Windows Analysis Report
TrdIE26br9.msi

Overview

General Information

Sample name: TrdIE26br9.msi (renamed because original name is a hash value)
Original sample name: 4c7ac25ba29f5145cbe26cf5288df14d2fe0265ff72d3f82461841a7b3d8a266.msi
Analysis ID: 1581422
MD5: 84640d89ab5445b9e88e0a0be2e413be
SHA1: 9eb26f282e7fad090ccddef5b30b68041c3c7e70
SHA256: 4c7ac25ba29f5145cbe26cf5288df14d2fe0265ff72d3f82461841a7b3d8a266
Tags: ksarcftp-com, LegionLoader, msi, RobotDropper, user-johnk3r

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TrdIE26br9.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7312 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7416 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7612 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 7868 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7416, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7612, ProcessName: powershell.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7416, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7612, ProcessName: powershell.exe
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7416, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7612, ProcessName: powershell.exe
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.148.171, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7416, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7416, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7612, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T15:33:18.762395+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.148.171 | 443 | TCP

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 87.2% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E52209FF-3DAE-46C4-A504-19BF26FB4B22}
Source: unknown; HTTPS traffic detected: 172.67.148.171:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe; File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Code function: 10_2_00007FFE1A4CA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE1A4CA330

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49731 -> 172.67.148.171:443
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ksarcftp.com
Source: unknown; HTTP traffic detected:
    POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: ksarcftp.com
    Content-Length: 71
    Cache-Control: no-cache
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\608fba.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI98F1.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI99AD.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI9A2B.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI9A6B.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI9AAA.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI9ADA.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI9B0A.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIB848.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{E52209FF-3DAE-46C4-A504-19BF26FB4B22}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIC2F7.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIC317.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\608fbd.msi
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSI98F1.tmp
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameucrtbase.dllj% vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenamevcruntime140.dllT vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenamemsvcp140.dllT vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs TrdIE26br9.msi
Source: TrdIE26br9.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs TrdIE26br9.msi
Source: dvacore.dll.1.dr Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine Classification label: mal68.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe Code function: 10_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe Code function: 10_2_00007FFE1A4CA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLCCB3.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF34DCF28558319B12.TMP
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TrdIE26br9.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, pcacli.dll, mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, wldp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, pcacli.dll, mpr.dll, ntmarta.dll, cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, netapi32.dll, iphlpapi.dll, userenv.dll, samcli.dll, logoncli.dll, netutils.dll, msasn1.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, twinapi.appcore.dll, propsys.dll, windows.ui.immersive.dll, version.dll, secur32.dll, sspicli.dll, atlthunk.dll, textshaping.dll, wininet.dll, iertutil.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll, apphelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe Section loaded: apphelp.dll, dbghelp.dll, dbgcore.dll, kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_date_time.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_threads.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_filesystem.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvaunittesting.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: utest.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E52209FF-3DAE-46C4-A504-19BF26FB4B22}Jump to behavior
Source: TrdIE26br9.msiStatic file information: File size 60151249 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1869961299.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: TrdIE26br9.msi
Source: Binary string: ucrtbase.pdb source: TrdIE26br9.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: TrdIE26br9.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: TrdIE26br9.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1875456233.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: TrdIE26br9.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000000.1872768852.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1869961299.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: TrdIE26br9.msi
Source: Binary string: ucrtbase.pdbUGP source: TrdIE26br9.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: TrdIE26br9.msi, MSI98F1.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: TrdIE26br9.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000000.1872768852.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: TrdIE26br9.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: TrdIE26br9.msi, MSIC317.tmp.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: TrdIE26br9.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: TrdIE26br9.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: TrdIE26br9.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: TrdIE26br9.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: TrdIE26br9.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: TrdIE26br9.msi, MSIC317.tmp.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: TrdIE26br9.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: TrdIE26br9.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: TrdIE26br9.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: TrdIE26br9.msi
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
Source: createdump.exe.1.drStatic PE information: section name: _RDATA
Source: MSIC317.tmp.1.drStatic PE information: section name: .fptable
Source: MSI98F1.tmp.1.drStatic PE information: section name: .fptable
Source: MSI99AD.tmp.1.drStatic PE information: section name: .fptable
Source: MSI9A2B.tmp.1.drStatic PE information: section name: .fptable
Source: MSI9A6B.tmp.1.drStatic PE information: section name: .fptable
Source: MSI9AAA.tmp.1.drStatic PE information: section name: .fptable
Source: MSI9ADA.tmp.1.drStatic PE information: section name: .fptable
Source: MSI9B0A.tmp.1.drStatic PE information: section name: .fptable
Source: MSIB848.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_03755462 pushad ; retf 0007h3_2_03755469
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0375BDA2 push esp; ret 3_2_0375BDB3
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9A6B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI99AD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9AAA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9A2B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC317.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9B0A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB848.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9ADA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI98F1.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A4FC0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00007FFE1A4FC0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3912Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1406Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9ADA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9A6B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI99AD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9AAA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9A2B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC317.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9B0A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB848.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI98F1.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeAPI coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696Thread sleep count: 3912 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700Thread sleep count: 1406 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A4CA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE1A4CA330
Source: classes_nocoops.jsa.1.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: VirtualMachineError.java
Source: TrdIE26br9.msiBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.drBinary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.1.drBinary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.1.drBinary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.drBinary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF742A62ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF742A62ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF742A62984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF742A62984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF742A63074 SetUnhandledExceptionFilter,7_2_00007FF742A63074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011F24 SetUnhandledExceptionFilter,10_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A46004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A46004C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A512CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A512CDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssc3bd.ps1" -propfile "c:\users\user\appdata\local\temp\msic3ba.txt" -scriptfile "c:\users\user\appdata\local\temp\scrc3bb.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrc3bc.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: ___lc_locale_name_func,GetLocaleInfoEx,10_2_00007FFE1A4EEFC0
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF742A62DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF742A62DA0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information1
Scripting
1
Replication Through Removable Media
1
Command and Scripting Interpreter
1
Scripting
1
DLL Side-Loading
1
Disable or Modify Tools
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
11
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
1
DLL Side-Loading
1
Windows Service
1
Deobfuscate/Decode Files or Information
LSASS Memory11
Peripheral Device Discovery
Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
Windows Service
11
Process Injection
2
Obfuscated Files or Information
Security Account Manager1
File and Directory Discovery
SMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Timestomp
NTDS24
System Information Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets111
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
File Deletion
Cached Domain Credentials1
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
Masquerading
DCSync121
Virtualization/Sandbox Evasion
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job121
Virtualization/Sandbox Evasion
Proc Filesystem1
Application Window Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
Process Injection
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph
ID: 1581422 | Sample: TrdIE26br9.msi | Startdate: 27/12/2024 | Architecture: WINDOWS | Score: 68

Sample-level signatures:
  • Suricata IDS alerts for network traffic
  • AI detected suspicious sample
  • Sigma detected: Suspicious Script Execution From Temp Folder
  • Sigma detected: Script Interpreter Execution From Suspicious Folder

Sample-level DNS/IP: ksarcftp.com

Process tree:
  • msiexec.exe
      dropped: C:\Windows\Installer\MSIC317.tmp, PE32
      dropped: C:\Windows\Installer\MSIB848.tmp, PE32
      dropped: C:\Windows\Installer\MSI9B0A.tmp, PE32
      dropped: 52 other files (none is malicious)
    • msiexec.exe
        DNS/IP: ksarcftp.com 172.67.148.171, 443, 49731 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\Local\...\scrC3BB.ps1, Unicode
        dropped: C:\Users\user\AppData\Local\...\pssC3BD.ps1, Unicode
        dropped: C:\Users\user\AppData\Local\...\msiC3BA.txt, Unicode
        signature: Query firmware table information (likely to detect VMs)
        signature: Bypasses PowerShell execution policy
      • powershell.exe
        • conhost.exe
    • cmd.exe
      • ImporterREDServer.exe
        • conhost.exe
      • conhost.exe
    • createdump.exe
      • conhost.exe
  • msiexec.exe

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll0%ReversingLabs
C:\Windows\Installer\MSI98F1.tmp0%ReversingLabs
C:\Windows\Installer\MSI99AD.tmp0%ReversingLabs
C:\Windows\Installer\MSI9A2B.tmp0%ReversingLabs
C:\Windows\Installer\MSI9A6B.tmp0%ReversingLabs
C:\Windows\Installer\MSI9AAA.tmp0%ReversingLabs
C:\Windows\Installer\MSI9ADA.tmp0%ReversingLabs
C:\Windows\Installer\MSI9B0A.tmp0%ReversingLabs
C:\Windows\Installer\MSIB848.tmp0%ReversingLabs
C:\Windows\Installer\MSIC317.tmp0%ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://ksarcftp.com/updater.phpx | 0% | Avira URL Cloud | safe
https://ksarcftp.com/updater.php | 0% | Avira URL Cloud | safe
https://java.oracle.com/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ksarcftp.com | 172.67.148.171 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://ksarcftp.com/updater.php | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1817880908.00000000063FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1815193666.00000000054E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1815193666.0000000005391000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1815193666.00000000054E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://go.micro | powershell.exe, 00000003.00000002.1815193666.00000000057ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000003.00000002.1817880908.00000000063FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://java.oracle.com/ | classes_nocoops.jsa.1.dr | false | Avira URL Cloud: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1817880908.00000000063FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000003.00000002.1817880908.00000000063FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1817880908.00000000063FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.mick | TrdIE26br9.msi | false | | high
    http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000A.00000002.1875456233.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | | high
    https://aka.ms/winui2/webview2download/Reload(): | TrdIE26br9.msi | false | | high
    https://ksarcftp.com/updater.phpx | TrdIE26br9.msi | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1815193666.0000000005391000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1815193666.00000000054E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                172.67.148.171 | ksarcftp.com | United States | 13335 | CLOUDFLARENETUS | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1581422
                                Start date and time:2024-12-27 15:32:15 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:TrdIE26br9.msi
                                renamed because original name is a hash value
                                Original Sample Name:4c7ac25ba29f5145cbe26cf5288df14d2fe0265ff72d3f82461841a7b3d8a266.msi
                                Detection:MAL
                                Classification:mal68.evad.winMSI@17/91@1/1
                                EGA Information:
                                • Successful, ratio: 33.3%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 14
                                • Number of non-executed functions: 197
                                Cookbook Comments:
                                • Found application associated with file extension: .msi
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target ImporterREDServer.exe, PID 7944 because there are no executed function
                                • Execution Graph export aborted for target powershell.exe, PID 7612 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • VT rate limit hit for: TrdIE26br9.msi
                                Time | Type | Description
                                09:33:19 | API Interceptor | 4x Sleep call for process: powershell.exe modified
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                172.67.148.171 | Altamareagroup Inv.xlsx | malicious | Unknown | No context
                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                  CLOUDFLARENETUS | eYAXkcBRfQ.exe | malicious | LummaC | 104.21.11.101
                                  CLOUDFLARENETUS | JpzbUfhXi0.exe | malicious | LummaC | 104.21.11.101
                                  CLOUDFLARENETUS | o0cabS0OQn.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
                                  CLOUDFLARENETUS | 738KZNfnzz.exe | malicious | LummaC | 104.21.11.101
                                  CLOUDFLARENETUS | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | 104.21.11.101
                                  CLOUDFLARENETUS | mDuCbT8LnH.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
                                  CLOUDFLARENETUS | Vq50tK1Nx2.exe | malicious | LummaC | 104.21.66.86
                                  CLOUDFLARENETUS | O53VxanH6A.exe | malicious | LummaC | 172.67.165.185
                                  CLOUDFLARENETUS | ZTM2pfyhu3.exe | malicious | LummaC | 104.21.2.51
                                  CLOUDFLARENETUS | IzDjbVdHha.exe | malicious | LummaC | 172.67.157.254
                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                  37f463bf4616ecd445d4a1937da06e19 | JA7cOAGHym.exe | malicious | Vidar | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | T4qO1i2Jav.exe | malicious | LummaC Stealer | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | EB2UOXRNsE.exe | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | gshv2.exe | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | DOTA2#U89c6#U8ddd#U63d2#U4ef6.exe | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | n5Szx8qsFB.lnk | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | InExYnlM0N.lnk | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | K9esyY0r4G.lnk | malicious | Unknown | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | vreFmptfUu.lnk | malicious | DanaBot | 172.67.148.171
                                  37f463bf4616ecd445d4a1937da06e19 | aD7D9fkpII.exe | malicious | Vidar | 172.67.148.171
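                                  Match | Associated Sample Name / URL | Detection | Threat Name
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | b8ygJBG5cb.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | E8vC8KRIp1.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 3gPZmVbozD.msi | malicious | Unknown
                                  C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown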
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):20604
                                                      Entropy (8bit):5.832477608002746
                                                      Encrypted:false
                                                      SSDEEP:384:gQShODs/ZJ37Vu0QtDCbZh2HjprczWWckcNpoIr+8adZsE9BrpXaZ5dSsukFk32v:gQShODs/ZJ37Vu0QtDCbZh2HjprczWWQ
                                                      MD5:EFBF18794AADB4BE37441F6CBD964DB1
                                                      SHA1:47AA3B9EB419757B1FF1090D9C8FF7E2B1DBB8BE
                                                      SHA-256:FF5ED5E8F0D5841803A1E3375751E0DC345D5AD15BE09C97F79684A7C756D706
                                                      SHA-512:5A1A7068B8FA78A0CE06BCB9C3E3FF9BBBBAA715A5F3EB3BCFB97EAA44EAF963CFD746FA85DCE2BE86DAA2D51C05752884B44D5E5C141B5753CD53E75658BD07
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1360
                                                      Entropy (8bit):5.413197223328133
                                                      Encrypted:false
                                                      SSDEEP:24:3UWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:EWSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                      MD5:1A8B62C28399515602DCA9C94C2B2490
                                                      SHA1:384EB5E2AFB32EC137CE02833466A20048E2A689
                                                      SHA-256:B5A234A10D8D76E65C18EA63D097512F3D53FC5739EF7A8099AC8B22FA7C9F00
                                                      SHA-512:095BD0CB3027199DDB62FFDA863673CED39884DFE0F9B9BECDF2A1CC6674D27F8AD8D0E965C1F38E4D63140F7E0DCBCA8D443E5A48E543FE0B13DA2FF2ED5CE8
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):100
                                                      Entropy (8bit):3.0073551160284637
                                                      Encrypted:false
                                                      SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                      MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                      SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                      SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                      SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                      Malicious:true
                                                      Preview:QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>> 
                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):6668
                                                      Entropy (8bit):3.5127462716425657
                                                      Encrypted:false
                                                      SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                      MD5:30C30EF2CB47E35101D13402B5661179
                                                      SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                      SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                      SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                      Malicious:true
                                                      Preview:
                                                      param(
                                                        [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                       ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                       ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                       ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                       ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                       ,[Parameter(Mandatory=$true)]
                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):254
                                                      Entropy (8bit):3.555045878547657
                                                      Encrypted:false
                                                      SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                      MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                      SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                      SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                      SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                      Malicious:true
                                                      Preview:
                                                      $oignqp = AI_GetMsiProperty "QuiteSes"
                                                      $avoijg = [uint32]($oignqp -replace 't', '')
                                                      AI_SetMsiProperty "ExtendExpire" $avoijg
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                      Category:dropped
                                                      Size (bytes):195906
                                                      Entropy (8bit):4.669224805215773
                                                      Encrypted:false
                                                      SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                      MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                      SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                      SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                      SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):310928
                                                      Entropy (8bit):6.001677789306043
                                                      Encrypted:false
                                                      SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                      MD5:147B71C906F421AC77F534821F80A0C6
                                                      SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                      SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                      SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
                                                      • Filename: b8ygJBG5cb.msi, Detection: malicious
                                                      • Filename: setup.msi, Detection: malicious
                                                      • Filename: installer.msi, Detection: malicious
                                                      • Filename: setup.msi, Detection: malicious
                                                      • Filename: setup.msi, Detection: malicious
                                                      • Filename: installer.msi, Detection: malicious
                                                      • Filename: E8vC8KRIp1.msi, Detection: malicious
                                                      • Filename: installer.msi, Detection: malicious
                                                      • Filename: 3gPZmVbozD.msi, Detection: malicious
                                                      • Filename: setup.msi, Detection: malicious
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):117496
                                                      Entropy (8bit):6.136079902481222
                                                      Encrypted:false
                                                      SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                      MD5:F67792E08586EA936EBCAE43AAB0388D
                                                      SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                      SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                      SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):506008
                                                      Entropy (8bit):6.4284173495366845
                                                      Encrypted:false
                                                      SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                      MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                      SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                      SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                      SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12224
                                                      Entropy (8bit):6.596101286914553
                                                      Encrypted:false
                                                      SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                      MD5:919E653868A3D9F0C9865941573025DF
                                                      SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                      SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                      SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12224
                                                      Entropy (8bit):6.640081558424349
                                                      Encrypted:false
                                                      SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                      MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                      SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                      SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                      SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11712
                                                      Entropy (8bit):6.6023398138369505
                                                      Encrypted:false
                                                      SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                      MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                      SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                      SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                      SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.614262942006268
                                                      Encrypted:false
                                                      SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                      MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                      SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                      SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                      SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.654155040985372
                                                      Encrypted:false
                                                      SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                      MD5:94788729C9E7B9C888F4E323A27AB548
                                                      SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                      SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                      SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):15304
                                                      Entropy (8bit):6.548897063441128
                                                      Encrypted:false
                                                      SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                      MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                      SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                      SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                      SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11712
                                                      Entropy (8bit):6.622041192039296
                                                      Encrypted:false
                                                      SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                      MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                      SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                      SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                      SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.730719514840594
                                                      Encrypted:false
                                                      SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                      MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                      SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                      SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                      SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.626458901834476
                                                      Encrypted:false
                                                      SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                      MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                      SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                      SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                      SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12232
                                                      Entropy (8bit):6.577869728469469
                                                      Encrypted:false
                                                      SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                      MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                      SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                      SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                      SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11712
                                                      Entropy (8bit):6.6496318655699795
                                                      Encrypted:false
                                                      SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                      MD5:A038716D7BBD490378B26642C0C18E94
                                                      SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                      SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                      SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12736
                                                      Entropy (8bit):6.587452239016064
                                                      Encrypted:false
                                                      SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                      MD5:D75144FCB3897425A855A270331E38C9
                                                      SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                      SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                      SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):14280
                                                      Entropy (8bit):6.658205945107734
                                                      Encrypted:false
                                                      SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                      MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                      SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                      SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                      SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12224
                                                      Entropy (8bit):6.621310788423453
                                                      Encrypted:false
                                                      SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                      MD5:808F1CB8F155E871A33D85510A360E9E
                                                      SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                      SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                      SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.7263193693903345
                                                      Encrypted:false
                                                      SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                      MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                      SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                      SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                      SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12744
                                                      Entropy (8bit):6.601327134572443
                                                      Encrypted:false
                                                      SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                      MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                      SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                      SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                      SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):14272
                                                      Entropy (8bit):6.519411559704781
                                                      Encrypted:false
                                                      SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                      MD5:E173F3AB46096482C4361378F6DCB261
                                                      SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                      SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                      SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12232
                                                      Entropy (8bit):6.659079053710614
                                                      Encrypted:false
                                                      SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                      MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                      SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                      SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                      SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11200
                                                      Entropy (8bit):6.7627840671368835
                                                      Encrypted:false
                                                      SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                      MD5:0233F97324AAAA048F705D999244BC71
                                                      SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                      SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                      SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12224
                                                      Entropy (8bit):6.590253878523919
                                                      Encrypted:false
                                                      SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                      MD5:E1BA66696901CF9B456559861F92786E
                                                      SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                      SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                      SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.672720452347989
                                                      Encrypted:false
                                                      SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                      MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                      SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                      SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                      SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):13760
                                                      Entropy (8bit):6.575688560984027
                                                      Encrypted:false
                                                      SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                      MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                      SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                      SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                      SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12232
                                                      Entropy (8bit):6.70261983917014
                                                      Encrypted:false
                                                      SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                      MD5:D175430EFF058838CEE2E334951F6C9C
                                                      SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                      SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                      SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12744
                                                      Entropy (8bit):6.599515320379107
                                                      Encrypted:false
                                                      SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                      MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                      SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                      SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                      SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12232
                                                      Entropy (8bit):6.690164913578267
                                                      Encrypted:false
                                                      SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                      MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                      SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                      SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                      SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):11720
                                                      Entropy (8bit):6.615761482304143
                                                      Encrypted:false
                                                      SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                      MD5:735636096B86B761DA49EF26A1C7F779
                                                      SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                      SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                      SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12744
                                                      Entropy (8bit):6.627282858694643
                                                      Encrypted:false
                                                      SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                      MD5:031DC390780AC08F498E82A5604EF1EB
                                                      SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                      SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                      SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):15816
                                                      Entropy (8bit):6.435326465651674
                                                      Encrypted:false
                                                      SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                      MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                      SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                      SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                      SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):12232
                                                      Entropy (8bit):6.5874576656353145
                                                      Encrypted:false
                                                      SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                      MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                      SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                      SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                      SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):13768
                                                      Entropy (8bit):6.645869978118917
                                                      Encrypted:false
                                                      SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                      MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                      SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                      SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                      SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):61176
                                                      Entropy (8bit):5.850944458899023
                                                      Encrypted:false
                                                      SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                      MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                      SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                      SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                      SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):127224
                                                      Entropy (8bit):6.217127607919178
                                                      Encrypted:false
                                                      SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                      MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                      SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                      SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                      SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):418040
                                                      Entropy (8bit):6.1735291180760505
                                                      Encrypted:false
                                                      SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                      MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                      SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                      SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                      SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):698104
                                                      Entropy (8bit):6.463466021766765
                                                      Encrypted:false
                                                      SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                      MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                      SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                      SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                      SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):31480
                                                      Entropy (8bit):5.969706735107452
                                                      Encrypted:false
                                                      SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                      MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                      SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                      SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                      SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):103672
                                                      Entropy (8bit):5.851546804507911
                                                      Encrypted:false
                                                      SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                      MD5:129051E3B7B8D3CC55559BEDBED09486
                                                      SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                      SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                      SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):57488
                                                      Entropy (8bit):6.382541157520703
                                                      Encrypted:false
                                                      SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                      MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                      SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                      SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                      SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):4664568
                                                      Entropy (8bit):6.259383987199329
                                                      Encrypted:false
                                                      SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                      MD5:A6A89F55416DB79D9E13B82685A04D60
                                                      SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                      SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                      SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):215288
                                                      Entropy (8bit):6.050529290720027
                                                      Encrypted:false
                                                      SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                      MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                      SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                      SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                      SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:RAR archive data, v5
                                                      Category:dropped
                                                      Size (bytes):404542
                                                      Entropy (8bit):7.9996020689938865
                                                      Encrypted:true
                                                      SSDEEP:12288:YAxn0Lm/dmOXb64f6Oabr0WzYUZ1b78K7P5+rb:5SyVjOppboU77P6b
                                                      MD5:6A57F4D45D1EF4373803F799A8051884
                                                      SHA1:A769E682201B2958C66C362D026A96E2106BC800
                                                      SHA-256:5309917C8910EC3A6A65D2B3E3299F99B4051D4E8D1C504B1A1F042EF24F7F10
                                                      SHA-512:58B0B7B82DB5C65DD3147672BC09C8F08585FF6F47329D7819F19DEB8EBBF9FF9CF53723832FF00EABD4C32298E6F68487733E2F23BC090CCE73566ADCBD15B0
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):566704
                                                      Entropy (8bit):6.494428734965787
                                                      Encrypted:false
                                                      SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                      MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                      SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                      SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                      SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):22
                                                      Entropy (8bit):3.879664004902594
                                                      Encrypted:false
                                                      SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                      MD5:D9324699E54DC12B3B207C7433E1711C
                                                      SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                      SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                      SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                      Malicious:false
                                                      Preview:@echo off..Start "" %1
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):12124160
                                                      Entropy (8bit):4.1175508751036585
                                                      Encrypted:false
                                                      SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                      MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                      SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                      SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                      SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                      Malicious:false
                                                      Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):12124160
                                                      Entropy (8bit):4.117842215789484
                                                      Encrypted:false
                                                      SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                      MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                      SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                      SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                      SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                      Malicious:false
                                                      Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Java jmod module version 1.0
                                                      Category:dropped
                                                      Size (bytes):51389
                                                      Entropy (8bit):7.916683616123071
                                                      Encrypted:false
                                                      SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                      MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                      SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                      SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                      SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Java jmod module version 1.0
                                                      Category:dropped
                                                      Size (bytes):12133334
                                                      Entropy (8bit):7.944474086295981
                                                      Encrypted:false
                                                      SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                      MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                      SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                      SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                      SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Java jmod module version 1.0
                                                      Category:dropped
                                                      Size (bytes):41127
                                                      Entropy (8bit):7.961466748192397
                                                      Encrypted:false
                                                      SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                      MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                      SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                      SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                      SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Java jmod module version 1.0
                                                      Category:dropped
                                                      Size (bytes):113725
                                                      Entropy (8bit):7.928841651831531
                                                      Encrypted:false
                                                      SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                      MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                      SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                      SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                      SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Java jmod module version 1.0
                                                      Category:dropped
                                                      Size (bytes):896846
                                                      Entropy (8bit):7.923431656723031
                                                      Encrypted:false
                                                      SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                      MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                      SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                      SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                      SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):639224
                                                      Entropy (8bit):6.219852228773659
                                                      Encrypted:false
                                                      SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                      MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                      SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                      SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                      SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):98224
                                                      Entropy (8bit):6.452201564717313
                                                      Encrypted:false
                                                      SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                      MD5:F34EB034AA4A9735218686590CBA2E8B
                                                      SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                      SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                      SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):37256
                                                      Entropy (8bit):6.297533243519742
                                                      Encrypted:false
                                                      SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                      MD5:135359D350F72AD4BF716B764D39E749
                                                      SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                      SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                      SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {5C880445-C0CA-44EE-87A3-CD923E22E3E4}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 19:19:26 2024, Last Saved Time/Date: Thu Dec 26 19:19:26 2024, Last Printed: Thu Dec 26 19:19:26 2024, Number of Pages: 450
                                                      Category:dropped
                                                      Size (bytes):60151249
                                                      Entropy (8bit):7.204169000284664
                                                      Encrypted:false
                                                      SSDEEP:786432:+GZHjVmrjV7eIAte9OTZOoZ4sdUuzt/NCaY2ksCLT:+GNVmrjV7eIv9OTZbRjVCa1t
                                                      MD5:84640D89AB5445B9E88E0A0BE2E413BE
                                                      SHA1:9EB26F282E7FAD090CCDDEF5B30B68041C3C7E70
                                                      SHA-256:4C7AC25BA29F5145CBE26CF5288DF14D2FE0265FF72D3F82461841A7B3D8A266
                                                      SHA-512:6C3DA2E513E6A5798A75E78668184A5019B451F19E9E7428AEA7F171090E3498A209988777C6F980A82A18334AEC648B489B41FEA6F2E4D21CCEBDB0F4803089
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1021792
                                                      Entropy (8bit):6.608727172078022
                                                      Encrypted:false
                                                      SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                      MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                      SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                      SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                      SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1201504
                                                      Entropy (8bit):6.4557937684843365
                                                      Encrypted:false
                                                      SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                      MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                      SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                      SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                      SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):380520
                                                      Entropy (8bit):6.512348002260683
                                                      Encrypted:false
                                                      SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                      MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                      SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                      SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                      SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):216168
                                                      Entropy (8bit):4.955758723186587
                                                      Encrypted:false
                                                      SSDEEP:1536:a5TCN9WT/1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9yk/wu:atk9A1Z0vZXJZYDFufyXbJNCcOu
                                                      MD5:7C51CEEB06B99AB06697CFB6B3925EA7
                                                      SHA1:84F6B81E8B4655AD3B3D88BEF35B48AC1010D7CF
                                                      SHA-256:703DE789A364E7F3A0952708313A1CF11E664CFDF74E26AE39422024C23B405B
                                                      SHA-512:D90A77BBE156D2F07F9F83A2C431817B7F1A7E5DA1E769E4F1DF89B4AAE5A983BAD2455CFFFA21D926E3327EC0EB3FD2D28F09AAD932BC8203E89FAA46CAAD65
                                                      Malicious:false
                                                      Preview:...@IXOS.@.....@*L.Y.@.....@.....@.....@.....@.....@......&.{E52209FF-3DAE-46C4-A504-19BF26FB4B22}..Cave App..TrdIE26br9.msi.@.....@.....@.....@......icon_24.exe..&.{5C880445-C0CA-44EE-87A3-CD923E22E3E4}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}>.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}I.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}P.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......&.{D
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):787808
                                                      Entropy (8bit):6.693392695195763
                                                      Encrypted:false
                                                      SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                      MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                      SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                      SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                      SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):20480
                                                      Entropy (8bit):1.1645150561657183
                                                      Encrypted:false
                                                      SSDEEP:12:JSbX72FjsJMSAGiLIlHVRpZh/7777777777777777777777777vDHFNeH48Sit/z:JmMSQI5tOY6iF
                                                      MD5:028C1F280A4022DA8D1F86C86591B0DD
                                                      SHA1:9E65C9F0F4D50A0FBCB2F610562302737F1B13B5
                                                      SHA-256:42205212450558E96475D94CF1A135FC4406688F23592153C238A3C43AB4BE8B
                                                      SHA-512:46E2135D1877B0A1B413A20B5CFC72E9C3239EA0FBCE4D2D20260AE36662C67C2CB90ADFB817A3B04A2E6A9631128F42B71D6DF5731694C7668A0C430BA60B64
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):20480
                                                      Entropy (8bit):1.5733793510894278
                                                      Encrypted:false
                                                      SSDEEP:48:J8PhuuRc06WXJ0FT5MB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Ehu13FTGd5ECnSxX9wSiaY
                                                      MD5:5621821D03D95264F42FC74690A4D4F0
                                                      SHA1:46BCEB42AA4C2B81DF8B5476858A44CB28B9917D
                                                      SHA-256:60D2EF2B87A18FA069B005CDADFDB0EC48DAC0727556B8714B0BECB8F4447FAF
                                                      SHA-512:49D95A363CA8DDCBB5621CD9F8F7F49875C864FCACD03EA9D48B424F7CB1812333FCE5F3D01283269FE29A374EC20A414C0CD86FF68409918C0D420D368D47F3
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):432221
                                                      Entropy (8bit):5.375171191433235
                                                      Encrypted:false
                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauD:zTtbmkExhMJCIpEr+
                                                      MD5:CA32288787F951AA2FEB2FFA7F960A49
                                                      SHA1:0902AEEC04089674F61002150DA61AE334B6867C
                                                      SHA-256:DB2C1874DC199932A58EABAE7BDF0DC56F51F26CAFA69D70FD9AA952D46D5E41
                                                      SHA-512:DAF21A263EB0F89BC6EE14796C700B9C0EA2651FD3A0AFF79DDCADCEAF8AFF4502082171BCF0B8CE6629BFB9A25A9E36F659C16BFB04CD980669054E467E182C
                                                      Malicious:false
                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):73728
                                                      Entropy (8bit):0.14033607350070926
                                                      Encrypted:false
                                                      SSDEEP:48:MaYWTeJcwSCJcFJcSAECiCyISCJcZoqMUXhB:MaYYwSY5ECnSxXh
                                                      MD5:A50D31EE36EAB2579ACBA89B967064A0
                                                      SHA1:C2E265B5FB4ED7BCAE67EED0EBF2E74515CE1738
                                                      SHA-256:A0DACF755DB0ACE93D5AD05B1616021C6BFC5DA471E3DEA70862B1DC2E64C1D5
                                                      SHA-512:A2D20D29B317F27B3850B61A881AD1F9B0B095B3BEC6AE57613C96D39D2C68879450F95E083F13096C8615C4C6F9D44C7E7990B53864C70BD246966B957089D6
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):1.2599396452148053
                                                      Encrypted:false
                                                      SSDEEP:48:7Vmu0O+CFXJpT5EuB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Bm2RTumd5ECnSxX9wSiaY
                                                      MD5:7EED80E542987348D1E9A7FD4C87FD5B
                                                      SHA1:DDD8CF14496EA267ED8A1803C1A38C8EF087ED7B
                                                      SHA-256:D40382F77F4131F8ADEA6EA3883DD3D86A32B0FC4D2DAD5BB78DF48A60C7B27D
                                                      SHA-512:B5DB2B21AD227B5FA03F6B661E4FF135B91B1E7164E6727569407B0F0D107CA54EF9168BD6029804BD747B40D9FE79E49E6678DE24EAF215C42144217543C438
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):1.2599396452148053
                                                      Encrypted:false
                                                      SSDEEP:48:7Vmu0O+CFXJpT5EuB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Bm2RTumd5ECnSxX9wSiaY
                                                      MD5:7EED80E542987348D1E9A7FD4C87FD5B
                                                      SHA1:DDD8CF14496EA267ED8A1803C1A38C8EF087ED7B
                                                      SHA-256:D40382F77F4131F8ADEA6EA3883DD3D86A32B0FC4D2DAD5BB78DF48A60C7B27D
                                                      SHA-512:B5DB2B21AD227B5FA03F6B661E4FF135B91B1E7164E6727569407B0F0D107CA54EF9168BD6029804BD747B40D9FE79E49E6678DE24EAF215C42144217543C438
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):20480
                                                      Entropy (8bit):1.5733793510894278
                                                      Encrypted:false
                                                      SSDEEP:48:J8PhuuRc06WXJ0FT5MB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Ehu13FTGd5ECnSxX9wSiaY
                                                      MD5:5621821D03D95264F42FC74690A4D4F0
                                                      SHA1:46BCEB42AA4C2B81DF8B5476858A44CB28B9917D
                                                      SHA-256:60D2EF2B87A18FA069B005CDADFDB0EC48DAC0727556B8714B0BECB8F4447FAF
                                                      SHA-512:49D95A363CA8DDCBB5621CD9F8F7F49875C864FCACD03EA9D48B424F7CB1812333FCE5F3D01283269FE29A374EC20A414C0CD86FF68409918C0D420D368D47F3
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):0.07188343917929232
                                                      Encrypted:false
                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOtyexoHn483dF1gVky6lit/:2F0i8n0itFzDHFNeH48Fit/
                                                      MD5:A2DCB99ACD2254AEAA37F3FA20FE975E
                                                      SHA1:982C70511BE08794532B1899D9261A226A2D7756
                                                      SHA-256:4607F86D81B20A92EA7AB799C9DC68992081CB495139C16069D400BE708C113C
                                                      SHA-512:F1D384FAE8E7531AE50ECCF3B2FB1A2A9D80318B73D35A4373D6E8A0E327C97A95DC213B3E2CD561E181D93334F226A58C2D7D4395F7B673BC531CF24BE3CDF0
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):20480
                                                      Entropy (8bit):1.5733793510894278
                                                      Encrypted:false
                                                      SSDEEP:48:J8PhuuRc06WXJ0FT5MB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Ehu13FTGd5ECnSxX9wSiaY
                                                      MD5:5621821D03D95264F42FC74690A4D4F0
                                                      SHA1:46BCEB42AA4C2B81DF8B5476858A44CB28B9917D
                                                      SHA-256:60D2EF2B87A18FA069B005CDADFDB0EC48DAC0727556B8714B0BECB8F4447FAF
                                                      SHA-512:49D95A363CA8DDCBB5621CD9F8F7F49875C864FCACD03EA9D48B424F7CB1812333FCE5F3D01283269FE29A374EC20A414C0CD86FF68409918C0D420D368D47F3
                                                      Malicious:false
                                                      Process:C:\Windows\System32\msiexec.exe
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):1.2599396452148053
                                                      Encrypted:false
                                                      SSDEEP:48:7Vmu0O+CFXJpT5EuB+JcSAECiCyISCJcZoqMUXeJcwSCJcoThaY:Bm2RTumd5ECnSxX9wSiaY
                                                      MD5:7EED80E542987348D1E9A7FD4C87FD5B
                                                      SHA1:DDD8CF14496EA267ED8A1803C1A38C8EF087ED7B
                                                      SHA-256:D40382F77F4131F8ADEA6EA3883DD3D86A32B0FC4D2DAD5BB78DF48A60C7B27D
                                                      SHA-512:B5DB2B21AD227B5FA03F6B661E4FF135B91B1E7164E6727569407B0F0D107CA54EF9168BD6029804BD747B40D9FE79E49E6678DE24EAF215C42144217543C438
                                                      Malicious:false
                                                      Process:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):638
                                                      Entropy (8bit):4.751962275036146
                                                      Encrypted:false
                                                      SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                      MD5:15CA959638E74EEC47E0830B90D0696E
                                                      SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                      SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                      SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                      Malicious:false
                                                      Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {5C880445-C0CA-44EE-87A3-CD923E22E3E4}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 19:19:26 2024, Last Saved Time/Date: Thu Dec 26 19:19:26 2024, Last Printed: Thu Dec 26 19:19:26 2024, Number of Pages: 450
                                                      Entropy (8bit):7.204169000284664
                                                      TrID:
                                                      • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                      • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                      File name:TrdIE26br9.msi
                                                      File size:60'151'249 bytes
                                                      MD5:84640d89ab5445b9e88e0a0be2e413be
                                                      SHA1:9eb26f282e7fad090ccddef5b30b68041c3c7e70
                                                      SHA256:4c7ac25ba29f5145cbe26cf5288df14d2fe0265ff72d3f82461841a7b3d8a266
                                                      SHA512:6c3da2e513e6a5798a75e78668184a5019b451f19e9e7428aea7f171090e3498a209988777c6f980a82a18334aec648b489b41fea6f2e4d21ccebdb0f4803089
                                                      SSDEEP:786432:+GZHjVmrjV7eIAte9OTZOoZ4sdUuzt/NCaY2ksCLT:+GNVmrjV7eIv9OTZbRjVCa1t
                                                      TLSH:77D76C01B3FA4148F2F75E717EBA85A594BABD521B30C0EF1244A60E1B71BC25BB1763
                                                      Icon Hash:2d2e3797b32b2b99
                                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                      2024-12-27T15:33:18.762395+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49731 | 172.67.148.171 | 443 | TCP
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Dec 27, 2024 15:33:17.108849049 CET | 63850 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Dec 27, 2024 15:33:17.438188076 CET | 53 | 63850 | 1.1.1.1 | 192.168.2.4
                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Dec 27, 2024 15:33:17.108849049 CET | 192.168.2.4 | 1.1.1.1 | 0xccaa | Standard query (0) | ksarcftp.com | A (IP address) | IN (0x0001) | false
                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Dec 27, 2024 15:33:17.438188076 CET | 1.1.1.1 | 192.168.2.4 | 0xccaa | No error (0) | ksarcftp.com | | 172.67.148.171 | A (IP address) | IN (0x0001) | false
                                                      Dec 27, 2024 15:33:17.438188076 CET | 1.1.1.1 | 192.168.2.4 | 0xccaa | No error (0) | ksarcftp.com | | 104.21.95.219 | A (IP address) | IN (0x0001) | false
                                                      • ksarcftp.com
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.4 | 49731 | 172.67.148.171 | 443 | 7416 | C:\Windows\SysWOW64\msiexec.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-12-27 14:33:18 UTC | 190 | OUT | POST /updater.php HTTP/1.1
                                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                      User-Agent: AdvancedInstaller
                                                      Host: ksarcftp.com
                                                      Content-Length: 71
                                                      Cache-Control: no-cache
                                                      2024-12-27 14:33:18 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 37 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 39 25 33 41 33 33 25 33 41 31 35 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                      Data Ascii: Date=27%2F12%2F2024&Time=09%3A33%3A15&BuildVersion=8.9.9&SoroqVins=True
                                                      2024-12-27 14:33:19 UTC | 823 | IN | HTTP/1.1 500 Internal Server Error
                                                      Date: Fri, 27 Dec 2024 14:33:19 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Cache-Control: no-store
                                                      cf-cache-status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ShNLGtH5Mvoh2ZLlULLbHQ380aO%2FRo4l1oRo0d4C2jAKoZqnP4KOhKMXIY6KGQdPuC62N9DnrFIwQAFq2kRWP6HgJO6Gi6wIU073rF2DRm8te9tBEXLHPAChqasbE0Q%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8f8a0665cbf072c2-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1769&rtt_var=694&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2825&recv_bytes=921&delivery_rate=1544156&cwnd=164&unsent_bytes=0&cid=d286bcae60c12769&ts=788&x=0"
                                                      2024-12-27 14:33:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0



                                                      Target ID:0
                                                      Start time:09:33:04
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TrdIE26br9.msi"
                                                      Imagebase:0x7ff702d40000
                                                      File size:69'632 bytes
                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:09:33:05
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                      Imagebase:0x7ff702d40000
                                                      File size:69'632 bytes
                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:09:33:07
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BA277BE0E11E3B22E53916890A37A5C2
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:09:33:18
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC3BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3BA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3BB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3BC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                      Imagebase:0x830000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:09:33:18
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:09:33:25
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
                                                      Imagebase:0x7ff68a8b0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:09:33:25
                                                      Start date:27/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
                                                      Imagebase:0x7ff742a60000
                                                      File size:57'488 bytes
                                                      MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 0%, ReversingLabs
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:09:33:25
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x800000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:09:33:25
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:09:33:25
                                                      Start date:27/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
                                                      Imagebase:0x140000000
                                                      File size:117'496 bytes
                                                      MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 0%, ReversingLabs
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:09:33:26
                                                      Start date:27/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                        • Opcode Fuzzy Hash: 6bd3add27457df2f73381f5fa55456a859afaf92d4ecc23f7d112873d01d11dd
                                                        • Instruction Fuzzy Hash: C33172787086418FE3ACDB2C8020729BBF2FB85281315C66DF486CF761DA60FC069B25
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1814692834.000000000364D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0364D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_364d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0650aca5c23f24a032fedf1d9d9ac7b446ba1224f15f1d515e5b452d980fedb7
                                                        • Instruction ID: 66f54e9ef07c201b6730d6ea6b2c52c26799a681d7c9941279af1e85eaeaf749
                                                        • Opcode Fuzzy Hash: 0650aca5c23f24a032fedf1d9d9ac7b446ba1224f15f1d515e5b452d980fedb7
                                                        • Instruction Fuzzy Hash: B601A271C09340AAE710DE29CE84B67FF9CEF45B24F1CC56AED484B247C6799886C6B1
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1814692834.000000000364D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0364D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_364d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5d11f2020d773c9a541617ccb05c59adbb173f71c38c50aac03c6d28e2252046
                                                        • Instruction ID: ec60ec4b46de99092f42e8633bb222a298078c889d0530bf002b53c626713855
                                                        • Opcode Fuzzy Hash: 5d11f2020d773c9a541617ccb05c59adbb173f71c38c50aac03c6d28e2252046
                                                        • Instruction Fuzzy Hash: C601407140E3C09ED7128B25CD94B52BFB8EF47624F1D84DBD9888F293C2699849C772
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1814935938.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_3750000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b3da0a6c9b3338f52bb15aaa298aac6bc1316b1d22a965817c7ff0a67999c6f3
                                                        • Instruction ID: c587391df647b97f0641687b1ee69a16e9467d450adbee8bddf249cb7c78474f
                                                        • Opcode Fuzzy Hash: b3da0a6c9b3338f52bb15aaa298aac6bc1316b1d22a965817c7ff0a67999c6f3
                                                        • Instruction Fuzzy Hash: 03F03074B4030ADFDB14DBA4D595B6E7BB2EF40344F108918E5029F368DB789D488BC1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1820725099.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 84Xk$84Xk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Pk$Pk
                                                        • API String ID: 0-925860617
                                                        • Opcode ID: cf4124fa4f3c7bbf71d654c4515d5e3514a7776e0f722d3dc218295b3dbb9a68
                                                        • Instruction ID: 2e8dba8e984dc1d01a62389c347be87b14f0852ba23ec1f91e792c22bbd6b9d4
                                                        • Opcode Fuzzy Hash: cf4124fa4f3c7bbf71d654c4515d5e3514a7776e0f722d3dc218295b3dbb9a68
                                                        • Instruction Fuzzy Hash: 66816DB57053198FD7258B68D815AAABBE1EFC6324F1880ABD645CF351CE31CC85C7A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1820725099.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                        • API String ID: 0-3732357466
                                                        • Opcode ID: 5fae11d25f2dff2843424992860e49bf932dd25f83358df6026880d05c814579
                                                        • Instruction ID: e8b0ed6bb5eb66974def5efd978df417ceb7f6922edac427231e023b97305c8b
                                                        • Opcode Fuzzy Hash: 5fae11d25f2dff2843424992860e49bf932dd25f83358df6026880d05c814579
                                                        • Instruction Fuzzy Hash: 36515AB170A30ACFDB254A2DD8116AABBF5EFC6214F24847FD445CB241DA32C8C5C7A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1820725099.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4Wk$4Wk$$^q$$^q$$^q
                                                        • API String ID: 0-3095741987
                                                        • Opcode ID: 329cdc092593ad50923254d1799aa0e578f8344aa928f9a7a89c06895932d33a
                                                        • Instruction ID: 87dc437557847da0550512488f96acf3e3797cd479cc7cc26651acc878b506ff
                                                        • Opcode Fuzzy Hash: 329cdc092593ad50923254d1799aa0e578f8344aa928f9a7a89c06895932d33a
                                                        • Instruction Fuzzy Hash: 51113AF231120A9BDB38556AA8137BB77C68BC9614B14843AE505CB396DF36C8D1C371
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.1820725099.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_7e10000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q$$^q
                                                        • API String ID: 0-2049395529
                                                        • Opcode ID: bf7b47ebdd1e7cc32c06b50dda87f53dc85dcbbf19520ef1db9582adde434107
                                                        • Instruction ID: 0ebe90348dc012af32e1e1fad7d0accf814f40ff7613cb8e1d20e80f9ffcbc6a
                                                        • Opcode Fuzzy Hash: bf7b47ebdd1e7cc32c06b50dda87f53dc85dcbbf19520ef1db9582adde434107
                                                        • Instruction Fuzzy Hash: 89018F71A4A3864FD72B166818345957FB25F8396072A06DBC081DF3ABCD258D8AC7A3

                                                        Execution Graph

                                                        Execution Coverage:3.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:1.7%
                                                        Total number of Nodes:700
                                                        Total number of Limit Nodes:1
2814 7ff742a64881 __AdjustPointer 2813->2814 2815 7ff742a64845 __AdjustPointer 2813->2815 2816 7ff742a64864 BuildCatchObjectHelperInternal 2814->2816 2817 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2814->2817 2815->2816 2818 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2815->2818 2816->2774 2817->2816 2818->2816 2820 7ff742a62660 __GSHandlerCheck_EH 8 API calls 2819->2820 2821 7ff742a6394e 2820->2821 2821->2732 2823 7ff742a64635 2822->2823 2825 7ff742a6463e 2822->2825 2824 7ff742a63ba8 BuildCatchObjectHelperInternal 10 API calls 2823->2824 2824->2825 2826 7ff742a63ba8 BuildCatchObjectHelperInternal 10 API calls 2825->2826 2827 7ff742a6465d 2825->2827 2834 7ff742a646c2 __AdjustPointer BuildCatchObjectHelperInternal 2825->2834 2826->2827 2828 7ff742a646aa 2827->2828 2829 7ff742a646ca 2827->2829 2827->2834 2831 7ff742a647e9 abort abort 2828->2831 2828->2834 2830 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2829->2830 2833 7ff742a6474a 2829->2833 2829->2834 2830->2833 2832 7ff742a6480c 2831->2832 2835 7ff742a64608 BuildCatchObjectHelperInternal 10 API calls 2832->2835 2833->2834 2836 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2833->2836 2834->2813 2837 7ff742a64840 2835->2837 2836->2834 2838 7ff742a64881 __AdjustPointer 2837->2838 2839 7ff742a64845 __AdjustPointer 2837->2839 2840 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2838->2840 2842 7ff742a64864 BuildCatchObjectHelperInternal 2838->2842 2841 7ff742a63bbc BuildCatchObjectHelperInternal 10 API calls 2839->2841 2839->2842 2840->2842 2841->2842 2842->2813 2844 7ff742a643d0 _CreateFrameInfo 10 API calls 2843->2844 2845 7ff742a63524 2844->2845 2845->2788 3004 7ff742a62970 3007 7ff742a62da0 3004->3007 3008 7ff742a62979 3007->3008 3009 7ff742a62dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3007->3009 3009->3008 3017 7ff742a6756f 3018 7ff742a643d0 _CreateFrameInfo 10 API calls 3017->3018 3019 7ff742a6757d 
3018->3019 3020 7ff742a67588 3019->3020 3021 7ff742a643d0 _CreateFrameInfo 10 API calls 3019->3021 3021->3020 3022 7ff742a67372 3023 7ff742a643d0 _CreateFrameInfo 10 API calls 3022->3023 3024 7ff742a67389 3023->3024 3025 7ff742a643d0 _CreateFrameInfo 10 API calls 3024->3025 3026 7ff742a673a4 3025->3026 3027 7ff742a643d0 _CreateFrameInfo 10 API calls 3026->3027 3028 7ff742a673ad 3027->3028 3029 7ff742a65414 __GSHandlerCheck_EH 31 API calls 3028->3029 3030 7ff742a673f3 3029->3030 3031 7ff742a643d0 _CreateFrameInfo 10 API calls 3030->3031 3032 7ff742a673f8 3031->3032 2849 7ff742a61b18 _time64 2850 7ff742a61b34 2849->2850 2851 7ff742a61bf1 2850->2851 2865 7ff742a61ee0 2850->2865 2853 7ff742a62230 22 API calls 2851->2853 2854 7ff742a61c34 BuildCatchObjectHelperInternal 2851->2854 2853->2854 2855 7ff742a61da2 _invalid_parameter_noinfo_noreturn 2854->2855 2856 7ff742a618a0 2854->2856 2857 7ff742a61da9 WSAGetLastError 2855->2857 2860 7ff742a61d76 2856->2860 2861 7ff742a61dd0 2856->2861 2864 7ff742a620c0 21 API calls 2856->2864 2858 7ff742a61450 6 API calls 2857->2858 2858->2860 2859 7ff742a62660 __GSHandlerCheck_EH 8 API calls 2862 7ff742a61d87 2859->2862 2860->2859 2863 7ff742a61450 6 API calls 2861->2863 2863->2860 2864->2856 2868 7ff742a61f25 2865->2868 2878 7ff742a61f04 BuildCatchObjectHelperInternal 2865->2878 2866 7ff742a62031 2867 7ff742a617e0 21 API calls 2866->2867 2869 7ff742a62036 2867->2869 2868->2866 2870 7ff742a61fa9 2868->2870 2871 7ff742a61f74 2868->2871 2873 7ff742a61720 Concurrency::cancel_current_task 4 API calls 2869->2873 2875 7ff742a62690 5 API calls 2870->2875 2877 7ff742a61f92 BuildCatchObjectHelperInternal 2870->2877 2871->2869 2872 7ff742a62690 5 API calls 2871->2872 2872->2877 2876 7ff742a6203c 2873->2876 2874 7ff742a6202a _invalid_parameter_noinfo_noreturn 2874->2866 2875->2877 2877->2874 2877->2878 2878->2851 2879 7ff742a6191a 2880 7ff742a618a0 2879->2880 2881 7ff742a6194d 2879->2881 2884 7ff742a61dd0 2880->2884 2887 7ff742a620c0 21 API calls 
2880->2887 2888 7ff742a61d76 2880->2888 2882 7ff742a620c0 21 API calls 2881->2882 2882->2880 2883 7ff742a62660 __GSHandlerCheck_EH 8 API calls 2885 7ff742a61d87 2883->2885 2886 7ff742a61450 6 API calls 2884->2886 2886->2888 2887->2880 2888->2883 2889 7ff742a6291a 2890 7ff742a63020 __scrt_is_managed_app GetModuleHandleW 2889->2890 2891 7ff742a62921 2890->2891 2892 7ff742a62925 2891->2892 2893 7ff742a62960 _exit 2891->2893 3033 7ff742a67559 3036 7ff742a64158 3033->3036 3037 7ff742a64170 3036->3037 3038 7ff742a64182 3036->3038 3037->3038 3039 7ff742a64178 3037->3039 3040 7ff742a643d0 _CreateFrameInfo 10 API calls 3038->3040 3042 7ff742a64180 3039->3042 3043 7ff742a643d0 _CreateFrameInfo 10 API calls 3039->3043 3041 7ff742a64187 3040->3041 3041->3042 3044 7ff742a643d0 _CreateFrameInfo 10 API calls 3041->3044 3045 7ff742a641a7 3043->3045 3044->3042 3046 7ff742a643d0 _CreateFrameInfo 10 API calls 3045->3046 3047 7ff742a641b4 terminate 3046->3047 2894 7ff742a64024 2901 7ff742a6642c 2894->2901 2897 7ff742a64031 2913 7ff742a66714 2901->2913 2904 7ff742a6402d 2904->2897 2906 7ff742a644ac 2904->2906 2905 7ff742a66460 __vcrt_uninitialize_locks DeleteCriticalSection 2905->2904 2918 7ff742a665e8 2906->2918 2914 7ff742a66498 __vcrt_InitializeCriticalSectionEx 5 API calls 2913->2914 2915 7ff742a6674a 2914->2915 2916 7ff742a6675f InitializeCriticalSectionAndSpinCount 2915->2916 2917 7ff742a66444 2915->2917 2916->2917 2917->2904 2917->2905 2919 7ff742a66498 __vcrt_InitializeCriticalSectionEx 5 API calls 2918->2919 2920 7ff742a6660d TlsAlloc 2919->2920 3051 7ff742a61ce0 3052 7ff742a62688 5 API calls 3051->3052 3053 7ff742a61cea gethostname 3052->3053 3054 7ff742a61d08 3053->3054 3055 7ff742a61da9 WSAGetLastError 3053->3055 3058 7ff742a62040 22 API calls 3054->3058 3056 7ff742a61450 6 API calls 3055->3056 3057 7ff742a61d76 3056->3057 3060 7ff742a62660 __GSHandlerCheck_EH 8 API calls 3057->3060 3059 7ff742a618a0 3058->3059 3059->3057 3062 7ff742a61dd0 3059->3062 3064 7ff742a620c0 21 
API calls 3059->3064 3061 7ff742a61d87 3060->3061 3063 7ff742a61450 6 API calls 3062->3063 3063->3057 3064->3059 3065 7ff742a65860 3066 7ff742a643d0 _CreateFrameInfo 10 API calls 3065->3066 3067 7ff742a658ad 3066->3067 3068 7ff742a643d0 _CreateFrameInfo 10 API calls 3067->3068 3069 7ff742a658bb __except_validate_context_record 3068->3069 3070 7ff742a643d0 _CreateFrameInfo 10 API calls 3069->3070 3071 7ff742a65914 3070->3071 3072 7ff742a643d0 _CreateFrameInfo 10 API calls 3071->3072 3073 7ff742a6591d 3072->3073 3074 7ff742a643d0 _CreateFrameInfo 10 API calls 3073->3074 3075 7ff742a65926 3074->3075 3094 7ff742a63b18 3075->3094 3078 7ff742a643d0 _CreateFrameInfo 10 API calls 3079 7ff742a65959 3078->3079 3080 7ff742a65aa9 abort 3079->3080 3081 7ff742a65991 3079->3081 3082 7ff742a63b54 11 API calls 3081->3082 3086 7ff742a65a31 3082->3086 3083 7ff742a65a5a __GSHandlerCheck_EH 3084 7ff742a643d0 _CreateFrameInfo 10 API calls 3083->3084 3085 7ff742a65a6d 3084->3085 3087 7ff742a643d0 _CreateFrameInfo 10 API calls 3085->3087 3086->3083 3088 7ff742a64104 10 API calls 3086->3088 3089 7ff742a65a76 3087->3089 3088->3083 3090 7ff742a643d0 _CreateFrameInfo 10 API calls 3089->3090 3091 7ff742a65a7f 3090->3091 3092 7ff742a643d0 _CreateFrameInfo 10 API calls 3091->3092 3093 7ff742a65a8e 3092->3093 3095 7ff742a643d0 _CreateFrameInfo 10 API calls 3094->3095 3096 7ff742a63b29 3095->3096 3097 7ff742a643d0 _CreateFrameInfo 10 API calls 3096->3097 3099 7ff742a63b34 3096->3099 3097->3099 3098 7ff742a643d0 _CreateFrameInfo 10 API calls 3100 7ff742a63b45 3098->3100 3099->3098 3100->3078 3100->3079 3101 7ff742a67260 3102 7ff742a67273 3101->3102 3103 7ff742a67280 3101->3103 3104 7ff742a61e80 _invalid_parameter_noinfo_noreturn 3102->3104 3104->3103 3105 7ff742a6195f 3106 7ff742a6196d 3105->3106 3107 7ff742a61a23 3106->3107 3108 7ff742a61ee0 22 API calls 3106->3108 3109 7ff742a62230 22 API calls 3107->3109 3110 7ff742a61a67 BuildCatchObjectHelperInternal 3107->3110 3108->3107 3109->3110 3111 
7ff742a61da2 _invalid_parameter_noinfo_noreturn 3110->3111 3112 7ff742a618a0 3110->3112 3113 7ff742a61da9 WSAGetLastError 3111->3113 3116 7ff742a61d76 3112->3116 3117 7ff742a61dd0 3112->3117 3120 7ff742a620c0 21 API calls 3112->3120 3114 7ff742a61450 6 API calls 3113->3114 3114->3116 3115 7ff742a62660 __GSHandlerCheck_EH 8 API calls 3118 7ff742a61d87 3115->3118 3116->3115 3119 7ff742a61450 6 API calls 3117->3119 3119->3116 3120->3112

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                        • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                        • API String ID: 2647627392-2367407095
                                                        • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                        • Instruction ID: 8e41dc314cd59d30b3d27fb09b18aa1966ff06d757bc3be5cc30a6f2efaf00e7
                                                        • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                        • Instruction Fuzzy Hash: 19A1A351F0C682C5FB61BB209408A79EAA4EB45754F884135CECE43795DFBEE468C738

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                        • String ID:
                                                        • API String ID: 2308368977-0
                                                        • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                        • Instruction ID: d81afb8aab4376f42a510f5b30ca1b91074ccf59d2994c1ad60aea8e210af500
                                                        • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                        • Instruction Fuzzy Hash: B2312B21F0C243C1EB14BB619415BB9E291AF81B88FC45035DE8D072D7CFAEA866C279

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                        • String ID: [createdump]
                                                        • API String ID: 3735572767-2657508301
                                                        • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                        • Instruction ID: 851b9623e81d0129ee8cf00c3f4f1fea078cf1e7160f90aa846755478b14c449
                                                        • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                        • Instruction Fuzzy Hash: D1017C21B0CB41C2EB00BB60F80996AE368EB85BD1F804134DE9D03765CF7CD8A9C325

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                        • Instruction ID: 2a1660701d016b3aa179ff8ad6f64cef46fe52d718fa45be215c2bf2a06c39aa
                                                        • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                        • Instruction Fuzzy Hash: 98316F7270DA81CAEB60AF60E8407EAB365FB84744F80443ADE8E47A94DF79C558C724
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                        • Instruction ID: 70ec13b9a946b050a12027c1ae55f32233fed577a2908f605069f63c2c47a481
                                                        • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                        • Instruction Fuzzy Hash: 08A00121A4C802D4E744BB10A854921B224AB50700B822931DC8E410A49FBEA86AC239

                                                        Control-flow Graph

                                                        APIs
                                                        • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A6242D
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A6243B
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61475
                                                          • Part of subcall function 00007FF742A61450: fprintf.MSPDB140-MSVCRT ref: 00007FF742A61485
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61494
                                                          • Part of subcall function 00007FF742A61450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614B3
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614BE
                                                          • Part of subcall function 00007FF742A61450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614C7
                                                        • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A62466
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A62470
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A62487
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF742A625F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                        • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                        • API String ID: 3971781330-1292085346
                                                        • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                        • Instruction ID: 484d974262c9dde99d72b3bd193b28a132629a3eea45ae4da60f3a03c6f4142e
                                                        • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                        • Instruction Fuzzy Hash: 50619131B0CA42C5E720BB11E464A6AB761FB84794F900530EEDE03AA5CFBEE455C738

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 695522112-393685449
                                                        • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                        • Instruction ID: b77d63d9297aa2b012ab0490e6450aeb9e4ce19c614b9115d9598927a693b6f4
                                                        • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                        • Instruction Fuzzy Hash: F8E1B072A0CA82CAE720BF24D4806ADB7A0FB54B48F944135DECD47795CFB9E4A1C724

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                        • String ID: [createdump]
                                                        • API String ID: 3735572767-2657508301
                                                        • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                        • Instruction ID: 4583042412e8f50fe81dbed15eb656ca62711b98cb0e91109202e6bdfc205851
                                                        • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                        • Instruction Fuzzy Hash: 4B015A31B0CB4186EB00BB60F8049AAE364EB85BD1F804134DE9D037658FBDD8A8C365

                                                        Control-flow Graph

                                                        APIs
                                                        • WSAStartup.WS2_32 ref: 00007FF742A6186C
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61475
                                                          • Part of subcall function 00007FF742A61450: fprintf.MSPDB140-MSVCRT ref: 00007FF742A61485
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61494
                                                          • Part of subcall function 00007FF742A61450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614B3
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614BE
                                                          • Part of subcall function 00007FF742A61450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                        • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                        • API String ID: 3378602911-3973674938
                                                        • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                        • Instruction ID: 6a0ea7217e848054d4bb5dba5d77352976b0fce877ddc1436bf5e24045d66f78
                                                        • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                        • Instruction Fuzzy Hash: B231B162B0C681C6E755BF159858BF9ABA1BB45788F850032DE8D03391CFBDE565C338

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF742A6669F,?,?,?,00007FF742A6441E,?,?,?,00007FF742A643D9), ref: 00007FF742A6651D
                                                        • GetLastError.KERNEL32(?,00000000,00007FF742A6669F,?,?,?,00007FF742A6441E,?,?,?,00007FF742A643D9,?,?,?,?,00007FF742A63524), ref: 00007FF742A6652B
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00007FF742A6669F,?,?,?,00007FF742A6441E,?,?,?,00007FF742A643D9,?,?,?,?,00007FF742A63524), ref: 00007FF742A66555
                                                        • FreeLibrary.KERNEL32(?,00000000,00007FF742A6669F,?,?,?,00007FF742A6441E,?,?,?,00007FF742A643D9,?,?,?,?,00007FF742A63524), ref: 00007FF742A6659B
                                                        • GetProcAddress.KERNEL32(?,00000000,00007FF742A6669F,?,?,?,00007FF742A6441E,?,?,?,00007FF742A643D9,?,?,?,?,00007FF742A63524), ref: 00007FF742A665A7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                        • Instruction ID: ccd164006869dcc2ab0dcd7981ff5033be7808b9a4656bee684b3ccf3f255a21
                                                        • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                        • Instruction Fuzzy Hash: 7B31A121B1E602D5EF11BB029801975A294FF48FA0F9D4635DEAD46398DFBDE464C338

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: _time64
                                                        • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                        • API String ID: 1670930206-4114407318
                                                        • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                        • Instruction ID: c29f8eb98fcaa6a69c48b7f77f57cd298dd1942fd41e21cecfd7e509f0ff1090
                                                        • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                        • Instruction Fuzzy Hash: 1051F262B1CB8186EB00EB28E494BADABA5EB417C4F800131DE9D13BA9CF7DD051D764

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: EncodePointerabort
                                                        • String ID: MOC$RCC
                                                        • API String ID: 1188231555-2084237596
                                                        • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                        • Instruction ID: 69de4fb4e3b05ab29a7036e86e2e93b6ca3a39c5e40135c0c731f56e9ec4ce92
                                                        • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                        • Instruction Fuzzy Hash: D491C373B08B82CAE710EB64E8406ADB7A0FB55788F54412AEF8D07754DF79D1A5C720

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __except_validate_context_recordabort
                                                        • String ID: csm$csm
                                                        • API String ID: 746414643-3733052814
                                                        • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                        • Instruction ID: 87680527a00be61a67642b6e20856a72ad1fb21676a908734ec8dc3a8f2b105d
                                                        • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                        • Instruction Fuzzy Hash: 4471B03260C682CADB24BF259454A79BBA1FB50BC9F888135DECD07A85CF7DD461C728

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                        • API String ID: 0-4114407318
                                                        • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                        • Instruction ID: a3a7a6558891354771e9295b29a9fce0515a1c46f4bd48cf772feac193f0215a
                                                        • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                        • Instruction Fuzzy Hash: 0551E862B1CB85C6D700EB29E444BAAAB61EB917D0F800135EEDD03B95CF7ED051D764

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: CreateFrameInfo__except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 2558813199-1018135373
                                                        • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                        • Instruction ID: c32c2cd1627c29a765408ff1b8286f1decb4c7c1ba6848a6e3030d1a6097ac3f
                                                        • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                        • Instruction Fuzzy Hash: EB51273261CA42C6E720BB25A44066EB7A4FB99B94F580134EF8D07B55CFB9E471CB24
                                                        APIs
                                                        • std::_Xinvalid_argument.LIBCPMT ref: 00007FF742A617EB
                                                        • WSAStartup.WS2_32 ref: 00007FF742A6186C
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61475
                                                          • Part of subcall function 00007FF742A61450: fprintf.MSPDB140-MSVCRT ref: 00007FF742A61485
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A61494
                                                          • Part of subcall function 00007FF742A61450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614B3
                                                          • Part of subcall function 00007FF742A61450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614BE
                                                          • Part of subcall function 00007FF742A61450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF742A614C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                        • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                        • API String ID: 1412700758-3183687674
                                                        • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                        • Instruction ID: 561b102a5c6b8c27602ee40f3494c085831918596e7bcea95fab3556fbf20d58
                                                        • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                        • Instruction Fuzzy Hash: 5D015222B1C981D5F761FF52EC45BAAA750BB48798F800036EE8D07651CF7DD4A6C724
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastgethostname
                                                        • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                        • API String ID: 3782448640-4114407318
                                                        • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                        • Instruction ID: 2d2cabf00983bcc06be57e350959337f6529c2eb396f49a9bf0a4539fc2f17c1
                                                        • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                        • Instruction Fuzzy Hash: 7B110411B0C242C6E744BB20A854BBAA640DF817A8F801130DEDF072D6CF7ED4A6C338
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: terminate
                                                        • String ID: MOC$RCC$csm
                                                        • API String ID: 1821763600-2671469338
                                                        • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                        • Instruction ID: 14fe249cf5acee0308a22d7c9dc1463c0c670ad12ea29935a389c67aedf42f4c
                                                        • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                        • Instruction Fuzzy Hash: 6DF08C36A0C646C5E3347B51B1414ACB264EF58B44F8C5071DF8816292CFFDE4B1C63A
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF742A618EE), ref: 00007FF742A621E0
                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF742A6221E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                        • String ID: Invalid process id '%d' error %d
                                                        • API String ID: 73155330-4244389950
                                                        • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                        • Instruction ID: aa4d828a9be9b733d7c36d17599ca2581d8df86bf426024161e48584074512a6
                                                        • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                        • Instruction Fuzzy Hash: 4B31BD32B0D682C5EB10BF2595446A9E6A1AB05BD4F980631DF9D07BD5CFBEE064C338
                                                        APIs
                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF742A6173F), ref: 00007FF742A63FC8
                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF742A6173F), ref: 00007FF742A6400E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1873330828.00007FF742A61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF742A60000, based on PE: true
                                                        • Associated: 00000007.00000002.1873285112.00007FF742A60000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873354573.00007FF742A68000.00000002.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873380151.00007FF742A6C000.00000004.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000007.00000002.1873400285.00007FF742A6D000.00000002.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ff742a60000_createdump.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                        • Instruction ID: 9f3d7df9984e98c32dc93fa09f0d8be27bd711c9283fe838a94a3a0aab66f4d0
                                                        • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                        • Instruction Fuzzy Hash: B8115B3260CB4182EB11AB25E40066AB7A4FB88B84F584231EECD07B58DF7EC466C714
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                        • API String ID: 667068680-295688737
                                                        • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                        • Instruction ID: 948dad3f9c5ad21ca67adc369749515d4c085e53c420c34681d3af4ca6f3d70f
                                                        • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                        • Instruction Fuzzy Hash: A8A18364B0DF4791EE05DB62B85417423A2FF4AFA5B9890F6C40E07634EF7CA199C3A0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                        • API String ID: 2943138195-2884338863
                                                        • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                        • Instruction ID: b6a26b9f7663ff31143d85902616c50452e36a479cdba093dd76eb91f61537e6
                                                        • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                        • Instruction Fuzzy Hash: 3192B5B2B1CB8286E741DB15E4802BEB7A0FB84764F1011B6FA8D43AA9DF7CD554CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                        • Instruction ID: bf47e5d301371b4d187910532a315da8696d8cc325eb7a466852635368f6cbbd
                                                        • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                        • Instruction Fuzzy Hash: B8A25822709F8582EB14CB2AE4803B9A760FB86FA5F5880B6DA8D43B75DF7DD445C740
                                                        APIs
                                                        • memchr.VCRUNTIME140 ref: 00007FFE1A4F30AA
                                                        • memchr.VCRUNTIME140 ref: 00007FFE1A4F3470
                                                        • memchr.VCRUNTIME140 ref: 00007FFE1A4F36A5
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F410D
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4114
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F411B
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4122
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4129
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4130
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4137
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F413E
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F4145
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F414C
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F42D3
                                                          • Part of subcall function 00007FFE1A4D1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1DFB
                                                          • Part of subcall function 00007FFE1A4D1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1E08
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                        • String ID: 0123456789-
                                                        • API String ID: 3572500260-3850129594
                                                        • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                        • Instruction ID: a04eb22df6ffd4fa92942bbdf05e346dd6c7f42df38c1c344653a946373249a4
                                                        • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                        • Instruction Fuzzy Hash: 1BE2AB22B09E8589EB408B2AD4843BC3761FB45FA9F5561B2DA6E077B5DF7DE490C300
                                                        APIs
                                                          • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                          • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                          • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                          • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                          • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                          • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                          • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                        • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                        • OpenEventA.KERNEL32 ref: 0000000140008454
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                        • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                          • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                          • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                          • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                          • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                          • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                          • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                          • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                        • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                        • CloseHandle.KERNEL32 ref: 0000000140008554
                                                        • CloseHandle.KERNEL32 ref: 0000000140008561
                                                        • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                        • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                        • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                        • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                        • String ID:
                                                        • API String ID: 1089015687-0
                                                        • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                        • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                        • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                        • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                        • String ID:
                                                        • API String ID: 2074253140-0
                                                        • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                        • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                        • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                        • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: iswdigit$btowclocaleconv
                                                        • String ID: 0$0
                                                        • API String ID: 240710166-203156872
                                                        • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                        • Instruction ID: ece2f25dff2b67fbc2666ddb14e6ae45641ed89e290de838980bdd306067d22e
                                                        • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                        • Instruction Fuzzy Hash: C4813D72B189428AE7118F2AD8502B973E1FF91F59F4851B6DE8A461A0DF3CEC56C740
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0123456789-+Ee
                                                        • API String ID: 0-1347306980
                                                        • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                        • Instruction ID: 4d26367f3402b8795f7e3d94e42ee832b8721e78bfd9b8d92de7a2cacea44990
                                                        • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                        • Instruction Fuzzy Hash: 50C25026B09E8189EB518F2BD15027C3761AB55FA4F9480F2DA9D077B9DF3DE866C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memchr$isdigit$localeconv
                                                        • String ID: 0$0123456789abcdefABCDEF
                                                        • API String ID: 1981154758-1185640306
                                                        • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                        • Instruction ID: bad1d60db148fc2c51e563f37c5d0ad271a368f334d5d379d9e3784222201308
                                                        • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                        • Instruction Fuzzy Hash: 3A916C72B0C99646E7218B2AD4103BA3BD1FB45F69F58B0F6CF8A47661DA3CE815C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                        • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                        • API String ID: 2141594249-3606100449
                                                        • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                        • Instruction ID: c05f5dfb44224d857a122969b560a76982bb5989c16f0840ee8a0e894d1b697f
                                                        • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                        • Instruction Fuzzy Hash: 4FD26F66709E8589EB618F2BC19017C3761BB41FA4B9480F2DA9D077B9DF3DE866C310
                                                        APIs
                                                        • _Find_elem.LIBCPMT ref: 00007FFE1A4E2C08
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E35B9
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E35C0
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E35C7
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E3776
                                                          • Part of subcall function 00007FFE1A4D1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1DFB
                                                          • Part of subcall function 00007FFE1A4D1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1E08
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                        • String ID: 0123456789-
                                                        • API String ID: 2779821303-3850129594
                                                        • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                        • Instruction ID: 62088079501bbc23e453c2352d04ff308f71f9cee2aebe38b9f1d017d8a66cea
                                                        • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                        • Instruction Fuzzy Hash: 74E28D22B09A9589EF508F2AD09067D3BA4FB45FA4F5490B6DA4E077A5CF3DE891C700
                                                        APIs
                                                        • _Find_elem.LIBCPMT ref: 00007FFE1A4E1660
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E2011
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E2018
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E201F
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E21CE
                                                          • Part of subcall function 00007FFE1A4D1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1DFB
                                                          • Part of subcall function 00007FFE1A4D1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE1A4CC320), ref: 00007FFE1A4D1E08
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                        • String ID: 0123456789-
                                                        • API String ID: 2779821303-3850129594
                                                        • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                        • Instruction ID: d012d21b81f0eb91164b2babd04597810f2bf23175890ec8157842683e1afb33
                                                        • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                        • Instruction Fuzzy Hash: 17E29E22B09B8589EB508F2AD0906BD3BB4FB55FA4F5490B6DA4E477A5CF3CD891C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: iswdigit$localeconv
                                                        • String ID: 0$0$0123456789abcdefABCDEF
                                                        • API String ID: 2634821343-613610638
                                                        • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                        • Instruction ID: c11c9f07989e014111da23708983e79ff78fc20a06e9080bcd5a2c8dfb019793
                                                        • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                        • Instruction Fuzzy Hash: 94816F62F089564BEB718F2AD8102B93291FB55F55F0890B3DF89476A4DB3CEC56C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                        • String ID: .$.
                                                        • API String ID: 479945582-3769392785
                                                        • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                        • Instruction ID: 223f30d3cf90eb215bf0f56ce30f1f7c864fe39dc72b02e190267d12ac383fb0
                                                        • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                        • Instruction Fuzzy Hash: 2341B732B18A4185EB10DF66E4486B97362FB45BB4F9042B6EB9D036E8DF7CD495C700
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0123456789-+Ee
                                                        • API String ID: 0-1347306980
                                                        • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                        • Instruction ID: dbec58b9537f78d0b0a104cb3f6c81e2c44ed7e6ae60c562ff25caf755022220
                                                        • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                        • Instruction Fuzzy Hash: 6DC24C26B09E8685EB508F1AD05017D37A1FB65FA4B9494F2DE4E077A4CF3DE8A6D300
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0123456789-+Ee
                                                        • API String ID: 0-1347306980
                                                        • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                        • Instruction ID: 9d57b2511f05cd37cbefb7f952578aff98794bb831d5f8af02a1fbe982b172d2
                                                        • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                        • Instruction Fuzzy Hash: 8DC25C26B09E4285EB508F2BD15017D37A1FB65FA4B9494F2DA4E077A0CF3DE8A5D304
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E65AB
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E663D
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E66E0
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E6B9C
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E6BEE
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E6C35
                                                          • Part of subcall function 00007FFE1A4EEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4D923E), ref: 00007FFE1A4EEC08
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                        • String ID:
                                                        • API String ID: 15630516-0
                                                        • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                        • Instruction ID: cd0da2b1921a4213e4e88d7e7cf99cf4c66ca56e52302dbb35d4f3277e4c360b
                                                        • Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                        • Instruction Fuzzy Hash: C4527162B18F8585EB108F2AD4441BDA761FB55FA8F5491B2DB8D03BA9EF3CE590C340
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E6EF7
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E6F89
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E702C
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E74E8
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E753A
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E7581
                                                          • Part of subcall function 00007FFE1A4EEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4D923E), ref: 00007FFE1A4EEC08
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                        • String ID:
                                                        • API String ID: 15630516-0
                                                        • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                        • Instruction ID: 6892b9f332c301b11499d7bae08828ec0b90542ad1432e6468822c9def818971
                                                        • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                        • Instruction Fuzzy Hash: 9B526E62B18F8585EB10CF2AD4441BD6761FB85FA8F5491B2EA8D03BA5EF3CE590C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1799700165-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                        • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                        • API String ID: 1825414929-3606100449
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                        • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                        • API String ID: 1825414929-3606100449
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                        • String ID:
                                                        • API String ID: 1326169664-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                        • String ID:
                                                        • API String ID: 1326169664-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                                        • API String ID: 2740501399-2799312399
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4F7600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE1A4C3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1A4F760F
                                                          • Part of subcall function 00007FFE1A4CF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE1A4F4C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE66), ref: 00007FFE1A4CF6FC
                                                        • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE88), ref: 00007FFE1A4E5245
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE88), ref: 00007FFE1A4E525A
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE88), ref: 00007FFE1A4E5268
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$Gettnames_lock_localesrealloc
                                                        • String ID:
                                                        • API String ID: 3705959680-0
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4F7600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE1A4C3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1A4F760F
                                                          • Part of subcall function 00007FFE1A4CF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE1A4F4C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE66), ref: 00007FFE1A4CF6FC
                                                        • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE77), ref: 00007FFE1A4E5F35
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE77), ref: 00007FFE1A4E5F4A
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE77), ref: 00007FFE1A4E5F58
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$Gettnames_lock_localesrealloc
                                                        • String ID:
                                                        • API String ID: 3705959680-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID: GetLastError() = 0x%X
                                                        • API String ID: 3479602957-3384952017
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4F1E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F1F72
                                                          • Part of subcall function 00007FFE1A4F7600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE1A4C3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1A4F760F
                                                        • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE66,?,?,?,?,?,?,?,00007FFE1A4CF7E7), ref: 00007FFE1A4F4BCF
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE66,?,?,?,?,?,?,?,00007FFE1A4CF7E7), ref: 00007FFE1A4F4BE4
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE1A4CFE66,?,?,?,?,?,?,?,00007FFE1A4CF7E7), ref: 00007FFE1A4F4BF3
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                        • String ID:
                                                        • API String ID: 962949324-0
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E46ED
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E473B
                                                          • Part of subcall function 00007FFE1A4EEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4D923E), ref: 00007FFE1A4EEC08
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                        • String ID:
                                                        • API String ID: 15630516-0
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E42AD
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E42FB
                                                          • Part of subcall function 00007FFE1A4EEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE1A4D923E), ref: 00007FFE1A4EEC08
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                        • String ID:
                                                        • API String ID: 15630516-0
                                                        • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                        • Instruction ID: 41490f62483c3f5ea4c096e0c1b9441b89b88065c50a61a8aa65fbf5d26130c0
                                                        • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                        • Instruction Fuzzy Hash: 67D13A22B09F4689FB10CFA6D5442BC6372AB59BA8F4441B2DE4D17BA9DF3CE459C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                        • String ID:
                                                        • API String ID: 1654775311-0
                                                        • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                        • Instruction ID: e5123e30c6433cc7175499f8aea539a7058d61e665a448050d2aed0f39cb51ad
                                                        • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                        • Instruction Fuzzy Hash: 36A1E162F18A9285FB108BA6D4502BC77B1BB25FA8F5440B6DE0D17BA5CF3CE4A1C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                        • String ID:
                                                        • API String ID: 1654775311-0
                                                        • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                        • Instruction ID: 9ad27f631f54467159de6f2ca9b7d22f158320471d134f6cca240498d728a148
                                                        • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                        • Instruction Fuzzy Hash: 21A1C462F19A9285FB108F66D4506BC67B2BB25FA8F5440B7DE4D17BA4DF3CA4A1C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                        • String ID:
                                                        • API String ID: 1762017149-0
                                                        • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                        • Instruction ID: 1dc1c05777859e14415d0d96203f1b86852363dda65484dfcb2b037eb22f169f
                                                        • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                        • Instruction Fuzzy Hash: 88415F62B04F4198FB00CFA2D4402AC37B6B748BA8F945676DE5D53BA8DF38D195C350
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale___lc_locale_name_func
                                                        • String ID:
                                                        • API String ID: 3366915261-0
                                                        • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                        • Instruction ID: c037d3f7739511a6e20f9140449d4c0a6088654b94aacbd1be9789df428d326b
                                                        • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                        • Instruction Fuzzy Hash: E9F0A032F2C84287E3A84B2AD4587382260FB44B29F4005F3E50F422B0CF6CED54D741
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                        • Instruction ID: 53696273bcc0759e2d485a6e3c9856a94d6b673be6574a52ff093ba396928d54
                                                        • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                        • Instruction Fuzzy Hash: 97025E26B49E4689EB608F26C44037D33A1FB94FA8F5490B2CA5E177A5CF3CD896C350
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                        • Instruction ID: 5d010346eb0b24ccbba15292ff714e4e6e25dd3d75f25f9d7b957f314a2e632b
                                                        • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                        • Instruction Fuzzy Hash: A7022D22B09E4689EB518E2EC4503BD37A1AB45FA9F54A1B3CA4D473B5CF7DD892C310
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _lock_locales
                                                        • String ID:
                                                        • API String ID: 3756862740-0
                                                        • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                        • Instruction ID: b8afb8d12bfb7e0aaedbd39b599207b06eddca5aeab3dd9835b4cbd81a6d6127
                                                        • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                        • Instruction Fuzzy Hash: 5DE12F21F0DF0285F756DB2798401B526A1AF51FF4B8441FBE94E47BBAEE3CA9618340
                                                        APIs
                                                        • memset.VCRUNTIME140 ref: 000000014000475B
                                                          • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                          • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                          • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                        • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                          • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                        • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                        • API String ID: 2423274481-1946953090
                                                        • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                        • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                        • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                        • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                        • API String ID: 2943138195-1388207849
                                                        • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                        • Instruction ID: 1f676d6e16aa6a2699a040e0f9f6b17905a11fcb78648cf4b936e6efe7ab4705
                                                        • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                        • Instruction Fuzzy Hash: 3EF19DB2F08E1294F755AB66C8442BC26B0BB01F64F4449F7CA1D97AB9DF3DA664C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: `anonymous namespace'
                                                        • API String ID: 2943138195-3062148218
                                                        • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                        • Instruction ID: aa17e701eec8a89f978f16ee0dc0f4f9a748a799287ea09d2532b3a749971802
                                                        • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                        • Instruction Fuzzy Hash: 90E17AB2B08B8295EB10EF66E8801BD77B0FB44B68F4481B6EA4D57B65DF38D564C700
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                        • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                        • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                        • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                        • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                        • String ID: (
                                                        • API String ID: 703713002-3887548279
                                                        • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                        • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                        • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                        • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                        • String ID: [NOT FOUND ] %s
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                        • String ID:
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                        • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                        • String ID:
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA87E), ref: 00007FFE1A4D6971
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA87E), ref: 00007FFE1A4D698E
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4D69AA
                                                        • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA87E), ref: 00007FFE1A4D69B3
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA87E), ref: 00007FFE1A4D69D0
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4D69EC
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4D6A01
                                                          • Part of subcall function 00007FFE1A4C4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D72
                                                          • Part of subcall function 00007FFE1A4C4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D98
                                                          • Part of subcall function 00007FFE1A4C4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4DB0
                                                        Strings
                                                        • :AM:am:PM:pm, xrefs: 00007FFE1A4D69FA
                                                        • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE1A4D6999
                                                        • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE1A4D69DB
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                        • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                        • String ID:
                                                        APIs
                                                        • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                        • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                        • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                        • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                        • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                        • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                        • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                        • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                        • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                        • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                          • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                          • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                          • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                          • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                          • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                          • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                          • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                          • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                        • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                        • String ID:
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                        • API String ID: 0-3207858774
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$Name::operator+=
                                                        • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                        • API String ID: 179159573-1464470183
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                        • String ID:
                                                        • API String ID: 3781602613-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 211107550-393685449
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memchrtolower$_errnoisspace
                                                        • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                        • API String ID: 3508154992-2692187688
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                        • API String ID: 2943138195-2239912363
                                                        APIs
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                        • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                          • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                        • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                        • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                        • String ID: ImptRED_CEvent_
                                                        • API String ID: 2242036409-942587184
                                                        APIs
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                        • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                          • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                        • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                        • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                        • String ID: ImptRED_SEvent_
                                                        • API String ID: 2242036409-1609572862
                                                        APIs
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                        • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                          • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                        • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                        • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                        • String ID: ImptRED_CmdMap_
                                                        • API String ID: 2242036409-3276274529
                                                        • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                        • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                        • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                        • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                        APIs
                                                        • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                        • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                        • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                          • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                        • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                        • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                        • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                        • String ID: ImptRED_DMap_
                                                        • API String ID: 2242036409-2879874026
                                                        • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                        • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                        • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                        • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 1099746521-1866435925
                                                        • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                        • Instruction ID: 397fe1530996da3f195e8ee79998283d39f5cdf60f4386f0057d2cd4d483a5db
                                                        • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                        • Instruction Fuzzy Hash: 9721D191B1CD0A95FB148706D8826F96322EF50BA4FD890F7D50E025BAEF2DE15AC740
                                                        APIs
                                                          • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                          • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                          • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                        • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                          • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                        • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                        • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                        • String ID: MRDH$SideCarLut
                                                        • API String ID: 916663099-3852011117
                                                        • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                        • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                        • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                        • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                        • Instruction ID: c7e3076441060abd28b34c14d5d5f0a870f5fb0dd17df1407973e6eb154555e9
                                                        • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                        • Instruction Fuzzy Hash: C0617C2270CE46C5EB648B1AD5913BD6761EB81FA8F9484B7CA4E837B9DF2DD446C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 1428583292-1866435925
                                                        • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                        • Instruction ID: adb11612a8637f833b5c219cd8f0aea8bc833d5c70c5164132582bea7311f73f
                                                        • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                        • Instruction Fuzzy Hash: C3715972709E8295EB508F26E0802F933A0FB54F98F9440B3EA4D47A6ADF3DD5A5C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                        • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                        • API String ID: 1852475696-928371585
                                                        • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                        • Instruction ID: bf3c5928af7a4f54e96b48b622f0f3e575d0c6bfc1b8b3c3d21e3a7c1f9013cd
                                                        • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                        • Instruction Fuzzy Hash: 6351BFA2B09E4692EE20EB66E4902B9A3A0FF44FA4F4444F3DA5D43675DF3CE525C301
                                                        APIs
                                                        • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE1A5098D3
                                                        • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A4FC678), ref: 00007FFE1A5098E4
                                                        • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE1A509927
                                                        • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A4FC678), ref: 00007FFE1A509938
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                        • Instruction ID: f185d2e934e219c81f425477d39a6d8eafbd3013ace4a273aefba2455115eb7e
                                                        • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                        • Instruction Fuzzy Hash: 86616C22B0CE4595EB648B1AD5913BD6761EF82FA8F4480B7CA4E873B9DF2DD446C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memchrtolower$_errnoisspace
                                                        • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                        • API String ID: 3508154992-4256519037
                                                        • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                        • Instruction ID: 55b67a268b47a40e9cb9af302d2d6c1ab4674c6710464f04a596c9b8d5b9076f
                                                        • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                        • Instruction Fuzzy Hash: 10511A16B0CE8649E7618E2AA8103F97691AF45F75F0850F7DD8D827A5DF3CD8528710
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                        • Instruction ID: 4c2a884909a4699d672ae8fcb0739d3ea22c159514e9ee0913769615e279b6d5
                                                        • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                        • Instruction Fuzzy Hash: 55518C62B08E4981EB50CB1AD4C42B96361FB44FA8F9445B3DA5E837B9DF3CE856C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$Name::operator+=
                                                        • String ID: {for
                                                        • API String ID: 179159573-864106941
                                                        • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                        • Instruction ID: 9842e773e3412af4cf65e0198cabaf7c1106b0f0c0d1e2616a1ce861183a0ec5
                                                        • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                        • Instruction Fuzzy Hash: 08515BB2B08A85A9E711AF26C4413FC77A1EB44B68F4480F2EA5C47BA9DF7CD560C340
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456931
                                                        • GetLastError.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45693F
                                                        • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456958
                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45696A
                                                        • FreeLibrary.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569B0
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                        • String ID: api-ms-
                                                        • API String ID: 916704608-2084034818
                                                        • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                        • Instruction ID: 9efc9f075a334c014589cfccaaa18e5d51a6d937fe9a4bc18af7f42151a37550
                                                        • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                        • Instruction Fuzzy Hash: 9131AF61B1AF8291EE11AB07A8001B5A2A4BF48FB0F5945B7DD2D4B7A4EF3CE164C700
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4F1309
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4F1326
                                                        • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4F134B
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4F1368
                                                          • Part of subcall function 00007FFE1A4C4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D72
                                                          • Part of subcall function 00007FFE1A4C4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D98
                                                          • Part of subcall function 00007FFE1A4C4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4DB0
                                                        Strings
                                                        • :AM:am:PM:pm, xrefs: 00007FFE1A4F1392
                                                        • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE1A4F1331
                                                        • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE1A4F1373
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                        • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                        • API String ID: 1539549574-35662545
                                                        • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                        • Instruction ID: 3fa63ba6c95eb9db1bad7d7f25bd412ed0ee1f35ed0d9729641120df169ca45f
                                                        • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                        • Instruction Fuzzy Hash: D3214F26B08F4182EB10DF26E4442B973A1EB99FA4F8441B6DA4D47766EF38E595C340
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4D6A5E
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4D6A7B
                                                        • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4D6A9B
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4D6AB8
                                                          • Part of subcall function 00007FFE1A4C4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4DF9
                                                          • Part of subcall function 00007FFE1A4C4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E28
                                                          • Part of subcall function 00007FFE1A4C4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E3F
                                                        Strings
                                                        • :AM:am:PM:pm, xrefs: 00007FFE1A4D6AD4
                                                        • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE1A4D6A86
                                                        • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE1A4D6AC3
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                        • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                        • API String ID: 1539549574-3743323925
                                                        • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                        • Instruction ID: 5a5546cdf04bcf86244cedfceeb65f63d6657f8e32a2c31d8b4d8b72d5ffcb0a
                                                        • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                        • Instruction Fuzzy Hash: 08212D22A08F4182E711DF22E454279B3B1FB99FA4F4441B6D64E42766DF7CE594C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abort$AdjustPointer
                                                        • String ID:
                                                        • API String ID: 1501936508-0
                                                        • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                        • Instruction ID: 642b842a912d40fdf9c2c957ef8f5295bb4b61aa26bc49168820bcaec06eb6e7
                                                        • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                        • Instruction Fuzzy Hash: 4B5190A1F09E4382FA69AB57944427867A4AF44FB4F0985F7EA4E073A4DF3CE4618300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abort$AdjustPointer
                                                        • String ID:
                                                        • API String ID: 1501936508-0
                                                        • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                        • Instruction ID: 6d06171c758477a8a6816760c24ef9a9f669ee0236d58f4a38a19748238d5f76
                                                        • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                        • Instruction Fuzzy Hash: 1A518FE2B09F4282EA65EB17954463863A4AF54FA4F0544F7EA4E077B4DF3CE861C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                        • String ID:
                                                        • API String ID: 578106097-0
                                                        • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                        • Instruction ID: c68b9727c09b46ff4c47cc5783bff8595a959d837d66d630beb301b2b2612d0f
                                                        • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                        • Instruction Fuzzy Hash: 7D610326B0CD4282EB119E6AE4401FE7720FF95B65F5015B3EE4E576A6DE3CE4168B00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                        • String ID:
                                                        • API String ID: 578106097-0
                                                        • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                        • Instruction ID: fe447a4db6f71d4c2a86c14ae93eaa31660ae4d19f939966dee41e68b15ee8bc
                                                        • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                        • Instruction Fuzzy Hash: 10611426F1CD4282E611DE1BE4805FE7320FB84B66F5025F3EA4D936A6DE3CD41A8700
                                                        APIs
                                                          • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                          • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                          • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                        • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                        • memmove.VCRUNTIME140 ref: 000000014000C427
                                                          • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                          • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                        • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                        • API String ID: 1084872782-103080910
                                                        • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                        • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                        • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                        • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: FileHeader_local_unwind
                                                        • String ID: MOC$RCC$csm$csm
                                                        • API String ID: 2627209546-1441736206
                                                        • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                        • Instruction ID: 4bff93c56a7fd6fe365e17166ff9465f2d531dbb32de18e5b9e6cae2f04be60b
                                                        • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                        • Instruction Fuzzy Hash: 455180B2B09A4186EA60BF36900037966A0FF44FB4F5410F3DA4D833A5DF3CE4618A82
                                                        APIs
                                                        • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                        • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                        • String ID:
                                                        • API String ID: 1492985063-0
                                                        • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                        • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                        • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                        • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                        APIs
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBB38
                                                        • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBB48
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBB5D
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBB91
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBB9B
                                                        • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBBAB
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBBBB
                                                          • Part of subcall function 00007FFE1A5125AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5AF8), ref: 00007FFE1A5125C6
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                        • String ID:
                                                        • API String ID: 2538139528-0
                                                        • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                        • Instruction ID: cb153146fe1096ba6f7237d29bade290871ebf19f16408874df9d4b29d65822d
                                                        • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                        • Instruction Fuzzy Hash: 0341A062B0CA8191EB049B67A4442BDA312FB44FE4F9445B2EE5D0BBAEDE7CD052D340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2924853686-1866435925
                                                        • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                        • Instruction ID: 89bf5664e5fcb9ea07e89c5fac046e85c5c024cc6fbec4a473c79ab4e5fac991
                                                        • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                        • Instruction Fuzzy Hash: 7A417B72B18F4686EB548F26E4403B923A0FB24FA8F4441B2DA4C4B669DF3CD5A5C780
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$xtime_get
                                                        • String ID:
                                                        • API String ID: 1104475336-0
                                                        • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                        • Instruction ID: 2733562f6397b56846aab064a6ca662f709f2a14ea544b105c6a1e6dbc06a775
                                                        • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                        • Instruction Fuzzy Hash: 6A411A32B08E4686EA618B27E44023973A1EB55F64F5480F7DB8E426B4DF3DF895C701
                                                        APIs
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE1A4E3B56
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4E3BCF
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4E3BE5
                                                        • _Getvals.LIBCPMT ref: 00007FFE1A4E3C8A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                        • String ID: false$true
                                                        • API String ID: 2626534690-2658103896
                                                        • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                        • Instruction ID: c9e2550f6d8924d5448ae0f2433ca11244111f87e5327b9647cb156fa140a53c
                                                        • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                        • Instruction Fuzzy Hash: 3E417B26B08E919AF711CF75E4001ED33B1FB98B58B405266EE4D27A69EF38D566C340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: NameName::atol
                                                        • String ID: `template-parameter$void
                                                        • API String ID: 2130343216-4057429177
                                                        • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                        • Instruction ID: f85b8549f5f1985b488acaa23aca29926417e0d0263a1e5a1928cf8fb42e78bc
                                                        • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                        • Instruction Fuzzy Hash: 18415A62F08F4688FB04EBA6D8512FC2371BF08BA4F5401B6CE5D17A65DF38946AC340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                        • API String ID: 2943138195-2211150622
                                                        • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                        • Instruction ID: c22a252683084e3a78dcfab078d5ef6a1db550ae4a7256e82204d7d60a5a2148
                                                        • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                        • Instruction Fuzzy Hash: 594136B2F08F8688FB029B26D8402BC77B0BB08B58F5441B2DA5D53364DF3CA5A5C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: char $int $long $short $unsigned
                                                        • API String ID: 2943138195-3894466517
                                                        • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                        • Instruction ID: ab7eec8e7cedd0bc971dd47ea2ea2625ab5d47f9e626b2c2f00abce42a1f2c98
                                                        • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                        • Instruction Fuzzy Hash: B34168B2F18B5689EB159F6AD8481BC37B1BB09B68F4481B3CA0C57B78DF389564C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                        • String ID:
                                                        • API String ID: 3009415009-0
                                                        • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                        • Instruction ID: 8cec56f71e4de8686837fc0c648ab055df71ef11f5d499a40f6b0e8fec4efc96
                                                        • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                        • Instruction Fuzzy Hash: 45E16D22B09F8585EB10CBB6D4402BC2371BB49FA8F9441A6DE5D27BA9DF3CD45AC304
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Dunscale$_errno
                                                        • String ID:
                                                        • API String ID: 2900277114-0
                                                        • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                        • Instruction ID: b5d2dc97836bc0f578425b8fb346db85385094ff71ee261bf5cf6f965c88ffa8
                                                        • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                        • Instruction Fuzzy Hash: 9EA1D432B08A469AEB109F2BC5800FC6351FFD5B76F5462F2EB49125A5EF38B5B58700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Dunscale$_errno
                                                        • String ID:
                                                        • API String ID: 2900277114-0
                                                        • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                        • Instruction ID: 12d40ec79fff15f67d7243430cf42a745d2f5b6b7b451b7ed8aed4c450e20c5f
                                                        • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                        • Instruction Fuzzy Hash: EAA1A827F18E5A86F712DE3A84401FD1361FF55BA6F5062F7E64A1A565EF38A0B28300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                        • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                        • API String ID: 100741404-1215215629
                                                        • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                        • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                        • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                        • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: fgetc
                                                        • String ID:
                                                        • API String ID: 2807381905-0
                                                        • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                        • Instruction ID: 4a12c1692a8af37170b378aa55b8d0cc2ff53caf585a02b8fc7af49e9ef99136
                                                        • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                        • Instruction Fuzzy Hash: D9912B76709E4198EB508F36C4942BC33A1FB55FA8F9512B2EA4D87BA9DF39D454C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                        • String ID:
                                                        • API String ID: 3490103321-0
                                                        • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                        • Instruction ID: 96e381484e9ff05fd333e38d2bbfa91ca03ea12f3d089ba41ac288d3acb3d54e
                                                        • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                        • Instruction Fuzzy Hash: A3613A22F1CE4286E711DE5AE4805FE6310FB86B66F5060F3EE4D57AA9DE3CD8168700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                        • String ID:
                                                        • API String ID: 3490103321-0
                                                        • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                        • Instruction ID: b690bc5ace050a8d9c512a70942649a8fc402010fd9cd92406c8b2b25eb70529
                                                        • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                        • Instruction Fuzzy Hash: 76611422B1CD4286E711DE5BE4401FE6720FF96B65F5011B3EE4D176A5DE3CE81A8700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1775671525-0
                                                        • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                        • Instruction ID: 4b2ca548f38852007f40dbdd00a596eaf253a0be78c3cdb93e3a522d0d6be5a9
                                                        • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                        • Instruction Fuzzy Hash: 0741D266718A45A1EF149B17A4042B9A351FB04FF0F944AB2DE6D47BEBEE7CE051C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateInformation
                                                        • String ID:
                                                        • API String ID: 1240749428-0
                                                        • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                        • Instruction ID: 38a7190b49cc630d8fc36dc4967a8b030862e98422a970c8d458648fda31ead6
                                                        • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                        • Instruction Fuzzy Hash: D841A232F08A418AF760CF76A8507B933A1AB48BBCF455776ED1C03AA8DF38D5958740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                        • String ID:
                                                        • API String ID: 3741236498-0
                                                        • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                        • Instruction ID: 48b66aaf2916ad99ba7d7c3e519d6005a89472b45c0c69aa8ded052bad530d61
                                                        • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                        • Instruction Fuzzy Hash: 5931C461B19F9181EB11AB27E804579A3A4FF08FE4B5945F6DE2D433A0EE3DD462C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                        • String ID:
                                                        • API String ID: 2153537742-0
                                                        • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                        • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                        • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                        • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                        APIs
                                                        • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C2F59
                                                        • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C2F6B
                                                        • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C2F7A
                                                        • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C2FE0
                                                        • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C2FEE
                                                        • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE1A4C5F96), ref: 00007FFE1A4C3001
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                        • String ID:
                                                        • API String ID: 490008815-0
                                                        • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                        • Instruction ID: 172168abb6deefdfeb68d9d9b94ecf21ca4cda4798c52cea93fa66cf4ad19e2e
                                                        • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                        • Instruction Fuzzy Hash: 6A212C22E18F8583E7018F39D5052787360FBA9F5CF59A2A5CE8C16226EF79E5E5C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle$FileUnmapView
                                                        • String ID:
                                                        • API String ID: 260491571-0
                                                        • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                        • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                        • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                        • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abort$CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2889003569-2084237596
                                                        • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                        • Instruction ID: e6ea8166ce1a269e67d5f5a9ff2da1a762e861be9e7c81596e1e14aef120ebb0
                                                        • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                        • Instruction Fuzzy Hash: AA91A2B3B08B818AE710DB66E4902BD7BA0F744B98F1441A6EF8D17765DF38E1A5C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                        • API String ID: 2943138195-757766384
                                                        • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                        • Instruction ID: f4d7375158b3fc1cf319c244564212f4ac27a0ac0a577c98ebed872f8e82aa37
                                                        • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                        • Instruction Fuzzy Hash: 1B715DB1B08E4294EB14AF16D9401BC66B0BB05BA4F4485FBDA5D47AB8EF3CE175CB00
                                                        APIs
                                                        • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                          • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                          • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                        • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                        • API String ID: 3207467095-2931640462
                                                        • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                        • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                        • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                        • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abort$CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2889003569-2084237596
                                                        • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                        • Instruction ID: 8141f7a08248614ccb6f765a2cdc714d694623d21637336d0a2bdc5609fc6457
                                                        • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                        • Instruction Fuzzy Hash: 48613AB7A08B858AE718DF66D4803BD77A0FB44B98F1441A6EE4D13B68DF38E065C700
                                                        APIs
                                                        • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4FB212), ref: 00007FFE1A4FBBFE
                                                        • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4FB212), ref: 00007FFE1A4FBC0F
                                                        • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4FB212), ref: 00007FFE1A4FBC76
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: iswspace$iswxdigit
                                                        • String ID: (
                                                        • API String ID: 3812816871-3887548279
                                                        • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                        • Instruction ID: 88b1e8bdabcdc0df7d091a33e1d0901bd7bb5bf44816e990a3ae828cdac258cc
                                                        • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                        • Instruction Fuzzy Hash: D351C916F04953C9FB145B6B95002F976A1EF21FA6F5890B7DE480A0A4EF3DDC52C211
                                                        APIs
                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4F9122), ref: 00007FFE1A4F9CFA
                                                        • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4F9122), ref: 00007FFE1A4F9D0B
                                                        • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4F9122), ref: 00007FFE1A4F9D64
                                                        • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4F9122), ref: 00007FFE1A4F9E14
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: isspace$isalnumisxdigit
                                                        • String ID: (
                                                        • API String ID: 3355161242-3887548279
                                                        • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                        • Instruction ID: 21d6cad7bd4c90d8de381c63b21f142aa1dd893509b9591994a05f63ed336dbb
                                                        • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                        • Instruction Fuzzy Hash: 5141E61AF0C98256FB714F3AA5103F57F929F21F95F18A0F2CA8C471ABDE1EA8158711
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE1A4DA22C), ref: 00007FFE1A4E3A25
                                                          • Part of subcall function 00007FFE1A4CB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7BF
                                                          • Part of subcall function 00007FFE1A4CB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7DB
                                                        • _Getvals.LIBCPMT ref: 00007FFE1A4E3A61
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                        • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                        • API String ID: 3848194746-3573081731
                                                        • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                        • Instruction ID: 720edd59d6d92d69d0d73ac1c162174bc6bfc8815a40dd848c63a7730c89a480
                                                        • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                        • Instruction Fuzzy Hash: DE418B72B08B8197E725CB22D58057D7BA0FB85BA170542B6DB8943A21DBBCF5B2C700
                                                        APIs
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE1A4E3CE2
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4E3D5B
                                                        • _Maklocstr.LIBCPMT ref: 00007FFE1A4E3D71
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                        • String ID: false$true
                                                        • API String ID: 309754672-2658103896
                                                        • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                        • Instruction ID: 9f112aadb9947dbe666e80d008141381b07328cb95ccdaec37b93b7eb663f6d0
                                                        • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                        • Instruction Fuzzy Hash: 87416622B18F519AE700CF75E4401FD33B1FB98B58B405166EE4D27A29EF38D5A5C384
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                        • Instruction ID: b6ab5eaa855ff627184972ec9fb49573b39b03da9eea77985c775b5758d6e053
                                                        • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                        • Instruction Fuzzy Hash: 4921B062B08E4692FB119B26E5413B96361FB50BA4F9440F3D64D47ABAEF3CE0A5C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2003779279-1866435925
                                                        • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                        • Instruction ID: bafae672e8a08bb536f000910cb9858b6f504d27c4dcd785b1a33b558f0ce680
                                                        • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                        • Instruction Fuzzy Hash: 0DF0A261B1890A95FB15CB06D4816F92362EB50B68FD444F3D10D065BADF3DE557C740
                                                        APIs
                                                        • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                        • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                        • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                        • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                        • String ID:
                                                        • API String ID: 3275830057-0
                                                        • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                        • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                        • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                        • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: fgetwc
                                                        • String ID:
                                                        • API String ID: 2948136663-0
                                                        • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                        • Instruction ID: e2e7bf25441f623d52447d37a0312e89360a72c30559e30b5f5cf7d278be513c
                                                        • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                        • Instruction Fuzzy Hash: 90811872709E81C8DB208F66C0902FC33A1EB68FA8F5555B7EA4E47AA9DF39D554C310
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2665656946-0
                                                        • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                        • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                        • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                        • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                        APIs
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CB9D3
                                                        • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CB9E1
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBA1A
                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBA24
                                                        • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE1A4F1347), ref: 00007FFE1A4CBA32
                                                          • Part of subcall function 00007FFE1A5125AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5AF8), ref: 00007FFE1A5125C6
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                        • String ID:
                                                        • API String ID: 3375828981-0
                                                        • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                        • Instruction ID: 2a4435b57de4b998d01ae8893d59fa5e46374ae7fdbfc24dc33cda8313b9bf44
                                                        • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                        • Instruction Fuzzy Hash: AA31E762B0CE8281EF149F17A5043BEA352EB05FE0F5445B2DE5D0B7AADE7CE0529300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: NameName::$Name::operator+
                                                        • String ID:
                                                        • API String ID: 826178784-0
                                                        • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                        • Instruction ID: 481c71f12d8dc657a2eb355d85b103667f52c7a1ab074373772cce4ab92c22e3
                                                        • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                        • Instruction Fuzzy Hash: CF4147A2B18F5699EB10EF22D8841B833B4BB15FA4B5444F3EA5D533A5DF38E865C300
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4D2160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE1A4C4C3E,?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4D216F
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4C47
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4C5B
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4C6F
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4C83
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4C97
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5B5B), ref: 00007FFE1A4C4CAB
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: free$setlocale
                                                        • String ID:
                                                        • API String ID: 294139027-0
                                                        • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                        • Instruction ID: d147d1042b206038db837e3caaa69cd61aa6d7550861d43785d9bc2cbbefaf72
                                                        • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                        • Instruction Fuzzy Hash: 3C110C22B0AE0581FB599F62D0A933923A1EF45F29F1801B6C90E0A169CF7DD8E4D380
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func$abortfputcfputs
                                                        • String ID:
                                                        • API String ID: 2697642930-0
                                                        • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                        • Instruction ID: 87f7b81ff49ed038bb2ce53b177345ae88e009b8ea4fdb1300a0b50184739d58
                                                        • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                        • Instruction Fuzzy Hash: 2DE0B6A4B1CA4686E6086B73BC5933462279F5AF6AF2900FAC90F46774DE3D54884211
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                        • String ID: %.0Lf$0123456789-
                                                        • API String ID: 4032823789-3094241602
                                                        • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                        • Instruction ID: f4dedbfb7decc23abb49c34ab8b6dc745726ad6d1c35672845e69a176b2971be
                                                        • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                        • Instruction Fuzzy Hash: B8716762B09B5589EB00CFA6D4502BC2371EB49FA8F4041B7DE4D57BA9DE3CD45AC384
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                        • String ID: 0123456789-
                                                        • API String ID: 2457263114-3850129594
                                                        • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                        • Instruction ID: c73384a0fd8989f9bf16438945b54f86cc2a82f3d96d010019ee8722fd16661b
                                                        • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                        • Instruction Fuzzy Hash: EB716C22B09F8589EB00CBBAD4502FC7771AB59BA8F4415B6DE4D17BA9CE38D45AC310
                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID: gfffffff$gfffffff
                                                        • API String ID: 3668304517-161084747
                                                        • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                        • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                        • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                        • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                        • String ID: %.0Lf
                                                        • API String ID: 1248405305-1402515088
                                                        • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                        • Instruction ID: dc6797583444e7e5d788277f5b4cefbb444e09f5aaa9b8fd41aa6d4add932d38
                                                        • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                        • Instruction Fuzzy Hash: 0461A322B08F8185EB01CB7AE4402FD6771EB55BA8F4451B6EE4D67B69DE3CD055C340
                                                        APIs
                                                          • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4541C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abort
                                                        • String ID: $csm$csm
                                                        • API String ID: 4206212132-1512788406
                                                        • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                        • Instruction ID: ec594808b087c04fd1a0d2c26028ba867c211003b764cc75c8273e96fe0df898
                                                        • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                        • Instruction Fuzzy Hash: 9371D3B2B08A9186D7249F22944477D7BA1FB04FE8F1481B6EF4C4BAA6CB3CD461C741
                                                        APIs
                                                          • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                        • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F13
                                                        • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A453F23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                        • String ID: csm$csm
                                                        • API String ID: 4108983575-3733052814
                                                        • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                        • Instruction ID: e9fd3555d480e4ebadda4588c98b609b91d73cdf49de688a137fe66b11dbd346
                                                        • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                        • Instruction Fuzzy Hash: E1515CB2B08A8286EA64AB57945427876E0FB44FA5F1441B7DB8D47AE5CF3CF860C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Exception$RaiseThrowabort
                                                        • String ID: csm
                                                        • API String ID: 3758033050-1018135373
                                                        • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                        • Instruction ID: a49b6c8661d59d0f0a6cd5c9558830fb926a51098f9df95bf116e11a9398cf06
                                                        • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                        • Instruction Fuzzy Hash: B1518E22A08F8586EB11DF29C4502BC33A0FB68FA8F559366DA5D037A6DF78E5D5C300
                                                        APIs
                                                        • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE1A4CF8D4
                                                        • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE1A4CF8E6
                                                        • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE1A4CF96B
                                                          • Part of subcall function 00007FFE1A4C4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D72
                                                          • Part of subcall function 00007FFE1A4C4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D98
                                                          • Part of subcall function 00007FFE1A4C4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4DB0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: setlocale$freemallocmemcpy
                                                        • String ID: bad locale name
                                                        • API String ID: 1663771476-1405518554
                                                        • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                        • Instruction ID: 027158ac6ebbd86986d5ef77407c0e9fec924fd38458390dd43be0f44676ab79
                                                        • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                        • Instruction Fuzzy Hash: C331C422F0CF4251FF548B1BA44017A6262AF45FA0F9880F7DA5E477A9DF3CE5918340
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE1A4F2278), ref: 00007FFE1A4F434D
                                                          • Part of subcall function 00007FFE1A4CB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7BF
                                                          • Part of subcall function 00007FFE1A4CB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7DB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                        • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                        • API String ID: 3376215315-3573081731
                                                        • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                        • Instruction ID: db15cd4a26c302634e7407c23bcd99fadb10fe90154f9d7ac14b119f9ddc5ac2
                                                        • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                        • Instruction Fuzzy Hash: 8841B172B08F8197E724CF2A91801BD7BA0FB45BA271451B6CB4953E22DF38E572CB00
                                                        APIs
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE1A4DA07C), ref: 00007FFE1A4E38E1
                                                          • Part of subcall function 00007FFE1A4CB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7BF
                                                          • Part of subcall function 00007FFE1A4CB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4F1347,?,?,?,?,?,?,?,?,?,00007FFE1A4F243E), ref: 00007FFE1A4CB7DB
                                                          • Part of subcall function 00007FFE1A4D67B0: _Maklocstr.LIBCPMT ref: 00007FFE1A4D67E0
                                                          • Part of subcall function 00007FFE1A4D67B0: _Maklocstr.LIBCPMT ref: 00007FFE1A4D67FF
                                                          • Part of subcall function 00007FFE1A4D67B0: _Maklocstr.LIBCPMT ref: 00007FFE1A4D681E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                        • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                        • API String ID: 2904694926-3573081731
                                                        • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                        • Instruction ID: c1678c5050b5a1120f0bbb5ff98da1a5729424aa015d90c4878cc8afeb3d10b3
                                                        • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                        • Instruction Fuzzy Hash: 1741BF72B08B8197E721CB22D18017D7BA1FB85B91B0441B6CB8943A21DB7CF972CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: NameName::
                                                        • String ID: %lf
                                                        • API String ID: 1333004437-2891890143
                                                        • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                        • Instruction ID: 52a06e46274a47030e9f96064f132dc5cc12c5c0162778aa279589fb8ebc8a47
                                                        • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                        • Instruction Fuzzy Hash: 6F31B4B2B0CF8585EA60DB26A8502797370FB45F94F4481F3E9AE87265CF3CD5518740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: FileFindNext$wcscpy_s
                                                        • String ID: .
                                                        • API String ID: 544952861-248832578
                                                        • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                        • Instruction ID: e0305f212b24db530b2d4c7e834ba422ef414b85158ac18413f109f62fe28e50
                                                        • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                        • Instruction Fuzzy Hash: 1821ABA2B0CE8181FB709F26E80437963A1EB45FA4F8881F2DA8D476A8DF7CD455C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                        • String ID: ios_base::badbit set
                                                        • API String ID: 1099746521-3882152299
                                                        • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                        • Instruction ID: 39a0b9e4116e4601b97668be02139de40ee596834e52fefd5918590e8db9a2ab
                                                        • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                        • Instruction Fuzzy Hash: C101DF92B2CE0691FB188A17D4815B96212EB90FA4F94E0F7D50E02ABEDE3DF1168240
                                                        APIs
                                                          • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                        • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45243E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: abortterminate
                                                        • String ID: MOC$RCC$csm
                                                        • API String ID: 661698970-2671469338
                                                        • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                        • Instruction ID: 4707af12d9462f3d6f2484c01aa28e356b36a809efe0c17d0255c4ddf99349d1
                                                        • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                        • Instruction Fuzzy Hash: 86F03C76A18A4682EB506F66A1810797665EB48F64F1950F3E74807262CF3CD4B0CA41
                                                        APIs
                                                        • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A45E9F0
                                                          • Part of subcall function 00007FFE1A45EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45ECF0
                                                          • Part of subcall function 00007FFE1A45EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45E9F5), ref: 00007FFE1A45ED3F
                                                          • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                        • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45EA1A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                        • String ID: csm$f
                                                        • API String ID: 2451123448-629598281
                                                        • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                        • Instruction ID: b479b3da4346521d8074b59fb9537204e4fa657b5a33c0ea2cf2e72905c2445c
                                                        • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                        • Instruction Fuzzy Hash: 57E037A5F18B4181D7307B62B14117D66A5AF15F64F1480F6D64807656CE78D8B04641
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                        • Instruction ID: 996857dac50c7e8b3cf74c3128a7ebda37b01281f1425cd5fdf23e82d048d11c
                                                        • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                        • Instruction Fuzzy Hash: B4918EA6F08F5689FB119BA2D8403BC2BB0BB05B24F5440F7DA4D576A6DF3CA865C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+$NameName::
                                                        • String ID:
                                                        • API String ID: 168861036-0
                                                        • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                        • Instruction ID: b4e96470f146aab0293c23c966a862d76a51084b61ddae11b320a541f2fb1d8e
                                                        • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                        • Instruction Fuzzy Hash: 405169B2F18B5A89E711DF22E8447BC37A0BB44B68F5480B2DA5E477A5DF39E461C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                        • String ID:
                                                        • API String ID: 48703092-0
                                                        • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                        • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                        • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                        • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                        APIs
                                                        • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE1A4D67E5), ref: 00007FFE1A4D6EA1
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE1A4D67E5), ref: 00007FFE1A4D6EF2
                                                        • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE1A4D67E5), ref: 00007FFE1A4D6EFC
                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A4D6F3D
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1775671525-0
                                                        • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                        • Instruction ID: 8836223078e01bae05e35c908d3f72649ce2131fc0c12209ed4b736611ae3174
                                                        • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                        • Instruction Fuzzy Hash: 9A410162B28E4691EE14DB57E104179A355EB58FF4F5846B2EE6D0BBE8EE3CE051C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1775671525-0
                                                        • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                        • Instruction ID: cd56d3463ca8d9ece22644cc7cfdd14ba948d35532461ec71ce9fe41e8090418
                                                        • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                        • Instruction Fuzzy Hash: 0731D265B08A4291EF149F17A544279A295AF04FF4F9482B2DE7D47BFADE7CE051C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                        • String ID:
                                                        • API String ID: 2233944734-0
                                                        • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                        • Instruction ID: 92280e481de60ecbe798c775d34df3c1830261f9fae56f3217c56d2484a20c7b
                                                        • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                        • Instruction Fuzzy Hash: 6241C322B1CE8686E7519B2FD0411B96260AFC9F70F5492F3EA4D136B6EF3CF9158600
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                        • String ID:
                                                        • API String ID: 2234106055-0
                                                        • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                        • Instruction ID: 78e3afd66737e58cb549cd9acc9c8dbf7ae1f1533b00fb2af00c355a23baef8e
                                                        • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                        • Instruction Fuzzy Hash: 0231C222B0CB4186F7218B17A45027DAA91EB90FA5F9840F6DA8D077ADDE3CF555CB10
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                        • String ID:
                                                        • API String ID: 3857474680-0
                                                        • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                        • Instruction ID: 72bad7e98bd2a7ff6b9ac5cafe8fcb06aaed19de0d4d44d3a6f0cd0a34ba19b8
                                                        • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                        • Instruction Fuzzy Hash: 7D31E223B0CF4192F7114A17A450279A6A1EB90FA5F9840F6DA8D077ADDF3CF5A4C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875720799.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875763637.00007FFE1A461000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875787395.00007FFE1A462000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875818146.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 0000000A.00000002.1875843400.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID:
                                                        • API String ID: 2943138195-0
                                                        • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                        • Instruction ID: 8d907fbcc80c657dde9576ae18326677b863449b53272ee15ec5d3a58e6a5ca5
                                                        • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                        • Instruction Fuzzy Hash: 624164B2B08B858AEB01DF66D8413BC77B0BB44B68F5481A6DA8D57769DF3894A1C700
                                                        APIs
                                                        • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE1A4EE921), ref: 00007FFE1A4FAFB7
                                                        • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFE1A4EE921), ref: 00007FFE1A4FAFDB
                                                        • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE1A4EE921), ref: 00007FFE1A4FAFE8
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE1A4EE921), ref: 00007FFE1A4FB05B
                                                          • Part of subcall function 00007FFE1A4C2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A4C2E5A
                                                          • Part of subcall function 00007FFE1A4C2E30: LCMapStringEx.KERNEL32 ref: 00007FFE1A4C2E9E
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                        • String ID:
                                                        • API String ID: 2888714520-0
                                                        • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                        • Instruction ID: 12aceac05bd5019361feac014265deb575c47eb7ee891ae0a0c5ee1451ae542e
                                                        • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                        • Instruction Fuzzy Hash: 1621F761B09FD189D6209F17A40047AAA94FB46FF5F5882B2DE6D17BB5DF3CD4528300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _fsopen$fclosefseek
                                                        • String ID:
                                                        • API String ID: 410343947-0
                                                        • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                        • Instruction ID: 5721b5d2292fc9c29bd18badf30276b45aa280b953eb519d1f3be2767c930bb0
                                                        • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                        • Instruction Fuzzy Hash: B731DF21B28E4141EB68CB17A4446756293EF85FA9FC841F6CF0E837B8EE3CE8518300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: _wfsopen$fclosefseek
                                                        • String ID:
                                                        • API String ID: 1261181034-0
                                                        • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                        • Instruction ID: 3e3076b428d538d08653a4da45f5bff28a0bd8d830c2448a75e78d03c80930a6
                                                        • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                        • Instruction Fuzzy Hash: D231D921B19E4582FB68C717A4846752392EF95FA8F8D41F6CE0E437A4DE3CE8518740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                        • String ID:
                                                        • API String ID: 4174221723-0
                                                        • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                        • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                        • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                        • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                        APIs
                                                        • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE1A4F576B), ref: 00007FFE1A4FA604
                                                        • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE1A4F576B), ref: 00007FFE1A4FA60E
                                                          • Part of subcall function 00007FFE1A4C26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A4C2728
                                                          • Part of subcall function 00007FFE1A4C26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A4C274E
                                                          • Part of subcall function 00007FFE1A4C26E0: GetCPInfo.KERNEL32 ref: 00007FFE1A4C2792
                                                        • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE1A4F576B), ref: 00007FFE1A4FA631
                                                        • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE1A4F576B), ref: 00007FFE1A4FA66F
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                        • String ID:
                                                        • API String ID: 3421985146-0
                                                        • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                        • Instruction ID: f67570b4731a2ba82c764862a22c5aa51465935a6ae834583316aef8dfa83d78
                                                        • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                        • Instruction Fuzzy Hash: 58215031B08B8286EB108F2B9940079A7A5FB94FE5F5941B6DA9D577A5CF3CE8118700
                                                        APIs
                                                        • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                          • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                          • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000000A.00000002.1874986220.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875057323.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875079136.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875101395.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                        • Associated: 0000000A.00000002.1875123663.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                        • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                        • API String ID: 1351999747-1487749591
                                                        • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                        • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                        • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                        • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                        APIs
                                                        • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                        • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                        • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                        • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                        • String ID:
                                                        • API String ID: 3203701943-0
                                                        • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                        • Instruction ID: 521e695a8775bae7a3c89bb0a970a01c56bacf8ce42ac712b0bfa0a9ce113554
                                                        • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                        • Instruction Fuzzy Hash: BA0108A2F18F5186EB058F7AD800078B7A0FB59F99B18D276DA4E87720DB7CD0D28700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        • Associated: 0000000A.00000002.1875867777.00007FFE1A4C0000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875933718.00007FFE1A515000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1875966091.00007FFE1A516000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876007504.00007FFE1A543000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876033352.00007FFE1A544000.00000008.00000001.01000000.00000009.sdmp
                                                        • Associated: 0000000A.00000002.1876058918.00007FFE1A547000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffe1a4c0000_ImporterREDServer.jbxd
                                                        Similarity
                                                        • API ID: memmove$FormatFreeLocalMessage
                                                        • String ID: unknown error
                                                        • API String ID: 725469203-3078798498
                                                        • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                        • Instruction ID: bda2e4831a8f2f3988687b4896de2e67be78c6a6588acbad1d45cc300b40b8b1
                                                        • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                        • Instruction Fuzzy Hash: 86115122708B8581E7119B26E54037DB7A1F799FECF4441B6DA8C0B7AADF7CD5608740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: malloc
                                                        • String ID: MOC$RCC$csm
                                                        • API String ID: 2803490479-2671469338
                                                        • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                        • Instruction ID: fdb6ff86d9321b25718e4138230fa4d78f21e42abbbf57881e75c00d7c8a99eb
                                                        • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                        • Instruction Fuzzy Hash: 68018821F0890687EB646F17954417D6361EF49FA4FA840F3D60D077ADCE7CA461C606
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                        • String ID: 0123456789-
                                                        • API String ID: 4032823789-3850129594
                                                        • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                        • Instruction ID: c8fb3505e0678b2761f094394967a9343455c9a589f378e2adf1e33e26efd913
                                                        • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                        • Instruction Fuzzy Hash: 5F717E62B09B5589EB00CFA6E4502BC2371EB49FA8F4440B6DE4D17BA8DE7CD465C344
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                        • String ID: %.0Lf
                                                        • API String ID: 296878162-1402515088
                                                        • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                        • Instruction ID: a55e91816dfdbb815aef2ebb7851995156862d8e889f068fb948bd4eeaf8c1b9
                                                        • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                        • Instruction Fuzzy Hash: 77717D22B08F8585EB11CB76E4402BD73A2EB95BA8F0441B3EE4D67B69DE3CD055C344
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                        • String ID: %.0Lf
                                                        • API String ID: 296878162-1402515088
                                                        • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                        • Instruction ID: a0c9b0a3f6092bd044e96fa595932bfdf905041030251538165a26cdc2fc6786
                                                        • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                        • Instruction Fuzzy Hash: 9B718D22B08F8585EB11CB66E4402BD63B2EB95BA8F0441B2EE4D67B69EF3CD055C344
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: rand_s
                                                        • String ID: invalid random_device value
                                                        • API String ID: 863162693-3926945683
                                                        • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                        • Instruction ID: eb955c760b527bc777b2559ec708970d3e9ca6d2948691e7ec16e37f87796a7b
                                                        • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                        • Instruction Fuzzy Hash: F351F815F1CE4689F2538B3A84511FA7364BF16BE5F0057F3E61E665B6DF2DA0628200
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: abort$CreateFrameInfo
                                                        • String ID: csm
                                                        • API String ID: 2697087660-1018135373
                                                        • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                        • Instruction ID: e20f068562fb8a79c6376a3f11815f6f1b5ea2c11c22a2b7706f1c1482beb7f7
                                                        • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                        • Instruction Fuzzy Hash: 6E514FB6718B4186D620AB26E04127E77B5F788FA0F1415B6EB8D07B66CF38D461CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                        • String ID: !%x
                                                        • API String ID: 1195835417-1893981228
                                                        • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                        • Instruction ID: 09d25d98625eaeeabe2003aac87aa5dc65ac9f3d9c6be084cd4af2b83515e120
                                                        • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                        • Instruction Fuzzy Hash: 6441AE22F18A9198FB00CBAAD8407FC2771BB49BA8F4455B6DE4D67BA9DF3C9145C300
                                                        APIs
                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A4C3305
                                                          • Part of subcall function 00007FFE1A5125AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4C5AF8), ref: 00007FFE1A5125C6
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4C57FA,?,?,?,00007FFE1A4C4438), ref: 00007FFE1A4C32FE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                        • String ID: ios_base::failbit set
                                                        • API String ID: 1934640635-3924258884
                                                        • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                        • Instruction ID: 82204215ea671918998904abbe6e0f2bd0622dafadce70bc5b65a1c53b545898
                                                        • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                        • Instruction Fuzzy Hash: F9218721B09F8195DB60CB12A5402BAF294FB48FF4F9446B2EE9C43BA9EF3CD5558700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: Name::operator+
                                                        • String ID: void$void
                                                        • API String ID: 2943138195-3746155364
                                                        • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                        • Instruction ID: fdc32364626f0b2789df4b3192eb21c8d56db032a9ea0fa3e03a73e331164180
                                                        • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                        • Instruction Fuzzy Hash: BB3159A6F18E5598FB01DBA1E8410FC33B0BB49B58B4405B7DE4D53B69DF389164C750
                                                        APIs
                                                          • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                        • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                        • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                        • API String ID: 1654775311-1428855073
                                                        • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                        • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                        • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                        • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                        APIs
                                                        • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE1A4CC744), ref: 00007FFE1A4CF1D4
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B0
                                                          • Part of subcall function 00007FFE1A4FB090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0B8
                                                          • Part of subcall function 00007FFE1A4FB090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0C1
                                                          • Part of subcall function 00007FFE1A4FB090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE1A4C6093), ref: 00007FFE1A4FB0DD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                        • String ID: false$true
                                                        • API String ID: 2502581279-2658103896
                                                        • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                        • Instruction ID: c335c19dd41a40f447f67376e54217c69e1b3876748623c5102fac09ad6d0413
                                                        • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                        • Instruction Fuzzy Hash: C1216D66A08F8581E720DB26E4403B937A0FB99BA8F8445B3DA8C07369DF3CD565C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: FileHeader$ExceptionRaise
                                                        • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                        • API String ID: 3685223789-3176238549
                                                        • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                        • Instruction ID: 77a8a98164203b78b10b3da5ce8721de4c4edb34ad194b7efa84b1de598d03d5
                                                        • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                        • Instruction Fuzzy Hash: 49015EA1B29E4692EE40EB16E450178A360FF90FA4F4454F3D61E476B6EF6CD524C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        APIs
                                                        • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE1A4C633D
                                                          • Part of subcall function 00007FFE1A4C4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D72
                                                          • Part of subcall function 00007FFE1A4C4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D98
                                                          • Part of subcall function 00007FFE1A4C4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4DB0
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4C635A
                                                        Strings
                                                        • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE1A4C6365
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free$Getmonthsmallocmemcpy
                                                        • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                        APIs
                                                        • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE1A4C62CD
                                                          • Part of subcall function 00007FFE1A4C4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D72
                                                          • Part of subcall function 00007FFE1A4C4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4D98
                                                          • Part of subcall function 00007FFE1A4C4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE1A4D2124,?,?,?,00007FFE1A4C43DB,?,?,?,00007FFE1A4C5B31), ref: 00007FFE1A4C4DB0
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4C62EA
                                                        Strings
                                                        • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE1A4C62F5
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free$Getdaysmallocmemcpy
                                                        • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                        APIs
                                                        • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE1A4C6A3D
                                                          • Part of subcall function 00007FFE1A4C4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4DF9
                                                          • Part of subcall function 00007FFE1A4C4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E28
                                                          • Part of subcall function 00007FFE1A4C4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E3F
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4C6A5A
                                                        Strings
                                                        • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE1A4C6A65
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free$Getmonthsmallocmemcpy
                                                        • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                        APIs
                                                        • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE1A4C69ED
                                                          • Part of subcall function 00007FFE1A4C4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4DF9
                                                          • Part of subcall function 00007FFE1A4C4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E28
                                                          • Part of subcall function 00007FFE1A4C4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE1A4D6AB5,?,?,?,?,?,?,?,?,?,00007FFE1A4DA96E), ref: 00007FFE1A4C4E3F
                                                        • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4C6A0A
                                                        Strings
                                                        • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE1A4C6A15
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free$Getdaysmallocmemcpy
                                                        • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: ExceptionThrow
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875005466.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                        Similarity
                                                        • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A45674B
                                                        • SetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A4567D4
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875740679.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1875888736.00007FFE1A4C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE1A4C0000, based on PE: true
                                                        Similarity
                                                        • API ID: free