.00000001.01000000.0000000B.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8b9840000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          • Opcode ID: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                          • Instruction ID: ebac281514c129be9fc089e0836e80a86dbd0f97c369875f31ff55f87d1c4c0d
                                                          • Opcode Fuzzy Hash: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                          • Instruction Fuzzy Hash: 89117C64F1979393FA199F2DB90017822A1AF59BE0F08463ADB6E433D4EF3CA8018650
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00007FF8BA4F65B9,?,?,?,?,00007FF8BA4FFB22,?,?,?,?,?), ref: 00007FF8BA4F674B
                                                          • SetLastError.KERNEL32(?,?,?,00007FF8BA4F65B9,?,?,?,?,00007FF8BA4FFB22,?,?,?,?,?), ref: 00007FF8BA4F67D4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233417531.00007FF8BA4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BA4F0000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233401002.00007FF8BA4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233440751.00007FF8BA501000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233474968.00007FF8BA506000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000B.00000002.2233497658.00007FF8BA507000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8ba4f0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                          • Instruction ID: cdb93d060e9afad4fcf753a90e5b41fd0b274c2f138d791f748d88dfc6827e8a
                                                          • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                          • Instruction Fuzzy Hash: 78117F24E0D292C2FA248B69AC54234A2D2BF49BE0F1456B5DF6E077E5DE7DF8418700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                          • Instruction ID: 6af5be5eb4d4059c965a13af39c4b4cf51fc42491159f078f8445aa6126e86ea
                                                          • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                          • Instruction Fuzzy Hash: 92F03726A28B4296EB449B9AE9A41287764FB88FD0F144031CB5E03B30DF2CE4A58300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                          • Instruction ID: 72b546c1e3ca401ab25b0f159f3865a32c7c8d3560e2d0c2c135fc43fee0b3a8
                                                          • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                          • Instruction Fuzzy Hash: E1F0E722B28B4296EB449B9AE9A456877A0FB88BD0F145031CB5E43B74DF6CE4A58300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                          • Instruction ID: 80304e86be243bd402acdf14b22116af5f401a82475d048cc1e187239209d82f
                                                          • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                          • Instruction Fuzzy Hash: 14F0E732A29B4296EB449B9AE9A45687760FF88BD0F545031CB5E43B70DF6CE4A58300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2233532083.00007FF8BFB21000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8BFB20000, based on PE: true
                                                          • Associated: 0000000B.00000002.2233515940.00007FF8BFB20000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233612486.00007FF8BFB75000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233646193.00007FF8BFBA3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233662959.00007FF8BFBA4000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000B.00000002.2233682973.00007FF8BFBA7000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7ff8bfb20000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                          • Instruction ID: 8e6c68f12810a62b4e42e8365a896f601f6cf252d8b2c93e2b61d8bfbeb4b43e
                                                          • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                          • Instruction Fuzzy Hash: 94E02666E25A4186FF149FAAD8A44386774FF98F99B192032CF2F46274DE68D8D58300