Windows Analysis Report
temp_error_logs.scr.exe

Overview

General Information

Sample name: temp_error_logs.scr.exe
Analysis ID: 1648207
MD5: 51a1010aa03722eae1fa2a8c55e80885
SHA1: c43a11071ca070c9d01298046eb44f8a1cf7d0a6
SHA256: 07162f49a860051f8f878b3e3824168d8e0ede5672d21ab3746a2ee5410c0bb3
Tags: exe, user-smica83

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • temp_error_logs.scr.exe (PID: 1796 cmdline: "C:\Users\user\Desktop\temp_error_logs.scr.exe" MD5: 51A1010AA03722EAE1FA2A8C55E80885)
    • WerFault.exe (PID: 2176 cmdline: C:\Windows\system32\WerFault.exe -u -p 1796 -s 708 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-25T16:44:04.866114+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | TCP

AV Detection

Source: temp_error_logs.scr.exe | Virustotal: Detection: 34%
Source: temp_error_logs.scr.exe | ReversingLabs: Detection: 33%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: unknown | HTTPS traffic detected: 185.114.247.104:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: temp_error_logs.scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 4x nop then push r12 | 0_2_00007FF73EF51E03
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49712 -> 185.114.247.104:443
Source: global traffic | HTTP traffic detected:
    GET /wp-content/plugins/fluentform/storage/framework/intext.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 1
    Host: autoservice-23.ru
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: autoservice-23.ru
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.3
    Date: Tue, 25 Mar 2025 15:44:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Vary: X-Forwarded-Proto,Accept-Encoding
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://autoservice-23.ru/wp-json/>; rel="https://api.w.org/"
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gmpg.org/xfn/11
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.w.org/
Source: temp_error_logs.scr.exe, 00000000.00000002.1222281582.0000013840F37000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1163063671.0000013840F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/comments/feed/
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/feed/
Source: temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F60000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222281582.0000013840F60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.php
Source: temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.phpM
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/wp-includes/css/classic-themes.min.css?ver=1
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/wp-includes/css/dist/block-library/style.min.css?ver=6.1.7
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru/wp-json/
Source: temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoservice-23.ru:443/wp-content/plugins/fluentform/storage/framework/intext.php
Source: temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF57F70 RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF59EF0
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF5A630
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF5B080
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF596F0
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF57D00
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF54F60
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1796 -s 708
Source: temp_error_logs.scr.exe | Static PE information: Number of sections : 11 > 10
Source: temp_error_logs.scr.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9972568469101124
Source: classification engine | Classification label: mal52.winEXE@2/5@1/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1796
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e4f18b9f-cae7-4505-aa49-a3ef386508b3
Source: temp_error_logs.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\temp_error_logs.scr.exe "C:\Users\user\Desktop\temp_error_logs.scr.exe"
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Section loaded: dpapi.dll
Source: temp_error_logs.scr.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: temp_error_logs.scr.exe | Static PE information: section name: .xdata
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | API coverage: 3.5 %
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe TID: 1016 | Thread sleep time: -30000s >= -30000s
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: temp_error_logs.scr.exe, 00000000.00000002.1222281582.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0;
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF59E20 LoadLibraryA, RtlQueueWorkItem, LdrLoadDll
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF66300 SetUnhandledExceptionFilter, __initenv
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Code function: 0_2_00007FF73EF51190 Sleep, Sleep, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, _initterm, GetStartupInfoA
Source: C:\Users\user\Desktop\temp_error_logs.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
ATT&CK matrix by tactic (a leading number marks a technique matched by that many signatures):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Software Packing; 1 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; 3 Ingress Tool Transfer; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior graph (ID 1648207, sample temp_error_logs.scr.exe, start date 25/03/2025, architecture WINDOWS, score 52): temp_error_logs.scr.exe started, contacted autoservice-23.ru (185.114.247.104, port 443 from local port 49712, TIMEWEB-ASRU, Russian Federation) and started WerFault.exe; signatures on the sample node: Multi AV Scanner detection for submitted file, Joe Sandbox ML detected suspicious sample.

Source | Detection | Scanner | Label
temp_error_logs.scr.exe | 34% | Virustotal |
temp_error_logs.scr.exe | 33% | ReversingLabs | Win64.Trojan.Sonbokli
No Antivirus matches
Source | Detection | Scanner | Label
https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.php | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/feed/ | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/ | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/comments/feed/ | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/wp-json/ | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/wp-includes/css/dist/block-library/style.min.css?ver=6.1.7 | 0% | Avira URL Cloud | safe
https://autoservice-23.ru:443/wp-content/plugins/fluentform/storage/framework/intext.php | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.phpM | 0% | Avira URL Cloud | safe
https://autoservice-23.ru/wp-includes/css/classic-themes.min.css?ver=1 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
autoservice-23.ru | 185.114.247.104 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.php | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://autoservice-23.ru:443/wp-content/plugins/fluentform/storage/framework/intext.php | temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.3.dr | false | | high
https://autoservice-23.ru/feed/ | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoservice-23.ru/wp-includes/css/classic-themes.min.css?ver=1 | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoservice-23.ru/wp-content/plugins/fluentform/storage/framework/intext.phpM | temp_error_logs.scr.exe, 00000000.00000002.1222217573.0000013840F13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoservice-23.ru/wp-json/ | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoservice-23.ru/wp-includes/css/dist/block-library/style.min.css?ver=6.1.7 | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoservice-23.ru/ | temp_error_logs.scr.exe, 00000000.00000002.1222281582.0000013840F37000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1163063671.0000013840F37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://gmpg.org/xfn/11 | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.w.org/ | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F7D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://autoservice-23.ru/comments/feed/ | temp_error_logs.scr.exe, 00000000.00000003.1162988527.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000003.1162972079.0000013840FD2000.00000004.00000020.00020000.00000000.sdmp, temp_error_logs.scr.exe, 00000000.00000002.1222395858.0000013840F8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.114.247.104 | autoservice-23.ru | Russian Federation | 9123 | TIMEWEB-ASRU | false
          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1648207
          Start date and time:2025-03-25 16:43:09 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 13s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:15
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:temp_error_logs.scr.exe
          Detection:MAL
          Classification:mal52.winEXE@2/5@1/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 4
          • Number of non-executed functions: 24
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.135.6, 184.31.69.3, 4.245.163.56
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:44:04 | API Interceptor | 1x Sleep call for process: temp_error_logs.scr.exe modified
11:44:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
          No context
          No context
Match: TIMEWEB-ASRU
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Payment Advice Note from 18.03.2025.docx | Get hash | malicious | Unknown | Browse | 188.225.72.170
Payment Advice Note from 18.03.2025.docx | Get hash | malicious | Unknown | Browse | 188.225.72.170
Nueva orden.xla.xlsx | Get hash | malicious | Unknown | Browse | 188.225.72.170
Nueva orden.xla.xlsx | Get hash | malicious | Unknown | Browse | 188.225.72.170
PO#450-146675.xla.xlsx | Get hash | malicious | Unknown | Browse | 188.225.72.170
PO 23-179, PO 23-181.xls | Get hash | malicious | Unknown | Browse | 188.225.72.170
Mawaris-RFQ.xls | Get hash | malicious | Unknown | Browse | 188.225.72.170
PO#450-146675.xla.xlsx | Get hash | malicious | Unknown | Browse | 188.225.72.170
PO 23-179, PO 23-181.xls | Get hash | malicious | Unknown | Browse | 188.225.72.170
BGL-17-2025, Packing List ... . 2073799 07 [S-29-40].xls | Get hash | malicious | Unknown | Browse | 188.225.72.170
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASIr1Bo2x9.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
ySTYvI9Pvk.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
6aOM10d2pR.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
Ec0AgD2t1q.exe | Get hash | malicious | DarkVision Rat | Browse | 185.114.247.104
750413b4e6897a671bc759e04597952a0be747830189873b.xlsm.1.ps1 | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
quotation_1.xlsx | Get hash | malicious | Unknown | Browse | 185.114.247.104
Untitled_20250325.docx.doc | Get hash | malicious | Unknown | Browse | 185.114.247.104
750413b4e6897a671bc759e04597952a0be747830189873b.bin.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
Qyk8RJnGN7.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
h2H2R15NDO.exe | Get hash | malicious | LummaC Stealer | Browse | 185.114.247.104
          No context
          Process:C:\Windows\System32\WerFault.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.9258917181282965
          Encrypted:false
          SSDEEP:96:1dJFGSL5s6hOA77fnBQXIDcQtc6vCHcECcw38+HbHg/5yuuzOqgOyjCD5Pkg9hiR:R95Zm0zLMIJjV3izuiF1Z24lO8H
          MD5:7EFA2BEA1B8EC806C778FB01AF836BAE
          SHA1:051E0C20FF1A44E95FC0E54546F2AC6364622FCE
          SHA-256:9F679BB4E3BD62D5758B369896EA7EE9E6987874895570AB4113A2D49E974029
          SHA-512:DE3EE220AB7F169623D012C1CB4F1C9E1F9D59D08877029DBBD1F7268C2E98FE7CC53E3125F440569C094414505321218385FD31BE26841D6DCE89A50E715E20
          Malicious:false
          Reputation:low
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.7.3.9.1.0.4.6.8.2.6.5.7.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.7.3.9.1.0.4.7.8.8.9.0.7.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.6.f.e.1.0.2.-.a.a.3.2.-.4.9.d.b.-.9.3.0.7.-.f.6.3.2.5.6.e.f.4.e.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.6.7.2.e.b.4.-.6.b.3.d.-.4.9.e.5.-.b.e.d.3.-.3.0.0.6.8.f.b.4.0.2.e.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.e.m.p._.e.r.r.o.r._.l.o.g.s...s.c.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.0.4.-.0.0.0.1.-.0.0.1.8.-.8.b.8.1.-.9.e.b.b.9.c.9.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.5.5.2.6.1.6.8.a.b.5.8.e.b.8.9.a.9.b.a.4.e.b.c.8.f.8.2.a.d.6.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.3.a.1.1.0.7.1.c.a.0.7.0.c.9.d.0.1.2.9.8.0.4.6.e.b.4.4.f.8.a.1.c.f.7.d.0.a.6.!.t.e.m.p._.e.r.r.o.r._.l.o.g.s...s.c.r...e.x.e.....T.a.r.g.e.t.A.
          Process:C:\Windows\System32\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):8824
          Entropy (8bit):3.7023186062917524
          Encrypted:false
          SSDEEP:192:R6l7wVeJ/5gxIPIQ6Y6UuXgmfgLc9pDt89bibqcfZ8jm:R6lXJxyIPIQ6Y5uXgmfgLcSib5fu6
          MD5:F6749ECD9D640B363572D63E80805730
          SHA1:54BEE9F06559264D804E4E7FC94F2C9439AF49D7
          SHA-256:43A69F2F1012EAB53D89195163FAA55934CBC452242930D2DB08BCC34B574D94
          SHA-512:80A43753A155B928275FCC33CB510283B4B451DA1D8BDFE6E69EFF2EED9717318DA1E1D60162BAAB742B8DBBD3DF923A9C9D37464EBE8E9F361E450FBB09FD42
          Malicious:false
          Reputation:low
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.9.6.<./.P.i.
          Process:C:\Windows\System32\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4704
          Entropy (8bit):4.453159334433156
          Encrypted:false
          SSDEEP:48:cvIwWl8zsJJg771I9KtWpW8VYEYm8M4J946FHyq85l/8sTN3d:uIjfbI7lc7VAJWQY8oN3d
          MD5:C0D0E18B265491D659C84FA256DC1AC0
          SHA1:9ADFEB315259A64B26B5764413957BB3E8190652
          SHA-256:396D18E217ACAED1619DCD45F0B291619AD017898077C93265E569C51A8194D4
          SHA-512:BF4FB64357829BCB35C50245A860621FF5F8B585489DC13FC1530BA6C6417D2213029C495E42AF716CA52639C5A95EF8FAE561DC33A08A95E5BDA4F48E6D968D
          Malicious:false
          Reputation:low
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="776566" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
          Process:C:\Windows\System32\WerFault.exe
          File Type:Mini DuMP crash report, 15 streams, Tue Mar 25 15:44:07 2025, 0x1205a4 type
          Category:dropped
          Size (bytes):143426
          Entropy (8bit):1.3750227114062652
          Encrypted:false
          SSDEEP:192:Or8+h1muhqRQEKO+B3dxo769vOUm+gEV/MCYtnNF6CAd8fTJVgk5hpatAJG0:1+h1FmQU+Btxo76pQHYvsNF6CqMrNNJ
          MD5:0A414479DDAA2AFD89871757B5548FBA
          SHA1:FE39B31CB783B689BA7ABE424BB90EF8DDED9F10
          SHA-256:B03D703148D5D3BFF71BC2E572161713C6BE6A8ED065020C6377B4750F64882D
          SHA-512:B8E103DB1701BA2D3E955C296B8C65E590A534FC71B11385F660D4AE721A8B7B6A9ECA099E603E06B9D20D74E19CD9B27806B346C8D982D546841CB49C5B26D1
          Malicious:false
          Reputation:low
          Preview:MDMP..a..... .......G..g....................................$................S..........`.......8...........T............8..z.......................................................................................................eJ......p.......Lw......................T...........B..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1835008
          Entropy (8bit):4.468831394625387
          Encrypted:false
          SSDEEP:6144:OIXfpi67eLPU9skLmb0b4jWSPKaJG8nAgejZMMhA2gX4WABlVuNNdwBCswSb7i:DXD94jWlLZMM6YFU/+7i
          MD5:FC0C1414C04B2A7DB043A9C051726650
          SHA1:C9E1E0831DA4BB2E3BE834404E981D666D95F0A9
          SHA-256:BD42EA8397BA4FC0787DDE9828C57CCF55DEA4DDE95D5C7F1DEB49893E5902C1
          SHA-512:A7AD3AC376F566847C351CD56FC479774451DF4203514A9A8F0D183C3B5D1EA64B71F87519A631738F32CCB2589BBC2BC11FE596FF8FDAD3FA57A7875789575B
          Malicious:false
          Reputation:low
          Preview:regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
          Entropy (8bit):7.444798509982794
          TrID:
          • Win64 Executable (generic) (12005/4) 74.95%
          • Generic Win/DOS Executable (2004/3) 12.51%
          • DOS Executable Generic (2002/1) 12.50%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
          File name:temp_error_logs.scr.exe
          File size:170'496 bytes
          MD5:51a1010aa03722eae1fa2a8c55e80885
          SHA1:c43a11071ca070c9d01298046eb44f8a1cf7d0a6
          SHA256:07162f49a860051f8f878b3e3824168d8e0ede5672d21ab3746a2ee5410c0bb3
          SHA512:2e095305a85009a9d27db558979ccf1242b08db15949b76a6e32378b8311ce0baea7ae74db01a3aac0d004c0ab937d47472de7a9f6ca6d2bf9a248ee8b8a714b
          SSDEEP:3072:RZAApTxg89HNH2XpykZOq78L/3GaT0pYQzO7zsCgxeD5zDR5:RDpn9tFkZ/0vGa4DzO/pgxeD5zV5
          TLSH:04F3C016F39362FCC523C47442AB7672BE32B86606204F7E63E8E7315E21E115B3DA59
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............&.......................@....................................d.....`... ............................
          Icon Hash:90cececece8e8eb0
          Entrypoint:0x1400014d0
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x140000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x67D3FC0A [Fri Mar 14 09:51:06 2025 UTC]
          TLS Callbacks:0x40001680, 0x1, 0x40001650, 0x1
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:2a7632ed785255ad126b2e8d95a9fa96
          Instruction
          dec eax
          sub esp, 28h
          dec eax
          mov eax, dword ptr [00011615h]
          mov dword ptr [eax], 00000001h
          call 00007F750CB66EEFh
          nop
          nop
          dec eax
          add esp, 28h
          ret
          nop dword ptr [eax]
          dec eax
          sub esp, 28h
          dec eax
          mov eax, dword ptr [000115F5h]
          mov dword ptr [eax], 00000000h
          call 00007F750CB66ECFh
          nop
          nop
          dec eax
          add esp, 28h
          ret
          nop dword ptr [eax]
          dec eax
          sub esp, 28h
          call 00007F750CB6D1B4h
          dec eax
          test eax, eax
          sete al
          movzx eax, al
          neg eax
          dec eax
          add esp, 28h
          ret
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          dec eax
          lea ecx, dword ptr [00000009h]
          jmp 00007F750CB67219h
          nop dword ptr [eax+00h]
          ret
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          dec ecx
          mov ebx, ecx
          ret
          dec ecx
          mov edx, ecx
          inc ecx
          mov eax, dword ptr [ebx+08h]
          inc ecx
          jmp dword ptr [ebx]
          ret
          nop
          dec eax
          sub esp, 28h
          dec eax
          mov eax, dword ptr [0000DAA5h]
          dec eax
          mov eax, dword ptr [eax]
          dec eax
          test eax, eax
          je 00007F750CB67264h
          nop dword ptr [eax+eax+00h]
          call eax
          dec eax
          mov eax, dword ptr [0000DA8Fh]
          dec eax
          lea edx, dword ptr [eax+08h]
          dec eax
          mov eax, dword ptr [eax+08h]
          dec eax
          mov dword ptr [0000DA80h], edx
          dec eax
          test eax, eax
          jne 00007F750CB67225h
          dec eax
          add esp, 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16000 | 0xa30 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x16340 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x13000 | 0x4a4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x30000 | 0x84 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x122e0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x162a8 | 0x258 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xd9c8 | 0xda00 | 261b402aec60a19230b87d056ade0159 | False | 0.5595792717889908 | data | 6.242509561498838 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x2a60 | 0x2c00 | a653e93d53c1b8b105b8358fc9f01cd2 | False | 0.20152698863636365 | data | 4.594133415958572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x12000 | 0xc90 | 0xe00 | c67563ba238553d3f6be5853b8a7d61a | False | 0.42940848214285715 | data | 4.63680692028798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x13000 | 0x4a4 | 0x600 | fe4887339b5be68f76e93d2cafad6c06 | False | 0.4225260416666667 | data | 3.7255521539049417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x14000 | 0x460 | 0x600 | 97e063e03464150ed3bef4069587c1f0 | False | 0.2994791666666667 | data | 3.589510160429754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x15000 | 0xb60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x16000 | 0xa30 | 0xc00 | 9762a552cd6b6f613713fad3bee27931 | False | 0.3014322916666667 | data | 3.775851499023205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x17000 | 0x68 | 0x200 | 7895f8a49816d49e5dfbf278995305f6 | False | 0.072265625 | data | 0.3406417195159507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x18000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19000 | 0x16340 | 0x16400 | bea343a54dabb53042b68171c2d74a32 | False | 0.9972568469101124 | data | 7.994057654667068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x30000 | 0x84 | 0x200 | aa7a02d4d0e2d78f411d76c773c2a134 | False | 0.251953125 | data | 1.5791638072144614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x19058 | 0x162e2 | data | English | United States | 0.9996147495872317
DLL | Import
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, ReadConsoleA, ReadConsoleInputW, ReadConsoleW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _cexit, _commode, _errno, _filelengthi64, _fileno, _fmode, _initterm, _localtime64, _lock, _mktime64, _onexit, _time64, _unlock, _utime64, _wfopen_s, _wfreopen_s, _wstat64, abort, calloc, exit, fclose, fflush, fgetpos, fprintf, fputc, fread, free, fsetpos, fwrite, localeconv, malloc, memcmp, memcpy, memset, realloc, remove, signal, strerror, strlen, strncmp, vfprintf, wcslen
SHELL32.dll | SHGetFolderPathW
Language of compilation system | Country where language is spoken
English | United States


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-25T16:44:04.866114+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | TCP
          • Total Packets: 15
          • 443 (HTTPS)
          • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 16:44:04.411334991 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.411376953 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:04.411477089 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.434096098 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.434129000 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:04.865977049 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:04.866113901 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.869659901 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.869678974 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:04.870037079 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:04.910397053 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.931905985 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.933309078 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:04.933381081 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985377073 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985404968 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985410929 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985419989 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985445976 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985471010 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:05.985486031 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985497952 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:05.985526085 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:05.985887051 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.985902071 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.986025095 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:05.986031055 CET | 443 | 49712 | 185.114.247.104 | 192.168.2.4
Mar 25, 2025 16:44:05.986092091 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Mar 25, 2025 16:44:05.987016916 CET | 49712 | 443 | 192.168.2.4 | 185.114.247.104
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 16:44:03.932454109 CET | 59160 | 53 | 192.168.2.4 | 1.1.1.1
Mar 25, 2025 16:44:04.404454947 CET | 53 | 59160 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 25, 2025 16:44:03.932454109 CET | 192.168.2.4 | 1.1.1.1 | 0x694a | Standard query (0) | autoservice-23.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 25, 2025 16:44:04.404454947 CET | 1.1.1.1 | 192.168.2.4 | 0x694a | No error (0) | autoservice-23.ru | | 185.114.247.104 | A (IP address) | IN (0x0001) | false
          • autoservice-23.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49712 | 185.114.247.104 | 443 | 1796 | C:\Users\user\Desktop\temp_error_logs.scr.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-25 15:44:04 UTC | 312 | OUT | GET /wp-content/plugins/fluentform/storage/framework/intext.php HTTP/1.1
          Cache-Control: no-cache
          Connection: Keep-Alive
          Pragma: no-cache
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
          Content-Length: 1
          Host: autoservice-23.ru
2025-03-25 15:44:04 UTC | 1 | OUT | Data Raw: 00
          Data Ascii:
2025-03-25 15:44:05 UTC | 399 | IN | HTTP/1.1 404 Not Found
          Server: nginx/1.26.3
          Date: Tue, 25 Mar 2025 15:44:05 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: close
          Vary: Accept-Encoding
          Vary: X-Forwarded-Proto,Accept-Encoding
          Expires: Wed, 11 Jan 1984 05:00:00 GMT
          Cache-Control: no-cache, must-revalidate, max-age=0
          Link: <https://autoservice-23.ru/wp-json/>; rel="https://api.w.org/"
2025-03-25 15:44:05 UTC | 15985 | IN | Data Raw: 62 33 64 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 2d 52 55 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 20 26 23 38 32 31 32 3b 20 d0 90 d0 b2 d1 82
          Data Ascii: b3dc<!doctype html><html lang="ru-RU"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title> &#8212;
2025-03-25 15:44:05 UTC | 16384 | IN | Data Raw: 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0a 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 6d 2e 27 2b 27 6a 73 3f 69 64 3d 27 2b 69 2b 64 6c 3b 66 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6a 2c 66 29 3b 0a 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 64 61 74 61 4c 61 79 65 72 27 2c 27 47 54 4d 2d 4b 53 51 44 32 37 4e 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61
          Data Ascii: ByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='//www.googletagmanager.com/gtm.'+'js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KSQD27N');</script>... End Google Tag Ma



          Target ID:0
          Start time:11:44:02
          Start date:25/03/2025
          Path:C:\Users\user\Desktop\temp_error_logs.scr.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\temp_error_logs.scr.exe"
          Imagebase:0x7ff73ef50000
          File size:170'496 bytes
          MD5 hash:51A1010AA03722EAE1FA2A8C55E80885
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:3
          Start time:11:44:06
          Start date:25/03/2025
          Path:C:\Windows\System32\WerFault.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\WerFault.exe -u -p 1796 -s 708
          Imagebase:0x7ff75b790000
          File size:570'736 bytes
          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Execution Graph

          Execution Coverage:1.3%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:16.9%
          Total number of Nodes:718
          Total number of Limit Nodes:1
execution_graph: interactive node/edge listing of the sample's control flow (function addresses in the 0x7ff73ef5xxxx range of temp_error_logs.scr.exe) not reproduced. API calls named on the graph nodes: memcpy, signal, strlen, malloc, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, Sleep, _onexit, WideCharToMultiByte, MultiByteToWideChar, IsDBCSLeadByteEx, _errno, ___mb_cur_max_func, ___lc_codepage_func, SHGetFolderPathW.
5832->5815 5833 7ff73ef588d0 4 API calls 5832->5833 5834 7ff73ef5905b 5833->5834 5834->5815 5835 7ff73ef588d0 4 API calls 5834->5835 5836 7ff73ef59078 5835->5836 5836->5815 5837 7ff73ef588d0 4 API calls 5836->5837 5838 7ff73ef59095 5837->5838 5838->5815 5839 7ff73ef588d0 4 API calls 5838->5839 5840 7ff73ef590ae 5839->5840 5840->5815 5841 7ff73ef588d0 4 API calls 5840->5841 5842 7ff73ef590c8 5841->5842 5842->5815 5843 7ff73ef588d0 4 API calls 5842->5843 5844 7ff73ef590e2 5843->5844 5844->5815 5845 7ff73ef588d0 4 API calls 5844->5845 5846 7ff73ef590fc 5845->5846 5846->5815 5847 7ff73ef588d0 4 API calls 5846->5847 5848 7ff73ef59116 5847->5848 5848->5815 5849 7ff73ef588d0 4 API calls 5848->5849 5850 7ff73ef59130 5849->5850 5850->5815 5851 7ff73ef588d0 4 API calls 5850->5851 5852 7ff73ef5914a 5851->5852 5852->5815 5853 7ff73ef588d0 4 API calls 5852->5853 5854 7ff73ef59164 5853->5854 5854->5815 5855 7ff73ef588d0 4 API calls 5854->5855 5856 7ff73ef5917e 5855->5856 5856->5815 5857 7ff73ef588d0 4 API calls 5856->5857 5858 7ff73ef59198 5857->5858 5858->5815 5859 7ff73ef588d0 4 API calls 5858->5859 5860 7ff73ef591b5 5859->5860 5860->5815 5861 7ff73ef588d0 4 API calls 5860->5861 5862 7ff73ef591d2 5861->5862 5862->5815 5863 7ff73ef588d0 4 API calls 5862->5863 5864 7ff73ef591ef 5863->5864 5864->5815 5865 7ff73ef588d0 4 API calls 5864->5865 5866 7ff73ef5920c 5865->5866 5866->5815 5867 7ff73ef588d0 4 API calls 5866->5867 5868 7ff73ef59225 5867->5868 5868->5815 5869 7ff73ef588d0 4 API calls 5868->5869 5870 7ff73ef5923e 5869->5870 5870->5815 5871 7ff73ef588d0 4 API calls 5870->5871 5872 7ff73ef59257 5871->5872 5872->5815 5873 7ff73ef588d0 4 API calls 5872->5873 5873->5815 5924 7ff73ef5b640 5874->5924 5876 7ff73ef58861 5877 7ff73ef58865 5876->5877 5928 7ff73ef5b500 5876->5928 5877->5809 5880 7ff73ef588a9 5880->5877 5958 7ff73ef5af20 5880->5958 5883 7ff73ef588b5 5883->5809 5885 7ff73ef5b0d0 5884->5885 5886 7ff73ef595f0 2 API calls 5885->5886 5887 7ff73ef5b106 5886->5887 5888 
7ff73ef5b161 5887->5888 5890 7ff73ef5b3d8 5887->5890 5889 7ff73ef595f0 2 API calls 5888->5889 5892 7ff73ef5b195 5889->5892 5891 7ff73ef59680 2 API calls 5890->5891 5900 7ff73ef5b3bb 5890->5900 5891->5900 5893 7ff73ef59680 2 API calls 5892->5893 5894 7ff73ef5b1e0 5893->5894 6086 7ff73ef57f70 RtlDosPathNameToNtPathName_U 5894->6086 5896 7ff73ef5b203 5897 7ff73ef59680 2 API calls 5896->5897 5898 7ff73ef5b220 5896->5898 5897->5898 5899 7ff73ef595f0 2 API calls 5898->5899 5906 7ff73ef5b261 5898->5906 5901 7ff73ef5b48e 5899->5901 5900->5811 5902 7ff73ef58120 4 API calls 5901->5902 5902->5906 5903 7ff73ef595f0 RtlAllocateHeap RtlCreateHeap 5903->5906 5905 7ff73ef59680 RtlFreeHeap RtlCreateHeap 5905->5906 5906->5900 5906->5903 5906->5905 6090 7ff73ef58120 5906->6090 5908 7ff73ef5969c RtlFreeHeap 5907->5908 5909 7ff73ef596b0 RtlCreateHeap 5907->5909 5908->5813 5909->5908 5910 7ff73ef596e3 5909->5910 5910->5813 5912 7ff73ef58b38 5911->5912 5915 7ff73ef588d9 5911->5915 5912->5818 5913 7ff73ef58a97 strlen strncmp 5914 7ff73ef58abc 5913->5914 5917 7ff73ef58b3b 5913->5917 5914->5818 5915->5913 5915->5914 5916 7ff73ef58b4b 5919 7ff73ef588d0 2 API calls 5916->5919 5917->5916 5920 7ff73ef59e20 RtlQueueWorkItem 5917->5920 5919->5914 5923 7ff73ef59e58 5920->5923 5921 7ff73ef59edb 5921->5916 5922 7ff73ef59eae LdrLoadDll 5922->5921 5923->5921 5923->5922 5925 7ff73ef5b671 5924->5925 5927 7ff73ef5b68f 5925->5927 5964 7ff73ef595f0 5925->5964 5927->5876 5929 7ff73ef5b544 5928->5929 5930 7ff73ef595f0 2 API calls 5929->5930 5931 7ff73ef5b54d 5930->5931 5932 7ff73ef595f0 2 API calls 5931->5932 5933 7ff73ef5b574 5932->5933 5934 7ff73ef59680 2 API calls 5933->5934 5935 7ff73ef5b596 5934->5935 5945 7ff73ef58892 5935->5945 5968 7ff73ef584f0 5935->5968 5937 7ff73ef5b5df 5938 7ff73ef59680 2 API calls 5937->5938 5939 7ff73ef5b5fa 5938->5939 5984 7ff73ef59ef0 5939->5984 5941 7ff73ef5b615 5997 7ff73ef5ac70 5941->5997 5945->5877 5945->5880 5946 7ff73ef5afa0 5945->5946 5947 7ff73ef5afa9 5946->5947 5948 
7ff73ef5b070 5946->5948 5949 7ff73ef5afc5 5947->5949 5950 7ff73ef595f0 2 API calls 5947->5950 5948->5880 5949->5880 5951 7ff73ef5afd5 5950->5951 5951->5949 5951->5951 5952 7ff73ef5b025 5951->5952 5953 7ff73ef59680 2 API calls 5951->5953 5954 7ff73ef595f0 2 API calls 5952->5954 5953->5952 5955 7ff73ef5b046 5954->5955 5956 7ff73ef59680 2 API calls 5955->5956 5957 7ff73ef5b062 5956->5957 5957->5880 6055 7ff73ef57d00 5958->6055 5960 7ff73ef5af3a 5960->5883 5961 7ff73ef5af36 5961->5960 5962 7ff73ef59680 2 API calls 5961->5962 5963 7ff73ef5af6b 5962->5963 5963->5883 5965 7ff73ef5960d RtlAllocateHeap 5964->5965 5966 7ff73ef59640 RtlCreateHeap 5964->5966 5967 7ff73ef59623 5965->5967 5966->5965 5966->5967 5967->5927 5969 7ff73ef58513 5968->5969 5970 7ff73ef595f0 2 API calls 5969->5970 5971 7ff73ef5851b 5970->5971 5972 7ff73ef595f0 2 API calls 5971->5972 5973 7ff73ef58559 5972->5973 5974 7ff73ef595f0 2 API calls 5973->5974 5975 7ff73ef58594 5974->5975 5976 7ff73ef595f0 2 API calls 5975->5976 5977 7ff73ef585cf 5976->5977 5978 7ff73ef595f0 2 API calls 5977->5978 5979 7ff73ef5860a 5978->5979 5980 7ff73ef595f0 2 API calls 5979->5980 5983 7ff73ef58697 5980->5983 5981 7ff73ef5871f 5981->5937 5982 7ff73ef595f0 RtlAllocateHeap RtlCreateHeap 5982->5983 5983->5981 5983->5982 6021 7ff73ef58d60 5984->6021 5986 7ff73ef59f0a 5987 7ff73ef595f0 2 API calls 5986->5987 5992 7ff73ef5a0e0 5986->5992 5993 7ff73ef5a135 5987->5993 5988 7ff73ef5a1c2 5990 7ff73ef5a1ce 5988->5990 5994 7ff73ef5a200 5988->5994 5989 7ff73ef595f0 2 API calls 5989->5993 5991 7ff73ef59680 2 API calls 5990->5991 5991->5992 5992->5941 5993->5988 5993->5989 5993->5992 5993->5994 5995 7ff73ef59680 2 API calls 5994->5995 5996 7ff73ef5a223 5995->5996 5996->5941 5998 7ff73ef5ac91 5997->5998 6002 7ff73ef5ae38 5997->6002 5999 7ff73ef5ad0a 5998->5999 6000 7ff73ef595f0 2 API calls 5998->6000 5998->6002 6001 7ff73ef59680 2 API calls 5999->6001 6003 7ff73ef5ace2 6000->6003 6001->6002 6006 7ff73ef583d0 6002->6006 6003->5999 6003->6002 
6004 7ff73ef5ae30 6003->6004 6005 7ff73ef59680 2 API calls 6004->6005 6005->6002 6007 7ff73ef583d9 6006->6007 6008 7ff73ef58480 6006->6008 6009 7ff73ef59680 2 API calls 6007->6009 6008->5945 6010 7ff73ef583ec 6009->6010 6011 7ff73ef59680 2 API calls 6010->6011 6012 7ff73ef583f6 6011->6012 6013 7ff73ef59680 2 API calls 6012->6013 6014 7ff73ef58400 6013->6014 6015 7ff73ef59680 2 API calls 6014->6015 6016 7ff73ef5840a 6015->6016 6017 7ff73ef59680 2 API calls 6016->6017 6019 7ff73ef58413 6017->6019 6018 7ff73ef59680 2 API calls 6018->6019 6019->6018 6048 7ff73ef582e0 6019->6048 6023 7ff73ef58d81 6021->6023 6022 7ff73ef58e26 6022->5986 6023->6022 6024 7ff73ef59e20 2 API calls 6023->6024 6025 7ff73ef58e3a 6024->6025 6025->6022 6026 7ff73ef588d0 4 API calls 6025->6026 6027 7ff73ef58e55 6026->6027 6028 7ff73ef588d0 4 API calls 6027->6028 6029 7ff73ef58e69 6028->6029 6030 7ff73ef588d0 4 API calls 6029->6030 6031 7ff73ef58e7d 6030->6031 6032 7ff73ef588d0 4 API calls 6031->6032 6033 7ff73ef58e91 6032->6033 6034 7ff73ef588d0 4 API calls 6033->6034 6035 7ff73ef58ea5 6034->6035 6036 7ff73ef588d0 4 API calls 6035->6036 6037 7ff73ef58eb9 6036->6037 6038 7ff73ef588d0 4 API calls 6037->6038 6039 7ff73ef58ecd 6038->6039 6040 7ff73ef588d0 4 API calls 6039->6040 6041 7ff73ef58ee1 6040->6041 6042 7ff73ef588d0 4 API calls 6041->6042 6043 7ff73ef58ef5 6042->6043 6044 7ff73ef588d0 4 API calls 6043->6044 6045 7ff73ef58f09 6044->6045 6046 7ff73ef588d0 4 API calls 6045->6046 6047 7ff73ef58f1d 6046->6047 6047->5986 6049 7ff73ef583c8 6048->6049 6054 7ff73ef582e9 6048->6054 6049->6019 6050 7ff73ef5830e RtlFreeHeap 6050->6054 6051 7ff73ef58348 RtlCreateHeap 6051->6050 6051->6054 6052 7ff73ef58387 RtlCreateHeap 6053 7ff73ef583bc 6052->6053 6052->6054 6053->6019 6054->6050 6054->6051 6054->6052 6056 7ff73ef57d2c RtlAllocateHeap 6055->6056 6057 7ff73ef57e30 RtlCreateHeap 6055->6057 6058 7ff73ef57e1c 6056->6058 6059 7ff73ef57d43 6056->6059 6057->6056 6057->6058 6058->5961 6076 7ff73ef5bae0 6059->6076 
6062 7ff73ef57e08 6066 7ff73ef57e14 RtlFreeHeap 6062->6066 6067 7ff73ef57e70 RtlCreateHeap 6062->6067 6063 7ff73ef57d71 6064 7ff73ef57d84 RtlFreeHeap 6063->6064 6065 7ff73ef57ef0 RtlCreateHeap 6063->6065 6069 7ff73ef57f2d RtlCreateHeap 6064->6069 6070 7ff73ef57da4 RtlAllocateHeap 6064->6070 6065->6064 6071 7ff73ef57f25 6065->6071 6066->6058 6067->6058 6068 7ff73ef57ea5 6067->6068 6068->6066 6069->6070 6072 7ff73ef57dbc 6069->6072 6070->6072 6071->6069 6073 7ff73ef57deb RtlFreeHeap 6072->6073 6074 7ff73ef57eb0 RtlCreateHeap 6072->6074 6073->5961 6074->6058 6075 7ff73ef57eea 6074->6075 6075->6073 6077 7ff73ef5bb79 6076->6077 6079 7ff73ef57d69 6077->6079 6080 7ff73ef5b6e0 6077->6080 6079->6062 6079->6063 6081 7ff73ef5b700 6080->6081 6082 7ff73ef5b916 6080->6082 6081->6082 6083 7ff73ef5ba30 memcpy 6081->6083 6085 7ff73ef5b7f8 6081->6085 6082->6079 6083->6082 6084 7ff73ef5b84a memcpy 6084->6082 6084->6085 6085->6082 6085->6084 6087 7ff73ef57fde NtCreateFile 6086->6087 6089 7ff73ef580d9 6086->6089 6088 7ff73ef58079 NtWriteFile 6087->6088 6087->6089 6088->6089 6089->5896 6091 7ff73ef5819b 6090->6091 6092 7ff73ef581e6 6091->6092 6094 7ff73ef596f0 RtlInitUnicodeString RtlInitUnicodeString 6091->6094 6092->5906 6095 7ff73ef59777 RtlCreateProcessParametersEx 6094->6095 6096 7ff73ef59767 6094->6096 6098 7ff73ef59824 6095->6098 6096->6095 6097 7ff73ef59770 RtlInitUnicodeString 6096->6097 6097->6095 6098->6092 6289 7ff73ef51720 6290 7ff73ef5173f 6289->6290 6291 7ff73ef5177d fprintf 6290->6291 6374 7ff73ef57260 6375 7ff73ef568c0 7 API calls 6374->6375 6376 7ff73ef5727c 6375->6376 6397 7ff73ef5cd9f 6400 7ff73ef5cdc0 6397->6400 6398 7ff73ef5e15d _assert 6399 7ff73ef5e1a0 6398->6399 6400->6398 6401 7ff73ef5cd86 6400->6401 6548 7ff73ef546e0 6549 7ff73ef546fb 6548->6549 6552 7ff73ef54713 6548->6552 6550 7ff73ef53240 20 API calls 6549->6550 6550->6552 6551 7ff73ef53240 20 API calls 6553 7ff73ef54956 6551->6553 6552->6551 6553->6553 6557 7ff73ef548eb 6558 7ff73ef5476b 6557->6558 6559 
7ff73ef548ff 6557->6559 6558->6557 6561 7ff73ef53770 20 API calls 6558->6561 6560 7ff73ef53770 20 API calls 6559->6560 6562 7ff73ef5491e 6560->6562 6561->6558 6562->6562 6292 7ff73ef52030 6293 7ff73ef52050 6292->6293 6295 7ff73ef52046 6292->6295 6294 7ff73ef52067 EnterCriticalSection LeaveCriticalSection 6293->6294 6293->6295 6296 7ff73ef51530 6297 7ff73ef51510 _onexit 6296->6297 6377 7ff73ef56870 6378 7ff73ef56885 6377->6378 6379 7ff73ef56890 DeleteCriticalSection 6377->6379 6406 7ff73ef522b0 strlen 6407 7ff73ef52340 6406->6407 6410 7ff73ef522c6 6406->6410 6408 7ff73ef5232e 6409 7ff73ef52319 strncmp 6409->6408 6409->6410 6410->6407 6410->6408 6410->6409 6411 7ff73ef520b0 6412 7ff73ef520d0 EnterCriticalSection 6411->6412 6413 7ff73ef520c1 6411->6413 6414 7ff73ef52113 LeaveCriticalSection 6412->6414 6415 7ff73ef520e9 6412->6415 6415->6414 6416 7ff73ef5210e free 6415->6416 6416->6414 6563 7ff73ef514f0 6564 7ff73ef51190 18 API calls 6563->6564 6565 7ff73ef51506 6564->6565 6569 7ff73ef54afa 6571 7ff73ef54aff 6569->6571 6570 7ff73ef54c89 wcslen 6571->6570 6572 7ff73ef52a50 2 API calls 6571->6572 6573 7ff73ef54b3e 6572->6573 6573->6570 6574 7ff73ef51e03 6575 7ff73ef51e32 6574->6575 6576 7ff73ef51e44 6575->6576 6577 7ff73ef51f48 6575->6577 6578 7ff73ef51ea3 6575->6578 6577->6576 6579 7ff73ef51fa9 signal 6577->6579 6578->6576 6580 7ff73ef51eb3 signal 6578->6580 6580->6576 6581 7ff73ef51f70 signal 6580->6581 6581->6576 6380 7ff73ef54a85 6381 7ff73ef54a8e localeconv 6380->6381 6382 7ff73ef549a8 6380->6382 6383 7ff73ef57650 6 API calls 6381->6383 6384 7ff73ef54acb 6383->6384 6298 7ff73ef5463f 6300 7ff73ef54661 6298->6300 6299 7ff73ef52a50 2 API calls 6301 7ff73ef548e6 6299->6301 6300->6299 6301->6301 6302 7ff73ef52640 6303 7ff73ef5265d _wstat64 6302->6303 6306 7ff73ef52657 6302->6306 6304 7ff73ef5266d 6303->6304 6305 7ff73ef527fc 6305->6303 6306->6303 6306->6305 6307 7ff73ef52716 malloc memcpy _wstat64 6306->6307 6307->6304 6308 7ff73ef52757 free 6307->6308 6308->6304 6385 
7ff73ef57a80 6386 7ff73ef57a93 6385->6386 6387 7ff73ef57ac0 fgetpos 6385->6387 6389 7ff73ef57b04 _errno 6386->6389 6391 7ff73ef57a9e 6386->6391 6388 7ff73ef57ab0 6387->6388 6387->6391 6389->6388 6390 7ff73ef57aa8 fsetpos 6390->6388 6391->6390 6392 7ff73ef51680 6393 7ff73ef51692 6392->6393 6394 7ff73ef516a2 6393->6394 6395 7ff73ef52140 7 API calls 6393->6395 6396 7ff73ef516f5 6395->6396 6417 7ff73ef576c0 ___lc_codepage_func ___mb_cur_max_func 6418 7ff73ef576ff 6417->6418 6423 7ff73ef57718 6417->6423 6419 7ff73ef57780 6418->6419 6420 7ff73ef57710 6418->6420 6418->6423 6421 7ff73ef574d0 4 API calls 6419->6421 6419->6423 6422 7ff73ef574d0 4 API calls 6420->6422 6420->6423 6421->6419 6422->6420 6309 7ff73ef5cf4c 6310 7ff73ef5dd5e 6309->6310 6311 7ff73ef5c622 6309->6311 6312 7ff73ef5c6f2 memcpy 6311->6312 6313 7ff73ef5c0a0 6311->6313 6312->6311 6427 7ff73ef547c8 6428 7ff73ef547d4 6427->6428 6431 7ff73ef52c70 6428->6431 6432 7ff73ef52c96 6431->6432 6433 7ff73ef52cb0 strlen 6431->6433 6432->6433 6433->6432 6585 7ff73ef54613 6586 7ff73ef5462a 6585->6586 6588 7ff73ef5463a 6585->6588 6589 7ff73ef52c70 strlen 6586->6589 6587 7ff73ef54c89 wcslen 6588->6587 6590 7ff73ef52a50 2 API calls 6588->6590 6589->6588 6591 7ff73ef54b3e 6590->6591 6591->6587 6434 7ff73ef514d0 6437 7ff73ef51190 6434->6437 6436 7ff73ef514e6 6438 7ff73ef511c4 6437->6438 6439 7ff73ef51470 GetStartupInfoA 6437->6439 6440 7ff73ef511f1 Sleep 6438->6440 6442 7ff73ef51206 6438->6442 6441 7ff73ef513c4 6439->6441 6440->6438 6441->6436 6442->6441 6443 7ff73ef5143c _initterm 6442->6443 6444 7ff73ef51239 6442->6444 6443->6444 6455 7ff73ef51ac0 6444->6455 6446 7ff73ef51261 SetUnhandledExceptionFilter 6448 7ff73ef51284 6446->6448 6447 7ff73ef5131e malloc 6449 7ff73ef51386 6447->6449 6450 7ff73ef51345 6447->6450 6448->6447 6472 7ff73ef51610 6449->6472 6451 7ff73ef51350 strlen malloc memcpy 6450->6451 6451->6449 6451->6451 6453 7ff73ef5139e 6476 7ff73ef5e950 6453->6476 6456 7ff73ef51af8 6455->6456 6471 7ff73ef51ae2 
6455->6471 6457 7ff73ef51cbe 6456->6457 6458 7ff73ef51d2a 6456->6458 6459 7ff73ef51d98 6456->6459 6462 7ff73ef51d7c 6456->6462 6464 7ff73ef51cf8 6456->6464 6468 7ff73ef518a0 8 API calls 6456->6468 6469 7ff73ef51c46 6456->6469 6456->6471 6457->6462 6479 7ff73ef518a0 6457->6479 6460 7ff73ef518a0 8 API calls 6458->6460 6458->6462 6458->6471 6461 7ff73ef51830 8 API calls 6459->6461 6460->6458 6466 7ff73ef51da4 6461->6466 6508 7ff73ef51830 6462->6508 6467 7ff73ef518a0 8 API calls 6464->6467 6466->6446 6467->6458 6468->6456 6470 7ff73ef51c82 VirtualProtect 6469->6470 6469->6471 6470->6469 6471->6446 6473 7ff73ef5161a 6472->6473 6474 7ff73ef515a0 6472->6474 6473->6453 6474->6474 6475 7ff73ef51510 _onexit 6474->6475 6475->6453 6477 7ff73ef51610 _onexit 6476->6477 6478 7ff73ef5e959 6477->6478 6480 7ff73ef51a50 6479->6480 6482 7ff73ef518c2 6479->6482 6480->6464 6481 7ff73ef51970 6481->6464 6481->6481 6482->6481 6483 7ff73ef51aad 6482->6483 6485 7ff73ef5192c VirtualQuery 6482->6485 6484 7ff73ef51830 4 API calls 6483->6484 6504 7ff73ef51abc 6484->6504 6486 7ff73ef51958 6485->6486 6487 7ff73ef51a92 6485->6487 6486->6481 6490 7ff73ef51a00 VirtualProtect 6486->6490 6488 7ff73ef51830 4 API calls 6487->6488 6488->6483 6489 7ff73ef51ae2 6489->6464 6490->6481 6491 7ff73ef51a3c GetLastError 6490->6491 6492 7ff73ef51830 4 API calls 6491->6492 6492->6480 6493 7ff73ef51cbe 6498 7ff73ef51d7c 6493->6498 6499 7ff73ef518a0 4 API calls 6493->6499 6494 7ff73ef51d98 6496 7ff73ef51830 4 API calls 6494->6496 6495 7ff73ef518a0 4 API calls 6497 7ff73ef51d2a 6495->6497 6500 7ff73ef51da4 6496->6500 6497->6489 6497->6495 6497->6498 6502 7ff73ef51830 4 API calls 6498->6502 6501 7ff73ef51cf8 6499->6501 6500->6464 6503 7ff73ef518a0 4 API calls 6501->6503 6502->6494 6503->6497 6504->6489 6504->6493 6504->6494 6504->6497 6504->6498 6504->6501 6505 7ff73ef518a0 VirtualQuery VirtualProtect GetLastError VirtualProtect 6504->6505 6506 7ff73ef51c46 6504->6506 6505->6504 6506->6489 6507 7ff73ef51c82 
VirtualProtect 6506->6507 6507->6506 6511 7ff73ef5185d 6508->6511 6509 7ff73ef51970 6509->6459 6509->6509 6510 7ff73ef51aad 6512 7ff73ef51830 4 API calls 6510->6512 6511->6509 6511->6510 6513 7ff73ef5192c VirtualQuery 6511->6513 6520 7ff73ef51abc 6512->6520 6514 7ff73ef51958 6513->6514 6515 7ff73ef51a92 6513->6515 6514->6509 6517 7ff73ef51a00 VirtualProtect 6514->6517 6516 7ff73ef51830 4 API calls 6515->6516 6516->6510 6517->6509 6518 7ff73ef51a3c GetLastError 6517->6518 6519 7ff73ef51830 4 API calls 6518->6519 6519->6509 6521 7ff73ef51cbe 6520->6521 6522 7ff73ef51d2a 6520->6522 6523 7ff73ef51d98 6520->6523 6528 7ff73ef51d7c 6520->6528 6529 7ff73ef51cf8 6520->6529 6532 7ff73ef518a0 VirtualQuery VirtualProtect GetLastError VirtualProtect 6520->6532 6533 7ff73ef51c46 6520->6533 6535 7ff73ef51ae2 6520->6535 6526 7ff73ef518a0 4 API calls 6521->6526 6521->6528 6524 7ff73ef518a0 4 API calls 6522->6524 6522->6528 6522->6535 6525 7ff73ef51830 4 API calls 6523->6525 6524->6522 6527 7ff73ef51da4 6525->6527 6526->6529 6527->6459 6530 7ff73ef51830 4 API calls 6528->6530 6531 7ff73ef518a0 4 API calls 6529->6531 6530->6523 6531->6522 6532->6520 6534 7ff73ef51c82 VirtualProtect 6533->6534 6533->6535 6534->6533 6535->6459 6314 7ff73ef51650 6315 7ff73ef51659 6314->6315 6316 7ff73ef5165d 6315->6316 6319 7ff73ef52140 6315->6319 6318 7ff73ef51675 6320 7ff73ef5214e 6319->6320 6321 7ff73ef52210 6319->6321 6322 7ff73ef52178 6320->6322 6323 7ff73ef52150 6320->6323 6321->6318 6326 7ff73ef5215e 6322->6326 6333 7ff73ef51fc0 EnterCriticalSection 6322->6333 6324 7ff73ef52154 6323->6324 6325 7ff73ef521a0 6323->6325 6324->6326 6327 7ff73ef52190 InitializeCriticalSection 6324->6327 6328 7ff73ef521af 6325->6328 6330 7ff73ef51fc0 4 API calls 6325->6330 6326->6318 6327->6326 6328->6326 6331 7ff73ef521e1 DeleteCriticalSection 6328->6331 6332 7ff73ef521d0 free 6328->6332 6330->6328 6331->6326 6332->6331 6332->6332 6334 7ff73ef52014 LeaveCriticalSection 6333->6334 6337 7ff73ef51fe2 6333->6337 6336 
7ff73ef662d8 6334->6336 6335 7ff73ef51ff0 TlsGetValue GetLastError 6335->6337 6337->6334 6337->6335 6338 7ff73ef54750 6339 7ff73ef548ff 6338->6339 6342 7ff73ef5476b 6338->6342 6340 7ff73ef53770 20 API calls 6339->6340 6343 7ff73ef5491e 6340->6343 6342->6339 6344 7ff73ef53770 6342->6344 6343->6343 6345 7ff73ef53785 6344->6345 6346 7ff73ef528e0 12 API calls 6345->6346 6347 7ff73ef537b6 6346->6347 6348 7ff73ef53680 8 API calls 6347->6348 6350 7ff73ef53800 6347->6350 6349 7ff73ef537d6 6348->6349 6349->6342 6350->6342 6539 7ff73ef549d0 6540 7ff73ef5487f 6539->6540 6543 7ff73ef54897 6539->6543 6541 7ff73ef53e30 8 API calls 6540->6541 6541->6543 6542 7ff73ef53e30 8 API calls 6544 7ff73ef54a03 6542->6544 6543->6542 6544->6544 6545 7ff73ef577d0 ___mb_cur_max_func ___lc_codepage_func 6546 7ff73ef574d0 4 API calls 6545->6546 6547 7ff73ef5781e 6546->6547 6592 7ff73ef57910 ___lc_codepage_func ___mb_cur_max_func 6593 7ff73ef5794c 6592->6593 6594 7ff73ef57942 6592->6594 6595 7ff73ef57947 6594->6595 6598 7ff73ef579a8 6594->6598 6595->6593 6596 7ff73ef57830 2 API calls 6595->6596 6596->6595 6597 7ff73ef57830 2 API calls 6597->6598 6598->6593 6598->6597 6599 7ff73ef51010 6601 7ff73ef51058 6599->6601 6600 7ff73ef5107a __set_app_type 6602 7ff73ef51084 6600->6602 6601->6600 6601->6602

          Executed Functions

          Control-flow Graph

          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a6bf7d0c8fe181a9623d5925791fbdcaca1bbc105312d8e4c8a8ca1a1468ec64
          • Instruction ID: 7009512d5756c1049e2b82f79213d181e1f81779446907d2f9a369038eb730df
          • Opcode Fuzzy Hash: a6bf7d0c8fe181a9623d5925791fbdcaca1bbc105312d8e4c8a8ca1a1468ec64
          • Instruction Fuzzy Hash: B291AF61A08A0393FB94BB26A81472AA6A0FF85B94F804634DE4D077C4DF7DD658EB50

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: Heap$AllocateCreate
          • String ID:
          • API String ID: 2875408731-0
          • Opcode ID: 45a0b8ff22522911d1057891351f0735db9bb9d063b9c7c5c479dd8d70dcfec2
          • Instruction ID: 4ee3480a74b69a79f6f13c85c020412e38b60f9d3525d661099494db66b35455
          • Opcode Fuzzy Hash: 45a0b8ff22522911d1057891351f0735db9bb9d063b9c7c5c479dd8d70dcfec2
          • Instruction Fuzzy Hash: 59F0A461B19B1352FBA8BB566410722E2D0BF58780F884139DE9D437D0EF7CA509E710

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: Heap$CreateFree
          • String ID:
          • API String ID: 144610141-0
          • Opcode ID: 101db8124988f8e4862053b535dfbd00e50db68e29e974497628e07aa69a8635
          • Instruction ID: 68cfd25438b6f2e279e00ec9c06c096a5c67bc06148a49d69083b2aacf03c65b
          • Opcode Fuzzy Hash: 101db8124988f8e4862053b535dfbd00e50db68e29e974497628e07aa69a8635
          • Instruction Fuzzy Hash: 50F0E262F1961243FBA4BB72B814766A291BB84784F888130CE8D42B50DF7CD14AA700

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: FolderPath
          • String ID:
          • API String ID: 1514166925-0
          • Opcode ID: cc5af16b011dc5285d9b29731af92b68653836618e66b83070b605036bae9e72
          • Instruction ID: 15773d69caa7cff7a66cd43e5bf4af0361721cb975be4ae27ad54cc1d586d10c
          • Opcode Fuzzy Hash: cc5af16b011dc5285d9b29731af92b68653836618e66b83070b605036bae9e72
          • Instruction Fuzzy Hash: 37117561B18643A2F7D4B725A4117BB9254BFE0384FC00436E95E467D5DFFCE209A760

          Non-executed Functions

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: Heap$CreateFree$Allocate
          • String ID:
          • API String ID: 2480555710-0
          • Opcode ID: 8d694fd0fdc66734268c303074884b01219bdd152ddbd9f9321bd9b1a1414a03
          • Instruction ID: b265d81d69e65d633337452ee168667f2289021caa87d837240be1859e65f05d
          • Opcode Fuzzy Hash: 8d694fd0fdc66734268c303074884b01219bdd152ddbd9f9321bd9b1a1414a03
          • Instruction Fuzzy Hash: D551B162709B4352FBA4EF66A85477AA291FF88784F484134DE8E43BC4DF7CE5089750

          Control-flow Graph

          Control-flow graph (rendered image; basic-block edge list omitted). Blocks in this function call: GetStartupInfoA, Sleep, _initterm, SetUnhandledExceptionFilter, malloc, strlen, memcpy.
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
          • String ID:
          • API String ID: 649803965-0
          • Opcode ID: 8a8c1a0eff158d8a5ae4aa765fc55ba72e4a50bebe21823d76f0685f7758aa9c
          • Instruction ID: 8d2bbe65b1b0fe0559e6c3ce8f0f1c044dd6e9f92d554f5ca0ec2b01457d414a
          • Opcode Fuzzy Hash: 8a8c1a0eff158d8a5ae4aa765fc55ba72e4a50bebe21823d76f0685f7758aa9c
          • Instruction Fuzzy Hash: 8D817BB1A08A07A2FBA0BB11E450779A7A5AF65780FC48435DD0D437D1DEADF94CA360

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: InitStringUnicode$CreateParametersProcess
          • String ID: 0$X
          • API String ID: 1304967405-1332872418
          • Opcode ID: f7127379a99f92a086bf996d42cc71ef38bae533fff528e9dd0a822ae2e01cfb
          • Instruction ID: f35c3d300d1ba38989a728a8cc7edeef1b0bf5bf1112acb1b190b625da4fd723
          • Opcode Fuzzy Hash: f7127379a99f92a086bf996d42cc71ef38bae533fff528e9dd0a822ae2e01cfb
          • Instruction Fuzzy Hash: 17021532608BC182E7718B19E4847EBB7A4F7D4754F409229DBD806B99DFBDD288CB40

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: FilePath$CreateNameName_Write
          • String ID: 0$@
          • API String ID: 1228129568-1545510068
          • Opcode ID: e2da1879468594a945b82b292004a44407e8b0cbf8f9ad71b4337f4e9967bf2b
          • Instruction ID: ba5fc0a45e1dd4edf5fcbd07df9e972771eac0f7afdd0302c6fe947148e401f7
          • Opcode Fuzzy Hash: e2da1879468594a945b82b292004a44407e8b0cbf8f9ad71b4337f4e9967bf2b
          • Instruction Fuzzy Hash: D0414772608B8196E3609F24F45479BBBA0F784798F504225EBCC47B98DF7DD189CB50
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID: $ $Infinity$NaN
          • API String ID: 0-3274152445
          • Opcode ID: 61342fece5fd6cb937b5f64854fbb4bb46eed0723f01c327d97ab98e16c63858
          • Instruction ID: f2462ed9143de77278cbad67e7a8e8e8f87a079e6e612fddf900f5c83bc595d3
          • Opcode Fuzzy Hash: 61342fece5fd6cb937b5f64854fbb4bb46eed0723f01c327d97ab98e16c63858
          • Instruction Fuzzy Hash: 27C21BB2A1C6439BE7A19F25A04033AF7A0FB91784F904135EA4E47BC5DBBCE5489F10

          Control-flow Graph

          Control-flow graph (rendered image; basic-block edge list omitted). Blocks in this function call: signal (three call sites).
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: signal
          • String ID: CCG
          • API String ID: 1946981877-1584390748
          • Opcode ID: 76ab41f24a7f5b04c51b0460a949affb4a2fb1d3548f6bdda32b6d52bb6a166d
          • Instruction ID: c20801f8713e3bb9f69c24cb5d6b46bffc99f8577716c5501baa81a64c5adc90
          • Opcode Fuzzy Hash: 76ab41f24a7f5b04c51b0460a949affb4a2fb1d3548f6bdda32b6d52bb6a166d
          • Instruction Fuzzy Hash: 5421F6A1E0890373FBF47264444033990816F66364FF54B72D52D823D0DEECFA89A271
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: ItemLoadQueueWork
          • String ID:
          • API String ID: 6490277-0
          • Opcode ID: a4a14fc619a4463911ebad1713f9d064b622d46d4a90150803d43663eb35926a
          • Instruction ID: 5fe50bceb24adc327465d226fec64261392e740436e5a9ca4eed22b628ff6c2c
          • Opcode Fuzzy Hash: a4a14fc619a4463911ebad1713f9d064b622d46d4a90150803d43663eb35926a
          • Instruction Fuzzy Hash: D111E26271874252EBA4AB21F4457AFA360EB94780F880039EF4E43BD4DE7CD648C710
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8bc7d027e30cde5be59ef34678afdda9546d3181ffc4ab0ca0754bf804e54345
          • Instruction ID: 193b375f9cc3e0e96cd49f874c73364293cbdd6c3e55ef0604b7cf55a6cc7f0c
          • Opcode Fuzzy Hash: 8bc7d027e30cde5be59ef34678afdda9546d3181ffc4ab0ca0754bf804e54345
          • Instruction Fuzzy Hash: 6502D6F2A0490297DBA4EF11D448979B7A1FB2478CF814231DE5E03385DE78FAA4DB64
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: FileHeapPath$AllocateCreateFreeNameName_Write
          • String ID:
          • API String ID: 2903292020-0
          • Opcode ID: 633de45d674dc8c4db2da714eacc9ae17f83c0d85a2261250dbdc99f141f6848
          • Instruction ID: 982ffb0ce231551ac9783bfb67f12792eec88c4eb3881fcc077f9b82b92de2c2
          • Opcode Fuzzy Hash: 633de45d674dc8c4db2da714eacc9ae17f83c0d85a2261250dbdc99f141f6848
          • Instruction Fuzzy Hash: 6EC18CB2F0451299FB54EBB6C8403ED6772AF94788F808035CE4D57B8ACFB8A649D750
          Memory Dump Source
          • Source File: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8a8be7e3710fcabe9086267d8ce94f58c0b54f25baa977db2af5f9d803065b01
          • Instruction ID: 3bfa90e08f684f44e71e2ba250f21f739ab83bf4588ec640c27395ae42603eb3
          • Opcode Fuzzy Hash: 8a8be7e3710fcabe9086267d8ce94f58c0b54f25baa977db2af5f9d803065b01
          • Instruction Fuzzy Hash: CB01DE97F0D6DA5BEB9696340D2A0286E905BA290079E40ABD648873D3E84CBC09E365

          Control-flow Graph

          Control-flow graph (rendered image; basic-block edge list omitted). Blocks in this function call: VirtualQuery, VirtualProtect (two call sites), GetLastError, plus the recursive error-reporting routine at 7ff73ef51830.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: QueryVirtual
          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
          • API String ID: 1804819252-1534286854
          • Opcode ID: fa6c5ac48142c49164c701b6888af4b52aed866cdcc2da347c30c072c70abddf
          • Instruction ID: 44d0b30b5bcfbd0a4673a54ddb349929bd7c0b9595107e16b3436ead5c638caa
          • Opcode Fuzzy Hash: fa6c5ac48142c49164c701b6888af4b52aed866cdcc2da347c30c072c70abddf
          • Instruction Fuzzy Hash: E371F4B2B04B43A6EB90BB11E840679B7A0BF557A4F844235EE5C073D1EE7CE649D360

          Control-flow Graph

          Control-flow graph (rendered image; basic-block edge list omitted). Blocks in this function call: _wstat64 (two call sites), malloc, memcpy, free.
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: _wstat64$freemallocmemcpy
          • String ID:
          • API String ID: 324876230-0
          • Opcode ID: cb20074061b83dc237ea17077cfb99d21f12d9678310afc12d433fa758a84f54
          • Instruction ID: 31ebf19687db44ccd7f05add99da0772a1eafb0cca9d41bc7bf783da7d0c81eb
          • Opcode Fuzzy Hash: cb20074061b83dc237ea17077cfb99d21f12d9678310afc12d433fa758a84f54
          • Instruction Fuzzy Hash: 17518BA590865791FBE4BB55900437AA2F0FB24B94FC04236DE4D462C4DFBCDB89E760

          Control-flow Graph

          Control-flow graph (rendered image; basic-block edge list omitted). Blocks in this function call: strlen, strncmp, plus a recursive call back into the same function at 7ff73ef588d0.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: strlenstrncmp
          • String ID: .dll$api-ms
          • API String ID: 1310274236-874385306
          • Opcode ID: 15f9cfa00f77da772cf3e58a2c1a8ed68c79611611a7f7ab7c884745f453a9f9
          • Instruction ID: c3fad3adcb98dcc50df7ee3782787319558042db8979c95aa4849caeda2cc733
          • Opcode Fuzzy Hash: 15f9cfa00f77da772cf3e58a2c1a8ed68c79611611a7f7ab7c884745f453a9f9
          • Instruction Fuzzy Hash: FE71D4A1B08687B2EE90AB1198503B9A790FF94784FC44535DE4E077C5DFBCE609E720

          Control-flow Graph

          APIs
          • Sleep.KERNEL32(?,?,?,00000000,00007FF73EF569E7,?,?,?,00007FF73EF55230), ref: 00007FF73EF567BD
          • InitializeCriticalSection.KERNEL32(?,?,?,00000000,00007FF73EF569E7,?,?,?,00007FF73EF55230), ref: 00007FF73EF567FD
          • InitializeCriticalSection.KERNEL32(?,?,?,00000000,00007FF73EF569E7,?,?,?,00007FF73EF55230), ref: 00007FF73EF56806
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: CriticalInitializeSection$Sleep
          • String ID: Infinity
          • API String ID: 1960909292-1015270809
          • Opcode ID: 016a7b2fca0e0e16e3dd9f19df01cba44b9a9ed007330a499fdd088cbe308813
          • Instruction ID: e4fce0780674e3d618c2a297e5962c109678250c554fab4b11847e577e717221
          • Opcode Fuzzy Hash: 016a7b2fca0e0e16e3dd9f19df01cba44b9a9ed007330a499fdd088cbe308813
          • Instruction Fuzzy Hash: 204194A3E0D5DB6BFBD2A7245C650786F90AFA1B00BCA4076C54D873D2DD9CA90DE320

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: Byte$CharLeadMultiWide
          • String ID:
          • API String ID: 2561704868-0
          • Opcode ID: f02b0bbac395ea30659d931ca654f9b0482af7a83527db6b36d24e4e81786109
          • Instruction ID: 7a9c7f6501f5cc1ff1bba9ee70f5204d284593c3211a4495bad062a3d7437bf2
          • Opcode Fuzzy Hash: f02b0bbac395ea30659d931ca654f9b0482af7a83527db6b36d24e4e81786109
          • Instruction Fuzzy Hash: 1E31B6F2A0C28397E3A05B28B40036DB690BBA1794F948135EA9C877D4DFBDD6499B10
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
          • API String ID: 0-395989641
          • Opcode ID: 418f5de58d772dc4593c2d5cc216fe415ddbde4a04ea340d9d8ff17af06fa429
          • Instruction ID: 7ee0f6d15f5a0b4340c89ab1c33dabfcb0c41c0b99e9f5fa5634b6d9e966011d
          • Opcode Fuzzy Hash: 418f5de58d772dc4593c2d5cc216fe415ddbde4a04ea340d9d8ff17af06fa429
          • Instruction Fuzzy Hash: 4371D4A2F14A47A6EB90BB61D800769A361BF65B94F944631CD0C177C4EE7CF608E620
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID:
          • String ID: !num_bits$libs/miniz/miniz_tinfl.c
          • API String ID: 0-446014870
          • Opcode ID: 196e568b28f3d2b6abc3b8b06c965f5327417a55b6843ce999670c9af3d10bbf
          • Instruction ID: 4784c2f8765a26763700d0ba793c7268fbb52014065311ae7c68304f6bea91c9
          • Opcode Fuzzy Hash: 196e568b28f3d2b6abc3b8b06c965f5327417a55b6843ce999670c9af3d10bbf
          • Instruction Fuzzy Hash: 9D31F8B3A0D6C396F7B49B14E80436AA291FB91350F548235C6AE83BC4DEFCD508EB10
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-3474627141
          • Opcode ID: 743bb071061fffd6250729550fc8921ece9cae6b505e584f7d90744a993c8ee9
          • Instruction ID: 23ff3e263fbffd08c389c5cb94dc4f83a642e4073502c17be0f8faf2d4e85fa6
          • Opcode Fuzzy Hash: 743bb071061fffd6250729550fc8921ece9cae6b505e584f7d90744a993c8ee9
          • Instruction Fuzzy Hash: 7D01A563D0CF89C3E6419F18D8001BAB330FB6E789F559325EA8C26166DF6CE686D710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-2713391170
          • Opcode ID: c93dce733dc9cb8e4441e31a6181daf31e8a38fbd96fd65ed10212221be91348
          • Instruction ID: 151c3c779159198d44db47d4971ef5dbd5cdb7644bad6b35980262c97784fcdd
          • Opcode Fuzzy Hash: c93dce733dc9cb8e4441e31a6181daf31e8a38fbd96fd65ed10212221be91348
          • Instruction Fuzzy Hash: FDF09652D08E8982E242AF1CA4000BBB330FF5D788F549335EF8D3A196DF6CE6869710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-4283191376
          • Opcode ID: d66d60baebed1a45f193e17a704713a38364348463842b74604e083d8e0ef688
          • Instruction ID: 935d2c593846e1482594a5221e2d1178665b32ab25e3da04cee26900e7f62894
          • Opcode Fuzzy Hash: d66d60baebed1a45f193e17a704713a38364348463842b74604e083d8e0ef688
          • Instruction Fuzzy Hash: 77F09652D08E8982E242AF1CA4000BBB330FF5D788F649335EF8D36196DF6CE6869710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-4064033741
          • Opcode ID: 16e0593afd3f55d1f87e90979954c1eef2b7fea2465e9028d4eff53d3fcd49a6
          • Instruction ID: 204d6e9355927acb0d3dc16834b486ca9543dc32b27658c4cff14988b24166f8
          • Opcode Fuzzy Hash: 16e0593afd3f55d1f87e90979954c1eef2b7fea2465e9028d4eff53d3fcd49a6
          • Instruction Fuzzy Hash: 20F09652D08E8982E242AF1CA4000BBB330FF5D788F589335EF8D36196DF6CE6869710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-2187435201
          • Opcode ID: 95847ac1c890c04e7db8522beeb24e62a5d20daa24a230c2c0b5289aa80c3718
          • Instruction ID: c429b511f54ab6094f2459ffca3687d11efc8c849af74bc1eecbb0ec8fc7d94b
          • Opcode Fuzzy Hash: 95847ac1c890c04e7db8522beeb24e62a5d20daa24a230c2c0b5289aa80c3718
          • Instruction Fuzzy Hash: F4F09652D08E8982E242AF1CA4000BBB330FF5D788F549335EF8D36196DF6CE6869720
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-4273532761
          • Opcode ID: ab87e82c848fe72dfae87f26d163e554460c21d0565fdcfa2bfb6b362917c6b0
          • Instruction ID: 9adbf35e498009657ae7f4abe8a5f3d9792b15cd040a2b2d1fd555166f22596c
          • Opcode Fuzzy Hash: ab87e82c848fe72dfae87f26d163e554460c21d0565fdcfa2bfb6b362917c6b0
          • Instruction Fuzzy Hash: 9EF06252D08E8982E242AF1CA4000BBB330FF9E788F549325EE8D26556DF6CE6869710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1258579919.00007FF73EF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73EF50000, based on PE: true
          • Associated: 00000000.00000002.1258558623.00007FF73EF50000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258600717.00007FF73EF5F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258627741.00007FF73EF60000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258654874.00007FF73EF61000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258682815.00007FF73EF62000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258785033.00007FF73EF66000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258804896.00007FF73EF69000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1258832694.00007FF73EF80000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff73ef50000_temp_error_logs.jbxd
          Similarity
          • API ID: fprintf
          • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 383729395-2468659920
          • Opcode ID: 9eb74f8a180967b92df762968945e815cd93f0a72bf43f272e697a57524f7599
          • Instruction ID: 03f8adc974b96e1114a7c5f035c7b702eba0c481abb553b82890cac5efa60ec8
          • Opcode Fuzzy Hash: 9eb74f8a180967b92df762968945e815cd93f0a72bf43f272e697a57524f7599
          • Instruction Fuzzy Hash: 2EF09652D08E8982E242DF1CA4000BBB330FF5D788F549325EF8D36155DF28E6869710