Edit tour

Windows Analysis Report
licking.dll

Overview

General Information

Sample Name:	licking.dll (renamed file extension from dat to dll, renamed because original name is a hash value)
Original Sample Name:	licking.dat
Analysis ID:	878603
MD5:	e9fc43dd574b57dc64eefed2f4e6ac42
SHA1:	238188dea87ac33175067f63699ea32fe0f3111f
SHA256:	ab9822cf40230dccf2ab7f76e4c68c0ceebb82c25ea1859fbbdca8b5cdf82212
Infos:

Detection

Qbot

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Connects to several IPs in different countries

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4764 cmdline: loaddll32.exe "C:\Users\user\Desktop\licking.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6876 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3320 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7116 cmdline: rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2016 cmdline: rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7052 cmdline: rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7208 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7224 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7260 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7272 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 7460 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 7292 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7300 cmdline: rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.393410072.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000012.00000002.393553702.0000000004910000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.rundll32.exe.47b0000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.47b0000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
18.2.rundll32.exe.df08c0.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.df08c0.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
18.2.rundll32.exe.df08c0.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.df08c0.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000012.00000002.393410072.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Sample uses string decryption to hide its real strings

Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: netstat -nao
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: runas
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: net localgroup
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Microsoft
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELF_TEST_1
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: p%08x
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Self test FAILED!!!
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Self test OK.
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: /t5
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: whoami /all
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cmd
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: route print
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .lnk
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: arp -a
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: net share
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cmd.exe /c set
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Self check
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %u;%u;%u;
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ProfileImagePath
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ProgramData
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Self check ok!
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: powershell.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: qwinsta
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: net view
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Component_08
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Start screenshot
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: appidapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: c:\ProgramData
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Component_07
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: powershell.exe -encodedCommand
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: netstat -nao
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: runas
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SystemRoot
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cscript.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/jpeg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LocalLow
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: displayName
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CommandLine
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: 1234567890
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wbj.go
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: System32
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Name
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: c:\\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: FALSE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Packages
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Winsta0
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: userenv.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: from
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: user32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %S.%06d
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: shell32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: TRUE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: /
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: https
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %s\system32\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Process
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cmd.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: APPDATA
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: select
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .cfg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Product
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WQL
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wininet.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Create
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Initializing database...
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: winsta0\default
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .dat
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: next
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: fmon.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: vbs
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SysWOW64
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: mpr.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/gif
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: open
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SystemRoot
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cscript.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/jpeg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LocalLow
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: displayName
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CommandLine
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: 1234567890
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wbj.go
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: System32
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Name
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: c:\\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: FALSE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Packages
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Winsta0
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: userenv.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: from
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: user32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %S.%06d
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: shell32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: TRUE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: /
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: https
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %s\system32\
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Process
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: cmd.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: APPDATA
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: select
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .cfg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_Product
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WQL
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wininet.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Create
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Initializing database...
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: winsta0\default
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: .dat
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: next
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: fmon.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: vbs
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: SysWOW64
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: mpr.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: image/gif
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: open
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.47b0000.1.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,	3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3 mv_twofish_crypt,	3_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,	3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,	3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,	3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,	3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,	3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,	3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,	3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,	3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0 mv_tea_crypt,	3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100364E0 mv_rc4_crypt,	3_2_100364E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,	3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,	3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,	3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,	3_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,	3_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,	3_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,	3_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001BF0 mv_aes_crypt,	3_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,	3_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,	3_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb,	3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010E40 mv_des_crypt,	3_2_10010E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012F30 mv_encryption_info_add_side_data,mv_malloc,	3_2_10012F30

Source: licking.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: licking.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047B9DA8 FindFirstFileW,FindNextFileW,

18_2_047B9DA8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	IP Address: 2.82.8.80 2.82.8.80
Source: Joe Sandbox View	IP Address: 70.160.67.203 70.160.67.203

Source: unknown

Network traffic detected: IP country count 30

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.47.148

Source: de-ch[1].htm.24.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.facebook.com (Facebook)
Source: de-ch[1].htm.24.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.24.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.twitter.com (Twitter)
Source: de-ch[1].htm.24.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.youtube.com (Youtube)
Source: de-ch[1].htm.24.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.facebook.com/microsoftschweiz" target="_blank" data-bi-ecn="Facebook" data-bi-bhvr="126" data-bi-cn="Facebook" data-bi-socchn="Facebook" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.24.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.linkedin.com/company/1035" target="_blank" data-bi-ecn="LinkedIn" data-bi-bhvr="126" data-bi-cn="LinkedIn" data-bi-socchn="LinkedIn" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.24.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.youtube.com/user/MicrosoftCH" target="_blank" data-bi-ecn="Youtube" data-bi-bhvr="126" data-bi-cn="Youtube" data-bi-socchn="Youtube" data-bi-ct="Social Button" data-bi-pa="body" data-bi-compnm="Social Follow - horizontal"> equals www.youtube.com (Youtube)

Source: de-ch[1].htm.24.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWO4yJ?ver=2ab3"
Source: de-ch[1].htm.24.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWOalS?ver=cc6e"
Source: de-ch[1].htm.24.dr	String found in binary or memory: http://schema.org/Organization
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://accdn.lpsnmedia.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://analytics.tiktok.com
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://cdnssl.clicktale.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://d.impactradius-event.com
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://js.monitor.azure.com
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://lpcdn.lpsnmedia.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://lptag.liveperson.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://mem.gfx.ms
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://onedrive.live.com/about/de-ch/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://outlook.live.com/owa/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://publisher.liveperson.net
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://schema.org
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"
Source: rundll32.exe, rundll32.exe, 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.383246566.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.383992266.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.389505573.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.390247941.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.393764515.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, licking.dll	String found in binary or memory: https://streams.videolan.org/upload/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://twitter.com/microsoft_ch
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.clarity.ms
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.instagram.com/microsoftch/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.linkedin.com/company/1035
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.onenote.com/?omkt=de-CH
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.skype.com/de/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.xbox.com/
Source: de-ch[1].htm.24.dr	String found in binary or memory: https://www.youtube.com/user/MicrosoftCH

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1004D9B0 mv_thread_message_queue_recv,AcquireSRWLockExclusive,SleepConditionVariableSRW,SleepConditionVariableSRW,mv_fifo_can_read,mv_fifo_can_read,ReleaseSRWLockExclusive,mv_fifo_read,WakeConditionVariable,mv_fifo_can_read,

3_2_1004D9B0

Source: loaddll32.exe, 00000000.00000002.384209255.000000000056B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: licking.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 18.2.rundll32.exe.47b0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.df08c0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.df08c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 660

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004F020	3_2_1004F020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060	3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070	3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500A3	3_2_100500A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B0B0	3_2_1002B0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0	3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100500E1	3_2_100500E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144	3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A1A1	3_2_1002A1A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0	3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B	3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10058218	3_2_10058218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220	3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033261	3_2_10033261
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270	3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280	3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023350	3_2_10023350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0	3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0	3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480	3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004D4B0	3_2_1004D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0	3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0	3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E517	3_2_1004E517
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523	3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0	3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0	3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023620	3_2_10023620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B	3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7	3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004E71B	3_2_1004E71B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750	3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760	3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778	3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800	3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10030800	3_2_10030800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B830	3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026870	3_2_10026870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001900	3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091900	3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D910	3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F91B	3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1009D970	3_2_1009D970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010980	3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001099C	3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100339B9	3_2_100339B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C9F0	3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FA00	3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AA10	3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091A40	3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007A50	3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EAC0	3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAE0	3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAF7	3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AB30	3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003BA5	3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FBC0	3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001C10	3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DC10	3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EC10	3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031C30	3_2_10031C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000BC40	3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004C96	3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ECC9	3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DD40	3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CD50	3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DD90	3_2_1002DD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EDB0	3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0	3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004DDC5	3_2_1004DDC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023E60	3_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004E92	3_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CEA0	3_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EEB0	3_2_1002EEB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004FED0	3_2_1004FED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10050F00	3_2_10050F00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EF48	3_2_1002EF48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002F80	3_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CF80	3_2_1000CF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C8D30	18_2_047C8D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C71FF	18_2_047C71FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C4A6F	18_2_047C4A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047B3A40	18_2_047B3A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C6E40	18_2_047C6E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C320D	18_2_047C320D

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 100089C0 appears 35 times

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047BA823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	18_2_047BA823
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047BA412 NtAllocateVirtualMemory,NtWriteVirtualMemory,	18_2_047BA412
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047BCA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,	18_2_047BCA0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047C43F4 NtProtectVirtualMemory,NtProtectVirtualMemory,	18_2_047C43F4

Source: licking.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs licking.dll

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: licking.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\licking.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 660
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",next	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Nyzvoufu

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A9D.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@31/25@0/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047BD213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

18_2_047BD213

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047BC71C CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,

18_2_047BC71C

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7260
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7052
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7E845320-6207-4DAE-8634-F92F65E4A349}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7E845320-6207-4DAE-8634-F92F65E4A349}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3320
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{2A2C5C6A-4557-474A-9A8E-A0BC89FB7AD0}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7208

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: licking.dll

Static PE information: More than 582 > 100 exports found

Source: licking.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A2A90 push eax; mov dword ptr [esp], esi

3_2_100A2B31

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: licking.dll

Static PE information: real checksum: 0xf1b7b should be: 0xf5a04

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7460 base: E53C50 value: E9 63 D7 0D 02

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7276	Thread sleep count: 183 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7488	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047BB883 GetSystemInfo,

18_2_047BB883

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047B9DA8 FindFirstFileW,FindNextFileW,

18_2_047B9DA8

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]	3_2_1001E0D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_3_00D32297 mov eax, dword ptr fs:[00000030h]	18_3_00D32297
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047B1015 mov eax, dword ptr fs:[00000030h]	18_2_047B1015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_047B21CD mov eax, dword ptr fs:[00000030h]	18_2_047B21CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2F60000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2F30000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: E53C50	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2F30000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2F60000 protect: page read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2F30000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\licking.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1008DB50 cpuid

3_2_1008DB50

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100A0AD0 GetCurrentThread,GetThreadTimes,GetSystemTimeAsFileTime,QueryPerformanceFrequency,QueryPerformanceCounter,GetCurrentProcess,GetProcessTimes,_errno,GetModuleHandleA,GetProcAddress,

3_2_100A0AD0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

3_2_10092180

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 18_2_047BBB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

18_2_047BBB4D

Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Amcache.hve.9.dr	Binary or memory string: procexp.exe
Source: rundll32.exe, 00000012.00000003.384546359.000000000498F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 18.2.rundll32.exe.47b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.df08c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.df08c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.393410072.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.393553702.0000000004910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 18.2.rundll32.exe.47b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.df08c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.df08c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.393410072.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.393553702.0000000004910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	311 Process Injection	11 Masquerading	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	22 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 Input Capture	31 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mem.gfx.ms	0%	URL Reputation	safe
https://analytics.tiktok.com	0%	URL Reputation	safe
https://www.clarity.ms	0%	Avira URL Cloud	safe
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	0%	Avira URL Cloud	safe
https://d.impactradius-event.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.live.com/owa/	de-ch[1].htm.24.dr	false		high
https://www.onenote.com/?omkt=de-CH	de-ch[1].htm.24.dr	false		high
https://js.monitor.azure.com	de-ch[1].htm.24.dr	false		high
https://onedrive.live.com/about/de-ch/	de-ch[1].htm.24.dr	false		high
https://lpcdn.lpsnmedia.net	de-ch[1].htm.24.dr	false		high
https://www.skype.com/de/	de-ch[1].htm.24.dr	false		high
https://www.youtube.com/user/MicrosoftCH	de-ch[1].htm.24.dr	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://schema.org	de-ch[1].htm.24.dr	false		high
https://mem.gfx.ms	de-ch[1].htm.24.dr	false	URL Reputation: safe	unknown
https://aka.ms/yourcaliforniaprivacychoices	de-ch[1].htm.24.dr	false		high
https://lptag.liveperson.net	de-ch[1].htm.24.dr	false		high
https://analytics.tiktok.com	de-ch[1].htm.24.dr	false	URL Reputation: safe	unknown
https://twitter.com/microsoft_ch	de-ch[1].htm.24.dr	false		high
https://streams.videolan.org/upload/	rundll32.exe, rundll32.exe, 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.383246566.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.383992266.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.389505573.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.390247941.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.393764515.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, licking.dll	false		high
https://www.instagram.com/microsoftch/	de-ch[1].htm.24.dr	false		high
https://www.clarity.ms	de-ch[1].htm.24.dr	false	Avira URL Cloud: safe	unknown
https://accdn.lpsnmedia.net	de-ch[1].htm.24.dr	false		high
https://www.linkedin.com/company/1035	de-ch[1].htm.24.dr	false		high
https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js	de-ch[1].htm.24.dr	false		high
https://www.xbox.com/	de-ch[1].htm.24.dr	false		high
https://cdnssl.clicktale.net	de-ch[1].htm.24.dr	false		high
https://publisher.liveperson.net	de-ch[1].htm.24.dr	false		high
http://schema.org/Organization	de-ch[1].htm.24.dr	false		high
https://d.impactradius-event.com	de-ch[1].htm.24.dr	false	Avira URL Cloud: safe	unknown
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	de-ch[1].htm.24.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878603
Start date and time:	2023-05-30 21:41:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	licking.dll (renamed file extension from dat to dll, renamed because original name is a hash value)
Original Sample Name:	licking.dat
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@31/25@0/100
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 9.8% (good quality ratio 7.5%) Quality average: 55.7% Quality standard deviation: 38.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 339
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.65.92, 20.189.173.21, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50, 20.112.52.29, 23.36.225.122
Excluded domains from analysis (whitelisted): www.microsoft.com-c-3.edgekey.net, onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, e13678.dscb.akamaiedge.net, watson.telemetry.microsoft.com, microsoft.com, www.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
Execution Graph export aborted for target rundll32.exe, PID 7116 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: licking.dll

Simulations

Behavior and APIs

Time	Type	Description
21:42:16	API Interceptor	5x Sleep call for process: WerFault.exe modified
21:42:16	API Interceptor	1x Sleep call for process: loaddll32.exe modified
21:42:26	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
2.82.8.80	main2.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	graphically.dat.dll	Get hash	malicious	Qbot	Browse
	kxyj5.dat.dll	Get hash	malicious	Qbot	Browse
	PXNuYAPR.dat.dll	Get hash	malicious	Qbot	Browse
	TB9mkKe4Qzu.dat.dll	Get hash	malicious	Qbot	Browse
	leiotrichy.js	Get hash	malicious	Qbot	Browse
	a0UFMZnC6ltxphw.dat.dll	Get hash	malicious	Qbot	Browse
	msfilter.dll	Get hash	malicious	Qbot	Browse
	QPAWJ8VnpO.dll	Get hash	malicious	Qbot	Browse
	Cjpxxx.js	Get hash	malicious	Qbot	Browse
	analysis.dll	Get hash	malicious	Qbot	Browse
	ss3.dll	Get hash	malicious	Qbot	Browse
	Ffzknz.js	Get hash	malicious	Qbot	Browse
	Onhytfnr.js	Get hash	malicious	Qbot	Browse
	Hlyl.js	Get hash	malicious	Qbot	Browse
	Emrd.js	Get hash	malicious	Qbot	Browse
70.160.67.203	main2.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	graphically.dat.dll	Get hash	malicious	Qbot	Browse
	43acf3.msi	Get hash	malicious	Qbot	Browse
	43acf3.msi	Get hash	malicious	Qbot	Browse
	666.dat.dll	Get hash	malicious	Qbot	Browse
	kxyj5.dat.dll	Get hash	malicious	Qbot	Browse
	PXNuYAPR.dat.dll	Get hash	malicious	Qbot	Browse
	TB9mkKe4Qzu.dat.dll	Get hash	malicious	Qbot	Browse
	a0UFMZnC6ltxphw.dat.dll	Get hash	malicious	Qbot	Browse
	808.dll	Get hash	malicious	Qbot	Browse
	808.dll	Get hash	malicious	Qbot	Browse
	Oupxwi.js	Get hash	malicious	Qbot	Browse
	Nyyne.js	Get hash	malicious	Qbot	Browse
	aQg9MHOT1WJY.dat.dll	Get hash	malicious	Qbot	Browse
	fYV9RX7dVuLH.dll	Get hash	malicious	Qbot	Browse
	aQ2nHl74yJrc6dw8N.dat.dll	Get hash	malicious	Qbot	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEO-RESIDENCIALPT	main2.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	r3zg12.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	main.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	r3zg12.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	main.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	graphically.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	LEo7jDCX96.elf	Get hash	malicious	Mirai	Browse	2.81.219.243
	yvweY4vsVq.elf	Get hash	malicious	Mirai	Browse	188.81.116.228
	8C3RpG9eka.elf	Get hash	malicious	Mirai	Browse	85.244.28.246
	Pc8ewtsPRR.elf	Get hash	malicious	Mirai	Browse	85.240.179.8
	33cWz2DNq2.elf	Get hash	malicious	Mirai	Browse	2.83.183.198
	pu3jOk0Q9u.elf	Get hash	malicious	Mirai	Browse	82.155.117.104
	6mu5y2WWPK.elf	Get hash	malicious	Mirai	Browse	85.246.119.61
	A6BM2Ru5xc.elf	Get hash	malicious	Mirai	Browse	37.189.107.20
	43acf3.msi	Get hash	malicious	Qbot	Browse	188.83.251.100
	43acf3.msi	Get hash	malicious	Qbot	Browse	188.83.251.100
	666.dat.dll	Get hash	malicious	Qbot	Browse	188.83.251.100
	UnhookAverment.js	Get hash	malicious	Unknown	Browse	188.251.219.243
	kxyj5.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	PXNuYAPR.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
ASN-CXA-ALL-CCI-22773-RDCUS	main2.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	r3zg12.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	main.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	r3zg12.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	main.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	graphically.dat.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	UMyY7qXi7b.elf	Get hash	malicious	Mirai	Browse	68.6.72.41
	udxyqUncDs.elf	Get hash	malicious	Gafgyt, Mirai	Browse	184.188.248.242
	KipHfbWc5u.elf	Get hash	malicious	Mirai	Browse	174.74.5.188
	CT1zp877iP.elf	Get hash	malicious	Mirai	Browse	68.108.254.249
	65cBS6uCoV.elf	Get hash	malicious	Mirai	Browse	70.187.92.80
	gLeiWqaVuD.elf	Get hash	malicious	Mirai	Browse	24.249.120.101
	RW3fkwplaC.elf	Get hash	malicious	Mirai	Browse	70.171.100.214
	i12DwPGkzd.elf	Get hash	malicious	Mirai	Browse	68.101.71.203
	65iP0qrS2t.elf	Get hash	malicious	Mirai	Browse	68.107.216.55
	1ETFmiL6wm.elf	Get hash	malicious	Mirai	Browse	72.213.79.128
	0ngHKmaLgS.elf	Get hash	malicious	Unknown	Browse	72.208.54.96
	6Kzt2SSef6.elf	Get hash	malicious	Mirai	Browse	72.218.57.225
	pu3jOk0Q9u.elf	Get hash	malicious	Mirai	Browse	68.225.100.70
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	70.190.21.60

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_13bb9ae6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9056958729479141
Encrypted:	false
SSDEEP:	192:dxkioE0oXvbHBUZMX4jed+Vh/u7sVS274ItWcv:rkiXXzBUZMX4jem/u7sVX4ItWcv
MD5:	FBB43DD75F02825F3EA149E6392BA742
SHA1:	F590886601E4BE0419FE8F34BC763DBE037F3B77
SHA-256:	31B6AFB74683FF5B3E33C34DE8D2E79085230BA4931D12F73EE426A2263E3A75
SHA-512:	A98569E70A3B61E15F30A885B91078251CBFD17B2A4F61F39A669DB109E989F69449E19F22E6E41CA1A5350F6D98250B0273D71C9B3F09D56C59C6424E0AFD18
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.8.1.7.2.8.2.4.4.2.2.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.8.1.7.2.9.5.5.6.7.2.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.3.5.e.e.0.5.-.f.e.5.6.-.4.0.0.9.-.9.f.8.b.-.2.e.a.c.e.d.2.6.b.6.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.8.4.f.7.4.c.-.b.b.1.d.-.4.b.4.2.-.a.c.f.4.-.e.f.6.f.8.d.e.1.f.7.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.f.8.-.0.0.0.1.-.0.0.1.f.-.5.9.3.3.-.2.6.4.1.7.a.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_14339b25\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9059624005028971
Encrypted:	false
SSDEEP:	192:H3S/ih0oXwbHBUZMX4jed+Vh/u7sVS274ItWc:XS/iPXGBUZMX4jem/u7sVX4ItWc
MD5:	7AE91B1B1105228E0B12110702F4CEFE
SHA1:	9E7DBFC13CCE4D5B3665C7694C8062884DE8976B
SHA-256:	1040F47735CD0FA8088F6944342F542FCC22076A3E706B3714BC348C30D72F5F
SHA-512:	1BF94073DF642CB5ED6C43036C18D1F0AF6E8D19A1917F6DD9A24CE07056AB809F042C3095A3353BE4ED1762B4F9BB64099B62603B8C74F0EA077B80317B4319
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.8.1.7.2.8.5.1.2.1.1.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.8.1.7.2.9.5.7.4.5.9.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.5.9.a.8.2.2.-.3.7.2.e.-.4.4.5.d.-.9.1.9.1.-.3.b.4.f.5.0.d.0.8.1.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.d.0.2.9.9.6.-.8.1.6.7.-.4.d.d.0.-.a.0.e.6.-.0.5.6.6.3.d.8.3.d.5.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.c.-.0.0.0.1.-.0.0.1.f.-.a.d.f.5.-.2.2.4.1.7.a.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_1cc7a70c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9059381499594809
Encrypted:	false
SSDEEP:	192:3rmniP0oXGbHBUZMX4jed+Vh/u7sVS274ItWc:SixX0BUZMX4jem/u7sVX4ItWc
MD5:	0F16FDB5104827916323F8E969869666
SHA1:	AA880B12EFE38C6653327C2751CE3C4B292AAC7C
SHA-256:	46B6A59D99269F5F9DF51E735709BA4A7DA84304C679A791C155AC6F96ADF522
SHA-512:	59B734DE462EAE565B0D6085DB6D3D86FD89E59AC2DDC39B86DCEEBA2B28C4FBF6838611BBF1404AFA1FC437D338E50F06877E5BCA6127079F73A432E611091D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.7.6.1.8.4.4.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.8.8.6.8.4.5.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.7.1.4.3.f.8.-.5.2.a.6.-.4.d.e.f.-.a.6.8.0.-.3.1.c.5.2.9.f.1.3.c.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.7.3.2.2.7.0.-.4.1.e.e.-.4.2.6.3.-.8.d.a.4.-.1.4.5.0.7.1.c.5.e.5.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.2.8.-.0.0.0.1.-.0.0.1.f.-.c.7.d.1.-.9.d.4.6.7.a.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8fe1ff6253b685daeb750e0d8c1ede8ec9d8783_82810a17_1bab9b83\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9060456015678179
Encrypted:	false
SSDEEP:	192:/gi20oX97HBUZMX4jed+Vh/u7sVS274ItWc:IiwXJBUZMX4jem/u7sVX4ItWc
MD5:	FBE1B50713F12D545FDB9552123A99CD
SHA1:	95B15A67894E47D36E92F580EFB0C38D63C81C72
SHA-256:	E0FA82AA4CF11C0F517023078106C1804BBFB9CE448F9CEB3A08BB13440C91EB
SHA-512:	DAB175F44C0AD3707E4C3043029DBD5ED0D687237F965EBCAF580667619BBFD33E799FA184FD3BC013E47CD3D2D3D92272E96C553B47C922C9D388FF5738ECB7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.3.8.5.3.9.1.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.4.5.5.7.0.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.e.3.7.3.6.a.-.f.b.d.6.-.4.5.a.6.-.b.8.f.d.-.4.6.b.9.e.d.5.5.c.1.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.e.6.0.2.5.e.-.a.2.0.5.-.4.5.1.1.-.8.8.8.7.-.1.5.7.2.9.0.3.0.a.8.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.8.c.-.0.0.0.1.-.0.0.1.f.-.6.4.f.a.-.c.9.4.4.7.a.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8fe1ff6253b685daeb750e0d8c1ede8ec9d8783_82810a17_1cb3a815\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9065729729925465
Encrypted:	false
SSDEEP:	192:TWiJ0oXX7HBUZMX4jed+Vh/u7sVS274ItWc:6inXrBUZMX4jem/u7sVX4ItWc
MD5:	E24AF30766D0EEF619DF6D4702938E81
SHA1:	AB2C318FF99044757C21567C337384591DE2521D
SHA-256:	2ADDFCB10F11B503E27362F1E296C8BDEE152297484775EECF2FC528E26E2435
SHA-512:	5CD36E629879BDBA9422A9FDD99B048DF0B02949F9C860CA1CF72806DC4BA8F1155C71CCC9D6E99ECF96413EC5B0A61B9C8F587D52BF6942B53FB9751827AA40
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.7.7.7.5.6.8.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.8.1.7.3.8.9.7.8.7.8.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.3.5.c.8.a.0.-.2.4.8.0.-.4.4.6.f.-.8.e.b.1.-.c.f.a.5.0.4.9.f.3.9.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.9.0.0.1.7.f.-.0.8.5.7.-.4.2.d.d.-.9.8.8.c.-.0.1.c.8.6.c.f.c.2.c.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.c.-.0.0.0.1.-.0.0.1.f.-.8.a.6.1.-.c.3.4.6.7.a.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A9D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 04:42:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	44172
Entropy (8bit):	2.097495749195016
Encrypted:	false
SSDEEP:	192:vWI7C6crO5SkbORXwUs6WpdEIQifGpSSSgzQWZ2++Q2n+dld:u6cy5LbkXwUs6W9QifkSSwWZ0gz
MD5:	7B8042D4FBFC2A09AB6517366477D861
SHA1:	9CFFD05291A1668E9B391FD0350CFE0D4E3ACEB3
SHA-256:	C680285405D34F2DB7C21DAC87C1D819732B14DA76726AE408B3BDC7F1A486D2
SHA-512:	0DF4A2F54AF98037100A9782E73867E681331E342AB467CD183A9250762E6206A680305AC45DEC4ADA0E07CC026274772268C7BE6724344F2D99EBE8F7B56AB8
Malicious:	false
Preview:	MDMP....... ....... .vd.........................................,..........T.......8...........T...........P...<...........0................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BA6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 04:42:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	35632
Entropy (8bit):	2.3672782552984604
Encrypted:	false
SSDEEP:	192:vwcK1LZ53+T+1QGO5SkbOHXqSbI+68Q1Q0CSQ6f8MXGyGoZx:aU+iR5LbEqbQ0Cof8MbpZ
MD5:	7E39F7ED646C8EBDFDCE4773530496BA
SHA1:	8F8BDB2CC1C4D96288AEE69873B2159A7BC977C6
SHA-256:	DCB885639CFFFAC00CC0D97E1BB4037874EB8F8C528E3A5CB779C9C94C4718CC
SHA-512:	6A3D793593C1EDB7490A7C133429E46EB8392B94DE814D6F3726269AEE30FBBCD37FE04A3A858FC0B0ED95B6FE1389C6A6C9E13FF22E28D9E739FA13307ED55F
Malicious:	false
Preview:	MDMP....... ....... .vd............d...............l............)..........T.......8...........T...............0q...........................................................................................U...........B..............GenuineIntelW...........T.............vd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D0F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8252
Entropy (8bit):	3.689918905254578
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiE567zRMe6Y7+6KcgmfTOISPICprL89bMDsfQEm:RrlsNiK6r6YS6RgmfTlS0MofS
MD5:	E733FBEFA1896F1D203E61D2D5BB8A00
SHA1:	A65901F429717AD110A9B0D4BCF8044761169A9E
SHA-256:	B0AA462DCB25B1362A6B24CD4D03481BC2F19721CEA0B16A2E239B3CC017973A
SHA-512:	28AF00236D2DEA66FD0E76FB360489AE40EE6B90DDC68C5E15697B14163252DC2A8D71713D26825097D59D3232214DAEB8D670005397159232C835AEEC38A578
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D2E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6859681952075274
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXa6r6Ysn6pgmfTOISPICprv89bMC6sfeEm:RrlsNiK6r6Y86pgmfTlSIMCZf0
MD5:	2D45AD4343AACB3AC2ECCC904BE8678F
SHA1:	E5AC8D3F392E1FECF73E0F6F8E08CF3840345616
SHA-256:	E62782FBC694352A3E47BF11221C91F12621B1E4ECB516C0A5F5E4CB5D4E2CF1
SHA-512:	94A4A941F0D2F8C00C14C5837B5502A5D1EF5C559A04B9DED167C5A9097F31A472B308457314D7F23EFD7DCDB47DF8883A0984E982664D43785B2A3B8B4A0CF1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.2.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D6D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.450272154762781
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9vPWgc8sqYje8fm8M4JCdsPZFo+q8/0Ku4SrSDd:uITf6HkegrsqYvJhUBRDWDd
MD5:	3877D61B761C575F053BDF32D0C5525D
SHA1:	75D08AD27EB787235B814898F5B9CFBE81C23E67
SHA-256:	9052D72F7C7AE65FE9767152BE47319FAEEAED28103F671BB0465F34EFAB1C5A
SHA-512:	59C444E9509E82D9C5F1ACE906E5C0300306ECE45E322F95D7F0BB237961A447D320A4436FBDB20E9EDB0081D69255B71F64EAA5BB76A2222CE178FF3AE42407
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D8D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.453041767763166
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9vPWgc8sqYjj8fm8M4JCdsPZFE+q8/0Kg4SrSid:uITf6HkegrsqYcJhgBbDWid
MD5:	6124AE1AE49AB9C992660357EAAAD21F
SHA1:	DBBA525CC479F7D0682E22B3624EDC9CB850E5F0
SHA-256:	4DA6F3F3D28275E16C7563FF3427C2874C98FC8E6532F18BE41D9DF08BA8DC1B
SHA-512:	E98E2C80BDF8F89C3A8B97BE268427ABEAF5E1CFA4CCED9D5D8DA43D5DD25D2CB09B5BDE3B9322A0912B04C716E2C56A051DBE5A75E7C063FFD37648082E6C8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9086.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 04:42:14 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37244
Entropy (8bit):	2.2660034530016024
Encrypted:	false
SSDEEP:	192:VcXyLZ53+T+WGzO5SkbOedr4ayQ0CSF9hESU5HI2nWL:7U+dq5Lbu7Q0CiDEZHh
MD5:	6F71CC519D0B1EF41F67126B43E22F5C
SHA1:	B634947BC1E1627458F9B7E64B5544D4200878A9
SHA-256:	0CB5943C286A18218B01BBB33C74DF3F01BB511D2784E50B352C4869E2A0F5C2
SHA-512:	383A58FC77A70B1EDE920D4B46F808DFAD1988A0F1740835AF9D81EB3AA25C80EBB1630ACA08F0B054DA49928133A578EB61EA4CEC63DFFBC037C784EA4D8C62
Malicious:	false
Preview:	MDMP....... .......&.vd............d...............l............)..........T.......8...........T...............\|w...........................................................................................U...........B..............GenuineIntelW...........T...........%.vd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91C0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8250
Entropy (8bit):	3.6915898043297557
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidB67zC6Y7C6pYgmfTOoSPICprt89bhDsfqLm:RrlsNib6q6Ye6WgmfTFSihofv
MD5:	D666A9F9465B3A109A7DDDF19E5FBDAF
SHA1:	99B6C9372C42743C0FA11F3C1DCFCC529E0E54A7
SHA-256:	ABC8256ADB01FC5332A5BE935D957A9602D3E60D6EEE8C7FAE5A7ADB3AE26D5A
SHA-512:	72BF183AA5DCDBABC1BDEB27D90E50D3AD8564529CC3C5051F6D30349B605F1188566E403D77CA1BC382D6DBB069ED08C4D5A0B9B372E8EDB1D363433F91DF1F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91EF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.4530073304885045
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9vPWgc8sqYjw8fm8M4JCdsP9FRo+q8/0894SrSWd:uITf6HkegrsqYJJhJoBMDWWd
MD5:	A25599E5301FC0D20F17B404E9C137C9
SHA1:	A29E30ADF8FDFD596EA09F8381E6EF82D86B3BF2
SHA-256:	6F6BCA80A71158831C52529269065C370FA3047F998CAFC82C35815AAA88D5D8
SHA-512:	E17573DC3A3CA5AFCBAAEDC6C9EAFB022F4202D9CCF87B6F69E24E3358EA3C2235491D1D359D23FEBBC9948A83DD5F5F4048427656096EF1374748A82E750B95
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F3C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 04:42:18 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	41768
Entropy (8bit):	2.2079665024431345
Encrypted:	false
SSDEEP:	192:p4q7P7Cai2M3VNO5SkbO8cuZM4k+UQ0U2ek9Shzjy/zl++HsTH2:ZqaeVA5Lb9cWlkVQ0U2l9OC/p+R
MD5:	CC2F0356C236E4ACCF8F4F5A0CD179D3
SHA1:	CD49DCB8BC22A3E63919F63F56F71796D3D7450B
SHA-256:	18222FCC1D0C016FD780BB1B86056C4985EC2E24AD110797D43E839F874BE4D6
SHA-512:	25E67CB0F2AA524DB9B611C30005A9B2129116CFD9341C0992AE3116A08719EE5985F10991404E5B32A9AF237F58259576243966522EFB998FD1E389639B97AE
Malicious:	false
Preview:	MDMP....... .......*.vd.........................................,..........T.......8...........T...............(...........0................................................................................U...........B..............GenuineIntelW...........T.......(...(.vd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FD8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 04:42:18 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	45572
Entropy (8bit):	2.048727993333921
Encrypted:	false
SSDEEP:	192:p/T7Ct6d5EsO5SkbO78BSJZ+nGu109Y6NQ0SnxYJaprlLn2Q0LOQzg5:QA0j5LbM8BfGu10/Q0S9/LnCg5
MD5:	8B30424D4008A2ECE9EC0FDF647DD868
SHA1:	09005A037C9356B691DA33ECECE3273DF19420F6
SHA-256:	C0D568488A83C6A96A4EF348D50315D717C315BFC7AA79CF2EFF8CA6B4C91417
SHA-512:	24300D2D5BF94644B64E1953CC6B3D2F5DEA3D2ED919A3F8B849B880F3BD88C5F1B1FB08C1B7DE73BF99415F218832FFAD2EFD929258BAD83067EE0B6543B0B5
Malicious:	false
Preview:	MDMP....... .......*.vd.........................................,..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T.......\...(.vd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA131.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8244
Entropy (8bit):	3.688134623994175
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiAy6Xe6YDO6iSgmfTOISPICprw89bN/sf7vm:RrlsNil6u6YK6PgmfTlSlNkf6
MD5:	29A9ADE428FACEDBC56D765854F2B92D
SHA1:	11BD73ADD53A9B999575404A81B2F818B0E778E9
SHA-256:	58A4E933BD7195C4D4D63EBB33621F959155C39A2B23C9B3073EB1E03B9A6C4C
SHA-512:	7116A3DCD85ECB8ADD1BFE18740E0C0A67CBE318F6370CE5DAE7DF04A0B21C03DDA78B8A4A81CC06981FB37B2E3C83C8A18DBE4E17F037849D08FC0C63033744
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA19F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.450715966881692
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9vPWgc8sqYjob8fm8M4JCdsPZFY+q8/0Ky4SrSrd:uITf6HkegrsqYbJh8BJDWrd
MD5:	6F0AB44B71B1D81770EBC17488247147
SHA1:	149051FC32D36C1EF22F0D9BFA424F277AA095E0
SHA-256:	C94E9D0C4921E7362651CF464AE608F85345683849A76492E8E270BDA03B9D67
SHA-512:	EC8A3E7FF88522AA8DED876557A1D4FD5D3CA59A0895B65B636284EF3FDD0E8C3B2655DA0CE89DC13BE9A6D1EB83D3408910DB29F2EFF6DED622E91F3EDC5D62
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8244
Entropy (8bit):	3.689226818563688
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiuz6Yb6YDE6iSgmfTOoSPICprF89bN8sf9vm:RrlsNiq6k6YA6PgmfTFSqNPfY
MD5:	D8E0528345959AE197F0BDE78F1586B2
SHA1:	B92241417CF8DD3E4E78E0342FB811F727766F5E
SHA-256:	6FA4D401A9EFDDF40DD448AB3EDC671EC8F701CE4A6CD4F599011B0467B4AF23
SHA-512:	5BD387F2487AC0886C0CB31585C7C485BC7932DC4C6D6085DDFAEBEA26F43C5B5F1B14DF3F7BD283B6BAC647EDEB00F0F91D9D2B200E9773D3495AD8B32AFB83
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.453026355871779
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9vPWgc8sqYjR8fm8M4JCdsP9FAM+q8/08gz4SrSUd:uITf6HkegrsqYaJh4MBFDWUd
MD5:	DEF984BCE76FB08382BBFA6CD051EFAA
SHA1:	253DAE2200E21FBA43598D8048C505A4D2F5FDEB
SHA-256:	9FDDAD935DB57FE26E3A4A183E66145B2195B2E5834C36518B7A05F782311F22
SHA-512:	17E4E6A05EB9CC7C4B141EE9DD44E0279A24E1B37C1E3BB9C94433A4CC7CCB52DE8A6BF83E46AB1701ADC410A46FE81888AEF5A659F9B899367E5277A679A92C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\de-ch[1].htm

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3929), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	147267
Entropy (8bit):	5.018920207444994
Encrypted:	false
SSDEEP:	768:u1gCrecqKIRxktMqNPnOwMO4q68oGlRI5lH9D12KubdCmTia7zjR5BC6Q1kPJPjY:agBkGwMO4q6cI592erufw/FF903c
MD5:	9025CBDC9526117AEFBD748F8B5E0B42
SHA1:	81EFA8AF7EBE6EB5D411C9C5B0F4AC02770AB44E
SHA-256:	771570D90E4FA9EDCE8B26765BC9E76B63573FED8776091DB0256C05A1485564
SHA-512:	4D1060F76DE433DA01527249584BFE87E484DE88B6DADD66D902F35BBEB00EF128F9F11D79F3D48174954B0BDCDC179420BA4C1EB5B6A6E287761C23B3E9ECC0
Malicious:	false
Preview:	<!DOCTYPE HTML>..<html lang="de-CH" dir="ltr">.<head>. . .. ..... . . . . . . . .. . Start of ADDITIONAL DEBUG INFO cv.html .. CVToken: CASMicrosoftCV1dad9a13.0. End of ADDITIONAL DEBUG INFO -->..... . . .. . . <meta charset="UTF-8"/>. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>. <meta http-equiv="x-ua-compatible" content="ie=edge"/>.. <link rel="SHORTCUT ICON" href="/favicon.ico?v2" type="image/x-icon"/>.. ... . <meta name="robots" content="index, follow"/>. . .. <meta name="template" content="mscom"/>.. . <meta name="awa-canvasType" content="web"/>. <meta name="awa-isTented" content="false"/>.. <meta name="awa-pageType" content="MSCOM Home Page"/>. <meta name="awa-pgtmp" content="mscom"/>. <meta name="awa-pageId" content="4bca0c3fec9ac6f60e

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.292719396970795
Encrypted:	false
SSDEEP:	12288:JQsyzwSoCVxdfeaFPyabK3TpPJlKX756CwRQk+cBhDoT6JEkP/Oiv3S:hyzwSoCVxdfeaF8lj
MD5:	B901C12D3AB68680271F7815AD665A1E
SHA1:	0AD646BBF4B9C213E27E5C33DB873FA173D5476D
SHA-256:	4CE7BE07272519CBCBD61B11BA235C6E74E839E138FD942D4255CF04B0ACFC53
SHA-512:	37DA619CAE717A0374E12442DE38BFA000C260451B69154E200F9CF39E2D4F1E99F45B03A8369F167F44403B9D60547A5FED7496B1E31740EED9B2B8DA17EBBA
Malicious:	false
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...Az...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.831463993912044
Encrypted:	false
SSDEEP:	384:vdM55Rftx1jPJ4JcwHFnql9OjIRCMYVQln:KnRftx1bJ4J1HF+9O7MY8
MD5:	7B42D329895CDACE6BF8726ACF5EFF7C
SHA1:	7A73B1003E0D8992BBBF8F465806B3BB216D4776
SHA-256:	39429DAC3044C390F04EEA7EC27D1D2061A1DF3E8BAD7680C2F2A7BCC8B188AD
SHA-512:	34AE106F8414FC0C1F0A08350BEBF9936797186CACAFE26C9F496FEC452E45F4B1A503C2EEE64FE77636975AB89905C7DE0E8F4D1B03C5281BBED711EFDAA62A
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...Az...................................................................................................................................................................................................................................................................................................................................................HvLE.>......i.............H6..C.E._..-...........0..............hbin................p.\..,..........nk,..^.Az.......p........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..^.Az....... ........................... .......Z.......................Root........lf......Root....nk ..^.Az....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

C:\Windows\appcompat\Programs\Amcache.hve.tmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.8934494947268745
Encrypted:	false
SSDEEP:	48:mHVKDmX+pYdAAm5W3SS3eX5/cwlApldplCPjD04zISw0:mmmX+p76C0QALdLq/zID0
MD5:	B7DC5228D706B10A7A5BF8C54DBF8B28
SHA1:	CB166304FFAB192C8DC2D86749CB180A3F6E3876
SHA-256:	2CEED654DB5A85BD5F9E97219D6E21AE1F336FC82E9E276B0B4C70938DEBD8BF
SHA-512:	E9E31813CC7451F9BA705B31D10ACBC24BFBD8E9742FCFF8DDAD9945A67D02CB7039675444FF16029BC88ECC95D79F9923A7A4E52711616F0169F6392EDD4B57
Malicious:	false
Preview:	regf...........Az................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p...M.............-.M.............-.....N.............-.rmtm.^.Az................................................................................................................................................................................................................................................................................................................................................\.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.9287535056414729
Encrypted:	false
SSDEEP:	48:wHVKDmqb+pYdAAm5W3SS3eX5/cwlApldplCPjD04zISw0:wmmqb+p76C0QALdLq/zID0
MD5:	816C93686D1FA3EDB0F60C09929267C3
SHA1:	FA4051388C8C2A3E6E3161545294ADDC0454BB5D
SHA-256:	7F0A54644DEFEA35C6239F484FC2F423DE7E4F3DDB069F9AED4FFD4AE4A98B22
SHA-512:	B42702930F6ADD8FBB75482D2B64303B4F201D7FC84EC37A45DD1E3CD1D1E9D3B18F968B5A61209CA9226B611A39D6FB516F1A091AABE4291A9CFE5DBC17ED6A
Malicious:	false
Preview:	regf...........Az................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p...M.............-.M.............-.....N.............-.rmtm.^.Az................................................................................................................................................................................................................................................................................................................................................\.HvLE.....................2.=..9......q........hbin...................Az...........nk,..^.Az.......p...........0...........................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......sk..............(.................................................................................8......................1.?l.cL<.P...b....~z...........8......................1.?l.cL<.P...b....~z.............?...................?...................?........... ... ........... ...

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.673238642160537
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	licking.dll
File size:	981326
MD5:	e9fc43dd574b57dc64eefed2f4e6ac42
SHA1:	238188dea87ac33175067f63699ea32fe0f3111f
SHA256:	ab9822cf40230dccf2ab7f76e4c68c0ceebb82c25ea1859fbbdca8b5cdf82212
SHA512:	a9e84338caed1c73c328ce9af4e183af4f383f3eb11804a2b8657b36c440a2838bdb47c4b95247bfefdf3fd3ba17952560e86279cb0dd200fd4e4e95197e1c2e
SSDEEP:	24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4M:DZ8RDwlJGoY7XM
TLSH:	3B258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
TLS Callbacks:	0x10090cc0, 0x10090c70, 0x100a1c60
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac404a1028e7ce450416867d9b3974cc

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [101D86FCh], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007FA6F486A3C7h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 100C9000h
mov dword ptr [esp+04h], eax
call 00007FA6F490935Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 10001400h
call 00007FA6F486A543h
leave
ret
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
mov edx, dword ptr [esp+14h]
mov esi, dword ptr [esp+1Ch]
mov edi, dword ptr [esp+18h]
movzx ebx, dx
shr edx, 10h
test esi, esi
je 00007FA6F486A5F8h
nop
cmp esi, 04h
jbe 00007FA6F486A5B2h
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
movzx eax, byte ptr [edi]
add edi, 04h
sub esi, 04h
movzx ebp, byte ptr [edi-03h]
movzx ecx, byte ptr [edi-02h]
add eax, ebx
movzx ebx, byte ptr [edi-01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da000	0x4368	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df000	0x1388	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e3000	0x378	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e4000	0x4128	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc61e4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1df328	0x2c4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab124	0xab200	False	0.4480831126734843	data	6.432110661692397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xad000	0x100	0x200	False	0.28125	Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary	2.102897197014083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xae000	0x1a624	0x1a800	False	0.3911224941037736	data	5.329684115990636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xc9000	0x110264	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1da000	0x4368	0x4400	False	0.4040670955882353	data	5.488698281853443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1df000	0x1388	0x1400	False	0.3810546875	data	5.386273709762828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1e1000	0x30	0x200	False	0.060546875	data	0.25451054171027127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1e2000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e3000	0x1a64e	0x1b000	False	0.9544542100694444	data	7.905004935518631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1fe000	0x4128	0x4200	False	0.7178030303030303	data	6.590473987933104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1e3058	0x31c	data	English	United States

Imports

DLL	Import
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
KERNEL32.dll	AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW
msvcrt.dll	__mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close
USER32.dll	GetDesktopWindow

Exports

Name	Ordinal	Address
mv_add_i	1	0x10023c30
mv_add_q	2	0x10035990
mv_add_stable	3	0x10027e10
mv_adler32_update	4	0x10001410
mv_aes_alloc	5	0x10001bd0
mv_aes_crypt	6	0x10001bf0
mv_aes_ctr_alloc	7	0x100022f0
mv_aes_ctr_crypt	8	0x10002480
mv_aes_ctr_free	9	0x10002420
mv_aes_ctr_get_iv	10	0x10002370
mv_aes_ctr_increment_iv	11	0x10002430
mv_aes_ctr_init	12	0x100023c0
mv_aes_ctr_set_full_iv	13	0x10002340
mv_aes_ctr_set_iv	14	0x10002310
mv_aes_ctr_set_random_iv	15	0x10002380
mv_aes_init	16	0x10001c10
mv_aes_size	17	0x100ae00c
mv_append_path_component	18	0x10006eb0
mv_asprintf	19	0x10006850
mv_assert0_fpu	20	0x1008cfa0
mv_audio_fifo_alloc	21	0x10002670
mv_audio_fifo_drain	22	0x10002af0
mv_audio_fifo_free	23	0x10002610
mv_audio_fifo_peek	24	0x10002900
mv_audio_fifo_peek_at	25	0x10002990
mv_audio_fifo_read	26	0x10002a40
mv_audio_fifo_realloc	27	0x100027b0
mv_audio_fifo_reset	28	0x10002b70
mv_audio_fifo_size	29	0x10002bb0
mv_audio_fifo_space	30	0x10002bc0
mv_audio_fifo_write	31	0x10002850
mv_base64_decode	32	0x100076c0
mv_base64_encode	33	0x100078d0
mv_basename	34	0x10006d70
mv_blowfish_alloc	35	0x10007da0
mv_blowfish_crypt	36	0x100084b0
mv_blowfish_crypt_ecb	37	0x10007dc0
mv_blowfish_init	38	0x100a6ac0
mv_bmg_get	39	0x10024fe0
mv_bprint_append_data	40	0x10008f30
mv_bprint_channel_layout	41	0x1000c9f0
mv_bprint_chars	42	0x10008d20
mv_bprint_clear	43	0x10009670
mv_bprint_escape	44	0x10009730
mv_bprint_finalize	45	0x10009690
mv_bprint_get_buffer	46	0x10009500
mv_bprint_init	47	0x10008880
mv_bprint_init_for_buffer	48	0x100089a0
mv_bprint_strftime	49	0x10009130
mv_bprintf	50	0x100089c0
mv_buffer_alloc	51	0x10009dc0
mv_buffer_allocz	52	0x10009ef0
mv_buffer_create	53	0x10009e60
mv_buffer_default_free	54	0x10009d10
mv_buffer_get_opaque	55	0x1000a090
mv_buffer_get_ref_count	56	0x1000a0a0
mv_buffer_is_writable	57	0x1000a070
mv_buffer_make_writable	58	0x1000a0b0
mv_buffer_pool_buffer_get_opaque	59	0x1000a9b0
mv_buffer_pool_get	60	0x1000a720
mv_buffer_pool_init	61	0x1000a5f0
mv_buffer_pool_init2	62	0x1000a590
mv_buffer_pool_uninit	63	0x1000a650
mv_buffer_realloc	64	0x1000a1d0
mv_buffer_ref	65	0x10009fc0
mv_buffer_replace	66	0x1000a480
mv_buffer_unref	67	0x1000a000
mv_calloc	68	0x100291f0
mv_camellia_alloc	69	0x1000b0b0
mv_camellia_crypt	70	0x1000b0d0
mv_camellia_init	71	0x100a6c8e
mv_camellia_size	72	0x100af650
mv_cast5_alloc	73	0x1000c090
mv_cast5_crypt	74	0x1000c1b0
mv_cast5_crypt2	75	0x1000c0b0
mv_cast5_init	76	0x100a7a6e
mv_cast5_size	77	0x100b1a60
mv_channel_description	78	0x1000c470
mv_channel_description_bprint	79	0x1000c3c0
mv_channel_from_string	80	0x1000c560
mv_channel_layout_channel_from_index	81	0x1000dc10
mv_channel_layout_channel_from_string	82	0x1000eac0
mv_channel_layout_check	83	0x1000ec10
mv_channel_layout_compare	84	0x1000edb0
mv_channel_layout_copy	85	0x1000d340
mv_channel_layout_default	86	0x1000eff0
mv_channel_layout_describe	87	0x1000dba0
mv_channel_layout_describe_bprint	88	0x1000d4d0
mv_channel_layout_extract_channel	89	0x1000d060
mv_channel_layout_from_mask	90	0x1000d1b0
mv_channel_layout_from_string	91	0x1000dd40
mv_channel_layout_index_from_channel	92	0x1000e760
mv_channel_layout_index_from_string	93	0x1000e950
mv_channel_layout_standard	94	0x1000f050
mv_channel_layout_subset	95	0x1000f080
mv_channel_layout_uninit	96	0x1000d270
mv_channel_name	97	0x1000c2d0
mv_channel_name_bprint	98	0x1000c220
mv_chroma_location_enum_to_pos	99	0x10034f30
mv_chroma_location_from_name	100	0x10034ee0
mv_chroma_location_name	101	0x10034ec0
mv_chroma_location_pos_to_enum	102	0x10034f70
mv_cmp_i	103	0x10024200
mv_color_primaries_from_name	104	0x10034d90
mv_color_primaries_name	105	0x10034d70
mv_color_range_from_name	106	0x10034d20
mv_color_range_name	107	0x10034d00
mv_color_space_from_name	108	0x10034e70
mv_color_space_name	109	0x10034e50
mv_color_transfer_from_name	110	0x10034e00
mv_color_transfer_name	111	0x10034de0
mv_compare_mod	112	0x100279f0
mv_compare_ts	113	0x10027830
mv_content_light_metadata_alloc	114	0x10027020
mv_content_light_metadata_create_side_data	115	0x10027050
mv_cpu_count	116	0x1000f8f0
mv_cpu_force_count	117	0x1000f9e0
mv_cpu_max_align	118	0x1000f9f0
mv_crc	119	0x100101d0
mv_crc_get_table	120	0x1000fdb0
mv_crc_init	121	0x1000fbc0
mv_csp_luma_coeffs_from_avcsp	122	0x100102b0
mv_csp_primaries_desc_from_id	123	0x100102f0
mv_csp_primaries_id_from_desc	124	0x10010320
mv_d2q	125	0x10035aa0
mv_d2str	126	0x100068e0
mv_default_get_category	127	0x10026240
mv_default_item_name	128	0x10026230
mv_des_alloc	129	0x10010d80
mv_des_crypt	130	0x10010e40
mv_des_init	131	0x10010da0
mv_des_mac	132	0x10010e90
mv_detection_bbox_alloc	133	0x10010ee0
mv_detection_bbox_create_side_data	134	0x10010f70
mv_dict_copy	135	0x10011d20
mv_dict_count	136	0x10011070
mv_dict_free	137	0x10011cc0
mv_dict_get	138	0x100110d0
mv_dict_get_string	139	0x100121a0
mv_dict_iterate	140	0x10011090
mv_dict_parse_string	141	0x100118c0
mv_dict_set	142	0x10011210
mv_dict_set_int	143	0x10011560
mv_dirname	144	0x10006e10
mv_display_matrix_flip	145	0x100126f0
mv_display_rotation_get	146	0x10012470
mv_display_rotation_set	147	0x100125c0
mv_div_i	148	0x10024ef0
mv_div_q	149	0x10035920
mv_dovi_alloc	150	0x10012780
mv_dovi_metadata_alloc	151	0x100127b0
mv_downmix_info_update_side_data	152	0x10012800
mv_dynamic_hdr_plus_alloc	153	0x1001d0a0
mv_dynamic_hdr_plus_create_side_data	154	0x1001d0d0
mv_dynamic_hdr_vivid_alloc	155	0x1001d130
mv_dynamic_hdr_vivid_create_side_data	156	0x1001d160
mv_dynarray2_add	157	0x100296f0
mv_dynarray_add	158	0x10029620
mv_dynarray_add_nofree	159	0x10029560
mv_encryption_info_add_side_data	160	0x10012f30
mv_encryption_info_alloc	161	0x10012a70
mv_encryption_info_clone	162	0x10012b40
mv_encryption_info_free	163	0x10012cf0
mv_encryption_info_get_side_data	164	0x10012d40
mv_encryption_init_info_add_side_data	165	0x10013860
mv_encryption_init_info_alloc	166	0x10013100
mv_encryption_init_info_free	167	0x100132d0
mv_encryption_init_info_get_side_data	168	0x10013480
mv_escape	169	0x10007050
mv_expr_count_func	170	0x100176e0
mv_expr_count_vars	171	0x10017650
mv_expr_eval	172	0x100177a0
mv_expr_free	173	0x10015280
mv_expr_parse	174	0x10017110
mv_expr_parse_and_eval	175	0x100177f0
mv_fast_malloc	176	0x10029d10
mv_fast_mallocz	177	0x10029df0
mv_fast_realloc	178	0x10029c60
mv_fifo_alloc	179	0x10018a20
mv_fifo_alloc2	180	0x10017e40
mv_fifo_alloc_array	181	0x10018990
mv_fifo_auto_grow_limit	182	0x10017ef0
mv_fifo_can_read	183	0x10017f10
mv_fifo_can_write	184	0x10017f40
mv_fifo_drain	185	0x100192b0
mv_fifo_drain2	186	0x100188c0
mv_fifo_elem_size	187	0x10017f00
mv_fifo_free	188	0x10018aa0
mv_fifo_freep	189	0x10018ae0
mv_fifo_freep2	190	0x10018950
mv_fifo_generic_peek	191	0x10019120
mv_fifo_generic_peek_at	192	0x10018fc0
mv_fifo_generic_read	193	0x10019160
mv_fifo_generic_write	194	0x10018e70
mv_fifo_grow	195	0x10018ce0
mv_fifo_grow2	196	0x10017f70
mv_fifo_peek	197	0x10018760
mv_fifo_peek_to_cb	198	0x100188a0
mv_fifo_read	199	0x10018500
mv_fifo_read_to_cb	200	0x100186c0
mv_fifo_realloc2	201	0x10018b70
mv_fifo_reset	202	0x10018b20
mv_fifo_reset2	203	0x10018930
mv_fifo_size	204	0x10018b40
mv_fifo_space	205	0x10018b50
mv_fifo_write	206	0x100180f0
mv_fifo_write_from_cb	207	0x100182a0
mv_file_map	208	0x100192e0
mv_file_unmap	209	0x10019570
mv_film_grain_params_alloc	210	0x10019b60
mv_film_grain_params_create_side_data	211	0x10019b90
mv_find_best_pix_fmt_of_2	212	0x10034a40
mv_find_info_tag	213	0x10032410
mv_find_nearest_q_idx	214	0x10035e60
mv_fopen_utf8	215	0x10019b50
mv_force_cpu_flags	216	0x1000f820
mv_fourcc_make_string	217	0x1008ced0
mv_frame_alloc	218	0x1001ac40
mv_frame_apply_cropping	219	0x1001c490
mv_frame_clone	220	0x1001c050
mv_frame_copy	221	0x1001b8d0
mv_frame_copy_props	222	0x1001b550
mv_frame_free	223	0x1001adb0
mv_frame_get_buffer	224	0x1001adf0
mv_frame_get_plane_buffer	225	0x1001b570
mv_frame_get_side_data	226	0x1001b890
mv_frame_is_writable	227	0x1001b4b0
mv_frame_make_writable	228	0x1001c210
mv_frame_move_ref	229	0x1001b320
mv_frame_new_side_data	230	0x1001b7e0
mv_frame_new_side_data_from_buf	231	0x1001b750
mv_frame_ref	232	0x1001bc40
mv_frame_remove_side_data	233	0x1001c3e0
mv_frame_side_data_name	234	0x1001c470
mv_frame_unref	235	0x1001b300
mv_free	236	0x100290d0
mv_freep	237	0x100290e0
mv_gcd	238	0x10027090
mv_gcd_q	239	0x100362f0
mv_get_alt_sample_fmt	240	0x1003c9f0
mv_get_bits_per_pixel	241	0x100345a0
mv_get_bytes_per_sample	242	0x1003cb50
mv_get_channel_description	243	0x1000cf80
mv_get_channel_layout	244	0x1000c640
mv_get_channel_layout_channel_index	245	0x1000cd50
mv_get_channel_layout_nb_channels	246	0x1000cc80
mv_get_channel_layout_string	247	0x1000cbf0
mv_get_channel_name	248	0x1000cea0
mv_get_colorspace_name	249	0x1001ac20
mv_get_cpu_flags	250	0x1000f880
mv_get_default_channel_layout	251	0x1000cd10
mv_get_extended_channel_layout	252	0x1000c8f0
mv_get_known_color_name	253	0x10031760
mv_get_media_type_string	254	0x1008cd60
mv_get_packed_sample_fmt	255	0x1003ca30
mv_get_padded_bits_per_pixel	256	0x100345f0
mv_get_picture_type_char	257	0x1008cd80
mv_get_pix_fmt	258	0x10034480
mv_get_pix_fmt_loss	259	0x10034a10
mv_get_pix_fmt_name	260	0x10034450
mv_get_pix_fmt_string	261	0x100346a0
mv_get_planar_sample_fmt	262	0x1003ca70
mv_get_random_seed	263	0x10035030
mv_get_sample_fmt	264	0x1003c860
mv_get_sample_fmt_name	265	0x1003c840
mv_get_sample_fmt_string	266	0x1003caa0
mv_get_standard_channel_layout	267	0x1000d150
mv_get_time_base_q	268	0x1008cf90
mv_get_token	269	0x10006940
mv_gettime	270	0x1004dbb0
mv_gettime_relative	271	0x1004dbf0
mv_gettime_relative_is_monotonic	272	0x1004dc60
mv_hash_alloc	273	0x1001c790
mv_hash_final	274	0x1001cb30
mv_hash_final_b64	275	0x1001ce80
mv_hash_final_bin	276	0x1001cbc0
mv_hash_final_hex	277	0x1001ce00
mv_hash_freep	278	0x1001d070
mv_hash_get_name	279	0x1001c770
mv_hash_get_size	280	0x1001c780
mv_hash_init	281	0x1001c870
mv_hash_names	282	0x1001c750
mv_hash_update	283	0x1001ca10
mv_hmac_alloc	284	0x1001d220
mv_hmac_calc	285	0x1001d720
mv_hmac_final	286	0x1001d5a0
mv_hmac_free	287	0x1001d3a0
mv_hmac_init	288	0x1001d3e0
mv_hmac_update	289	0x1001d590
mv_hwdevice_ctx_alloc	290	0x1001d9d0
mv_hwdevice_ctx_create	291	0x1001e0b0
mv_hwdevice_ctx_create_derived	292	0x1001e320
mv_hwdevice_ctx_create_derived_opts	293	0x1001e190
mv_hwdevice_ctx_init	294	0x1001db30
mv_hwdevice_find_type_by_name	295	0x1001d920
mv_hwdevice_get_hwframe_constraints	296	0x1001dfd0
mv_hwdevice_get_type_name	297	0x1001d970
mv_hwdevice_hwconfig_alloc	298	0x1001dfa0
mv_hwdevice_iterate_types	299	0x1001d990
mv_hwframe_constraints_free	300	0x1001e070
mv_hwframe_ctx_alloc	301	0x1008d450
mv_hwframe_ctx_create_derived	302	0x1001ea30
mv_hwframe_ctx_init	303	0x1001e7f0
mv_hwframe_get_buffer	304	0x1001e690
mv_hwframe_map	305	0x1001e450
mv_hwframe_transfer_data	306	0x1001dd70
mv_hwframe_transfer_get_formats	307	0x1001dd40
mv_i2int	308	0x10024fb0
mv_image_alloc	309	0x10021d20
mv_image_check_sar	310	0x100222b0
mv_image_check_size	311	0x100221c0
mv_image_check_size2	312	0x10022070
mv_image_copy	313	0x10022610
mv_image_copy_plane	314	0x100224f0
mv_image_copy_plane_uc_from	315	0x10022390
mv_image_copy_to_buffer	316	0x10023350
mv_image_copy_uc_from	317	0x10022af0
mv_image_fill_arrays	318	0x10022fe0
mv_image_fill_black	319	0x10023620
mv_image_fill_linesizes	320	0x100215d0
mv_image_fill_max_pixsteps	321	0x10021380
mv_image_fill_plane_sizes	322	0x100219b0
mv_image_fill_pointers	323	0x10021af0
mv_image_get_buffer_size	324	0x10023180
mv_image_get_linesize	325	0x10021480
mv_int2i	326	0x10024f80
mv_int_list_length_for_size	327	0x1008cda0
mv_lfg_init	328	0x100a7ee0
mv_lfg_init_from_data	329	0x10025100
mv_log	330	0x10026560
mv_log2	331	0x10024fc0
mv_log2_16bit	332	0x10024fd0
mv_log2_i	333	0x10023dd0
mv_log_default_callback	334	0x10025b10
mv_log_format_line	335	0x10026550
mv_log_format_line2	336	0x10026250
mv_log_get_flags	337	0x10026710
mv_log_get_level	338	0x100266e0
mv_log_once	339	0x100265d0
mv_log_set_callback	340	0x10026720
mv_log_set_flags	341	0x10026700
mv_log_set_level	342	0x100266f0
mv_lzo1x_decode	343	0x10026870
mv_malloc	344	0x10028d50
mv_malloc_array	345	0x10028ec0
mv_mallocz	346	0x10029100
mv_mallocz_array	347	0x10028f20
mv_mastering_display_metadata_alloc	348	0x10026f40
mv_mastering_display_metadata_create_side_data	349	0x10026f60
mv_match_list	350	0x100075a0
mv_match_name	351	0x10007100
mv_max_alloc	352	0x10028d40
mv_md5_alloc	353	0x10028790
mv_md5_final	354	0x100289f0
mv_md5_init	355	0x100287b0
mv_md5_size	356	0x100b7208
mv_md5_sum	357	0x10028b00
mv_md5_update	358	0x100287e0
mv_memcpy_backptr	359	0x10029830
mv_memdup	360	0x100294a0
mv_mod_i	361	0x100243c0
mv_mul_i	362	0x10023e60
mv_mul_q	363	0x100358c0
mv_murmur3_alloc	364	0x10029fc0
mv_murmur3_final	365	0x1002a800
mv_murmur3_init	366	0x1002a0d0
mv_murmur3_init_seeded	367	0x10029fe0
mv_murmur3_update	368	0x1002a1b0
mv_nearer_q	369	0x10035ca0
mv_opt_child_class_iterate	370	0x100303a0
mv_opt_child_next	371	0x10030380
mv_opt_copy	372	0x10030430
mv_opt_eval_double	373	0x1002f620
mv_opt_eval_flags	374	0x1002f520
mv_opt_eval_float	375	0x1002f5e0
mv_opt_eval_int	376	0x1002f560
mv_opt_eval_int64	377	0x1002f5a0
mv_opt_eval_q	378	0x1002f660
mv_opt_find	379	0x1002ee70
mv_opt_find2	380	0x1002ec60
mv_opt_flag_is_set	381	0x100302d0
mv_opt_free	382	0x1002ebd0
mv_opt_freep_ranges	383	0x10030760
mv_opt_get	384	0x1002d870
mv_opt_get_channel_layout	385	0x1002e4c0
mv_opt_get_chlayout	386	0x1002e550
mv_opt_get_dict_val	387	0x1002e5e0
mv_opt_get_double	388	0x1002df00
mv_opt_get_image_size	389	0x1002e1a0
mv_opt_get_int	390	0x1002dd90
mv_opt_get_key_value	391	0x1002ea50
mv_opt_get_pixel_fmt	392	0x1002e3c0
mv_opt_get_q	393	0x1002e010
mv_opt_get_sample_fmt	394	0x1002e440
mv_opt_get_video_rate	395	0x1002e230
mv_opt_is_set_to_default	396	0x10030800
mv_opt_is_set_to_default_by_name	397	0x10030d80
mv_opt_next	398	0x1002c760
mv_opt_ptr	399	0x100303c0
mv_opt_query_ranges	400	0x10030700
mv_opt_query_ranges_default	401	0x1002b9f0
mv_opt_serialize	402	0x10030dd0
mv_opt_set	403	0x1002f6a0
mv_opt_set_bin	404	0x1002cfc0
mv_opt_set_channel_layout	405	0x1002d730
mv_opt_set_chlayout	406	0x1002d820
mv_opt_set_defaults	407	0x1002ea30
mv_opt_set_defaults2	408	0x1002e6b0
mv_opt_set_dict	409	0x100302a0
mv_opt_set_dict2	410	0x10030180
mv_opt_set_dict_val	411	0x1002d7b0
mv_opt_set_double	412	0x1002c9d0
mv_opt_set_from_string	413	0x1002ff20
mv_opt_set_image_size	414	0x1002d120
mv_opt_set_int	415	0x1002c7b0
mv_opt_set_pixel_fmt	416	0x1002d510
mv_opt_set_q	417	0x1002ccc0
mv_opt_set_sample_fmt	418	0x1002d620
mv_opt_set_video_rate	419	0x1002d1e0
mv_opt_show2	420	0x1002e640
mv_parse_color	421	0x10031420
mv_parse_cpu_caps	422	0x1000f8b0
mv_parse_ratio	423	0x100310f0
mv_parse_time	424	0x10031c30
mv_parse_video_rate	425	0x100312c0
mv_parse_video_size	426	0x10031200
mv_pix_fmt_count_planes	427	0x10034870
mv_pix_fmt_desc_get	428	0x10034790
mv_pix_fmt_desc_get_id	429	0x10034800
mv_pix_fmt_desc_next	430	0x100347c0
mv_pix_fmt_get_chroma_sub_sample	431	0x10034830
mv_pix_fmt_swap_endianness	432	0x10034920
mv_pixelutils_get_sad_fn	433	0x10035000
mv_q2intfloat	434	0x10036090
mv_rc4_alloc	435	0x100363e0
mv_rc4_crypt	436	0x100364e0
mv_rc4_init	437	0x10036400
mv_read_image_line	438	0x100339c0
mv_read_image_line2	439	0x10033270
mv_realloc	440	0x10028da0
mv_realloc_array	441	0x10029010
mv_realloc_f	442	0x10028de0
mv_reallocp	443	0x10028e40
mv_reallocp_array	444	0x10029050
mv_reduce	445	0x100353b0
mv_rescale	446	0x10027760
mv_rescale_delta	447	0x10027a80
mv_rescale_q	448	0x100277e0
mv_rescale_q_rnd	449	0x100277b0
mv_rescale_rnd	450	0x10027220
mv_ripemd_alloc	451	0x1003c470
mv_ripemd_final	452	0x1003c6e0
mv_ripemd_init	453	0x100a7f8c
mv_ripemd_size	454	0x100bf9a4
mv_ripemd_update	455	0x1003c490
mv_sample_fmt_is_planar	456	0x1003cb70
mv_samples_alloc	457	0x1003ce40
mv_samples_alloc_array_and_samples	458	0x1003d010
mv_samples_copy	459	0x1003d270
mv_samples_fill_arrays	460	0x1003ccd0
mv_samples_get_buffer_size	461	0x1003cb90
mv_samples_set_silence	462	0x1003d450
mv_set_options_string	463	0x1002fd50
mv_sha512_alloc	464	0x1004c260
mv_sha512_final	465	0x1004c4c0
mv_sha512_init	466	0x100a81b0
mv_sha512_size	467	0x100bfaec
mv_sha512_update	468	0x1004c280
mv_sha_alloc	469	0x100411a0
mv_sha_final	470	0x10041410
mv_sha_init	471	0x100a80b4
mv_sha_size	472	0x100bfae4
mv_sha_update	473	0x100411c0
mv_shr_i	474	0x10024280
mv_size_mult	475	0x10029fa0
mv_small_strptime	476	0x10031790
mv_spherical_alloc	477	0x1004d120
mv_spherical_from_name	478	0x1004d280
mv_spherical_projection_name	479	0x1004d260
mv_spherical_tile_bounds	480	0x1004d150
mv_sscanf	481	0x10002f80
mv_stereo3d_alloc	482	0x1004d2d0
mv_stereo3d_create_side_data	483	0x1004d2f0
mv_stereo3d_from_name	484	0x1004d360
mv_stereo3d_type_name	485	0x1004d340
mv_strcasecmp	486	0x10006b30
mv_strdup	487	0x100292e0
mv_strerror	488	0x10013b30
mv_strireplace	489	0x10006bf0
mv_stristart	490	0x10006580
mv_stristr	491	0x100065f0
mv_strlcat	492	0x10006750
mv_strlcatf	493	0x100067f0
mv_strlcpy	494	0x100066e0
mv_strncasecmp	495	0x10006b80
mv_strndup	496	0x100293b0
mv_strnstr	497	0x10006660
mv_strstart	498	0x10006530
mv_strtod	499	0x100150e0
mv_strtok	500	0x10006aa0
mv_sub_i	501	0x10023d00
mv_sub_q	502	0x10035a10
mv_tea_alloc	503	0x1004d460
mv_tea_crypt	504	0x1004d4b0
mv_tea_init	505	0x1004d480
mv_tea_size	506	0x100bfc60
mv_tempfile	507	0x100195a0
mv_thread_message_flush	508	0x1004db40
mv_thread_message_queue_alloc	509	0x1004d700
mv_thread_message_queue_free	510	0x1004d7d0
mv_thread_message_queue_nb_elems	511	0x1004d880
mv_thread_message_queue_recv	512	0x1004d9b0
mv_thread_message_queue_send	513	0x1004d8d0
mv_thread_message_queue_set_err_recv	514	0x1004daf0
mv_thread_message_queue_set_err_send	515	0x1004daa0
mv_thread_message_queue_set_free_func	516	0x1004d7c0
mv_timecode_adjust_ntsc_framenum2	517	0x1004dd30
mv_timecode_check_frame_rate	518	0x1004e8c0
mv_timecode_get_smpte	519	0x1004e080
mv_timecode_get_smpte_from_framenum	520	0x1004ddd0
mv_timecode_init	521	0x1004e930
mv_timecode_init_from_components	522	0x1004ea50
mv_timecode_init_from_string	523	0x1004ec80
mv_timecode_make_mpeg_tc_string	524	0x1004e850
mv_timecode_make_smpte_tc_string	525	0x1004e720
mv_timecode_make_smpte_tc_string2	526	0x1004e520
mv_timecode_make_string	527	0x1004e270
mv_timegm	528	0x10031b50
mv_tree_destroy	529	0x1004f8f0
mv_tree_enumerate	530	0x1004fad0
mv_tree_find	531	0x1004ef60
mv_tree_insert	532	0x1004f020
mv_tree_node_alloc	533	0x1004ef40
mv_tree_node_size	534	0x100bfd80
mv_twofish_alloc	535	0x10050090
mv_twofish_crypt	536	0x100500b0
mv_twofish_init	537	0x100a8637
mv_twofish_size	538	0x100bfda0
mv_tx_init	539	0x100a9843
mv_tx_uninit	540	0x100a8f2b
mv_usleep	541	0x1004dc70
mv_utf8_decode	542	0x10007270
mv_util_ffversion	543	0x100c3fa0
mv_uuid_parse	544	0x1008d110
mv_uuid_parse_range	545	0x1008cff0
mv_uuid_unparse	546	0x1008d160
mv_uuid_urn_parse	547	0x1008d3e0
mv_vbprintf	548	0x10008b70
mv_version_info	549	0x1008d440
mv_video_enc_params_alloc	550	0x1008d480
mv_video_enc_params_create_side_data	551	0x1008d500
mv_vk_frame_alloc	552	0x10021370
mv_vkfmt_from_pixfmt	553	0x10021360
mv_vlog	554	0x10026650
mv_write_image_line	555	0x10034210
mv_write_image_line2	556	0x10033e70
mv_xtea_alloc	557	0x10090760
mv_xtea_crypt	558	0x100907d0
mv_xtea_init	559	0x10090780
mv_xtea_le_crypt	560	0x10090910
mv_xtea_le_init	561	0x100907b0
mvpriv_alloc_fixed_dsp	562	0x10019fa0
mvpriv_cga_font	563	0x100c59e0
mvpriv_dict_set_timestamp	564	0x10012370
mvpriv_float_dsp_alloc	565	0x100a7b20
mvpriv_fopen_utf8	566	0x10019a90
mvpriv_get_gamma_from_trc	567	0x1000f7d0
mvpriv_get_trc_function_from_trc	568	0x1000f800
mvpriv_init_lls	569	0x100a7f58
mvpriv_open	570	0x100195e0
mvpriv_report_missing_feature	571	0x100267e0
mvpriv_request_sample	572	0x10026730
mvpriv_scalarproduct_float_c	573	0x1001a2e0
mvpriv_set_systematic_pal2	574	0x10021bf0
mvpriv_slicethread_create	575	0x1004ce50
mvpriv_slicethread_execute	576	0x1004cb50
mvpriv_slicethread_free	577	0x1004cd20
mvpriv_solve_lls	578	0x10025270
mvpriv_tempfile	579	0x10019970
mvpriv_vga16_font	580	0x100c49e0
mvutil_configuration	581	0x1008d460
mvutil_license	582	0x1008d470
next	583	0x1001db90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 21:45:38.958667040 CEST	49720	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:38.958729982 CEST	443	49720	124.122.47.148	192.168.2.3
May 30, 2023 21:45:38.958929062 CEST	49720	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:38.959391117 CEST	49720	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:38.959424973 CEST	443	49720	124.122.47.148	192.168.2.3
May 30, 2023 21:45:40.430382013 CEST	443	49720	124.122.47.148	192.168.2.3
May 30, 2023 21:45:40.432975054 CEST	49721	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:40.433026075 CEST	443	49721	124.122.47.148	192.168.2.3
May 30, 2023 21:45:40.433202028 CEST	49721	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:40.433501959 CEST	49721	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:40.433521986 CEST	443	49721	124.122.47.148	192.168.2.3
May 30, 2023 21:45:43.649837017 CEST	443	49721	124.122.47.148	192.168.2.3
May 30, 2023 21:45:43.650660992 CEST	49722	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.650732994 CEST	443	49722	124.122.47.148	192.168.2.3
May 30, 2023 21:45:43.650835991 CEST	49722	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.650953054 CEST	49722	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.651051998 CEST	443	49722	124.122.47.148	192.168.2.3
May 30, 2023 21:45:43.651124001 CEST	49722	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.654587984 CEST	49723	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.654637098 CEST	443	49723	124.122.47.148	192.168.2.3
May 30, 2023 21:45:43.654738903 CEST	49723	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.655288935 CEST	49723	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:43.655308962 CEST	443	49723	124.122.47.148	192.168.2.3
May 30, 2023 21:45:54.110179901 CEST	443	49723	124.122.47.148	192.168.2.3
May 30, 2023 21:45:54.111216068 CEST	49724	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:54.111273050 CEST	443	49724	124.122.47.148	192.168.2.3
May 30, 2023 21:45:54.111403942 CEST	49724	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:54.111728907 CEST	49724	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:54.111754894 CEST	443	49724	124.122.47.148	192.168.2.3
May 30, 2023 21:45:57.329828024 CEST	443	49724	124.122.47.148	192.168.2.3
May 30, 2023 21:45:57.331355095 CEST	49725	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:57.331414938 CEST	443	49725	124.122.47.148	192.168.2.3
May 30, 2023 21:45:57.331590891 CEST	49725	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:57.331938028 CEST	49725	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:57.331981897 CEST	443	49725	124.122.47.148	192.168.2.3
May 30, 2023 21:45:57.332089901 CEST	49725	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:59.344280005 CEST	49726	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:59.344346046 CEST	443	49726	124.122.47.148	192.168.2.3
May 30, 2023 21:45:59.344579935 CEST	49726	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:59.344846964 CEST	49726	443	192.168.2.3	124.122.47.148
May 30, 2023 21:45:59.344871998 CEST	443	49726	124.122.47.148	192.168.2.3
May 30, 2023 21:46:00.353161097 CEST	443	49726	124.122.47.148	192.168.2.3
May 30, 2023 21:46:00.354748011 CEST	49727	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:00.354842901 CEST	443	49727	124.122.47.148	192.168.2.3
May 30, 2023 21:46:00.354988098 CEST	49727	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:00.356808901 CEST	49727	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:00.356843948 CEST	443	49727	124.122.47.148	192.168.2.3
May 30, 2023 21:46:03.570064068 CEST	443	49727	124.122.47.148	192.168.2.3
May 30, 2023 21:46:03.579653025 CEST	49728	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.579705954 CEST	443	49728	124.122.47.148	192.168.2.3
May 30, 2023 21:46:03.579802990 CEST	49728	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.580053091 CEST	49728	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.580147028 CEST	443	49728	124.122.47.148	192.168.2.3
May 30, 2023 21:46:03.580204964 CEST	49728	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.584590912 CEST	49729	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.584654093 CEST	443	49729	124.122.47.148	192.168.2.3
May 30, 2023 21:46:03.584743977 CEST	49729	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.585154057 CEST	49729	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:03.585184097 CEST	443	49729	124.122.47.148	192.168.2.3
May 30, 2023 21:46:06.590576887 CEST	443	49729	124.122.47.148	192.168.2.3
May 30, 2023 21:46:06.591437101 CEST	49730	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:06.591505051 CEST	443	49730	124.122.47.148	192.168.2.3
May 30, 2023 21:46:06.591655016 CEST	49730	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:06.592011929 CEST	49730	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:06.592044115 CEST	443	49730	124.122.47.148	192.168.2.3
May 30, 2023 21:46:09.810112953 CEST	443	49730	124.122.47.148	192.168.2.3
May 30, 2023 21:46:09.811090946 CEST	49731	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:09.811168909 CEST	443	49731	124.122.47.148	192.168.2.3
May 30, 2023 21:46:09.811274052 CEST	49731	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:09.811358929 CEST	49731	443	192.168.2.3	124.122.47.148
May 30, 2023 21:46:09.811537027 CEST	443	49731	124.122.47.148	192.168.2.3
May 30, 2023 21:46:09.811599016 CEST	49731	443	192.168.2.3	124.122.47.148

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 4764, Parent PID: 3452

General

Target ID:	0
Start time:	21:42:06
Start date:	30/05/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\licking.dll"
Imagebase:	0x8b0000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7092, Parent PID: 4764

General

Target ID:	1
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6876, Parent PID: 4764

General

Target ID:	2
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7116, Parent PID: 4764

General

Target ID:	3
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_i
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3320, Parent PID: 6876

General

Target ID:	4
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",#1
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5080, Parent PID: 3320

General

Target ID:	8
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 660
Imagebase:	0x7ff745070000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5200, Parent PID: 7116

General

Target ID:	9
Start time:	21:42:07
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 672
Imagebase:	0xf70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2016, Parent PID: 4764

General

Target ID:	10
Start time:	21:42:10
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_q
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7052, Parent PID: 4764

General

Target ID:	11
Start time:	21:42:13
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\licking.dll,mv_add_stable
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7112, Parent PID: 7052

General

Target ID:	13
Start time:	21:42:13
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 664
Imagebase:	0xf70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7208, Parent PID: 4764

General

Target ID:	14
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_i
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7224, Parent PID: 4764

General

Target ID:	15
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_q
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7260, Parent PID: 4764

General

Target ID:	17
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",mv_add_stable
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7272, Parent PID: 4764

General

Target ID:	18
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",next
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.393410072.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.393553702.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7292, Parent PID: 4764

General

Target ID:	19
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_license
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7300, Parent PID: 4764

General

Target ID:	20
Start time:	21:42:16
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\licking.dll",mvutil_configuration
Imagebase:	0xff0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7332, Parent PID: 7208

General

Target ID:	21
Start time:	21:42:17
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 652
Imagebase:	0xf70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7376, Parent PID: 7260

General

Target ID:	23
Start time:	21:42:17
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 652
Imagebase:	0xf70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 7460, Parent PID: 7272

General

Target ID:	24
Start time:	21:42:20
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0xe40000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 7116, Parent PID: 4764COMMON

Non-executed Functions

Function 100206A7 Relevance: 142.6, APIs: 68, Strings: 13, Instructions: 805libraryCOMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 100206E2
mv_mallocz.LICKING ref: 100206F2
MultiByteToWideChar.KERNEL32 ref: 1002074D
mv_calloc.LICKING ref: 10020768
MultiByteToWideChar.KERNEL32 ref: 100207A0
LoadLibraryExW.KERNEL32 ref: 100207F2
MultiByteToWideChar.KERNEL32 ref: 1002083E
mv_calloc.LICKING ref: 10020859
MultiByteToWideChar.KERNEL32 ref: 10020891
LoadLibraryExW.KERNEL32 ref: 100208D9
GetDesktopWindow.USER32 ref: 10020A0C
mv_log.LICKING ref: 10020A76
_errno.MSVCRT ref: 10020AFA
mv_log.LICKING ref: 10020B82
_errno.MSVCRT ref: 10020B9A
mv_log.LICKING ref: 10020C18
wcslen.MSVCRT ref: 10020E1E
mv_realloc_array.LICKING ref: 10020E84
LoadLibraryExA.KERNEL32 ref: 10020ED6
mv_log.LICKING ref: 10021263
mv_log.LICKING ref: 100212AF
mv_log.LICKING ref: 100212D5

Strings

Direct3DCreate9, xrefs: 10020C87
Failed to load DXVA2 library, xrefs: 10020BFC
Direct3DCreate9Ex, xrefs: 10020986
Failed to load D3D9 library, xrefs: 10020B66
dxva2.dll, xrefs: 1002081B, 10020877, 10020EF0
DXVA2CreateDirect3DDeviceManager9, xrefs: 100208FA
Failed to create Direct3D device manager, xrefs: 1002126D
Using D3D9Ex device., xrefs: 10020A61
Failed to locate DXVA2CreateDirect3DDeviceManager9, xrefs: 1002124E
Failed to open device handle, xrefs: 100212C0
SetDefaultDllDirectories, xrefs: 100207B7, 100208A3, 10020B22, 10020BBD
Failed to bind Direct3D device to device manager, xrefs: 1002129A
d3d9.dll, xrefs: 10020722, 10020786, 10020EC0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$ByteCharMultiWide$LibraryLoad$_errnomv_calloc$DesktopWindowatoimv_malloczmv_realloc_arraywcslen
String ID: DXVA2CreateDirect3DDeviceManager9$Direct3DCreate9$Direct3DCreate9Ex$Failed to bind Direct3D device to device manager$Failed to create Direct3D device manager$Failed to load D3D9 library$Failed to load DXVA2 library$Failed to locate DXVA2CreateDirect3DDeviceManager9$Failed to open device handle$SetDefaultDllDirectories$Using D3D9Ex device.$d3d9.dll$dxva2.dll
API String ID: 2285110006-3565051934
Opcode ID: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
Instruction ID: 81d1aa8d4d65b830f3c484e294571b6d288d1a976026b3de523a4ddd3e2ab054
Opcode Fuzzy Hash: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
Instruction Fuzzy Hash: B372CFB49097459FD750EF68D58461EBBE1FF88344F91892EE888C7351EB78D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000DD40 Relevance: 88.2, APIs: 46, Strings: 4, Instructions: 685stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1000DD7C

Strings

channels, xrefs: 1000E600
%d channels (%[^)], xrefs: 1000DE67
ambisonic , xrefs: 1000DDB0
mono, xrefs: 1000DD56

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp
String ID: channels$%d channels (%[^)]$ambisonic $mono
API String ID: 1004003707-221731140
Opcode ID: 3fcea38b41cec4d3ebdd14d00128d4641ef764b39a3a1557bded19b5732e6eea
Instruction ID: af13545016f1191d554496b72978131d65e8235d82ba03aef5ebe22e60126d8d
Opcode Fuzzy Hash: 3fcea38b41cec4d3ebdd14d00128d4641ef764b39a3a1557bded19b5732e6eea
Instruction Fuzzy Hash: 42523574A083818FE350DF28C48065EFBE1EF89384F56892EE8999B355E775ED41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10031C30 Relevance: 39.2, APIs: 13, Strings: 9, Instructions: 668COMMON

Download Yara Rule

APIs

mv_small_strptime.LICKING ref: 10031CA8

Strings

%M:%S, xrefs: 10032264
gfff, xrefs: 100320EF
%H%M%S, xrefs: 10031E05
%Y%m%d, xrefs: 10031D8D
now, xrefs: 10031D53
%J:%M:%S, xrefs: 10031C9C
%H:%M, xrefs: 100321AA
%H:%M:%S, xrefs: 10031DEA
%Y - %m - %d, xrefs: 10031D71

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_small_strptime
String ID: %H%M%S$%H:%M$%H:%M:%S$%J:%M:%S$%M:%S$%Y - %m - %d$%Y%m%d$gfff$now
API String ID: 1704653723-929505383
Opcode ID: c07e3ed3db188dc21c8adbcd0e357f61113d2520e688381badbebc1be746c33f
Instruction ID: 8fbf63dde28870bd3f78db4de03dde82e588073897310f7f9868a07d9c83f39e
Opcode Fuzzy Hash: c07e3ed3db188dc21c8adbcd0e357f61113d2520e688381badbebc1be746c33f
Instruction Fuzzy Hash: E542F4316083458FD716CF29C48039BBBE2EBC9345F15896EE899CB352E735D946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4D0 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 306
COMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E1000D4D0(void* __ebx, void* __edi, void* __esi) {
				char _t142;
				intOrPtr _t144;
				signed int _t145;
				signed int _t148;
				char _t160;
				signed int _t163;
				signed int _t166;
				unsigned int _t178;
				signed int _t182;
				char* _t191;
				char _t192;
				char* _t206;
				void* _t211;
				unsigned int _t227;
				intOrPtr _t238;
				intOrPtr _t241;
				signed int _t243;
				signed int _t250;
				signed int _t272;
				intOrPtr _t273;
				char* _t280;
				unsigned int _t284;
				intOrPtr _t285;
				signed int _t289;
				signed int _t292;
				void* _t293;
				char* _t329;
				unsigned int _t330;
				unsigned int _t332;
				signed int _t333;
				signed int _t337;
				unsigned int _t341;
				unsigned int _t351;
				char* _t353;
				intOrPtr _t379;
				char* _t380;
				signed int _t381;
				signed int _t382;
				char* _t386;
				unsigned int _t387;
				signed int _t388;
				char* _t390;
				signed int _t395;
				void* _t397;
				signed int _t399;
				signed int _t402;
				void* _t403;
				char _t420;
				signed int _t421;
				char* _t423;
				signed int _t425;
				char* _t426;
				char* _t428;
				void* _t431;
				char** _t432;
				char** _t434;
				char** _t435;
				intOrPtr* _t438;
				void* _t440;

				_push(__edi);
				_push(__esi);
				_push(__ebx);
				_t432 = _t431 - 0x2c;
				_t423 = _t432[0x10];
				_t432[6] = _t432[0x11];
				_t142 =  *_t423;
				_t440 = _t142 - 2;
				if(_t440 == 0) {
					L60();
					if(_t432[6] >= 0) {
						goto L8;
					} else {
						goto L14;
					}
					goto L12;
				} else {
					if(_t440 > 0) {
						if(_t142 != 3) {
							_t144 = 0xffffffea;
							goto L12;
						} else {
							_t191 = _t432[6];
							_t434 =  &(_t432[0xb]);
							_t353 = _t423;
							_pop(_t273);
							_pop(_t403);
							_pop(_t389);
							_pop(_t427);
							_t428 = _t353;
							_t390 = _t191;
							_push(_t403);
							_push(_t273);
							_t435 = _t434 - 0x4c;
							_t192 =  *_t353;
							if(_t192 == 3) {
								_t206 = _t428[4];
								_t280 =  &(_t206[ !((((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + (((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
								goto L74;
							} else {
								_t332 = _t353[8];
								if(_t192 != 2) {
									_t435[5] = 0x29a;
									_t435[1] = 0;
									 *_t435 = 0;
									_t435[4] = "libavutil/channel_layout.c";
									_t435[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
									_t435[2] = "Assertion %s failed at %s:%d\n";
									E10026560();
									abort();
									_t438 = _t435 - 0x41c;
									 *((intOrPtr*)(_t438 + 0x418)) = _t273;
									_t238 =  *((intOrPtr*)(_t438 + 0x424));
									_t379 =  *((intOrPtr*)(_t438 + 0x428));
									if(_t238 != 0 || _t379 == 0) {
										 *((intOrPtr*)(_t438 + 8)) = _t379;
										_t285 = _t438 + 0x10;
										 *((intOrPtr*)(_t438 + 4)) = _t238;
										 *_t438 = _t285;
										E100089A0();
										 *((intOrPtr*)(_t438 + 4)) = _t285;
										 *_t438 =  *((intOrPtr*)(_t438 + 0x420));
										_t241 = E1000D4D0(_t285, _t390, _t403);
										if(_t241 >= 0) {
											_t241 =  *((intOrPtr*)(_t438 + 0x14));
										}
									} else {
										_t241 = 0xffffffea;
									}
									return _t241;
								} else {
									_t420 = _t353[4];
									_t380 = 0;
									_t280 = 0xffffffff;
									if(_t420 > 0) {
										do {
											_t206 =  *_t332 - 0x400;
											if(_t206 > 0x3ff) {
												goto L67;
											} else {
												if(_t380 > 0) {
													if( *((intOrPtr*)(_t332 - 0x18)) - 0x400 > 0x3ff || _t206 != _t380) {
														goto L72;
													} else {
														goto L66;
													}
												} else {
													if(_t206 > 0x3ff) {
														goto L67;
													} else {
														if(_t206 == _t380) {
															L66:
															_t280 = _t380;
															goto L67;
														} else {
															goto L72;
														}
													}
												}
											}
											goto L91;
											L67:
											_t380 =  &(_t380[1]);
											_t332 = _t332 + 0x18;
										} while (_t380 != _t420);
										L74:
										if(_t280 < 0) {
											goto L72;
										} else {
											asm("pxor xmm0, xmm0");
											asm("cvtsi2sd xmm0, ebx");
											asm("sqrtsd xmm0, xmm0");
											asm("cvttsd2si eax, xmm0");
											_t406 =  &(_t206[1]) *  &(_t206[1]);
											if(_t406 !=  &(_t280[1])) {
												goto L72;
											} else {
												_t435[2] = _t206;
												_t435[1] = "ambisonic %d";
												 *_t435 = _t390;
												E100089C0();
												_t329 = _t428[4];
												if(_t329 > _t406) {
													_t211 = 0;
													do {
														 *((intOrPtr*)(_t435 + _t211 + 0x28)) = 0;
														 *((intOrPtr*)(_t435 + _t211 + 0x2c)) = 0;
														_t211 = _t211 + 8;
													} while (_t211 < 0x18);
													if( *_t428 == 3) {
														_t330 = _t428[8];
														_t435[0xa] = 1;
														_t284 = _t428[0xc];
														_t435[0xc] = _t330;
														_t435[0xd] = _t284;
														_t227 = (((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
														_t406 = _t227 >> 0x10;
														_t435[0xb] = ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t227 + (_t227 >> 0x00000010) & 0x0000003f);
													} else {
														_t284 = 2;
														_t435[0xa] = 2;
														_t435[0xb] = _t329 - _t406;
														_t435[0xc] = _t428[8] + (_t406 + _t406 * 2) * 8;
													}
													 *_t435 = _t390;
													_t435[2] = 1;
													_t435[1] = 0x2b;
													E10008D20();
													_t435[1] = _t390;
													 *_t435 =  &(_t435[0xa]);
													E1000D4D0(_t284, _t390, _t406);
												}
												return 0;
											}
										}
									} else {
										L72:
										return 0xffffffea;
									}
								}
							}
						}
					} else {
						if(_t142 == 0) {
							_t148 = _t423[4];
							goto L59;
						} else {
							_t421 = _t423[8];
							_t243 = 4;
							_t333 = 0;
							_t289 = _t423[0xc];
							_t381 = 0;
							while((_t333 ^ _t289 | _t243 ^ _t421) != 0) {
								_t381 =  &(1[_t381]);
								if(_t381 == 0x1f) {
									L14:
									_t145 = _t423[4];
									if(_t145 != 0) {
										_t432[2] = _t145;
										_t432[1] = "%d channels (";
										 *_t432 = _t432[6];
										E100089C0();
										_t395 = _t423[4];
										if(_t395 > 0) {
											_t425 = 0;
											_t386 = _t423;
											goto L19;
											do {
												do {
													L19:
													if(_t425 >= _t395) {
														L57:
														_t432[1] = 0x100b1acf;
														 *_t432 = _t432[6];
														E100089C0();
														goto L24;
													} else {
														_t160 =  *_t386;
														if(_t160 == 2) {
															_t292 =  *(_t386[8] + (_t425 + _t425 * 2) * 8);
															_t250 = _t292 - 0x400;
															if(_t425 != 0) {
																_t432[4] = _t292;
																_t432[1] = 0x100b1acf;
																 *_t432 = _t432[6];
																E100089C0();
																_t292 = _t432[4];
															}
															if(_t250 > 0x3ff) {
																goto L53;
															} else {
																goto L51;
															}
														} else {
															if(_t160 == 3) {
																_t178 = _t386[8];
																_t432[4] = _t178;
																_t432[5] = _t386[0xc];
																_t397 = _t395 - (((((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000010) + (((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) & 0x0000003f) + ((((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f);
																_t272 = _t425 - _t397;
																if(_t425 >= _t397) {
																	goto L32;
																} else {
																	_t250 = 0;
																	if(_t425 == 0) {
																		L51:
																		_t432[2] = _t250;
																		_t432[1] = "AMBI%d";
																		 *_t432 = _t432[6];
																		E100089C0();
																	} else {
																		_t250 = _t425;
																		_t432[1] = 0x100b1acf;
																		_t64 = _t425 + 0x400; // 0x401
																		_t432[4] = _t64;
																		 *_t432 = _t432[6];
																		E100089C0();
																		_t292 = _t432[4];
																		if(_t425 <= 0x3ff) {
																			goto L51;
																		} else {
																			goto L47;
																		}
																	}
																}
															} else {
																if(_t160 == 1) {
																	_t272 = _t425;
																	_t432[4] = _t386[8];
																	_t432[5] = _t386[0xc];
																	L32:
																	_t432[7] = _t425;
																	_t182 = _t432[4];
																	_t292 = 0;
																	_t351 = _t432[5];
																	_t426 = _t386;
																	do {
																		_t387 = _t351;
																		_t399 = (_t387 << 0x00000020 | _t182) >> _t292;
																		_t388 = _t387 >> _t292;
																		if((_t292 & 0x00000020) != 0) {
																			_t399 = _t388;
																		}
																		if((_t399 & 0x00000001) == 0) {
																			goto L34;
																		} else {
																			_t49 = _t272 - 1; // 0x0
																			_t402 = _t49;
																			if(_t272 != 0) {
																				_t272 = _t402;
																				goto L34;
																			} else {
																				_t386 = _t426;
																				_t425 = _t432[7];
																				if(_t425 != 0) {
																					_t432[4] = _t292;
																					_t432[1] = 0x100b1acf;
																					 *_t432 = _t432[6];
																					E100089C0();
																					_t292 = _t432[4];
																					L53:
																					if(_t292 <= 0x28) {
																						goto L41;
																					} else {
																						if(_t292 != 0xffffffff) {
																							goto L47;
																						} else {
																							goto L24;
																						}
																					}
																				} else {
																					if(_t292 > 0x28) {
																						L47:
																						_t432[2] = _t292;
																						_t432[1] = "USR%d";
																						 *_t432 = _t432[6];
																						E100089C0();
																					} else {
																						L41:
																						_t163 =  *(0x100b2280 + _t292 * 8);
																						if(_t163 == 0) {
																							goto L47;
																						} else {
																							_t432[2] = _t163;
																							_t432[1] = "%s";
																							 *_t432 = _t432[6];
																							E100089C0();
																						}
																					}
																				}
																			}
																		}
																		goto L25;
																		L34:
																		_t292 =  &(1[_t292]);
																	} while (_t292 != 0x40);
																	_t386 = _t426;
																	_t425 = _t432[7];
																	if(_t425 == 0) {
																		goto L24;
																	} else {
																		goto L57;
																	}
																	goto L29;
																} else {
																	if(_t425 != 0) {
																		goto L57;
																	}
																	L24:
																	_t432[1] = "NONE";
																	 *_t432 = _t432[6];
																	E100089C0();
																}
															}
														}
													}
													L25:
													if( *_t386 != 2) {
														goto L18;
													} else {
														_t341 = _t386[8];
														_t166 = _t425 + _t425 * 2;
														_t293 = _t341 + _t166 * 8;
														if( *((char*)(_t341 + 4 + _t166 * 8)) == 0) {
															goto L18;
														} else {
															goto L27;
														}
													}
													goto L29;
													L27:
													_t425 =  &(1[_t425]);
													_t432[2] = _t293 + 4;
													_t432[1] = "@%s";
													 *_t432 = _t432[6];
													E100089C0();
													_t395 = _t386[4];
												} while (_t395 > _t425);
												goto L29;
												L18:
												_t395 = _t386[4];
												_t425 =  &(1[_t425]);
											} while (_t395 > _t425);
										}
										L29:
										if(_t395 == 0) {
											goto L15;
										} else {
											_t432[1] = 0x100b1ad1;
											 *_t432 = _t432[6];
											E100089C0();
											_t144 = 0;
										}
									} else {
										L15:
										_t148 = 0;
										L59:
										_t432[2] = _t148;
										_t432[1] = "%d channels";
										 *_t432 = _t432[6];
										E100089C0();
										_t144 = 0;
									}
								} else {
									_t337 = _t381 << 5;
									_t6 = _t337 + 0x100b1c90; // 0x0
									_t243 =  *_t6;
									_t7 = _t337 + 0x100b1c94; // 0x0
									_t333 =  *_t7;
									continue;
								}
								goto L12;
							}
							_t382 = _t381 << 5;
							_t432[1] = "%s";
							_t9 = _t382 + 0x100b1c80; // 0x100b1abb
							_t432[2] =  *_t9;
							 *_t432 = _t432[6];
							E100089C0();
							L8:
							_t144 = 0;
						}
						L12:
						return _t144;
					}
				}
				L91:
			}

0x1000d4d1
0x1000d4d2
0x1000d4d3
0x1000d4d4
0x1000d4db
0x1000d4df
0x1000d4e3
0x1000d4e6
0x1000d4e9
0x1000d586
0x1000d58d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d4ef
0x1000d4ef
0x1000d55b
0x1000d570
0x00000000
0x1000d55d
0x1000d55d
0x1000d561
0x1000d564
0x1000d566
0x1000d567
0x1000d568
0x1000d569
0x1000d911
0x1000d914
0x1000d916
0x1000d917
0x1000d918
0x1000d91b
0x1000d920
0x1000da10
0x1000da15
0x00000000
0x1000d922
0x1000d925
0x1000d928
0x1000db65
0x1000db6f
0x1000db73
0x1000db76
0x1000db7e
0x1000db86
0x1000db8e
0x1000db93
0x1000dba0
0x1000dba6
0x1000dbad
0x1000dbb4
0x1000dbbd
0x1000dbc3
0x1000dbc7
0x1000dbcb
0x1000dbcf
0x1000dbd2
0x1000dbde
0x1000dbe2
0x1000dbe5
0x1000dbec
0x1000dbee
0x1000dbee
0x1000dc00
0x1000dc00
0x1000dc00
0x1000dbff
0x1000d92e
0x1000d92e
0x1000d931
0x1000d933
0x1000d93a
0x1000d963
0x1000d965
0x1000d96f
0x00000000
0x1000d971
0x1000d973
0x1000d94f
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d975
0x1000d97a
0x00000000
0x1000d97c
0x1000d980
0x1000d955
0x1000d955
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d980
0x1000d97a
0x1000d973
0x00000000
0x1000d957
0x1000d957
0x1000d958
0x1000d95b
0x1000da17
0x1000da19
0x00000000
0x1000da1f
0x1000da1f
0x1000da23
0x1000da27
0x1000da2b
0x1000da33
0x1000da38
0x00000000
0x1000da3e
0x1000da3e
0x1000da47
0x1000da4b
0x1000da4e
0x1000da53
0x1000da58
0x1000da5c
0x1000da5e
0x1000da5e
0x1000da62
0x1000da66
0x1000da69
0x1000da72
0x1000dac8
0x1000dad0
0x1000dad4
0x1000dad7
0x1000dadf
0x1000db44
0x1000db4f
0x1000db5c
0x1000da74
0x1000da7a
0x1000da7f
0x1000da85
0x1000da8c
0x1000da8c
0x1000da90
0x1000da9d
0x1000daa1
0x1000daa5
0x1000daae
0x1000dab2
0x1000dab5
0x1000dab5
0x1000dac3
0x1000dac3
0x1000da38
0x1000d93c
0x1000d982
0x1000d98e
0x1000d98e
0x1000d93a
0x1000d928
0x1000d920
0x1000d4f1
0x1000d4f3
0x1000d8e0
0x00000000
0x1000d4f9
0x1000d4f9
0x1000d4fc
0x1000d501
0x1000d503
0x1000d506
0x1000d527
0x1000d510
0x1000d514
0x1000d58f
0x1000d58f
0x1000d594
0x1000d59d
0x1000d5aa
0x1000d5ae
0x1000d5b1
0x1000d5b6
0x1000d5bb
0x1000d5c5
0x1000d5c7
0x1000d5c9
0x1000d5dc
0x1000d5dc
0x1000d5dc
0x1000d5de
0x1000d8be
0x1000d8c3
0x1000d8cb
0x1000d8ce
0x00000000
0x1000d5e4
0x1000d5e4
0x1000d5e9
0x1000d82c
0x1000d82e
0x1000d834
0x1000d836
0x1000d83f
0x1000d847
0x1000d84a
0x1000d84f
0x1000d84f
0x1000d859
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d5ef
0x1000d5f2
0x1000d720
0x1000d726
0x1000d72e
0x1000d7b9
0x1000d7bb
0x1000d7bf
0x00000000
0x1000d7c5
0x1000d7c5
0x1000d7c9
0x1000d85b
0x1000d85b
0x1000d864
0x1000d86c
0x1000d86f
0x1000d7cf
0x1000d7d4
0x1000d7d6
0x1000d7de
0x1000d7e4
0x1000d7e8
0x1000d7eb
0x1000d7f6
0x1000d7fa
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d7fa
0x1000d7c9
0x1000d5f8
0x1000d5f9
0x1000d68b
0x1000d690
0x1000d694
0x1000d698
0x1000d698
0x1000d69c
0x1000d6a0
0x1000d6a2
0x1000d6a6
0x1000d6bc
0x1000d6bc
0x1000d6c0
0x1000d6c3
0x1000d6c8
0x1000d6ca
0x1000d6ca
0x1000d6d2
0x00000000
0x1000d6d4
0x1000d6d4
0x1000d6d4
0x1000d6d9
0x1000d6b0
0x00000000
0x1000d6db
0x1000d6db
0x1000d6dd
0x1000d6e3
0x1000d879
0x1000d882
0x1000d88a
0x1000d88d
0x1000d892
0x1000d896
0x1000d899
0x00000000
0x1000d89f
0x1000d8a2
0x00000000
0x1000d8a8
0x00000000
0x1000d8a8
0x1000d8a2
0x1000d6e9
0x1000d6ec
0x1000d800
0x1000d800
0x1000d80d
0x1000d811
0x1000d814
0x1000d6f2
0x1000d6f2
0x1000d6f2
0x1000d6fb
0x00000000
0x1000d701
0x1000d701
0x1000d70a
0x1000d712
0x1000d715
0x1000d715
0x1000d6fb
0x1000d6ec
0x1000d6e3
0x1000d6d9
0x00000000
0x1000d6b2
0x1000d6b2
0x1000d6b3
0x1000d8b0
0x1000d8b2
0x1000d8b8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d5ff
0x1000d601
0x00000000
0x00000000
0x1000d607
0x1000d610
0x1000d614
0x1000d617
0x1000d617
0x1000d5f9
0x1000d5f2
0x1000d5e9
0x1000d620
0x1000d623
0x00000000
0x1000d625
0x1000d625
0x1000d628
0x1000d631
0x1000d634
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d634
0x00000000
0x1000d636
0x1000d63d
0x1000d63e
0x1000d647
0x1000d64b
0x1000d64e
0x1000d653
0x1000d656
0x00000000
0x1000d5d0
0x1000d5d0
0x1000d5d3
0x1000d5d4
0x1000d5dc
0x1000d660
0x1000d662
0x00000000
0x1000d668
0x1000d671
0x1000d675
0x1000d678
0x1000d67d
0x1000d67d
0x1000d596
0x1000d596
0x1000d596
0x1000d8e3
0x1000d8e3
0x1000d8ec
0x1000d8f4
0x1000d8f7
0x1000d8fc
0x1000d8fc
0x1000d516
0x1000d518
0x1000d51b
0x1000d51b
0x1000d521
0x1000d521
0x00000000
0x1000d521
0x00000000
0x1000d514
0x1000d52f
0x1000d537
0x1000d53b
0x1000d541
0x1000d549
0x1000d54c
0x1000d551
0x1000d551
0x1000d551
0x1000d575
0x1000d57c
0x1000d57c
0x1000d4ef
0x00000000

APIs

mv_bprintf.LICKING ref: 1000D54C
mv_bprintf.LICKING ref: 1000D8F7

Strings

USR%d, xrefs: 1000D808
@%s, xrefs: 1000D642
AMBI%d, xrefs: 1000D85F
%d channels, xrefs: 1000D8E7
NONE, xrefs: 1000D60B
%d channels (, xrefs: 1000D5A5

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
API String ID: 3083893021-1306170362
Opcode ID: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
Instruction ID: 96990cf085468aa9ba630c0c0793423886e9eba89b3e303bf26647e4a11a856d
Opcode Fuzzy Hash: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
Instruction Fuzzy Hash: 8BB1A675A087068BD714EF28C48066EB7E1FF882D0F55892EE989C7345EB31ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10035030 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 10035059
BCryptGenRandom.BCRYPT ref: 10035083
BCryptCloseAlgorithmProvider.BCRYPT ref: 1003509A
mvpriv_open.LICKING ref: 100350B7
_read.MSVCRT ref: 100350D7
_close.MSVCRT ref: 100350E1
mvpriv_open.LICKING ref: 100350FC
_read.MSVCRT ref: 1003511C
_close.MSVCRT ref: 10035126
clock.MSVCRT ref: 10035208

Strings

RNG, xrefs: 1003503A
Microsoft Primitive Provider, xrefs: 10035034
N, xrefs: 10035375

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Crypt$AlgorithmProvider_close_readmvpriv_open$CloseOpenRandomclock
String ID: Microsoft Primitive Provider$N$RNG
API String ID: 4139849330-2077157618
Opcode ID: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
Instruction ID: 55d25eed0a1b74d277015fe739bb6a08acfe9f0c77a35e4a57d9ad1f3d4738c5
Opcode Fuzzy Hash: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
Instruction Fuzzy Hash: E891A075A043508FE304DF78C9C021ABBE2FBC9311F51897EE9889B365EB75D9448B51

Uniqueness

Uniqueness Score: -1.00%

Function 1001F523 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 273
libraryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 30%

			E1001F523(intOrPtr _a4, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v64;
				intOrPtr _v96;
				signed int _v100;
				char _v320;
				signed char _v328;
				intOrPtr _v336;
				intOrPtr _v344;
				intOrPtr _v352;
				void* _v356;
				signed int _v360;
				char _v364;
				intOrPtr* _v368;
				intOrPtr _v376;
				intOrPtr _v384;
				signed int _v388;
				char _v392;
				void* _v396;
				intOrPtr _v400;
				intOrPtr* _v404;
				intOrPtr* _v408;
				void* _v412;
				CHAR* _v416;
				signed int _v420;
				char _v424;
				int _v428;
				void* _v452;
				char* _v456;
				intOrPtr _v460;
				char _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				char _v476;
				intOrPtr _v480;
				void* _t93;
				struct HINSTANCE__* _t94;
				intOrPtr _t102;
				void* _t108;
				intOrPtr* _t109;
				char _t110;
				void* _t111;
				intOrPtr* _t112;
				intOrPtr* _t115;
				void* _t116;
				struct HINSTANCE__* _t117;
				_Unknown_base(*)()* _t118;
				void* _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				void* _t127;
				void* _t134;
				int _t136;
				void* _t140;
				intOrPtr* _t142;
				intOrPtr* _t144;
				_Unknown_base(*)()* _t146;
				intOrPtr _t147;
				signed int _t152;
				char _t155;
				intOrPtr _t162;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr* _t169;
				intOrPtr* _t191;
				intOrPtr _t194;
				void* _t195;
				void* _t198;
				void* _t200;
				void* _t201;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t205;

				_v328 = 0;
				_t191 =  *((intOrPtr*)(_a4 + 0xc));
				_t93 = E100110D0(_a12, "debug", 0, 0);
				_t94 = LoadLibraryA("d3d11_1sdklayers.dll");
				_t200 = _t198 - 0x178;
				if(_t93 == 0 || _t94 == 0) {
					_t194 = 0x800;
					_v344 = 0;
				} else {
					_t194 = 0x802;
					_v344 = 1;
				}
				_v396 = 0x100d7268;
				_v320 = 0;
				_t152 =  &_v320;
				_v384 = 0;
				_v388 = _t152;
				_v392 = 0;
				__imp__InitOnceBeginInitialize();
				_t201 = _t200 - 0x10;
				if(_v336 != 0) {
					_v356 = E100A7C1C("d3d11.dll", 0, 0);
					_t102 = E100A7C1C("dxgi.dll", 0, 0);
					_t155 = _v356;
					if(_t155 != 0) {
						_v352 = _t102;
						if(_t102 != 0) {
							_v412 = _t155;
							_v408 = "D3D11CreateDevice";
							_v356 = GetProcAddress;
							_t146 = GetProcAddress(??, ??);
							_v416 = "CreateDXGIFactory1";
							_t169 = _v364;
							 *0x100d7260 = _t146;
							_v420 = _v360;
							_t147 =  *_t169(0, 0);
							_push(_t169);
							_push(_t169);
							 *0x100d7264 = _t147;
						}
					}
				}
				_v412 = 0x100d7268;
				_v404 = 0;
				_v408 = 0;
				__imp__InitOnceComplete();
				_t202 = _t201 - 0xc;
				if( *0x100d7260 == 0) {
					L29:
					E10026560(_v24, 0x10, "Failed to load D3D11 library or its functions\n");
					goto L30;
				} else {
					_t109 =  *0x100d7264;
					if(_t109 == 0) {
						goto L29;
					}
					if(_v20 != 0) {
						_v420 = _t152;
						_v424 = 0x100c75a0;
						_t134 =  *_t109();
						_t202 = _t202 - 8;
						if(_t134 >= 0) {
							 *_t202 = _v28;
							_t136 = atoi(??);
							_v424 =  &_v364;
							_v428 = _t136;
							 *_t202 = _v356;
							_t140 =  *((intOrPtr*)( *_v356 + 0x1c))();
							_t205 = _t202 - 0xc;
							if(_t140 < 0) {
								_v376 = 0;
								_t142 = _v368;
								 *_t205 = _t142;
								 *((intOrPtr*)( *_t142 + 8))();
								_t202 = _t205 - 4;
							} else {
								_t144 = _v368;
								 *_t205 = _t144;
								 *((intOrPtr*)( *_t144 + 8))();
								_t202 = _t205 - 4;
							}
						}
					}
					_t110 = _v356;
					if(_t110 != 0) {
						_v420 = _t152;
						_v424 = _t110;
						_t127 =  *((intOrPtr*)( *_t110 + 0x20))();
						_t202 = _t202 - 8;
						if(_t127 >= 0) {
							_v412 = _t152;
							_v416 = _v96;
							_v420 = _v100;
							_v424 = "Using device %04x:%04x (%ls).\n";
							_v428 = 0x20;
							 *_t202 = _v32;
							E10026560();
						}
						_t110 = _v364;
					}
					_v412 = _t194;
					_v388 = 0;
					_v392 = 0;
					_v400 = 7;
					_v404 = 0;
					_v408 = 0;
					_v396 = _t191;
					_v416 = 0;
					_v420 = 0 | _t110 == 0x00000000;
					_v424 = _t110;
					_t111 =  *0x100d7260();
					_t202 = _t202 - 0x28;
					_t195 = _t111;
					_t112 = _v396;
					if(_t112 != 0) {
						_v464 = _t112;
						 *((intOrPtr*)( *_t112 + 8))();
						_t202 = _t202 - 4;
					}
					if(_t195 < 0) {
						E10026560(_v64, 0x10, "Failed to create Direct3D device (%lx)\n", _t195);
						L30:
						_t108 = 0xb1b4b1ab;
						goto L19;
					} else {
						_t115 =  *_t191;
						_v456 =  &_v392;
						_v460 = 0x100c70d0;
						_v464 = _t115;
						_t116 =  *((intOrPtr*)( *_t115))();
						_t202 = _t202 - 0xc;
						if(_t116 >= 0) {
							_t122 = _v404;
							_v472 = 1;
							_v476 = _t122;
							 *((intOrPtr*)( *_t122 + 0x14))();
							_t204 = _t202 - 8;
							_t124 = _v412;
							 *_t204 = _t124;
							 *((intOrPtr*)( *_t124 + 8))();
							_t202 = _t204 - 4;
						}
						if(_v424 != 0) {
							_t117 = LoadLibraryA("dxgidebug.dll");
							_t202 = _t202 - 4;
							if(_t117 != 0) {
								_t118 = GetProcAddress(_t117, "DXGIGetDebugInterface");
								_t202 = _t202 - 8;
								if(_t118 != 0) {
									_v472 = _t152;
									_v400 = 0;
									_v476 = 0x100c7530;
									_t119 =  *_t118();
									_t202 = _t202 - 8;
									if(_t119 >= 0) {
										_t120 = _v408;
										if(_t120 != 0) {
											_v464 = 7;
											_t162 =  *0x100c6e30; // 0xe48ae283
											 *_t202 = _t120;
											_v480 = _t162;
											_t163 =  *0x100c6e34; // 0x490bda80
											_v476 = _t163;
											_t164 =  *0x100c6e38; // 0xe943e687
											_v472 = _t164;
											_t165 =  *0x100c6e3c; // 0x8dacfa9
											_v468 = _t165;
											 *((intOrPtr*)( *_t120 + 0xc))();
											_t202 = _t202 - 0x18;
										}
									}
								}
							}
						}
						_t108 = 0;
						L19:
						return _t108;
					}
				}
			}

0x1001f545
0x1001f550
0x1001f569
0x1001f57d
0x1001f57f
0x1001f584
0x1001f5a2
0x1001f5a7
0x1001f58a
0x1001f58f
0x1001f594
0x1001f594
0x1001f5ab
0x1001f5b6
0x1001f5ba
0x1001f5be
0x1001f5c4
0x1001f5c8
0x1001f5cc
0x1001f5d2
0x1001f5db
0x1001f8b6
0x1001f8bf
0x1001f8c4
0x1001f8ca
0x1001f8d0
0x1001f8d6
0x1001f8dc
0x1001f8e5
0x1001f8ed
0x1001f8f1
0x1001f8f9
0x1001f901
0x1001f905
0x1001f90a
0x1001f90d
0x1001f90f
0x1001f910
0x1001f911
0x1001f911
0x1001f8d6
0x1001f8ca
0x1001f5e1
0x1001f5ea
0x1001f5f0
0x1001f5f4
0x1001f5ff
0x1001f604
0x1001f85a
0x1001f876
0x00000000
0x1001f60a
0x1001f60a
0x1001f611
0x00000000
0x00000000
0x1001f620
0x1001f622
0x1001f626
0x1001f62d
0x1001f62f
0x1001f634
0x1001f7f7
0x1001f7fa
0x1001f80b
0x1001f813
0x1001f817
0x1001f81a
0x1001f81d
0x1001f822
0x1001f842
0x1001f846
0x1001f84c
0x1001f84f
0x1001f852
0x1001f824
0x1001f824
0x1001f82a
0x1001f82d
0x1001f830
0x1001f830
0x1001f822
0x1001f634
0x1001f63a
0x1001f640
0x1001f644
0x1001f648
0x1001f64b
0x1001f64e
0x1001f653
0x1001f7b0
0x1001f7bb
0x1001f7c6
0x1001f7cf
0x1001f7d8
0x1001f7e3
0x1001f7e6
0x1001f7e6
0x1001f659
0x1001f659
0x1001f65d
0x1001f665
0x1001f66e
0x1001f674
0x1001f67a
0x1001f680
0x1001f688
0x1001f68f
0x1001f693
0x1001f697
0x1001f69a
0x1001f6a0
0x1001f6a3
0x1001f6a5
0x1001f6ab
0x1001f6af
0x1001f6b2
0x1001f6b5
0x1001f6b5
0x1001f6ba
0x1001f8a5
0x1001f87b
0x1001f87b
0x00000000
0x1001f6c0
0x1001f6c0
0x1001f6cd
0x1001f6d1
0x1001f6d5
0x1001f6d8
0x1001f6da
0x1001f6df
0x1001f6e1
0x1001f6ec
0x1001f6f0
0x1001f6f3
0x1001f6f6
0x1001f6f9
0x1001f6ff
0x1001f702
0x1001f705
0x1001f705
0x1001f70e
0x1001f727
0x1001f729
0x1001f72e
0x1001f73c
0x1001f742
0x1001f747
0x1001f749
0x1001f74f
0x1001f753
0x1001f75a
0x1001f75c
0x1001f761
0x1001f763
0x1001f769
0x1001f772
0x1001f776
0x1001f77c
0x1001f77f
0x1001f783
0x1001f789
0x1001f78d
0x1001f793
0x1001f797
0x1001f79d
0x1001f7a1
0x1001f7a4
0x1001f7a4
0x1001f769
0x1001f761
0x1001f747
0x1001f72e
0x1001f710
0x1001f712
0x1001f71c
0x1001f71c
0x1001f6ba

APIs

mv_dict_get.LICKING ref: 1001F569
LoadLibraryA.KERNEL32 ref: 1001F57D
InitOnceBeginInitialize.KERNEL32 ref: 1001F5CC
InitOnceComplete.KERNEL32 ref: 1001F5F4

Strings

DXGIGetDebugInterface, xrefs: 1001F733
Failed to load D3D11 library or its functions, xrefs: 1001F861
Failed to create Direct3D device (%lx), xrefs: 1001F890
Using device %04x:%04x (%ls)., xrefs: 1001F7CA
debug, xrefs: 1001F534
d3d11.dll, xrefs: 1001F8AC
dxgi.dll, xrefs: 1001F8BA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitOnce$BeginCompleteInitializeLibraryLoadmv_dict_get
String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11.dll$debug$dxgi.dll
API String ID: 2640887736-2754084114
Opcode ID: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
Instruction ID: b26665e88cdb3ff3bd93bc6ff27e16a968a577adae798b8ccfa67922602f4651
Opcode Fuzzy Hash: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
Instruction Fuzzy Hash: 4EB1E4B4A087419FD354EF69D58462ABBF1FF89740F41892EE989CB354EB34D884CB42

Uniqueness

Uniqueness Score: -1.00%

Function 100132D0 Relevance: 28.6, APIs: 19, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100132D0() {
				void* _t43;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr* _t78;
				intOrPtr* _t84;
				intOrPtr* _t87;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr* _t95;

				_t95 = _t94 - 0x2c;
				_t87 =  *((intOrPtr*)(_t95 + 0x40));
				if(_t87 != 0) {
					if( *((intOrPtr*)(_t87 + 0xc)) == 0) {
						L4:
						_t84 =  *((intOrPtr*)(_t87 + 0x1c));
						if(_t84 == 0) {
							L21:
							 *_t95 =  *_t87;
							L23();
							 *_t95 =  *((intOrPtr*)(_t87 + 8));
							L23();
							 *_t95 =  *((intOrPtr*)(_t87 + 0x14));
							L23();
							 *((intOrPtr*)(_t95 + 0x40)) = _t87;
							return __imp___aligned_free();
						}
						if( *((intOrPtr*)(_t84 + 0xc)) == 0) {
							L8:
							_t93 =  *((intOrPtr*)(_t84 + 0x1c));
							if(_t93 == 0) {
								L20:
								 *_t95 =  *_t84;
								L23();
								 *_t95 =  *((intOrPtr*)(_t84 + 8));
								L23();
								 *_t95 =  *((intOrPtr*)(_t84 + 0x14));
								L23();
								 *_t95 = _t84;
								L23();
								goto L21;
							}
							if( *((intOrPtr*)(_t93 + 0xc)) == 0) {
								L12:
								_t78 =  *((intOrPtr*)(_t93 + 0x1c));
								if(_t78 == 0) {
									L19:
									 *_t95 =  *_t93;
									L23();
									 *_t95 =  *((intOrPtr*)(_t93 + 8));
									L23();
									 *_t95 =  *((intOrPtr*)(_t93 + 0x14));
									L23();
									 *_t95 = _t93;
									L23();
									goto L20;
								}
								if( *((intOrPtr*)(_t78 + 0xc)) == 0) {
									L16:
									_t55 =  *((intOrPtr*)(_t78 + 0x1c));
									if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
										 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
										E10012850(_t55);
										_t78 =  *((intOrPtr*)(_t95 + 0x1c));
									}
									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
									 *_t95 =  *_t78;
									L23();
									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 8));
									L23();
									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 0x14));
									L23();
									 *_t95 =  *((intOrPtr*)(_t95 + 0x1c));
									L23();
									goto L19;
								}
								_t72 = 0;
								do {
									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
									_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 8)) + _t72 * 4));
									_t72 = _t72 + 1;
									 *_t95 = _t61;
									L23();
									_t78 =  *((intOrPtr*)(_t95 + 0x1c));
								} while (_t72 <  *((intOrPtr*)(_t78 + 0xc)));
								goto L16;
							}
							_t73 = 0;
							do {
								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + _t73 * 4));
								_t73 = _t73 + 1;
								 *_t95 = _t63;
								L23();
							} while (_t73 <  *((intOrPtr*)(_t93 + 0xc)));
							goto L12;
						}
						_t74 = 0;
						do {
							_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 8)) + _t74 * 4));
							_t74 = _t74 + 1;
							 *_t95 = _t65;
							L23();
						} while (_t74 <  *((intOrPtr*)(_t84 + 0xc)));
						goto L8;
					}
					_t75 = 0;
					do {
						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + _t75 * 4));
						_t75 = _t75 + 1;
						 *_t95 = _t67;
						L23();
					} while (_t75 <  *((intOrPtr*)(_t87 + 0xc)));
					goto L4;
				}
				return _t43;
			}

0x100132d4
0x100132d7
0x100132dd
0x100132e8
0x10013304
0x10013304
0x10013309
0x10013439
0x1001343b
0x1001343e
0x10013446
0x10013449
0x10013451
0x10013454
0x10013459
0x100290d0
0x100290d0
0x10013314
0x10013334
0x10013334
0x10013339
0x10013411
0x10013413
0x10013416
0x1001341e
0x10013421
0x10013429
0x1001342c
0x10013431
0x10013434
0x00000000
0x10013434
0x10013344
0x10013364
0x10013364
0x10013369
0x100133e8
0x100133eb
0x100133ee
0x100133f6
0x100133f9
0x10013401
0x10013404
0x10013409
0x1001340c
0x00000000
0x1001340c
0x10013370
0x1001339c
0x1001339c
0x100133a1
0x100133a3
0x100133a7
0x100133ac
0x100133ac
0x100133b0
0x100133b6
0x100133b9
0x100133c5
0x100133c8
0x100133d4
0x100133d7
0x100133e0
0x100133e3
0x00000000
0x100133e3
0x10013372
0x10013380
0x10013380
0x10013387
0x1001338a
0x1001338b
0x1001338e
0x10013393
0x10013397
0x00000000
0x10013380
0x10013346
0x10013350
0x10013353
0x10013356
0x10013357
0x1001335a
0x1001335f
0x00000000
0x10013350
0x10013316
0x10013320
0x10013323
0x10013326
0x10013327
0x1001332a
0x1001332f
0x00000000
0x10013320
0x100132ea
0x100132f0
0x100132f3
0x100132f6
0x100132f7
0x100132fa
0x100132ff
0x00000000
0x100132f0
0x10013477

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
Instruction ID: aab0cb6abdf460125275c6e5ebe0c2fb3ff18ba6de562b5529d80b352c1cac01
Opcode Fuzzy Hash: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
Instruction Fuzzy Hash: 14519F79A047098FCB50EFA9D0C5A5AF7F0FF44250F41892DE8998B301DA71F985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1004F020 Relevance: 26.2, APIs: 17, Instructions: 666COMMON

Download Yara Rule

APIs

mv_tree_insert.LICKING ref: 1004F09E
mv_tree_find.LICKING ref: 1004F277
mv_tree_find.LICKING ref: 1004F296

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find$mv_tree_insert
String ID:
API String ID: 3047205218-0
Opcode ID: 80c4f16b25e93cf13fac10a13682a04c4d944ea14c030e41bdf2d1b908fff40c
Instruction ID: 3975adde767f042089edfd8a70e518d438757c294b32aed3f4a56a4ed1a14d33
Opcode Fuzzy Hash: 80c4f16b25e93cf13fac10a13682a04c4d944ea14c030e41bdf2d1b908fff40c
Instruction Fuzzy Hash: 5B52CF75A087469FC304DF1AC08442AFBE6FFC8654F658A2DE888DB315E735E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 10030800 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 252
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E10030800(intOrPtr __ebx, void* __ecx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, void* __fp0, char* _a4, intOrPtr* _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v48;
				signed int _v52;
				char* _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v92;
				signed int _v96;
				char* _v100;
				char** _v104;
				char* _t152;
				signed int _t153;
				intOrPtr* _t163;
				signed int _t171;
				void* _t181;
				char** _t184;
				void* _t187;

				_v16 = __ebx;
				_t163 = _a8;
				_v12 = __esi;
				_t152 = _a4;
				_v8 = __edi;
				_v4 = __ebp;
				if(_t163 == 0 || _t152 == 0) {
					_t153 = 0xffffffea;
					goto L5;
				} else {
					_t171 =  *(_t163 + 0xc);
					_t181 =  *((intOrPtr*)(_t163 + 8)) + _t152;
					_t187 = _t171 - 0x13;
					if(_t187 > 0) {
						_v96 = _t171;
						 *_t184 = _t152;
						_v100 = "Not supported option type: %d, option name: %s\n";
						_v92 =  *_t163;
						_v104 = 0x18;
						E10026560();
						_t153 = 0xbaa8beb0;
						L5:
						return _t153;
					}
					switch( *((intOrPtr*)(_t171 * 4 +  &M100B7FA8))) {
						case 0:
							_v104 =  &_v52;
							 *_t184 = 0;
							E1002AAC0(_t163, _t181);
							_t153 = (( *(_t163 + 0x10) ^ _v52 |  *(_t163 + 0x14) ^ _v48) & 0xffffff00 | _t187 == 0x00000000) & 0x000000ff;
							goto L5;
						case 1:
							 *__esp = 0;
							__ebp = 0;
							__edx = __esi;
							_v104 = 0;
							__ecx =  &_v52;
							__ebx = E1002AAC0(__ebx, __esi);
							asm("movsd xmm0, [ebx+0x10]");
							goto L12;
						case 2:
							 *__esp = 0;
							__edi = 0;
							__edx = __esi;
							_v104 = 0;
							__ecx =  &_v52;
							__ebx = E1002AAC0(__ebx, __esi);
							asm("pxor xmm0, xmm0");
							asm("cvtsd2ss xmm0, [ebx+0x10]");
							asm("cvtss2sd xmm0, xmm0");
							L12:
							__eax = 0;
							__edx = 0;
							asm("ucomisd xmm0, [esp+0x38]");
							0 | __eflags =  !=  ? 0 : 0 | __eflags;
							goto L5;
						case 3:
							__eax =  *__esi;
							__edx = __ebx[0x10];
							__eflags = __edx - __eax;
							if(__edx == __eax) {
								goto L10;
							}
							__eflags = __eax;
							if(__eax == 0) {
								goto L53;
							}
							__eflags = __edx;
							if(__edx == 0) {
								goto L53;
							}
							__eax = strcmp(__eax, __edx);
							__eflags = __eax;
							__eax = __al & 0x000000ff;
							goto L5;
						case 4:
							__ecx = 0x7fffffff;
							_v100 = 0x7fffffff;
							asm("movsd xmm0, [ebx+0x10]");
							asm("movsd [esp], xmm0");
							__eax = E10035AA0(__eax, __ebx, __edi, __esi);
							__ecx =  *__esi;
							__esi = __esi[4];
							_v52 = __eax;
							__ebp = __edx;
							__ebx = __eax;
							_v48 = __ebp;
							__eax = __ecx;
							__edi = __ebp;
							__edx = __eax * __ebp >> 0x20;
							_v76 = __eax;
							__eax = __ebx;
							_v72 = __edx;
							__edx = __eax * __esi >> 0x20;
							__eax = __eax * __esi;
							_v64 = __edx;
							__edx = _v72;
							_v68 = __eax;
							__eax = _v64;
							__ebp = _v68;
							__edx = _v72 ^ _v64;
							__eax = _v76;
							__ebp = _v68 ^ _v76;
							_v68 ^ _v76 = _v68 ^ _v76 | _v72 ^ _v64;
							__eflags = _v68 ^ _v76 | _v72 ^ _v64;
							if((_v68 ^ _v76 | _v72 ^ _v64) != 0) {
								goto L53;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L39;
							}
							__eflags = __edi;
							if(__edi == 0) {
								goto L39;
							}
							goto L10;
						case 5:
							__edi = __esi[4];
							__eax = 0;
							__edx = 0;
							_v52 = 0;
							__ebx = __ebx[0x10];
							_v48 = 0;
							__eflags = __edi;
							if(__edi == 0) {
								__eflags = __ebx;
								if(__ebx == 0) {
									goto L10;
								}
								__eax = 0;
								__eflags =  *__ebx;
								__eax = 0 |  *__ebx == 0x00000000;
								goto L5;
							}
							__eflags = __ebx;
							if(__ebx == 0) {
								goto L53;
							}
							__eflags =  *__ebx;
							if( *__ebx == 0) {
								goto L53;
							}
							__eax = strlen(__ebx);
							__edx = __eax;
							__eax = 0;
							__eflags = __edx - __edi;
							if(__edx != __edi) {
								goto L5;
							}
							__edx =  &_v52;
							__eax = __ebx;
							__esi =  *__esi;
							__eax = E1002B710(__ebx,  &_v52);
							__ebx = _v52;
							__eflags = __eax;
							if(__eax == 0) {
								_v104 = __ebx;
								__eax = _v48;
								 *__esp = __esi;
								_v100 = __eax;
								L100A0770();
								__eflags = __eax;
								_t128 = __eax == 0;
								__eflags = _t128;
								__eax = __eax & 0xffffff00 | _t128;
								__eax = __al & 0x000000ff;
							}
							 *__esp = __ebx;
							_v76 = __eax;
							L100290D0();
							__eax = _v76;
							goto L5;
						case 6:
							__esi =  *__esi;
							__edi =  &_v52;
							__eax = 0;
							_v52 = 0;
							__eax = 0;
							_v92 = 0;
							__eax = L":=";
							_v96 = L":=";
							__eax = 0x100b7c27;
							_v100 = 0x100b7c27;
							__eax = __ebx[0x10];
							 *__esp = __edi;
							_v104 = __ebx[0x10];
							__eax = E100118C0();
							__eflags = __eax;
							if(__eax < 0) {
								 *__esp = __edi;
								_v76 = __eax;
								E10011CC0();
								__eax = _v76;
								goto L5;
							}
							__ebp = 0;
							__ebx = 0;
							while(1) {
								_v100 = __ebx;
								__eax = 2;
								__edx = 0x100b75dd;
								_v96 = 2;
								__eax = _v52;
								_v104 = 0x100b75dd;
								 *__esp = _v52;
								__eax = E100110D0();
								__ecx = 2;
								_v100 = __ebp;
								__ebp = 0x100b75dd;
								_v104 = 0x100b75dd;
								_v96 = 2;
								 *__esp = __esi;
								__ebx = __eax;
								__eax = E100110D0();
								__eflags = __ebx;
								__ebp = __eax;
								if(__eflags == 0) {
									break;
								}
								__eflags = __eax;
								if(__eflags == 0) {
									break;
								}
								_v104 = __eax;
								__eax =  *__ebx;
								 *__esp =  *__ebx;
								__eflags = strcmp(??, ??);
								if(__eflags == 0) {
									__eax = _a4;
									_v104 = _a4;
									__eax = __ebx[4];
									 *__esp = __ebx[4];
									__eflags = strcmp(??, ??);
									if(__eflags != 0) {
										break;
									}
									continue;
								}
								break;
							}
							E10011CC0(__edi);
							__eax = 0;
							__ebx = __ebx | __ebp;
							__eax = 0 | __eflags == 0x00000000;
							goto L5;
						case 7:
							L10:
							__eax = 1;
							goto L5;
						case 8:
							__ebx = __ebx[0x10];
							__eflags = __ebx;
							if(__ebx == 0) {
								L51:
								__eax = 0;
								_v52 = 0;
								__eax = 0;
								__eflags = 0;
								L52:
								__eflags =  *__esi - __eax;
								if( *__esi == __eax) {
									__eax = _v52;
									__eflags = __esi[4] - __eax;
									__eax = __al & 0x000000ff;
									goto L5;
								}
								goto L53;
							}
							 *__esp = __ebx;
							__eax = 0x100b729c;
							_v104 = 0x100b729c;
							__eax = strcmp(??, ??);
							__eflags = __eax;
							if(__eax != 0) {
								_v100 = __ebx;
								__eax =  &_v52;
								_v104 =  &_v52;
								__eax =  &_v56;
								 *__esp =  &_v56;
								__eax = E10031200();
								__eflags = __eax;
								if(__eax < 0) {
									goto L5;
								}
								__eax = _v56;
								goto L52;
							}
							goto L51;
						case 9:
							__eax = 0;
							_v52 = 0;
							__eax = 0;
							_v48 = 0;
							__eax = __ebx[0x10];
							__eflags = __eax;
							if(__eax == 0) {
								L53:
								__eax = 0;
								goto L5;
							}
							_v104 = __eax;
							__eax =  &_v52;
							 *__esp =  &_v52;
							__eax = E100312C0();
							__eflags = __eax;
							if(__eax < 0) {
								goto L5;
							}
							__ecx =  *__esi;
							__edi = __esi[4];
							__esi = _v48;
							__ebx = _v52;
							__eax = __ecx;
							__edx = __eax * __esi >> 0x20;
							_v76 = __eax;
							__eax = __ebx;
							_v72 = __edx;
							__edx = __eax * __edi >> 0x20;
							__eax = __eax * __edi;
							_v64 = __edx;
							__edx = _v72;
							_v68 = __eax;
							__eax = _v64;
							__ebp = _v68;
							__edx = _v72 ^ _v64;
							__eax = _v76;
							__ebp = _v68 ^ _v76;
							_v68 ^ _v76 = _v68 ^ _v76 | _v72 ^ _v64;
							__eflags = _v68 ^ _v76 | _v72 ^ _v64;
							if((_v68 ^ _v76 | _v72 ^ _v64) != 0) {
								goto L53;
							}
							__eflags = __esi;
							if(__esi == 0) {
								L39:
								__eflags = __ebx;
								if(__ebx == 0) {
									goto L53;
								}
								__eflags = __ecx;
								if(__eflags == 0) {
									goto L53;
								}
								__ecx = __ecx >> 0x1f;
								__eax = 0;
								__ecx =  &(__ebx[__ecx]);
								__eax = 0 | __eflags == 0x00000000;
								goto L5;
							}
							__eflags = __edi;
							__eax = 1;
							if(__edi != 0) {
								goto L5;
							}
							goto L39;
						case 0xa:
							__eax = __ebx[0x10];
							__ebp = 0;
							_v52 = 0;
							__eflags = __eax;
							if(__eax == 0) {
								L20:
								__eax = _v52;
								__eflags =  *__esi - __eax;
								__eax = __al & 0x000000ff;
								goto L5;
							}
							_v104 = __eax;
							__ebx = 0;
							__edi = 0xffffffff;
							_v96 = 0;
							__eax =  &_v52;
							_v100 = 0xffffffff;
							 *__esp =  &_v52;
							__eax = E10031420(__fp0);
							__eflags = __eax;
							if(__eax < 0) {
								goto L5;
							}
							goto L20;
						case 0xb:
							__edx = 0;
							__eax = 0;
							__eflags = 0;
							do {
								 *((intOrPtr*)(__esp +  &(__eax[0x38]))) = 0;
								 *((intOrPtr*)(__esp +  &(__eax[0x3c]))) = 0;
								__eax =  &(__eax[8]);
								__eflags = __eax - 0x18;
							} while (__eax < 0x18);
							__eax = __ebx[0x10];
							__eflags = __eax;
							if(__eax == 0) {
								__edi =  &_v52;
								L25:
								_v104 = __edi;
								 *__esp = __esi;
								__eax = E1000EDB0(__ecx);
								__eflags = __eax;
								__eax = __al & 0x000000ff;
								goto L5;
							}
							_v104 = __eax;
							__edi =  &_v52;
							 *__esp = __edi;
							__eax = E1000DD40(__fp0);
							__eflags = __eax;
							if(__eax < 0) {
								goto L5;
							}
							goto L25;
					}
				}
			}

0x10030803
0x10030807
0x1003080b
0x1003080f
0x10030813
0x10030817
0x1003081d
0x10030d68
0x00000000
0x1003082b
0x1003082e
0x10030831
0x10030833
0x10030836
0x10030cb1
0x10030cba
0x10030cbd
0x10030cc1
0x10030cca
0x10030cce
0x10030cd3
0x1003087c
0x1003088f
0x1003088f
0x1003083c
0x00000000
0x1003084e
0x10030856
0x1003085d
0x10030879
0x00000000
0x00000000
0x10030920
0x10030927
0x10030929
0x1003092b
0x1003092f
0x10030935
0x1003093a
0x00000000
0x00000000
0x10030960
0x10030967
0x10030969
0x1003096b
0x1003096f
0x10030975
0x1003097a
0x1003097e
0x10030983
0x1003093f
0x1003093f
0x10030941
0x10030946
0x1003094f
0x00000000
0x00000000
0x10030990
0x10030992
0x10030995
0x10030997
0x00000000
0x00000000
0x1003099d
0x1003099f
0x00000000
0x00000000
0x100309a5
0x100309a7
0x00000000
0x00000000
0x100309b4
0x100309b9
0x100309be
0x00000000
0x00000000
0x10030890
0x10030895
0x10030899
0x1003089e
0x100308a3
0x100308a8
0x100308aa
0x100308ad
0x100308b1
0x100308b3
0x100308b5
0x100308b9
0x100308bb
0x100308bd
0x100308bf
0x100308c3
0x100308c5
0x100308c9
0x100308c9
0x100308cb
0x100308cf
0x100308d3
0x100308d7
0x100308db
0x100308df
0x100308e1
0x100308e5
0x100308e9
0x100308e9
0x100308eb
0x00000000
0x00000000
0x100308f1
0x100308f3
0x00000000
0x00000000
0x100308f9
0x100308fb
0x00000000
0x00000000
0x00000000
0x00000000
0x10030bf8
0x10030bfb
0x10030bfd
0x10030bff
0x10030c03
0x10030c06
0x10030c0a
0x10030c0c
0x10030ce0
0x10030ce2
0x00000000
0x00000000
0x10030ce8
0x10030cea
0x10030ced
0x00000000
0x10030ced
0x10030c12
0x10030c14
0x00000000
0x00000000
0x10030c1a
0x10030c1d
0x00000000
0x00000000
0x10030c26
0x10030c2d
0x10030c2f
0x10030c31
0x10030c33
0x00000000
0x00000000
0x10030c39
0x10030c3d
0x10030c3f
0x10030c41
0x10030c46
0x10030c4a
0x10030c4c
0x10030c4e
0x10030c52
0x10030c56
0x10030c59
0x10030c5d
0x10030c62
0x10030c64
0x10030c64
0x10030c64
0x10030c67
0x10030c67
0x10030c6a
0x10030c6d
0x10030c71
0x10030c76
0x00000000
0x00000000
0x10030a70
0x10030a72
0x10030a76
0x10030a78
0x10030a7c
0x10030a7e
0x10030a82
0x10030a87
0x10030a8b
0x10030a90
0x10030a94
0x10030a97
0x10030a9a
0x10030a9e
0x10030aa3
0x10030aa5
0x10030d50
0x10030d53
0x10030d57
0x10030d5c
0x00000000
0x10030d5c
0x10030aab
0x10030aad
0x10030ace
0x10030ace
0x10030ad2
0x10030ad7
0x10030adc
0x10030ae0
0x10030ae4
0x10030ae8
0x10030aeb
0x10030af0
0x10030af5
0x10030af9
0x10030afe
0x10030b02
0x10030b06
0x10030b09
0x10030b0b
0x10030b10
0x10030b12
0x10030b14
0x00000000
0x00000000
0x10030b16
0x10030b18
0x00000000
0x00000000
0x10030b1c
0x10030b20
0x10030b22
0x10030b2a
0x10030b2c
0x10030ab8
0x10030abb
0x10030abf
0x10030ac2
0x10030aca
0x10030acc
0x00000000
0x00000000
0x00000000
0x10030acc
0x00000000
0x10030b2c
0x10030b31
0x10030b36
0x10030b38
0x10030b3a
0x00000000
0x00000000
0x10030910
0x10030910
0x00000000
0x00000000
0x10030c80
0x10030c83
0x10030c85
0x10030c9c
0x10030c9c
0x10030c9e
0x10030ca2
0x10030ca2
0x10030ca4
0x10030ca4
0x10030ca6
0x10030cf8
0x10030cfc
0x10030d02
0x00000000
0x10030d02
0x00000000
0x10030ca6
0x10030c87
0x10030c8a
0x10030c8f
0x10030c93
0x10030c98
0x10030c9a
0x10030d10
0x10030d14
0x10030d18
0x10030d1c
0x10030d20
0x10030d23
0x10030d28
0x10030d2a
0x00000000
0x00000000
0x10030d30
0x00000000
0x10030d30
0x00000000
0x00000000
0x10030b48
0x10030b4a
0x10030b4e
0x10030b50
0x10030b54
0x10030b57
0x10030b59
0x10030ca8
0x10030ca8
0x00000000
0x10030ca8
0x10030b5f
0x10030b63
0x10030b67
0x10030b6a
0x10030b6f
0x10030b71
0x00000000
0x00000000
0x10030b77
0x10030b79
0x10030b7c
0x10030b80
0x10030b84
0x10030b86
0x10030b88
0x10030b8c
0x10030b8e
0x10030b92
0x10030b92
0x10030b94
0x10030b98
0x10030b9c
0x10030ba0
0x10030ba4
0x10030ba8
0x10030baa
0x10030bae
0x10030bb2
0x10030bb2
0x10030bb4
0x00000000
0x00000000
0x10030bba
0x10030bbc
0x10030bd0
0x10030bd0
0x10030bd2
0x00000000
0x00000000
0x10030bd8
0x10030bda
0x00000000
0x00000000
0x10030be0
0x10030be3
0x10030be8
0x10030bea
0x00000000
0x10030bea
0x10030bbe
0x10030bc0
0x10030bc5
0x00000000
0x00000000
0x00000000
0x00000000
0x100309d0
0x100309d3
0x100309d5
0x100309d9
0x100309db
0x10030a04
0x10030a04
0x10030a08
0x10030a0d
0x00000000
0x10030a0d
0x100309dd
0x100309e1
0x100309e3
0x100309e8
0x100309ec
0x100309f0
0x100309f4
0x100309f7
0x100309fc
0x100309fe
0x00000000
0x00000000
0x00000000
0x00000000
0x10030a18
0x10030a1a
0x10030a1a
0x10030a1c
0x10030a1c
0x10030a20
0x10030a24
0x10030a27
0x10030a27
0x10030a2c
0x10030a2f
0x10030a31
0x10030d40
0x10030a4f
0x10030a4f
0x10030a53
0x10030a56
0x10030a5b
0x10030a60
0x00000000
0x10030a60
0x10030a37
0x10030a3b
0x10030a3f
0x10030a42
0x10030a47
0x10030a49
0x00000000
0x00000000
0x00000000
0x00000000
0x1003083c

APIs

mv_d2q.LICKING ref: 100308A3
strcmp.MSVCRT ref: 100309B4
mv_dict_parse_string.LICKING ref: 10030A9E
mv_dict_get.LICKING ref: 10030AEB
mv_dict_get.LICKING ref: 10030B0B
strcmp.MSVCRT ref: 10030B25
mv_dict_free.LICKING ref: 10030B31
strlen.MSVCRT ref: 10030C26
memcmp.MSVCRT ref: 10030C5D
mv_log.LICKING ref: 10030CCE

Strings

Not supported option type: %d, option name: %s, xrefs: 10030CB5

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_getstrcmp$memcmpmv_d2qmv_dict_freemv_dict_parse_stringmv_logstrlen
String ID: Not supported option type: %d, option name: %s
API String ID: 55484637-782529697
Opcode ID: 61f1d9ad922e6a4252ce3a192c568b42e4e3967036f1b74156302d27616f7257
Instruction ID: def0f341197f21d83010d515f0d1470e651d91757f71c567d5382369b3c9b903
Opcode Fuzzy Hash: 61f1d9ad922e6a4252ce3a192c568b42e4e3967036f1b74156302d27616f7257
Instruction Fuzzy Hash: 58A14474A097048FC795DF69C19021ABBE1FF88780F51892EB8C9DB355EB74E840CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10023350 Relevance: 23.4, APIs: 11, Strings: 2, Instructions: 634
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E10023350(signed int __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t304;
				char* _t305;
				signed int _t314;
				signed int _t316;
				signed int _t325;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				int _t335;
				signed int _t336;
				signed int _t338;
				signed int _t342;
				signed int _t344;
				signed int _t347;
				signed int _t348;
				signed char* _t350;
				signed int _t351;
				int _t352;
				signed int _t354;
				int _t355;
				signed int _t356;
				signed int _t358;
				int _t361;
				signed int _t362;
				void _t364;
				signed int _t365;
				signed int _t367;
				signed int _t369;
				signed int _t372;
				intOrPtr _t379;
				intOrPtr _t380;
				intOrPtr _t381;
				intOrPtr _t382;
				intOrPtr _t383;
				intOrPtr _t384;
				signed int _t386;
				signed int _t388;
				char* _t389;
				signed int _t393;
				signed char _t398;
				void* _t399;
				char* _t405;
				char _t406;
				char* _t408;
				signed int _t409;
				signed char _t411;
				signed int _t413;
				signed int _t414;
				signed int _t417;
				signed int _t418;
				signed short _t425;
				void* _t429;
				char* _t430;
				unsigned int _t434;
				signed int _t435;
				signed int _t437;
				signed char _t439;
				signed char* _t440;
				unsigned int _t441;
				signed int _t442;
				int _t444;
				signed char _t449;
				void* _t450;
				signed int _t453;
				signed int _t454;
				intOrPtr _t455;
				signed char _t456;
				signed char _t457;
				int _t458;
				char* _t463;
				char* _t464;
				signed int _t465;
				signed int _t467;
				signed int _t471;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t479;
				signed int* _t484;
				signed int _t489;
				signed int _t494;
				void _t495;
				char* _t496;
				signed int _t498;
				void* _t499;
				signed int _t501;
				void* _t502;
				void* _t503;
				signed int _t507;
				intOrPtr _t508;
				intOrPtr _t509;
				void* _t514;
				signed int _t517;
				char* _t519;
				signed int _t526;
				signed int _t528;
				int _t533;
				signed int _t534;
				void* _t537;
				signed int* _t538;
				signed int _t539;
				char* _t540;
				void* _t541;
				unsigned int _t543;
				unsigned int _t544;
				signed int _t545;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t550;
				signed int _t552;
				int _t553;
				void* _t554;
				char** _t555;
				signed int* _t557;
				void* _t571;

				_t465 = __edx;
				_t555 = _t554 - 0x6c;
				_t408 = _t555[0x24];
				_t519 = _t555[0x22];
				_t555[3] = _t555[0x27];
				 *_t555 = _t408;
				_t555[2] = _t555[0x26];
				_t555[1] = _t555[0x25];
				_t304 = E10023180(__edx, __eflags);
				 *_t555 = _t408;
				_t543 = _t304;
				_t305 = E10034790();
				_t555[0x12] = _t305;
				_t430 = _t305;
				if((_t543 >> 0x0000001f | _t465 & 0xffffff00 | _t543 - _t555[0x21] > 0x00000000) != 0 || _t430 == 0) {
					_t544 = 0xffffffea;
					goto L28;
				} else {
					_t467 = _t430[4] & 0x000000ff;
					if(_t467 == 0) {
						_t496 = 0;
						_t555[0xf] = 0;
					} else {
						_t463 =  >=  ? _t430[0x10] : 0;
						_t555[0xf] = _t463;
						_t496 = _t463;
						if(_t467 != 1) {
							_t464 = _t555[0x12];
							_t496 =  >=  ? _t555[0xf] : _t464[0x24];
							_t555[0xf] = _t496;
							if(_t467 != 2) {
								_t405 =  >=  ? _t496 : _t464[0x38];
								_t555[0xf] = _t405;
								_t496 = _t405;
								if(_t467 != 3) {
									_t406 = _t464[0x4c];
									_t571 = _t496 - _t406;
									_t407 =  >=  ? _t496 : _t406;
									_t555[0xf] =  >=  ? _t496 : _t406;
								}
							}
						}
					}
					_t555[1] = _t408;
					_t555[2] = _t555[0x25];
					 *_t555 =  &(_t555[0x14]);
					if(E100215D0(_t571) < 0) {
						_t555[5] = 0x209;
						__eflags = 0;
						_t555[1] = 0;
						 *_t555 = 0;
						_t555[4] = "libavutil/imgutils.c";
						_t555[3] = "ret >= 0";
						_t555[2] = "Assertion %s failed at %s:%d\n";
						E10026560();
						abort();
						_push(_t543);
						_push(_t496);
						_t557 = _t555 - 0x15c;
						_t409 = _t557[0x5e];
						 *_t557 = _t409;
						_t314 = E10034790(_t408);
						 *_t557 = _t409;
						_t545 = _t314;
						_t557[0xd] = E10034870(_t519);
						_t316 = 0;
						__eflags = 0;
						do {
							 *((intOrPtr*)(_t557 + _t316 + 0xd0)) = 0;
							 *((intOrPtr*)(_t557 + _t316 + 0xd4)) = 0;
							_t316 = _t316 + 8;
							__eflags = _t316 - 0x80;
						} while (_t316 < 0x80);
						_t557[0x14] = 0;
						_t557[0x15] = 0;
						_t557[0x16] = 0;
						_t557[0x17] = 0;
						_t557[0x18] = 0;
						_t557[0x19] = 0;
						_t557[0x1a] = 0;
						_t557[0x1b] = 0;
						__eflags = _t557[0xd] - 1 - 3;
						if(_t557[0xd] - 1 > 3) {
							L61:
							return 0xffffffea;
						} else {
							__eflags = _t545;
							if(_t545 == 0) {
								goto L61;
							} else {
								_t325 =  *(_t545 + 8);
								_t471 = _t325 & 0x00000008;
								_t498 = _t471;
								__eflags = _t498;
								if(_t498 != 0) {
									goto L61;
								} else {
									_t557[0xa] = _t325 & 0x00000020;
									__eflags = _t325 & 0x00000004;
									if(__eflags != 0) {
										 *_t557 = _t409;
										_t557[2] = 0;
										_t557[1] = _t557[0x60];
										_t547 = E10021480(__eflags);
										_t330 = _t409 - 9;
										__eflags = _t330 - 1;
										_t331 = _t330 & 0xffffff00 | _t330 - 0x00000001 < 0x00000000;
										__eflags = _t409 - 9;
										_t411 =  !=  ? _t498 : 0xff;
										__eflags = _t557[0xd] - 1;
										if(__eflags != 0 || __eflags == 0) {
											goto L61;
										} else {
											__eflags = _t547;
											if(_t547 <= 0) {
												goto L61;
											} else {
												__eflags = _t557[0x5c];
												if(_t557[0x5c] != 0) {
													__eflags = _t557[0x61];
													_t526 =  *(_t557[0x5c]);
													if(_t557[0x61] > 0) {
														_t335 = (_t411 & 0x000000ff) * 0x1010101;
														__eflags = _t335;
														do {
															__eflags = _t547 - 8;
															_t474 = _t547;
															_t499 = _t526;
															if(_t547 >= 8) {
																__eflags = _t526 & 0x00000001;
																if((_t526 & 0x00000001) != 0) {
																	 *_t526 = _t335;
																	_t499 = _t526 + 1;
																	_t226 = _t547 - 1; // -1
																	_t474 = _t226;
																}
																__eflags = _t499 & 0x00000002;
																if((_t499 & 0x00000002) != 0) {
																	 *_t499 = _t335;
																	_t474 = _t474 - 2;
																	_t499 = _t499 + 2;
																}
																__eflags = _t499 & 0x00000004;
																if((_t499 & 0x00000004) != 0) {
																	 *_t499 = _t335;
																	_t474 = _t474 - 4;
																	_t499 = _t499 + 4;
																}
																_t434 = _t474;
																_t474 = _t474 & 0x00000003;
																_t435 = _t434 >> 2;
																_t335 = memset(_t499, _t335, _t435 << 2);
																_t557 =  &(_t557[3]);
																_t499 = _t499 + _t435;
															}
															_t475 = _t474 & 0x00000007;
															__eflags = _t475;
															if(_t475 != 0) {
																_t437 = 0;
																__eflags = 0;
																do {
																	 *(_t499 + _t437) = _t411;
																	_t437 = _t437 + 1;
																	__eflags = _t437 - _t475;
																} while (_t437 < _t475);
															}
															_t526 = _t526 +  *(_t557[0x5d]);
															_t216 =  &(_t557[0x61]);
															 *_t216 = _t557[0x61] - 1;
															__eflags =  *_t216;
														} while ( *_t216 != 0);
													}
												}
												goto L78;
											}
										}
									} else {
										_t477 =  *(_t545 + 4) & 0x000000ff;
										__eflags = _t477;
										if(__eflags == 0) {
											L58:
											_t557[0xa] = _t545;
											_t501 = _t557[0x60];
											_t548 = 0;
											_t528 = _t557[0xd];
											while(1) {
												_t557[2] = _t548;
												_t557[1] = _t501;
												 *_t557 = _t409;
												_t336 = E10021480(__eflags);
												 *(_t557 + 0x60 + _t548 * 4) = _t336;
												__eflags = _t336;
												if(_t336 < 0) {
													goto L61;
												}
												_t548 = _t548 + 1;
												__eflags = _t528 - _t548;
												if(__eflags <= 0) {
													_t549 = _t557[0xa];
													__eflags = _t557[0x5c];
													if(_t557[0x5c] == 0) {
														L78:
														_t332 = 0;
														__eflags = 0;
													} else {
														_t557[0x13] = _t549;
														__eflags = 0;
														_t557[0xe] =  &(_t557[0x34]);
														_t557[0xa] = 0;
														do {
															_t338 = _t557[0xa];
															_t557[0xf] =  *(_t557 + 0x60 + _t338 * 4);
															_t550 =  *(_t557[0x5c] + _t338 * 4);
															__eflags = _t338 - 1 - 1;
															if(_t338 - 1 <= 1) {
																_t439 =  *(_t557[0x13] + 6) & 0x000000ff;
																_t342 = 1 << _t439;
															} else {
																_t342 = 1;
																_t439 = 0;
																__eflags = 0;
															}
															_t344 = _t342 + _t557[0x61] - 1 >> _t439;
															_t557[0xc] = _t344;
															__eflags = _t344;
															if(_t344 > 0) {
																_t413 =  *(_t557 + 0x50 + _t557[0xa] * 4);
																_t347 = _t557[0xf];
																_t557[0xb] = _t413;
																__eflags = _t347 - _t413;
																_t533 =  >  ? _t413 : _t347;
																_t557[0x10] = _t533;
																_t348 = _t347 - _t533;
																__eflags = _t348;
																_t557[0x11] = _t348;
																do {
																	_t534 = _t557[0xb];
																	__eflags = _t534;
																	if(_t534 != 0) {
																		_t350 = _t557[0xe];
																		_t479 =  *_t350 & 0x000000ff;
																		_t440 =  &(_t350[_t534]);
																		while(1) {
																			__eflags =  *_t350 - _t479;
																			if( *_t350 != _t479) {
																				break;
																			}
																			_t350 =  &(_t350[1]);
																			__eflags = _t440 - _t350;
																			if(_t440 == _t350) {
																				L103:
																				_t351 = _t557[0xf];
																				_t502 = _t550;
																				__eflags = _t351 - 8;
																				_t414 = _t351;
																				if(_t351 >= 8) {
																					_t352 = _t479 * 0x1010101;
																					__eflags = _t550 & 0x00000001;
																					if((_t550 & 0x00000001) != 0) {
																						 *_t550 = _t352;
																						_t502 = _t550 + 1;
																						_t414 = _t557[0xf] - 1;
																					}
																					__eflags = _t502 & 0x00000002;
																					if((_t502 & 0x00000002) != 0) {
																						 *_t502 = _t352;
																						_t414 = _t414 - 2;
																						_t502 = _t502 + 2;
																					}
																					__eflags = _t502 & 0x00000004;
																					if((_t502 & 0x00000004) != 0) {
																						 *_t502 = _t352;
																						_t414 = _t414 - 4;
																						_t502 = _t502 + 4;
																					}
																					_t441 = _t414;
																					_t414 = _t414 & 0x00000003;
																					_t442 = _t441 >> 2;
																					memset(_t502, _t352, _t442 << 2);
																					_t557 =  &(_t557[3]);
																					_t502 = _t502 + _t442;
																				}
																				_t413 = _t414 & 0x00000007;
																				__eflags = _t413;
																				if(_t413 != 0) {
																					_t354 = 0;
																					__eflags = 0;
																					do {
																						 *(_t502 + _t354) = _t479;
																						_t354 = _t354 + 1;
																						__eflags = _t354 - _t413;
																					} while (_t354 < _t413);
																				}
																			} else {
																				continue;
																			}
																			goto L100;
																		}
																		__eflags = _t557[0xb] - 1;
																		if(_t557[0xb] == 1) {
																			goto L103;
																		} else {
																			_t355 = _t557[0x10];
																			_t503 = _t550;
																			_t537 = _t557[0xe];
																			__eflags = _t355 - 8;
																			_t444 = _t355;
																			if(_t355 >= 8) {
																				__eflags = _t550 & 0x00000001;
																				if((_t550 & 0x00000001) != 0) {
																					_t356 =  *_t537 & 0x000000ff;
																					_t503 = _t550 + 1;
																					_t537 = _t537 + 1;
																					_t557[0x12] = _t356;
																					 *_t550 = _t356;
																					_t444 = _t557[0x10] - 1;
																				}
																				__eflags = _t503 & 0x00000002;
																				if((_t503 & 0x00000002) != 0) {
																					_t358 =  *_t537 & 0x0000ffff;
																					_t503 = _t503 + 2;
																					_t537 = _t537 + 2;
																					_t444 = _t444 - 2;
																					 *(_t503 - 2) = _t358;
																				}
																				__eflags = _t503 & 0x00000004;
																				if((_t503 & 0x00000004) != 0) {
																					_t364 =  *_t537;
																					_t503 = _t503 + 4;
																					_t537 = _t537 + 4;
																					_t444 = _t444 - 4;
																					 *(_t503 - 4) = _t364;
																				}
																			}
																			memcpy(_t503, _t537, _t444);
																			_t557 =  &(_t557[3]);
																			_t557[2] = _t557[0x11];
																			_t361 = _t557[0x10];
																			_t557[1] = _t361;
																			_t362 = _t361 + _t550;
																			__eflags = _t362;
																			 *_t557 = _t362;
																			E10029830(_t413, _t537 + _t444 + _t444, _t537);
																		}
																	}
																	L100:
																	_t550 = _t550 +  *((intOrPtr*)(_t557[0x5d] + _t557[0xa] * 4));
																	_t267 =  &(_t557[0xc]);
																	 *_t267 = _t557[0xc] - 1;
																	__eflags =  *_t267;
																} while ( *_t267 != 0);
															}
															_t557[0xa] = _t557[0xa] + 1;
															_t557[0xe] = _t557[0xe] + 0x20;
															__eflags = _t557[0xd] - _t557[0xa];
														} while (_t557[0xd] > _t557[0xa]);
														_t332 = 0;
													}
													return _t332;
												} else {
													continue;
												}
												goto L122;
											}
											goto L61;
										} else {
											_t365 =  *(_t545 + 0x14);
											__eflags = _t365;
											_t447 =  >=  ? _t365 : 0;
											__eflags = _t365 - 0x20;
											 *((intOrPtr*)(_t557 + 0x50 +  *(_t545 + 0x10) * 4)) =  >=  ? _t365 : 0;
											if(_t365 > 0x20) {
												goto L61;
											} else {
												__eflags = _t477 - 1;
												if(__eflags == 0) {
													L46:
													_t557[0x5e] = _t409;
													_t557[0xa] = _t545;
													_t367 = _t557[0xa];
													_t557[0xc] = __eflags == 0;
													_t145 = _t545 + 0x10; // 0x10
													_t538 = _t145;
													__eflags = _t557[0x5f] - 2;
													_t557[0xe] = _t367;
													_t507 = 0;
													_t369 = (_t367 & 0xffffff00 | _t557[0x5f] != 0x00000002) & _t557[0xc] & 0x000000ff;
													__eflags = _t369;
													_t557[0xb] = _t369;
													while(1) {
														_t449 = _t538[4];
														asm("cdq");
														_t372 =  *(_t557 + 0x50 +  *_t538 * 4) / _t538[1];
														_t557[0x20] = 0;
														_t557[0x21] = 0;
														__eflags = _t449 - 0x10;
														_t557[0x22] = 0;
														_t557[0x23] = 0;
														if(_t449 > 0x10) {
															goto L61;
														}
														__eflags = _t449 - 7;
														if(_t449 > 7) {
															L50:
															__eflags = _t372;
															if(_t372 <= 0) {
																goto L61;
															} else {
																__eflags = _t507;
																if(_t507 != 0) {
																	L62:
																	_t199 = _t507 - 1; // -1
																	_t417 = 0;
																	__eflags = _t199 - 1;
																	if(_t199 <= 1) {
																		__eflags = _t557[0xe];
																		if(_t557[0xe] == 0) {
																			_t417 = 0x00000080 << _t449 - 0x00000008 & 0x0000ffff;
																		}
																	} else {
																		__eflags = _t507 - 3;
																		if(_t507 == 3) {
																			_t417 = (0x00000001 << _t449) - 0x00000001 & 0x0000ffff;
																		}
																	}
																} else {
																	__eflags = _t557[0xb];
																	if(_t557[0xb] == 0) {
																		goto L62;
																	} else {
																		_t425 = 0x10 << _t449 - 8;
																		__eflags = _t425;
																		_t417 = _t425 & 0x0000ffff;
																	}
																}
																_t552 =  &(_t557[0x24]);
																_t450 = _t552 + _t372 * 2;
																_t484 = _t552;
																do {
																	 *_t484 = _t417;
																	_t484 =  &(_t484[0]);
																	__eflags = _t450 - _t484;
																} while (_t450 != _t484);
																_t418 = _t557[0xa];
																_t538 =  &(_t538[5]);
																_t557[7] = _t372;
																_t557[5] = 0;
																_t557[0x1c] =  &(_t557[0x34]);
																_t557[4] = 0;
																_t557[0x1d] =  &(_t557[0x3c]);
																_t557[2] =  &(_t557[0x20]);
																_t557[0x1e] =  &(_t557[0x44]);
																_t557[6] = _t507;
																_t507 = _t507 + 1;
																_t557[1] =  &(_t557[0x1c]);
																_t557[3] = _t418;
																 *_t557 = _t552;
																_t557[0x1f] =  &(_t557[0x4c]);
																E10034210();
																__eflags = ( *(_t418 + 4) & 0x000000ff) - _t507;
																if(__eflags > 0) {
																	continue;
																} else {
																	_t545 = _t557[0xa];
																	_t409 = _t557[0x5e];
																	goto L58;
																}
															}
														} else {
															__eflags = _t557[0xc];
															if(_t557[0xc] != 0) {
																goto L61;
															} else {
																goto L50;
															}
														}
														goto L122;
													}
													goto L61;
												} else {
													_t453 =  *(_t545 + 0x24);
													_t508 =  *((intOrPtr*)(_t545 + 0x28));
													_t379 =  *((intOrPtr*)(_t557 + 0x50 + _t453 * 4));
													__eflags = _t379 - _t508;
													_t380 =  <  ? _t508 : _t379;
													 *((intOrPtr*)(_t557 + 0x50 + _t453 * 4)) = _t380;
													__eflags = _t380 - 0x20;
													if(_t380 > 0x20) {
														goto L61;
													} else {
														__eflags = _t477 - 2;
														if(__eflags == 0) {
															goto L46;
														} else {
															_t454 =  *(_t545 + 0x38);
															_t509 =  *((intOrPtr*)(_t545 + 0x3c));
															_t381 =  *((intOrPtr*)(_t557 + 0x50 + _t454 * 4));
															__eflags = _t381 - _t509;
															_t382 =  <  ? _t509 : _t381;
															 *((intOrPtr*)(_t557 + 0x50 + _t454 * 4)) = _t382;
															__eflags = _t382 - 0x20;
															if(_t382 > 0x20) {
																goto L61;
															} else {
																__eflags = _t477 - 3;
																if(__eflags == 0) {
																	goto L46;
																} else {
																	_t489 =  *(_t545 + 0x4c);
																	_t455 =  *((intOrPtr*)(_t545 + 0x50));
																	_t383 =  *((intOrPtr*)(_t557 + 0x50 + _t489 * 4));
																	__eflags = _t383 - _t455;
																	_t384 =  <  ? _t455 : _t383;
																	 *((intOrPtr*)(_t557 + 0x50 + _t489 * 4)) = _t384;
																	__eflags = _t384 - 0x20;
																	if(__eflags > 0) {
																		goto L61;
																	} else {
																		goto L46;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t456 = 0;
						_t555[0x22] = _t519;
						_t539 = 0xffffffff;
						_t555[0x13] = _t543;
						_t555[0xe] = _t555[0x23];
						_t386 = 1;
						_t555[0x11] =  ~(_t555[0x27]);
						while(1) {
							_t388 = _t386 + _t555[0x26] - 1 >> _t456;
							_t429 = _t555[0x22][4 + _t539 * 4];
							_t555[0xc] = _t388;
							if(_t388 <= 0) {
								goto L18;
							}
							_t553 =  *(_t555 + 0x54 + _t539 * 4);
							_t555[0x10] = _t539;
							_t555[0xb] = 0;
							_t398 = _t555[0x20];
							_t555[0xd] = _t555[0x11] & _t553 + _t555[0x27] - 0x00000001;
							do {
								_t458 = _t553;
								_t514 = _t398;
								_t541 = _t429;
								if(_t553 >= 8) {
									if((_t398 & 0x00000001) != 0) {
										_t514 = _t398 + 1;
										_t541 = _t429 + 1;
										 *_t398 =  *_t429 & 0x000000ff;
										_t458 = _t553 - 1;
									}
									if((_t514 & 0x00000002) != 0) {
										_t494 =  *_t541 & 0x0000ffff;
										_t514 = _t514 + 2;
										_t541 = _t541 + 2;
										_t458 = _t458 - 2;
										 *(_t514 - 2) = _t494;
									}
									if((_t514 & 0x00000004) != 0) {
										_t495 =  *_t541;
										_t514 = _t514 + 4;
										_t541 = _t541 + 4;
										_t458 = _t458 - 4;
										 *(_t514 - 4) = _t495;
									}
								}
								_t399 = memcpy(_t514, _t541, _t458);
								_t555 =  &(_t555[3]);
								_t555[0xb] =  &(_t555[0xb][1]);
								_t517 = _t555[0xd];
								_t398 = _t399 + _t517;
								_t429 = _t429 +  *(_t555[0xe]);
							} while (_t555[0xc] != _t555[0xb]);
							_t539 = _t555[0x10];
							_t68 =  &(_t555[0x20]);
							 *_t68 = _t555[0x20] + _t555[0xc] * _t517;
							__eflags =  *_t68;
							L18:
							_t539 = _t539 + 1;
							__eflags = _t555[0xf] - _t539;
							if(_t555[0xf] != _t539) {
								__eflags = _t539 - 1;
								if(_t539 <= 1) {
									_t456 = _t555[0x12][6] & 0x000000ff;
									_t386 = 1 << _t456;
								} else {
									_t386 = 1;
									_t456 = 0;
									__eflags = 0;
								}
								_t555[0xe] =  &(_t555[0xe][4]);
								continue;
							}
							_t389 = _t555[0x12];
							_t544 = _t555[0x13];
							_t540 = _t555[0x22];
							__eflags = _t389[8] & 0x00000002;
							if((_t389[8] & 0x00000002) != 0) {
								_t457 = _t555[0x20];
								_t393 = 0;
								__eflags = 0;
								do {
									 *((intOrPtr*)(_t457 + _t393)) =  *((intOrPtr*)(_t540[4] + _t393));
									_t393 = _t393 + 4;
									__eflags = _t393 - 0x400;
								} while (_t393 != 0x400);
							}
							L28:
							return _t544;
							goto L122;
						}
					}
				}
				L122:
			}

0x10023350
0x10023354
0x1002335e
0x10023365
0x1002336c
0x10023377
0x1002337a
0x10023385
0x10023389
0x1002338e
0x10023391
0x10023393
0x100233a2
0x100233a6
0x100233af
0x100235d8
0x00000000
0x100233bd
0x100233bd
0x100233c3
0x100235cd
0x100235cf
0x100233c9
0x100233d0
0x100233d6
0x100233da
0x100233dc
0x100233de
0x100233e9
0x100233f1
0x100233f5
0x100233fc
0x10023402
0x10023406
0x10023408
0x1002340a
0x1002340d
0x1002340f
0x10023412
0x10023412
0x10023408
0x100233f5
0x100233dc
0x10023416
0x10023421
0x10023429
0x10023433
0x100235df
0x100235e7
0x100235e9
0x100235ed
0x100235f0
0x100235f8
0x10023600
0x10023608
0x1002360d
0x10023620
0x10023621
0x10023624
0x1002362a
0x10023631
0x10023634
0x10023639
0x1002363c
0x10023645
0x10023649
0x10023649
0x1002364b
0x1002364b
0x10023652
0x10023659
0x1002365c
0x1002365c
0x10023667
0x1002366f
0x10023677
0x1002367d
0x10023683
0x1002368b
0x1002368f
0x10023693
0x10023698
0x1002369b
0x100238d1
0x100238e0
0x100236a1
0x100236a1
0x100236a3
0x00000000
0x100236a9
0x100236a9
0x100236b0
0x100236b3
0x100236b3
0x100236b5
0x00000000
0x100236bb
0x100236c3
0x100236c9
0x100236cc
0x10023930
0x1002393c
0x10023940
0x10023949
0x1002394b
0x1002394e
0x10023951
0x10023954
0x1002395c
0x1002395f
0x10023964
0x00000000
0x10023979
0x10023979
0x1002397b
0x00000000
0x10023981
0x10023988
0x1002398a
0x1002399a
0x1002399c
0x1002399e
0x100239a3
0x100239a3
0x100239b0
0x100239b0
0x100239b3
0x100239b5
0x100239b7
0x100239f0
0x100239f6
0x10023a14
0x10023a16
0x10023a19
0x10023a19
0x10023a19
0x100239f8
0x100239fe
0x10023a28
0x10023a2b
0x10023a2e
0x10023a2e
0x10023a00
0x10023a06
0x10023a1e
0x10023a20
0x10023a23
0x10023a23
0x10023a08
0x10023a0a
0x10023a0d
0x10023a10
0x10023a10
0x10023a10
0x10023a10
0x100239b9
0x100239b9
0x100239bc
0x100239be
0x100239be
0x100239c0
0x100239c0
0x100239c3
0x100239c4
0x100239c4
0x100239c0
0x100239d1
0x100239d3
0x100239d3
0x100239d3
0x100239d3
0x100239b0
0x1002399e
0x00000000
0x1002398a
0x1002397b
0x100236d2
0x100236d2
0x100236d6
0x100236d8
0x10023898
0x10023898
0x1002389e
0x100238a5
0x100238a7
0x100238b9
0x100238b9
0x100238bd
0x100238c1
0x100238c4
0x100238c9
0x100238cd
0x100238cf
0x00000000
0x00000000
0x100238b0
0x100238b1
0x100238b3
0x10023a3a
0x10023a3e
0x10023a40
0x100239dc
0x100239dc
0x100239dc
0x10023a42
0x10023a42
0x10023a4d
0x10023a4f
0x10023a53
0x10023a57
0x10023a57
0x10023a5f
0x10023a6a
0x10023a6e
0x10023a71
0x10023bcb
0x10023bd4
0x10023a77
0x10023a77
0x10023a7c
0x10023a7c
0x10023a7c
0x10023a89
0x10023a8b
0x10023a8f
0x10023a91
0x10023a9b
0x10023a9f
0x10023aa3
0x10023aa7
0x10023aab
0x10023aae
0x10023ab2
0x10023ab2
0x10023ab4
0x10023ac0
0x10023ac0
0x10023ac4
0x10023ac6
0x10023ac8
0x10023acc
0x10023acf
0x10023add
0x10023add
0x10023adf
0x00000000
0x00000000
0x10023ad8
0x10023ad9
0x10023adb
0x10023b50
0x10023b50
0x10023b54
0x10023b56
0x10023b59
0x10023b5b
0x10023b6e
0x10023b74
0x10023b7a
0x10023bf0
0x10023bf3
0x10023bfa
0x10023bfa
0x10023b7c
0x10023b82
0x10023be5
0x10023be8
0x10023beb
0x10023beb
0x10023b84
0x10023b8a
0x10023bdb
0x10023bdd
0x10023be0
0x10023be0
0x10023b8c
0x10023b8e
0x10023b91
0x10023b94
0x10023b94
0x10023b94
0x10023b94
0x10023b5d
0x10023b5d
0x10023b60
0x10023b62
0x10023b62
0x10023b64
0x10023b64
0x10023b67
0x10023b68
0x10023b68
0x10023b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x10023adb
0x10023ae1
0x10023ae6
0x00000000
0x10023ae8
0x10023ae8
0x10023aec
0x10023aee
0x10023af2
0x10023af5
0x10023af7
0x10023b98
0x10023b9e
0x10023c14
0x10023c17
0x10023c1a
0x10023c1b
0x10023c1f
0x10023c26
0x10023c26
0x10023ba0
0x10023ba6
0x10023c02
0x10023c05
0x10023c08
0x10023c0b
0x10023c0e
0x10023c0e
0x10023ba8
0x10023bae
0x10023bb4
0x10023bb6
0x10023bb9
0x10023bbc
0x10023bbf
0x10023bbf
0x10023bae
0x10023afd
0x10023afd
0x10023b03
0x10023b07
0x10023b0b
0x10023b0f
0x10023b0f
0x10023b11
0x10023b14
0x10023b14
0x10023ae6
0x10023b19
0x10023b27
0x10023b29
0x10023b29
0x10023b29
0x10023b29
0x10023ac0
0x10023b2f
0x10023b33
0x10023b3c
0x10023b3c
0x10023b46
0x10023b46
0x100239e8
0x00000000
0x00000000
0x00000000
0x00000000
0x100238b3
0x00000000
0x100236de
0x100236de
0x100236e6
0x100236e8
0x100236eb
0x100236ee
0x100236f2
0x00000000
0x100236f8
0x100236f8
0x100236fb
0x1002375b
0x1002375b
0x10023766
0x1002376a
0x1002376c
0x10023776
0x10023776
0x10023779
0x10023781
0x10023788
0x1002378a
0x1002378a
0x1002378c
0x10023790
0x10023796
0x1002379d
0x1002379e
0x100237a3
0x100237ac
0x100237b3
0x100237b6
0x100237bd
0x100237c4
0x00000000
0x00000000
0x100237ca
0x100237cd
0x100237da
0x100237da
0x100237dc
0x00000000
0x100237e2
0x100237e2
0x100237e4
0x100238e8
0x100238e8
0x100238eb
0x100238ed
0x100238f0
0x10023914
0x10023916
0x10023926
0x10023926
0x100238f2
0x100238f2
0x100238f5
0x10023903
0x10023903
0x100238f5
0x100237ea
0x100237ea
0x100237f0
0x00000000
0x100237f6
0x100237fe
0x100237fe
0x10023800
0x10023800
0x100237f0
0x10023803
0x1002380a
0x1002380e
0x10023810
0x10023810
0x10023813
0x10023816
0x10023816
0x1002381a
0x10023825
0x10023828
0x1002382e
0x10023834
0x1002383f
0x1002384a
0x10023855
0x1002385d
0x10023868
0x1002386c
0x1002386d
0x10023871
0x10023875
0x10023878
0x1002387c
0x10023885
0x10023887
0x00000000
0x1002388d
0x1002388d
0x10023891
0x00000000
0x10023891
0x10023887
0x100237cf
0x100237cf
0x100237d4
0x00000000
0x00000000
0x00000000
0x00000000
0x100237d4
0x00000000
0x100237cd
0x00000000
0x100236fd
0x100236fd
0x10023700
0x10023703
0x10023707
0x10023709
0x1002370c
0x10023710
0x10023713
0x00000000
0x10023719
0x10023719
0x1002371c
0x00000000
0x1002371e
0x1002371e
0x10023721
0x10023724
0x10023728
0x1002372a
0x1002372d
0x10023731
0x10023734
0x00000000
0x1002373a
0x1002373a
0x1002373d
0x00000000
0x1002373f
0x1002373f
0x10023742
0x10023745
0x10023749
0x1002374b
0x1002374e
0x10023752
0x10023755
0x00000000
0x00000000
0x00000000
0x00000000
0x10023755
0x1002373d
0x10023734
0x1002371c
0x10023713
0x100236fb
0x100236f2
0x100236d8
0x100236cc
0x100236b5
0x100236a3
0x10023439
0x10023445
0x10023447
0x10023455
0x10023457
0x1002345d
0x10023461
0x10023466
0x1002346a
0x1002347c
0x1002347e
0x10023482
0x10023488
0x00000000
0x00000000
0x1002348e
0x10023494
0x1002349f
0x100234ad
0x100234b4
0x100234de
0x100234e1
0x100234e3
0x100234e5
0x100234e7
0x100234eb
0x1002355b
0x1002355e
0x10023561
0x10023563
0x10023563
0x100234f3
0x10023540
0x10023543
0x10023546
0x10023549
0x1002354c
0x1002354c
0x100234fb
0x100234fd
0x100234ff
0x10023502
0x10023505
0x10023508
0x10023508
0x100234fb
0x100234c0
0x100234c0
0x100234c6
0x100234ca
0x100234d4
0x100234d6
0x100234d8
0x10023514
0x1002351b
0x1002351b
0x1002351b
0x10023522
0x10023522
0x10023523
0x10023527
0x10023529
0x1002352c
0x10023574
0x1002357d
0x1002352e
0x1002352e
0x10023533
0x10023533
0x10023533
0x10023535
0x00000000
0x10023535
0x10023588
0x1002358c
0x10023590
0x1002359d
0x100235a0
0x100235a2
0x100235a9
0x100235a9
0x100235b0
0x100235b6
0x100235b9
0x100235bc
0x100235bc
0x100235b0
0x100235c3
0x100235cc
0x00000000
0x100235cc
0x1002346a
0x10023433
0x00000000

APIs

mv_image_get_buffer_size.LICKING ref: 10023389

Part of subcall function 10023180: mv_pix_fmt_desc_get.LICKING ref: 1002319F
Part of subcall function 10023180: mv_image_get_linesize.LICKING ref: 100231D4
Part of subcall function 10023180: mv_image_fill_linesizes.LICKING(?), ref: 10023268
Part of subcall function 10023180: mv_image_fill_plane_sizes.LICKING(?), ref: 100232CB

mv_pix_fmt_desc_get.LICKING ref: 10023393
mv_image_fill_linesizes.LICKING ref: 1002342C
mv_log.LICKING ref: 10023608
abort.MSVCRT ref: 1002360D
mv_pix_fmt_desc_get.LICKING ref: 10023634
mv_pix_fmt_count_planes.LICKING ref: 1002363E

Strings

, xrefs: 10023B33
Assertion %s failed at %s:%d, xrefs: 10023600

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizes$abortmv_image_fill_plane_sizesmv_image_get_buffer_sizemv_image_get_linesizemv_logmv_pix_fmt_count_planes
String ID: $Assertion %s failed at %s:%d
API String ID: 1281078460-3513380740
Opcode ID: 9aef0dac34642e9098724214980251baa09342b1a0c5f46c773e477262ad99eb
Instruction ID: a089d9c762c3cfd1a1d7a4299d54b2c96b1105fbb81873ac574cad1f7e45a592
Opcode Fuzzy Hash: 9aef0dac34642e9098724214980251baa09342b1a0c5f46c773e477262ad99eb
Instruction Fuzzy Hash: 2E429A71A083958FC761CF28E48065EBBE1FFC8354F96892EE98997310E771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10013100 Relevance: 22.6, APIs: 15, Instructions: 142COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 10013116
mv_mallocz.LICKING ref: 10013128
mv_mallocz.LICKING ref: 10013154
mv_mallocz.LICKING ref: 100131C3
mv_calloc.LICKING ref: 100132A0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_calloc
String ID:
API String ID: 1417229449-0
Opcode ID: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
Instruction ID: 852a126e1f502dc2a5b99aeb69476376aef21eb3025c4fc6af9fe8b8a21a2e70
Opcode Fuzzy Hash: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
Instruction Fuzzy Hash: CE51D374605B069FC750EFA9D480A1AF7F0FF44780F42892CE9998B601DB74F890CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100A0AD0 Relevance: 15.2, APIs: 10, Instructions: 157
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E100A0AD0(int _a4, intOrPtr* _a8) {
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _FILETIME _v36;
				struct _FILETIME _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				struct HINSTANCE__* _v60;
				signed int _v64;
				signed int _v68;
				struct _FILETIME* _v92;
				struct _FILETIME* _v96;
				struct _FILETIME* _v100;
				struct _FILETIME* _v104;
				struct _FILETIME* _v108;
				int _t78;
				intOrPtr* _t86;
				void* _t93;
				intOrPtr* _t94;

				_t94 = _t93 - 0x60;
				_t78 = _a4;
				_t86 = _a8;
				if(_t78 > 4) {
					L15:
					__imp___errno();
					 *_t78 = 0x16;
					return 0xffffffff;
				} else {
					switch( *((intOrPtr*)(_t78 * 4 +  &M100C6CB4))) {
						case 0:
							__eax =  *0x101d9210;
							if(__eax == 0) {
								__eax = GetModuleHandleA("kernel32.dll");
								__esp = __esp - 4;
								__eax = GetProcAddress(__eax, "GetSystemTimePreciseAsFileTime");
								__esp = __esp - 8;
								__eax =  ==  ? __imp__GetSystemTimeAsFileTime : __eax;
								 *0x101d9210 = __eax;
							}
							__edx =  &_v44;
							_v108 =  &_v44;
							__eax = __eax->i();
							goto L7;
						case 1:
							__eax =  &_v28;
							__eax = QueryPerformanceFrequency( &_v28);
							__esp = __esp - 4;
							if(__eax == 0) {
								goto L15;
							} else {
								__eax =  &_v20;
								__eax = QueryPerformanceCounter( &_v20);
								__esp = __esp - 4;
								if(__eax == 0) {
									goto L15;
								} else {
									__eax = _v28.dwLowDateTime;
									__edx = _v28.dwHighDateTime;
									_v68 = _v28.dwLowDateTime;
									__eax =  &_v52;
									_v64 = _v28.dwHighDateTime;
									__edx = _v64;
									_v92 =  &_v52;
									__eax = _v68;
									_v96 = _v64;
									__edx = _v20.dwHighDateTime;
									_v100 = _v68;
									__eax = _v20.dwLowDateTime;
									_v104 = _v20.dwHighDateTime;
									_v108 = _v20.dwLowDateTime;
									__eax = E10091A40();
									 *__ebx = __eax;
									__ebx[1] = __edx;
									__ecx = _v48 * 0x3b9aca00;
									_v60 = __eax;
									__eax = 0x3b9aca00;
									_v56 = __edx;
									__edx = 0x3b9aca00 * _v52 >> 0x20;
									__eax = 0x3b9aca00 * _v52;
									__edx = _v68;
									__ecx = _v64;
									__edx = (__ecx << 0x00000020 | _v68) >> 1;
									__ecx = __ecx >> 1;
									asm("adc edi, ecx");
									__eax = 0x3b9aca00 * _v52 + __edx;
									__edx = (0x3b9aca00 * _v52 >> 0x20) + _v48 * 0x3b9aca00;
									_v108 = __eax;
									_v100 = _v68;
									_v96 = _v64;
									_v104 = (0x3b9aca00 * _v52 >> 0x20) + _v48 * 0x3b9aca00;
									__eax = E10091900();
									__ebx[2] = __eax;
									if(__eax > 0x3b9ac9ff) {
										asm("adc edi, 0x0");
										__eax = __eax - 0x3b9aca00;
										 *__ebx =  &(_v60->i);
										__ebx[1] = _v56;
										__ebx[2] = __eax;
									}
									goto L5;
								}
							}
							goto L17;
						case 2:
							__eax = GetCurrentProcess();
							__edx =  &_v20;
							_v92 =  &_v20;
							__edx =  &_v28;
							_v96 =  &_v28;
							__edx =  &_v36;
							_v100 =  &_v36;
							__edx =  &_v44;
							_v104 =  &_v44;
							_v108 = __eax;
							__eax = GetProcessTimes(??, ??, ??, ??, ??);
							__esp = __esp - 0x14;
							if(__eax != 0) {
								goto L3;
							} else {
								goto L15;
							}
							goto L17;
						case 3:
							_t78 = GetThreadTimes(GetCurrentThread(),  &_v44,  &_v36,  &_v28,  &_v20);
							_t94 = _t94 - 0x14;
							if(_t78 == 0) {
								goto L15;
							} else {
								L3:
								_t92 = _v20.dwHighDateTime;
								_t82 = _v20.dwLowDateTime + _v28.dwLowDateTime;
								asm("adc edx, [esp+0x54]");
								goto L4;
							}
							goto L17;
						case 4:
							__eax =  &_v44;
							GetSystemTimeAsFileTime( &_v44);
							L7:
							__esp = __esp - 4;
							__eax = _v48;
							__edx = _v44.dwLowDateTime;
							__eax = _v48 + 0x2ac18000;
							asm("adc edx, 0xfe624e21");
							L4:
							_v104 = 0x989680;
							_v96 =  &_v56;
							_v100 = 0;
							 *_t94 = _t82;
							_v108 = _t92;
							 *_t86 = E10091D60();
							 *(_t86 + 4) = _t92;
							 *(_t86 + 8) = _v56 * 0x64;
							L5:
							return 0;
							goto L17;
					}
				}
				L17:
			}

0x100a0ad3
0x100a0ad6
0x100a0ada
0x100a0ae1
0x100a0cea
0x100a0cea
0x100a0cf0
0x100a0d01
0x100a0ae7
0x100a0ae7
0x00000000
0x100a0ba0
0x100a0ba7
0x100a0d0f
0x100a0d15
0x100a0d23
0x100a0d29
0x100a0d2e
0x100a0d35
0x100a0d35
0x100a0bad
0x100a0bb1
0x100a0bb4
0x00000000
0x00000000
0x100a0bc0
0x100a0bc7
0x100a0bcd
0x100a0bd2
0x00000000
0x100a0bd8
0x100a0bd8
0x100a0bdf
0x100a0be5
0x100a0bea
0x00000000
0x100a0bf0
0x100a0bf0
0x100a0bf4
0x100a0bf8
0x100a0bfc
0x100a0c00
0x100a0c04
0x100a0c08
0x100a0c0c
0x100a0c10
0x100a0c14
0x100a0c18
0x100a0c1c
0x100a0c20
0x100a0c24
0x100a0c27
0x100a0c2c
0x100a0c2e
0x100a0c31
0x100a0c39
0x100a0c3d
0x100a0c42
0x100a0c46
0x100a0c46
0x100a0c4c
0x100a0c54
0x100a0c58
0x100a0c5c
0x100a0c60
0x100a0c62
0x100a0c68
0x100a0c6e
0x100a0c71
0x100a0c75
0x100a0c79
0x100a0c7d
0x100a0c82
0x100a0c8a
0x100a0c9b
0x100a0c9e
0x100a0ca3
0x100a0ca5
0x100a0ca8
0x100a0ca8
0x00000000
0x100a0c8a
0x100a0bea
0x00000000
0x00000000
0x100a0cb0
0x100a0cb6
0x100a0cba
0x100a0cbe
0x100a0cc2
0x100a0cc6
0x100a0cca
0x100a0cce
0x100a0cd2
0x100a0cd6
0x100a0cd9
0x100a0cdf
0x100a0ce4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100a0b19
0x100a0b1f
0x100a0b24
0x00000000
0x100a0b2a
0x100a0b2a
0x100a0b2e
0x100a0b32
0x100a0b36
0x00000000
0x100a0b36
0x00000000
0x00000000
0x100a0b78
0x100a0b7f
0x100a0b85
0x100a0b85
0x100a0b88
0x100a0b8c
0x100a0b90
0x100a0b95
0x100a0b3a
0x100a0b3e
0x100a0b46
0x100a0b4a
0x100a0b52
0x100a0b55
0x100a0b5e
0x100a0b60
0x100a0b68
0x100a0b6b
0x100a0b73
0x00000000
0x00000000
0x100a0ae7
0x00000000

APIs

GetCurrentThread.KERNEL32 ref: 100A0AF0
GetThreadTimes.KERNEL32 ref: 100A0B19
GetSystemTimeAsFileTime.KERNEL32 ref: 100A0B7F
QueryPerformanceFrequency.KERNEL32 ref: 100A0BC7
QueryPerformanceCounter.KERNEL32 ref: 100A0BDF
GetCurrentProcess.KERNEL32 ref: 100A0CB0
GetProcessTimes.KERNEL32 ref: 100A0CD9
_errno.MSVCRT ref: 100A0CEA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentPerformanceProcessQueryThreadTimeTimes$CounterFileFrequencySystem_errno
String ID:
API String ID: 3786581644-0
Opcode ID: 51dd1917017ce4ea344f544ca5ab7e9253984b8f770848b5d1487a3e4aba5e97
Instruction ID: 224ccc2d68d42bde2d8b7ebeaf1b237af48248911179ec13eeff64e5b6c0fdca
Opcode Fuzzy Hash: 51dd1917017ce4ea344f544ca5ab7e9253984b8f770848b5d1487a3e4aba5e97
Instruction Fuzzy Hash: 2261ADB59093459FC700DF68C58855ABBE1FFC8390F15CA2EE89987228E774E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001F91B Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

mv_image_copy.LICKING ref: 1001FAAE

Part of subcall function 10022610: mv_pix_fmt_desc_get.LICKING ref: 10022691

mv_image_fill_pointers.LICKING ref: 1001FA71

Part of subcall function 10021AF0: mv_image_fill_plane_sizes.LICKING ref: 10021B60

mv_image_fill_pointers.LICKING ref: 1001FBEE
mv_image_copy.LICKING ref: 1001FC33
mv_log.LICKING ref: 1001FD5B
mv_log.LICKING ref: 1001FD8C

Strings

Could not create the staging texture (%lx), xrefs: 1001FD77
Unable to lock D3D11VA surface (%lx), xrefs: 1001FD4B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_copymv_image_fill_pointersmv_log$mv_image_fill_plane_sizesmv_pix_fmt_desc_get
String ID: Could not create the staging texture (%lx)$Unable to lock D3D11VA surface (%lx)
API String ID: 592549278-3417175521
Opcode ID: 24b71dbb73dbe40009c121059ddc25a2eb799a974b9bfa21cce5b9229e8e68c5
Instruction ID: f5ec83dd13fc7becc1cb8906caf4b861a1731c5e6261b2f5775d2eea63273682
Opcode Fuzzy Hash: 24b71dbb73dbe40009c121059ddc25a2eb799a974b9bfa21cce5b9229e8e68c5
Instruction Fuzzy Hash: 14E14AB4A087419FC364DF2AD18465AFBE1FFC8250F51892EE9998B321E774E845CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1004D9B0 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004D9C1
SleepConditionVariableSRW.KERNEL32 ref: 1004DA06
mv_fifo_can_read.LICKING ref: 1004DA17
mv_fifo_can_read.LICKING ref: 1004DA25
ReleaseSRWLockExclusive.KERNEL32 ref: 1004DA34
mv_fifo_can_read.LICKING ref: 1004DA89

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_fifo_can_read$ExclusiveLock$AcquireConditionReleaseSleepVariable
String ID:
API String ID: 98678970-0
Opcode ID: 3959360fa278840f977a4993fe4e46d526df8954f2e855f95a908014ffa0a08b
Instruction ID: be2d06b19ca8a59b54d10a00cd4906d3fd2f484dddbee0c7cb82d754c0b8dff3
Opcode Fuzzy Hash: 3959360fa278840f977a4993fe4e46d526df8954f2e855f95a908014ffa0a08b
Instruction Fuzzy Hash: B82125B16086059BD700FF39D98460BBBE4EF84350F12496EFD88CB355E630E8558B97

Uniqueness

Uniqueness Score: -1.00%

Function 10012A70 Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 10012A96
mv_mallocz.LICKING ref: 10012AA8
mv_mallocz.LICKING ref: 10012AB6
mv_calloc.LICKING ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_calloc
String ID:
API String ID: 1417229449-0
Opcode ID: 3961a8143fb2640b46fa4abe10631e48d72dc7f59a8019542beb5829ff2d5fe6
Instruction ID: 4f273aacc6c8985cf144dd44f50dfa69b109835566be6b0f09916b89282c3819
Opcode Fuzzy Hash: 3961a8143fb2640b46fa4abe10631e48d72dc7f59a8019542beb5829ff2d5fe6
Instruction Fuzzy Hash: AE21B4B89083058BCB44DF2691C111ABBE0FF88750F86495DEC889B306D774E9A1CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1000D910 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1000DA4E
mv_bprint_chars.LICKING ref: 1000DAA5
mv_channel_layout_describe_bprint.LICKING ref: 1000DAB5
mv_log.LICKING ref: 1000DB8E
abort.MSVCRT ref: 1000DB93

Strings

ambisonic %d, xrefs: 1000DA42

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_bprint_charsmv_bprintfmv_channel_layout_describe_bprintmv_log
String ID: ambisonic %d
API String ID: 3836754782-1019176007
Opcode ID: 8a70b174e9998083d75cb8294677662316375fd398f8923e194a6155ccb056f1
Instruction ID: 7d4baa19d6437278bcf9c3f85c676b03b21fcab95b0c7f72d61f0495902c71c4
Opcode Fuzzy Hash: 8a70b174e9998083d75cb8294677662316375fd398f8923e194a6155ccb056f1
Instruction Fuzzy Hash: 166191B6B146054BE704DE28C88135DB6D2EBD82B4F0DC63EE989D7349EA34DD418782

Uniqueness

Uniqueness Score: -1.00%

Function 1009D970 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 1009D977
memset.MSVCRT ref: 1009DAC7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: 091bfdadab7a1312a2f9ae87a80e29fe30512d9ac2a5c2ea8d4e3587416069bc
Instruction ID: fbeeb5ece51aede5e1024ef9b62eceea96644c9d27e399b32471eaca61424df1
Opcode Fuzzy Hash: 091bfdadab7a1312a2f9ae87a80e29fe30512d9ac2a5c2ea8d4e3587416069bc
Instruction Fuzzy Hash: 5742BC716083958FC710DF28C59035ABBE2FF85344F16892EE8898B391D775ED49EB82

Uniqueness

Uniqueness Score: -1.00%

Function 10013480 Relevance: 9.3, APIs: 6, Instructions: 286COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.LICKING ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
Instruction ID: 5f2a4f4094cb7a0488fc386a39adfcdd6b5e851adb51ea05a95b9a0d2f55e3bd
Opcode Fuzzy Hash: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
Instruction Fuzzy Hash: 44B156B1A083418FC764CF29C58461AFBE2FFC8250F56896DE9899B350E631E981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1002B0B0 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1002B231

Strings

INT64_MIN, xrefs: 1002B3E6
%d:%02d.%06d, xrefs: 1002B220
INT64_MAX, xrefs: 1002B3A6
%d.%06d, xrefs: 1002B413
%lld:%02d:%02d.%06d, xrefs: 1002B386

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
API String ID: 39653677-2240581584
Opcode ID: 11cc0387ba0acaa09a76acaf0e1bd6dd28ec28603ad3855deced5f26615f1bcb
Instruction ID: 43d3ff7a82607b78a247297113464a0dd0228f1a79180d729c91701a74fde06b
Opcode Fuzzy Hash: 11cc0387ba0acaa09a76acaf0e1bd6dd28ec28603ad3855deced5f26615f1bcb
Instruction Fuzzy Hash: CBA16C72A187118FC708CF6DD44061EFBE6EBC8750F598A2EF498D7364D674D9058B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000C9F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

%d channels, xrefs: 1000CAF8

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %d channels
API String ID: 0-1351059727
Opcode ID: 8f88c7eba476947328e87fe40425447bcd99ec8031b5ce492b0e1bd0b4f33cc5
Instruction ID: c9c7a3ae5954c17f5d5603ead32183c847cfa5897b85e8beb4ef6d1985739e28
Opcode Fuzzy Hash: 8f88c7eba476947328e87fe40425447bcd99ec8031b5ce492b0e1bd0b4f33cc5
Instruction Fuzzy Hash: 2351E9B6B047054BD308DF28D85126EB7E2FBC52A0F58C83EE586C7345EA35ED418782

Uniqueness

Uniqueness Score: -1.00%

Function 10004C96 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

4, xrefs: 10005E70

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 4d8cbeff02eae78f0e6d9551b3900ff6fa45a2d250c9fd757a52c3161d27cb74
Instruction ID: 142c53129f6dd5162a6dc74f8f9d5308986cdb620bee08254c43db3c68278e48
Opcode Fuzzy Hash: 4d8cbeff02eae78f0e6d9551b3900ff6fa45a2d250c9fd757a52c3161d27cb74
Instruction Fuzzy Hash: 5D023A30A18784CAE375CF24C88479BB7E6FF85381F218B1ED48A97259E7719885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10007270 Relevance: 6.3, APIs: 4, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
Instruction ID: 80344777319d5c39256bea2cca684abcfe3cba157365ca00e8d05506c74a31d6
Opcode Fuzzy Hash: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
Instruction Fuzzy Hash: 54C19E71A087858FD354CF2D888064EBBE1FFC9294F198A2EF8D8C7355E675D9448B42

Uniqueness

Uniqueness Score: -1.00%

Function 10023620 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING ref: 10023634
mv_pix_fmt_count_planes.LICKING ref: 1002363E
mv_write_image_line.LICKING(?), ref: 1002387C
mv_image_get_linesize.LICKING ref: 100238C4

Strings

, xrefs: 10023B33
Assertion %s failed at %s:%d, xrefs: 10023600

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_get_linesizemv_pix_fmt_count_planesmv_pix_fmt_desc_getmv_write_image_line
String ID: $Assertion %s failed at %s:%d
API String ID: 2742463661-3513380740
Opcode ID: b15f4da3bc99d86a8a72eb8f47aa1c4a0f05deb1cb0c640b6a96daa2dd6c2713
Instruction ID: e860dd3250005cc84d28b56d21b73749903b5aa19a013802b2ff0fa26c58b836
Opcode Fuzzy Hash: b15f4da3bc99d86a8a72eb8f47aa1c4a0f05deb1cb0c640b6a96daa2dd6c2713
Instruction Fuzzy Hash: 527129B5A083458BC765CF29E48029BFBE1FFC8350F558D2EE899C7250E730D8858B82

Uniqueness

Uniqueness Score: -1.00%

Function 10003BA5 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

p, xrefs: 10003E93

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 8d7e843892f8bc59acea61e8ee3f406ea24a0c133f8ecf0cb21e14aadc3c8eac
Instruction ID: b120ad44887f90431df98fb91d1d6e0570ae98d5f198b3888bdd975ad240fbdf
Opcode Fuzzy Hash: 8d7e843892f8bc59acea61e8ee3f406ea24a0c133f8ecf0cb21e14aadc3c8eac
Instruction Fuzzy Hash: B8421775A083918FE374CF298480B9BB7E2FFC9390F558A2ED98997355D7709841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10092180 Relevance: 4.6, APIs: 3, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 100921A1

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
Instruction ID: 7e8eca435f47cc72285f0ff92e2e59cf077fa7250504efb7398187b0f8841556
Opcode Fuzzy Hash: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
Instruction Fuzzy Hash: FC2139B04093419FDB20EF28D58825ABBF0FF84350F11892DE8D987258E738D584DB52

Uniqueness

Uniqueness Score: -1.00%

Function 10012CF0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220783f6518366c083297090f3e1f15f6edb796605cfe3e619791d83dcd7bf41
Instruction ID: 5805fcc4f61ad00ae9ae6704460015b8043034553e22dbe709ae6012cd6c24b5
Opcode Fuzzy Hash: 220783f6518366c083297090f3e1f15f6edb796605cfe3e619791d83dcd7bf41
Instruction Fuzzy Hash: 28E0A5B45083048BCB00EFA8D0C191AFBF0FF58244F80485DA9884B303D275E5548BB2

Uniqueness

Uniqueness Score: -1.00%

Function 1004DDC5 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

gfff, xrefs: 1004DE31
gfff, xrefs: 1004DF1C
gfff, xrefs: 1004DFAC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: gfff$gfff$gfff
API String ID: 0-4275324669
Opcode ID: 268b3e8c4049cf9f0418b796dedf1257a26545202377507e9ea087931b81b73a
Instruction ID: b8e1b3ef7b19016f091dd3aee8bfbae4d0f31b66eef5915195d5171b29ecea2e
Opcode Fuzzy Hash: 268b3e8c4049cf9f0418b796dedf1257a26545202377507e9ea087931b81b73a
Instruction Fuzzy Hash: 377196327047164FD758DE2ECD8020AB7D6EBC8340F598A3DE599DB394DA70ED198B81

Uniqueness

Uniqueness Score: -1.00%

Function 10013860 Relevance: 3.2, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

mv_malloc.LICKING ref: 10013AE8

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloc
String ID:
API String ID: 3797683224-0
Opcode ID: db7b46ff415f0054f38cb9c001ad25aec02b0895e2a85fae17c1af358806de38
Instruction ID: 2c16346d9416021724ca7b8b44fcd442ffeb85943fcf338eab2551d35e8829f5
Opcode Fuzzy Hash: db7b46ff415f0054f38cb9c001ad25aec02b0895e2a85fae17c1af358806de38
Instruction Fuzzy Hash: E6718DB2A042568FCB14CF28C88175AB7E2FF94354F66C568ED899F341E671ED81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 100084B0 Relevance: 3.2, APIs: 2, Instructions: 185COMMON

Download Yara Rule

APIs

mv_blowfish_crypt_ecb.LICKING ref: 10008642

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_blowfish_crypt_ecb
String ID:
API String ID: 997994871-0
Opcode ID: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
Instruction ID: d8ffb9ab9be6425fb2f2151958634ca33b63df147d529954a2eeef9d18f7c60e
Opcode Fuzzy Hash: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
Instruction Fuzzy Hash: 537145B19097818BC709CF29D5C846AFBE1FFC9245F118A5EE8DC87344E270AA04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 100243C0 Relevance: 2.2, APIs: 1, Instructions: 724COMMON

Download Yara Rule

APIs

mv_mod_i.LICKING ref: 10024C49

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mod_i
String ID:
API String ID: 416848386-0
Opcode ID: a8d4099fe6c0eb055b727cce64fe07889f2056542eb8a35ea18b6c28ee92d382
Instruction ID: 43765a35f2f4f9fc1063cca94ddc9992076bb8f6061d82eb0e951d8864de96b8
Opcode Fuzzy Hash: a8d4099fe6c0eb055b727cce64fe07889f2056542eb8a35ea18b6c28ee92d382
Instruction Fuzzy Hash: 43621971A083A18BD724CF29D04066EF7E2FFC8750F568A1EE9D997390D770A840DB96

Uniqueness

Uniqueness Score: -1.00%

Function 10026870 Relevance: 2.0, APIs: 1, Instructions: 473COMMON

Download Yara Rule

APIs

mv_memcpy_backptr.LICKING ref: 10026924

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_memcpy_backptr
String ID:
API String ID: 3283147377-0
Opcode ID: 82edd6c9b28d5e3e87d5fc8225cc50ae9901fcbf316564df120b2eb5d842609a
Instruction ID: 6adeda491979ec79bc18b55163f70ef6a5914fbcbff489884736b25c3339ce0e
Opcode Fuzzy Hash: 82edd6c9b28d5e3e87d5fc8225cc50ae9901fcbf316564df120b2eb5d842609a
Instruction Fuzzy Hash: 3902C271A083568FC715CF29D88025AB7E1FF8C348FA5897DE8899B351D731E949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100353B0 Relevance: 1.9, APIs: 1, Instructions: 385COMMON

Download Yara Rule

APIs

mv_gcd.LICKING ref: 1003544D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_gcd
String ID:
API String ID: 2848192316-0
Opcode ID: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
Instruction ID: e6b2b5b070de62496659ab70d0058dc1d8b8705572cd85af2ca405c8e7fadc16
Opcode Fuzzy Hash: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
Instruction Fuzzy Hash: 5DF1BF75A083508FC358CF2AC48060AFBE6AFC8750F558A2EF998D7361D670E9458F82

Uniqueness

Uniqueness Score: -1.00%

Function 100215D0 Relevance: 1.8, APIs: 1, Instructions: 297COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get
String ID:
API String ID: 2427544746-0
Opcode ID: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
Instruction ID: 559f6f707dd61799b0b773c6f5cd064c8ce248da486725d9c35fe17e2713b67a
Opcode Fuzzy Hash: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
Instruction Fuzzy Hash: DBA138387083098FD758DE29E4507ABB7E1EF94390F94463EE866CB780EB31E9458B01

Uniqueness

Uniqueness Score: -1.00%

Function 1002DD90 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_d2q.LICKING ref: 1002E0EC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_d2q
String ID:
API String ID: 1563177686-0
Opcode ID: df60b9c3e4e375c28ecf4bde0fe12835fdcb229c5ee143df9ba315de1fe879c0
Instruction ID: 00a00f14b8a667a48f961a05508467dfe02d8a23c66dc59f7518774abb1ed7aa
Opcode Fuzzy Hash: df60b9c3e4e375c28ecf4bde0fe12835fdcb229c5ee143df9ba315de1fe879c0
Instruction Fuzzy Hash: CC715034508B45CFC346EF38D48061AF3B1FF8A380F9587AAE95A6B261D771AC85DB41

Uniqueness

Uniqueness Score: -1.00%

Function 1000EDB0 Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200260e9623359c508817fde2ba7d890febb787173ff349f83ddfd7edfc928b9
Instruction ID: 0d64d5b4eefbac50bd85d2b9f56cd68fe73ffd577be4b7bc55791283b886aa23
Opcode Fuzzy Hash: 200260e9623359c508817fde2ba7d890febb787173ff349f83ddfd7edfc928b9
Instruction Fuzzy Hash: 0651F7767043464BE718CE58D8C062DB3D1EB883B4B1EC63DEE59AB399D630EC45C681

Uniqueness

Uniqueness Score: -1.00%

Function 10012D40 Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

mv_encryption_info_alloc.LICKING ref: 10012DD5

Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012A96
Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012AA8
Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012AB6
Part of subcall function 10012A70: mv_calloc.LICKING ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_callocmv_encryption_info_alloc
String ID:
API String ID: 3322142038-0
Opcode ID: 42a5be7598cb39ad7791f87488e6a70f642197d01b399c05ab6afc0b11886a48
Instruction ID: 564550559dc25ff60d170d57d2507b8afd000e4bbd60ef45d364b311c6fa6347
Opcode Fuzzy Hash: 42a5be7598cb39ad7791f87488e6a70f642197d01b399c05ab6afc0b11886a48
Instruction Fuzzy Hash: B1517CB2E042118BC704CF19C48461AFBE2FFE8354F26856DD88CAB315E674EDA5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1001363B Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.LICKING ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
Instruction ID: 78d0e82bed4cec982bfd679939fa63163902b3eee1ff480991edcad54221ee49
Opcode Fuzzy Hash: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
Instruction Fuzzy Hash: 1951F5B1A087419FC744CF29C58451ABBE2FFC8654F56CA2DF889A7350D731ED458B82

Uniqueness

Uniqueness Score: -1.00%

Function 100136FB Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.LICKING ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
Instruction ID: 95a8c643b77e51546d68e8d33e3f4ed292e5d24ad01eeb6ce01257d6c0bf5d32
Opcode Fuzzy Hash: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
Instruction Fuzzy Hash: 2D5128B1A087419FC744CF29C58461AFBE2FFC8654F56C92DE889AB350D731ED428B82

Uniqueness

Uniqueness Score: -1.00%

Function 10002480 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

mv_aes_crypt.LICKING ref: 10002554

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_aes_crypt
String ID:
API String ID: 1547198422-0
Opcode ID: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
Instruction ID: 6533aa27bc2eace4d46e94b1d96a72d5c0883edd5f4be066e5c3eb9db2eb8fbd
Opcode Fuzzy Hash: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
Instruction Fuzzy Hash: 81419D3510D7C18FD301CF69848054AFFE1FF99288F198A6DE8D993306D260EA09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1000EAC0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

mv_channel_layout_index_from_string.LICKING ref: 1000EAD6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_index_from_string
String ID:
API String ID: 1941520394-0
Opcode ID: b5427e202f8ac7429ec52a8e90e2a2ab38b9bd65bff75006616c9072962c14a1
Instruction ID: dd8c77e47ba7934b60b61c42e329a9640ddafb1186b5f9bdd33cfe49ccecab15
Opcode Fuzzy Hash: b5427e202f8ac7429ec52a8e90e2a2ab38b9bd65bff75006616c9072962c14a1
Instruction Fuzzy Hash: 6331E4B7F1476A0BE7209999DCC0216B3C0EB88270B4E863DDE5AA7786F551BD1582C1

Uniqueness

Uniqueness Score: -1.00%

Function 10012B40 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

mv_encryption_info_alloc.LICKING ref: 10012B5E

Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012A96
Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012AA8
Part of subcall function 10012A70: mv_mallocz.LICKING ref: 10012AB6
Part of subcall function 10012A70: mv_calloc.LICKING ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_callocmv_encryption_info_alloc
String ID:
API String ID: 3322142038-0
Opcode ID: 0d1d6d985499e695549cee1dfdc865532ac4685cf5ab5fd08e705158918137f9
Instruction ID: 70bb560b92b21ff9a949702552601914469cb58a4fc0686d30597e3817c1d297
Opcode Fuzzy Hash: 0d1d6d985499e695549cee1dfdc865532ac4685cf5ab5fd08e705158918137f9
Instruction Fuzzy Hash: 19418DF69082518BD714CF14C5D162BBBA2FF94310F6686A8CE890F309E335E9E1D790

Uniqueness

Uniqueness Score: -1.00%

Function 10002523 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

mv_aes_crypt.LICKING ref: 10002554

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_aes_crypt
String ID:
API String ID: 1547198422-0
Opcode ID: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
Instruction ID: b15eea7d1e62e16a03610dfd725cbd08b0199710858140edd711ee624ae9ea9b
Opcode Fuzzy Hash: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
Instruction Fuzzy Hash: DC31C47610D7C18FD302CB6990C0099FFE1FF99248F198AADE4DD93706D264EA19CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1000867B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

mv_blowfish_crypt_ecb.LICKING ref: 100086C2

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_blowfish_crypt_ecb
String ID:
API String ID: 997994871-0
Opcode ID: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
Instruction ID: 3ce9d50094e6346554c2820e15aae8c95f0dca09f8e32c6084807ed2f7b375be
Opcode Fuzzy Hash: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
Instruction Fuzzy Hash: 26019DB59093448FC709CF18E48842AFBE0FB8C355F11892EF8CCA7740E774AA448B46

Uniqueness

Uniqueness Score: -1.00%

Function 10010750 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010911

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
Instruction ID: 42a7ec19d686179b44da1d5c9b288b2ee9791ca70b21cf781f8aa0d3f756190c
Opcode Fuzzy Hash: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
Instruction Fuzzy Hash: 48615E76A183158FD308DF19D88021AF7E2FBC8710F59892DF998DB351D674EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 10010980 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010B38

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: c6972a37ad2e2222d65afc4e55376d73186b7d177790482f72f96b84295bef74
Instruction ID: 88479de14bb2f39b9fc55125830bf113a632cebd2de1f332091022c863dacf4c
Opcode Fuzzy Hash: c6972a37ad2e2222d65afc4e55376d73186b7d177790482f72f96b84295bef74
Instruction Fuzzy Hash: F7519C76A183148FD308DF19D88025AF7E2FBC8710F5A892DE998DB311D770EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 10010778 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010911

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
Instruction ID: 7f4d39fd12622659375b300fc8b1f39ce51f3fa70086a48383707f29ea88d571
Opcode Fuzzy Hash: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
Instruction Fuzzy Hash: E5517D76A187158FD308DF19D88021AF7E2FBC8710F4A892DE999DB351D774EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 1001099C Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010B38

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 06a843a8851a56a66e7df70c880cd4096c4c69da5a0f70d5f5e3fd97c5f100c7
Instruction ID: 19cd5f952c3110aaa204112f2fa5bdffc5ff9ac6086c667ec371dfd1999c3bcc
Opcode Fuzzy Hash: 06a843a8851a56a66e7df70c880cd4096c4c69da5a0f70d5f5e3fd97c5f100c7
Instruction Fuzzy Hash: 9F518B76A187158FD308DF19D88025AF3E2FBC8710F5A892DE999DB311D770EC159B82

Uniqueness

Uniqueness Score: -1.00%

Function 1004E517 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 1004E650

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: b357c0945c8bd78d424991b74f4df69209fe368a457671497f9701e50f6f69a1
Instruction ID: 16373764aa7b57c467d4ddb1398818065a43813a8caca82b3b75591bc4d36b3a
Opcode Fuzzy Hash: b357c0945c8bd78d424991b74f4df69209fe368a457671497f9701e50f6f69a1
Instruction Fuzzy Hash: 7F518AB1A083958FD754CF29C48065AB7E2FBD8344F514A3EF489C7392E635DA09CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 100105C0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

*, xrefs: 100106C6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
Instruction ID: cf0b5ffff515d544aa88b6753479d2fbc1523f17d7230f1051f2f56c5c5a0ce0
Opcode Fuzzy Hash: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
Instruction Fuzzy Hash: EB414DB6E083514FD340CE29C88021AF7E1EBC8754F5A892EF8D8DB351E674ED418B82

Uniqueness

Uniqueness Score: -1.00%

Function 1004E71B Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

%02u:%02u:%02u%c%02u, xrefs: 1004E7D7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %02u:%02u:%02u%c%02u
API String ID: 0-3773705257
Opcode ID: d82a510f73677fb691e615c0541bb961be59e874028533813ffe8460b3d1ecfc
Instruction ID: d90ce8b978bf5b8c3d0bac3652b59c3561294d3fd41cd0306b810182fdfdbc6a
Opcode Fuzzy Hash: d82a510f73677fb691e615c0541bb961be59e874028533813ffe8460b3d1ecfc
Instruction Fuzzy Hash: 8F31C17590C3628FE710CE15C4C139AB7E3EBC0751FA0893EE6844B393D639694ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 10028070 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
Instruction ID: 3bfc1c5f2a162aac7bd0c21019aebd2925a812e4926be9baa0010d95d64e9f74
Opcode Fuzzy Hash: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
Instruction Fuzzy Hash: 9532503274471D4BC708EEE9DC811D5B3D2BB88614F49813C9E15D3706FBB8BA6A96C8

Uniqueness

Uniqueness Score: -1.00%

Function 10033261 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
Instruction ID: f869e9a1b34da82721341a2e34109cf1638c9a300c83071e32ba022aecfd3d09
Opcode Fuzzy Hash: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
Instruction Fuzzy Hash: DB228672A083559FC715DE28C8C155AB7F1FF89316F198A2DE9C9AB310D234EE05DB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000B0D0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
Instruction ID: 3194deff8c1016480bd4981d57c44dc359412b19884f203e35b39e086724ce96
Opcode Fuzzy Hash: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
Instruction Fuzzy Hash: D342DE756087409FC754CF29C58099AFBE2BFCE250F16C92EE899C7356D630E942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10058218 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8673a169bbf8a7600cb09c2bfd4fb798068d64e0c6cd272ed47d5aa3153b32cc
Instruction ID: ca0c9c01fde4724b4c864b32b8bd85e5f59bcfffef0ae5b99c965017491d0dfe
Opcode Fuzzy Hash: 8673a169bbf8a7600cb09c2bfd4fb798068d64e0c6cd272ed47d5aa3153b32cc
Instruction Fuzzy Hash: FD420E31A18F948EC327DE39C46066BF7A9BFDB2C0F01C71EE85A6B621DB3195468741

Uniqueness

Uniqueness Score: -1.00%

Function 10007DC0 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89019973bee3dffa5506d068e04858f8f99ab5c1de9c519b00743639777b486
Instruction ID: 7b21dc0033a548e5174aa2f0601695db2f061ee7d4fbd3404672eef6e23c78c5
Opcode Fuzzy Hash: f89019973bee3dffa5506d068e04858f8f99ab5c1de9c519b00743639777b486
Instruction Fuzzy Hash: 4A222635A002218FD398DE1ED8D0D6A7393ABC4329F57C36E9E445B3AACD38786597D0

Uniqueness

Uniqueness Score: -1.00%

Function 1002A1A1 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
Instruction ID: 9772ef97af37772237b7d3f4791e376c52d85cc118ce0e008e01ab5786da6001
Opcode Fuzzy Hash: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
Instruction Fuzzy Hash: 0002F1719083058FC314CF28D88025ABBF2EFCA344F59896ED8989F356D775D986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10001C10 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45114ea78a404cb3cc5152c11c1bce9efc033c213ab6a958cd88ee2eb44a16a
Instruction ID: f74a24015f26f5817d470ebb5349e6953816b24295dffa4bf4435206cc52e42c
Opcode Fuzzy Hash: d45114ea78a404cb3cc5152c11c1bce9efc033c213ab6a958cd88ee2eb44a16a
Instruction Fuzzy Hash: 5212903090C3D18FD315CF29C4902AAFBE1EF8A354F1949AEE8D58B356D234EA45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000AB30 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d71789e1cfc5ba619a513dd52caf5850fc783eb8f71c40b6a59df87316754b2
Instruction ID: 41af5d95f87fbfb2af461ad8df70ea3d515ec82b3f583ba1e2401cfb082bbbf6
Opcode Fuzzy Hash: 2d71789e1cfc5ba619a513dd52caf5850fc783eb8f71c40b6a59df87316754b2
Instruction Fuzzy Hash: C102A075A087119FD744CF29C58061BFBE2AFCC650F16C96AE898DB319D770EC428B92

Uniqueness

Uniqueness Score: -1.00%

Function 10027220 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
Instruction ID: a1783afd4e89d5d45f318d4dea30fc4f4dbee87a7b07b29a2b4422f07ac09f3a
Opcode Fuzzy Hash: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
Instruction Fuzzy Hash: 55E10675B083008FC314CE2CD88060AFBE6BBC9764F598A2DF999D73A1D775E9458B42

Uniqueness

Uniqueness Score: -1.00%

Function 1004C4C0 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
Instruction ID: cfe0db77eb5cf6d1d758d10ab8d8d19e39a375eed658ea468c837abfea5f450e
Opcode Fuzzy Hash: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
Instruction Fuzzy Hash: C6D124729083698BC790CE28C88176A77D2EF85310F3A89BDDC95CF346E635E844DB95

Uniqueness

Uniqueness Score: -1.00%

Function 100339B9 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129f30df6b4c6de6fa15e734229779a4f3ca43ecadf31894dce80d162879d2d5
Instruction ID: d71ca33738c10803c7f621c1fa200d4107b0c626772951217f95a0ac31ba9ac0
Opcode Fuzzy Hash: 129f30df6b4c6de6fa15e734229779a4f3ca43ecadf31894dce80d162879d2d5
Instruction Fuzzy Hash: 59E14A35A0871A9BC710CF68C8C165AB7F1FFC9255F09C95CEA896B315E330AE55CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC40 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f79798d6274997cf86a9830772a643e2613ef96d413b4a7de7c3b2c507637b8
Instruction ID: 6a64d29b74dd50650807f73386f8a28ca4746a726bb9b946e7f8f6c26765422b
Opcode Fuzzy Hash: 1f79798d6274997cf86a9830772a643e2613ef96d413b4a7de7c3b2c507637b8
Instruction Fuzzy Hash: 13C16336A002358FD708CF59E8D48E533A3ABD931174F87ADE646973A5CA30F825DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B830 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52550eb076a4e706d339de0456ef0f0ef9ca300451e06a09269b05e4983c36a4
Instruction ID: 1df3b6ebd6122cdab682df68e20255591825bd97864da38137cd296708d31c63
Opcode Fuzzy Hash: 52550eb076a4e706d339de0456ef0f0ef9ca300451e06a09269b05e4983c36a4
Instruction Fuzzy Hash: A3C13E396042284FD74CDF29E8E48B53363ABD8351B4B83ADE602473E5CA34B925DB94

Uniqueness

Uniqueness Score: -1.00%

Function 100500A3 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2f5e3a6e755b5cd1ec8c14b0b22a304fa7b3516a21b49beeeb033897322eaa
Instruction ID: c2fc9c73d0549f28eeec7fbf908dec06a9eb77b9269da131990b573fe809a1f2
Opcode Fuzzy Hash: 8b2f5e3a6e755b5cd1ec8c14b0b22a304fa7b3516a21b49beeeb033897322eaa
Instruction Fuzzy Hash: DDC15F302087959FC741CF2AC4805AAFBF1EF99200F49C55EF9D88B346D634EA15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100500E1 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d016340bc325db1fd1648bbb37fa4be5db1333341c3535a9616d09fdc8b0c0ba
Instruction ID: 9c0e596813f4bfa3225ed572cc817963e9f57f296ce0d566ee08c052ea472f19
Opcode Fuzzy Hash: d016340bc325db1fd1648bbb37fa4be5db1333341c3535a9616d09fdc8b0c0ba
Instruction Fuzzy Hash: 13B150312087959FC745CF2AC4805A6FBF1EF9A200F49C55EE8D88B347D634EA15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10008144 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
Instruction ID: 8c294614796abfce7a9b313687c0130c20c351539878b9b69ed8c38673feebb7
Opcode Fuzzy Hash: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
Instruction Fuzzy Hash: 2DA134356002118FD398DE1FD8D0D6A7393ABC432DF5BC26E9E445B3AACD38B4669790

Uniqueness

Uniqueness Score: -1.00%

Function 10007A50 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930e695f6b8eca41130a53b596d6cf8baec4992ec9755c4dd3e6ab00923b5f85
Instruction ID: ebf589678dd2b21f450bef16afd8acf277a4c86fda3af18da15dd9d105d6ad1f
Opcode Fuzzy Hash: 930e695f6b8eca41130a53b596d6cf8baec4992ec9755c4dd3e6ab00923b5f85
Instruction Fuzzy Hash: 0CA13C70E003198FD39CDE1ED850E7A73A3AFC8229B8B865E95464F2F6DD346461C798

Uniqueness

Uniqueness Score: -1.00%

Function 1002A800 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
Instruction ID: 5a3567ab1930261374c9840a1c83134747ca7f3c34ec4ff9dc62d8c6c08ad054
Opcode Fuzzy Hash: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
Instruction Fuzzy Hash: 59815172B047019FD308CF19D58161AF7E7ABD8210F5AC43DA999CB3A5DA74E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1004D4B0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdeefbb9b1cc8c6670991cf24b173620491e3b0587a273fc61fabb3fb5080e81
Instruction ID: 7c052d3adecac24b92ca5bc1e5dcd8f7a2892c0960664a487740c9dedc837351
Opcode Fuzzy Hash: cdeefbb9b1cc8c6670991cf24b173620491e3b0587a273fc61fabb3fb5080e81
Instruction Fuzzy Hash: EA61AE716097959FC700DF69888055AFBF0FF9A200F5A896EE9ECD7342D230EA14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10091A40 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee1c2db8a7d7445515ed4ed8b5a79ec0df0280c1516db77d56b195c4cd682aa
Instruction ID: c0db4bac9e752cda226084d9a6b8fff8e792133d8021f7f25b9a52affd6acdcb
Opcode Fuzzy Hash: aee1c2db8a7d7445515ed4ed8b5a79ec0df0280c1516db77d56b195c4cd682aa
Instruction Fuzzy Hash: 76514C717087164BD704CE2EC49425AFAE3ABC8260F15CA3EE59DC3794EA70DC499B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000E760 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
Instruction ID: a9fd71970cc6ae0704401159e34ccb1fdaf457640d2c7af12330d1c819c8daf0
Opcode Fuzzy Hash: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
Instruction Fuzzy Hash: 8941B173F2582507E7188828CC05319B2C3DBE4271B1EC37AED59EB789E934ED1686C2

Uniqueness

Uniqueness Score: -1.00%

Function 10001900 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c9731ac9791965d3b7a154f2342cee9636098d280da4ae3d7531fa599f4c67
Instruction ID: cc9643936d2b1120ca3b10c8b858c6b31ca5e6aa37f2d348ce5eafb853cc114c
Opcode Fuzzy Hash: 08c9731ac9791965d3b7a154f2342cee9636098d280da4ae3d7531fa599f4c67
Instruction Fuzzy Hash: E791D7755042618FDB40CF29C480692BBE1FF99324F1D85BAED989F31AD270A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000FBC0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cead09edc808eba7652fd3d48dd65b28855fe963b82d9cdceffa72e781f375
Instruction ID: d4bf447c78ef34d846e3780bb63b59d672897940ec14c231ea6f15673d30e65f
Opcode Fuzzy Hash: 76cead09edc808eba7652fd3d48dd65b28855fe963b82d9cdceffa72e781f375
Instruction Fuzzy Hash: D451F433A209684BE304CD3ACC4079E72D3EBC4245F1EC77AD955CB64EDA74E9069780

Uniqueness

Uniqueness Score: -1.00%

Function 1000164B Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
Instruction ID: 873dc1b037270df3c72fc734cdf9910190291773d7bcced776bb32a5dc4e00db
Opcode Fuzzy Hash: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
Instruction Fuzzy Hash: 3081E2745042528FDB94CF29C5C0A96BBE1FF9E310F59C4B9ED988F61AE230A941DF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000EC10 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f31e89bf383224261359c19d973366952f6040810ff11a53915b1b7b06738d
Instruction ID: 7e8a3e0d9609ec9b68da2310c9f9daf873c96b394346dc03648b3db89d458a9c
Opcode Fuzzy Hash: e3f31e89bf383224261359c19d973366952f6040810ff11a53915b1b7b06738d
Instruction Fuzzy Hash: 3E318BB7B2574307E70C89A8DCE232892C1E76823078DC23EEB17D7787E454DD5A8642

Uniqueness

Uniqueness Score: -1.00%

Function 10091900 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 077d42be5f2903746ef15cd59dbb682990c555792fad529c54c47e406318dc5a
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 7F31C13170831A4BC714EEAEC4D439AF6D3DBC82A0F56863DE98DC3380E9718C45A782

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD50 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6082cca1dc85545b64e55bf4046541dfc96b67093dd2ab0c149368fdd1ef0414
Instruction ID: e3fe650a6823e4e4dc9b535e6935c2817203043b6de3b1da7cd6ba713d0eb7c0
Opcode Fuzzy Hash: 6082cca1dc85545b64e55bf4046541dfc96b67093dd2ab0c149368fdd1ef0414
Instruction Fuzzy Hash: 8B3150F7F2692A03D31C441D9C11325A1C396E853075FC37EAE6AE77C6EC25AE1541C2

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC10 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20aa1a2ed174444797f685eedafff3cac45e3a360d2fd9617722acb5f664a91e
Instruction ID: f0472b0e8e5d5ce24967d3d273812064255cadfc7dac72f8d46582de7e0842bc
Opcode Fuzzy Hash: 20aa1a2ed174444797f685eedafff3cac45e3a360d2fd9617722acb5f664a91e
Instruction Fuzzy Hash: 243146B3E1422A47E314E8089C80518F392EBD82B0B1FC376CD4DDB386E961AE45D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 10024280 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
Instruction ID: d243654ff977fd15b0e0421b28be889c9be6cd6a9a899c254bf598e7771c2fe2
Opcode Fuzzy Hash: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
Instruction Fuzzy Hash: 0A4174627043329AE314ABEDF4C045EF2E1FE81BA1B874A69D2952F141D230D84DC7EB

Uniqueness

Uniqueness Score: -1.00%

Function 1000D060 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
Instruction ID: 6d93bd8323a72235920ba6e149a4a7bae96c73b66a2dfad555009d0c6ff0ce4f
Opcode Fuzzy Hash: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
Instruction Fuzzy Hash: 5311D2B3F2453203E71CD4199C2136D828387E82B071FC23FDE47A7286EC609D5682D1

Uniqueness

Uniqueness Score: -1.00%

Function 1000FA00 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16418492506d26e88d9ea5ffe778ecedbadd0674902667d5b4f3f091e616a9e4
Instruction ID: 959dd8b958685b2c602623f8f1487b2043f59aa88e98173f8505a8abe479dfa4
Opcode Fuzzy Hash: 16418492506d26e88d9ea5ffe778ecedbadd0674902667d5b4f3f091e616a9e4
Instruction Fuzzy Hash: 01214F33BA0CAB07D748CD7ACC823DA62D3E7C4209F49C6789556D7649D53DD8429680

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAE0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3141d09b1683437dc047317c092a48923b199cea0971d17c0b8de08017b4ddf
Instruction ID: 7401ec26052bbdd11a75dd464f743d8617a1d02d8098354ba99e3f62ca5db7ec
Opcode Fuzzy Hash: f3141d09b1683437dc047317c092a48923b199cea0971d17c0b8de08017b4ddf
Instruction Fuzzy Hash: A8219D73F300320BC728CD7D8C5825662C1D7C8295B4E8BB9EE58EF786E668DD419AC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C0B0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
Instruction ID: 192b5b8e635135c3962563ef613f7b52fce4010c0b042699b34e9086fceffb22
Opcode Fuzzy Hash: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
Instruction Fuzzy Hash: 38316F651087D85ECB11CF3544904EABFE09EAB581B09C49EF8E84B247C524EB09EB71

Uniqueness

Uniqueness Score: -1.00%

Function 100101D0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
Instruction ID: 7615e6e647f5862a10f08712ea71b14590be4302af2179b17c0dfb1654340f57
Opcode Fuzzy Hash: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
Instruction Fuzzy Hash: FF2122726042658BCB14DE19C8D86AB73E2FBC9314F168A68E9C55F205C234F84ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAF7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e8cd7bf255c7c8b941f54418a5bf7396c934417188cacc302b08a8026b8cc6
Instruction ID: e42923ef10120b0fce72e2dfd62ff0f6b1e92c6f034ab2fe8244b6ba9566043e
Opcode Fuzzy Hash: 21e8cd7bf255c7c8b941f54418a5bf7396c934417188cacc302b08a8026b8cc6
Instruction Fuzzy Hash: 2F115E73E301320BC724CD7D8C4834262C1D788256B4E8BB5DE98EF342E268ED429AC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA10 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7af4f46a08e7ef1a4a56e4a40f5981226a4f69f761e678816acde0877da6c7
Instruction ID: 4618d661b8687cc8c0899b5e88aa78636db23022fb76ddc9f1eb2064e60bd1bc
Opcode Fuzzy Hash: 2c7af4f46a08e7ef1a4a56e4a40f5981226a4f69f761e678816acde0877da6c7
Instruction Fuzzy Hash: 67314DB1A006344BE358CF1AEDE062AF3E2E38C320F46416DD999D33B1D9786825D792

Uniqueness

Uniqueness Score: -1.00%

Function 100364E0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad436124cf0627712d9c57b5f9352303ce41f418a33c0e13c018656ee81bd46e
Instruction ID: 0140c66fcf905bb5118d3f18eb888db55aaf18b1bd6e0981530fe2a838cae29c
Opcode Fuzzy Hash: ad436124cf0627712d9c57b5f9352303ce41f418a33c0e13c018656ee81bd46e
Instruction Fuzzy Hash: 3521AD3400D7E05EC713DB65849056AFFE1AE9A652F09C9EEE8E84A387D1389614DB23

Uniqueness

Uniqueness Score: -1.00%

Function 1001E0D9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
Instruction ID: 69aa92c53cb6c6df6d72f2decc3ec4bd7719b31d68b56e1e2cf303e831d432a8
Opcode Fuzzy Hash: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
Instruction Fuzzy Hash: 9421BF71A08189EFCB68CF98C8A1A9DBBF5EB09314F244095E905AF751D330EDC1EB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001021B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
Instruction ID: bcaa8491dccb865917a35a3d808823525e0e43ff59a73624eea8fea794acadd0
Opcode Fuzzy Hash: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
Instruction Fuzzy Hash: 141134326041618BCB15CE69C8D86AA73D2FBC9315F17C968E9C69F245C334F94ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1000ECC9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b3cff72a2fe030a4ed2511b45a548b940cb1d6c9d7d61aaa5361d334626fbb
Instruction ID: a76a18bd8d72b9e19a2e58a34af59ce664b239cd2ef53a40b3fd3bff6214917f
Opcode Fuzzy Hash: d0b3cff72a2fe030a4ed2511b45a548b940cb1d6c9d7d61aaa5361d334626fbb
Instruction Fuzzy Hash: E2011DE7B6170707D70C48A8DCE632892C1E36813078DC13EEB17D7783E4549E6A8642

Uniqueness

Uniqueness Score: -1.00%

Function 1000C1B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
Instruction ID: f8771a243a862af8759e5689c7b57640d36b1020b076dab7645bd5d8fe9118fc
Opcode Fuzzy Hash: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
Instruction Fuzzy Hash: BDF0F676B1435947E900DF459C40B8BB7D9FFC42D8F16052EED48A3305C630BD0586A1

Uniqueness

Uniqueness Score: -1.00%

Function 1008DB50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
Instruction ID: fb49bc79d4318df5132ff4e8978937c42cbf5c601f0cfd761cb428f5592a7514
Opcode Fuzzy Hash: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
Instruction Fuzzy Hash: 19E0C9B62193159FE314DE09E8808A7FBECEBD8664B10492FF4C493300C231AC448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 10010E40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4a808940af3d4a140e2e1c9c95b8793836aa8f74c0c524a2d00d0069a1faa0
Instruction ID: 79e2239c1779ac0dba93b4b28f17700ca5fd18050b696cdb3e602ef130546564
Opcode Fuzzy Hash: ff4a808940af3d4a140e2e1c9c95b8793836aa8f74c0c524a2d00d0069a1faa0
Instruction Fuzzy Hash: 7AE0C5B99183629FC700DF09D58041AFBE4BB98A14F558A5EF9D8A3311C370A9589FE3

Uniqueness

Uniqueness Score: -1.00%

Function 10001BF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc891dde5e5142dc419ac2e2b5c6ff9a8dc6ccd91bf6328c5a5782cc288a074
Instruction ID: 017239b7fcefab97b4c7b84e08d353cd020fbbd4a0174547befcb6416ae83df2
Opcode Fuzzy Hash: 9fc891dde5e5142dc419ac2e2b5c6ff9a8dc6ccd91bf6328c5a5782cc288a074
Instruction Fuzzy Hash: 91B00274508205DFC309CF04C1859D677E1BB98741F2589F9E55847226D27099459A92

Uniqueness

Uniqueness Score: -1.00%

Function 10017162 Relevance: 100.1, APIs: 56, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 10017236

Strings

Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz
String ID: Invalid chars '%s' at the end of expression '%s'
API String ID: 1901900789-1422635149
Opcode ID: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
Instruction ID: c3773f839444201a897c0eab6702ce5d2794ca60865343955b286594f26e5f05
Opcode Fuzzy Hash: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
Instruction Fuzzy Hash: E1E182B89097459FC780DFA8D08191ABBF1FF88290F95586DF8C58B312D735E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10017261 Relevance: 98.3, APIs: 55, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10017261(void* __eax, void* __ebx, void* __edi, intOrPtr __esi, char _a4, char* _a8, char* _a12, intOrPtr _a16, char _a48, char* _a52, char _a56, char _a60) {
				intOrPtr _t116;
				void* _t118;
				intOrPtr* _t120;

				_t116 = __esi;
				_a12 = __eax;
				__eax = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
				__edx = 0x10;
				_a8 = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
				__eax =  &_a60;
				_a16 = __ebx;
				_a4 = 0x10;
				 *__esp =  &_a60;
				__eax = E10026560();
				_a48 = __edi;
				if(__edi != 0) {
					__eax =  *(__edi + 0x18);
					_a52 = __eax;
					if(__eax != 0) {
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
					}
					__eax =  *(__edi + 0x1c);
					_a52 = __eax;
					if(__eax == 0) {
						L22:
						__eax =  *(__edi + 0x20);
						_a52 = __eax;
						if(__eax == 0) {
							L30:
							E100290E0(__edi);
							__eax =  &_a48;
							E100290E0( &_a48);
							goto L1;
						}
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
						goto L30;
					} else {
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
						goto L22;
					}
				}
				L1:
				 *_t120 = _t116;
				L100290D0();
				return _t118;
			}

0x10017261
0x10017268
0x1001726c
0x10017271
0x10017276
0x1001727a
0x1001727e
0x10017282
0x10017286
0x10017289
0x10017293
0x10017299
0x1001729b
0x1001729e
0x100172a4
0x100172aa
0x100172ad
0x100172b3
0x100172bb
0x100172c4
0x100172ca
0x100172d3
0x100172de
0x100172e2
0x100172e8
0x100172ed
0x100172f4
0x100172f9
0x100172f9
0x100172fd
0x10017300
0x10017306
0x1001730e
0x10017317
0x1001731d
0x10017326
0x10017331
0x10017335
0x1001733b
0x10017340
0x10017347
0x1001734c
0x1001734c
0x10017350
0x10017353
0x10017359
0x10017361
0x1001736a
0x10017370
0x10017379
0x10017384
0x10017388
0x1001738e
0x10017393
0x1001739a
0x1001739f
0x1001739f
0x100173a9
0x100173ae
0x100173b5
0x100173ba
0x100173ba
0x100173be
0x100173c1
0x100173c7
0x100174e1
0x100174e1
0x100174e4
0x100174ea
0x10017604
0x1001760a
0x1001760f
0x10017616
0x00000000
0x10017616
0x100174f0
0x100174f3
0x100174f9
0x10017501
0x1001750a
0x10017510
0x10017519
0x10017524
0x10017528
0x1001752e
0x10017533
0x1001753a
0x1001753f
0x1001753f
0x10017543
0x10017546
0x1001754c
0x10017554
0x1001755d
0x10017563
0x1001756c
0x10017577
0x1001757b
0x10017581
0x10017586
0x1001758d
0x10017592
0x10017592
0x10017596
0x10017599
0x1001759f
0x100175a7
0x100175b0
0x100175b6
0x100175bf
0x100175ca
0x100175ce
0x100175d4
0x100175d9
0x100175e0
0x100175e5
0x100175e5
0x100175ef
0x100175f4
0x100175fb
0x10017600
0x00000000
0x100173cd
0x100173cd
0x100173d0
0x100173d6
0x100173de
0x100173e7
0x100173ed
0x100173f6
0x10017401
0x10017405
0x1001740b
0x10017410
0x10017417
0x1001741c
0x1001741c
0x10017420
0x10017423
0x10017429
0x10017431
0x1001743a
0x10017440
0x10017449
0x10017454
0x10017458
0x1001745e
0x10017463
0x1001746a
0x1001746f
0x1001746f
0x10017473
0x10017476
0x1001747c
0x10017484
0x1001748d
0x10017493
0x1001749c
0x100174a7
0x100174ab
0x100174b1
0x100174b6
0x100174bd
0x100174c2
0x100174c2
0x100174cc
0x100174d1
0x100174d8
0x100174dd
0x00000000
0x100174dd
0x100173c7
0x1001724f
0x1001724f
0x10017252
0x10017260

APIs

mv_log.LICKING ref: 10017289
mv_freep.LICKING ref: 100172E8
mv_freep.LICKING ref: 100172F4
mv_expr_free.LICKING ref: 100172D9

Part of subcall function 10015280: mv_freep.LICKING ref: 10015588
Part of subcall function 10015280: mv_freep.LICKING ref: 10015594
Part of subcall function 10015280: mv_freep.LICKING ref: 100155DB
Part of subcall function 10015280: mv_freep.LICKING ref: 100155E7
Part of subcall function 10015280: mv_freep.LICKING ref: 100155F6
Part of subcall function 10015280: mv_freep.LICKING ref: 10015602
Part of subcall function 10015280: mv_freep.LICKING ref: 10015667
Part of subcall function 10015280: mv_freep.LICKING ref: 10015673
Part of subcall function 10015280: mv_freep.LICKING ref: 100156BA

mv_expr_free.LICKING ref: 100172CA

Part of subcall function 10015280: mv_freep.LICKING ref: 1001542C
Part of subcall function 10015280: mv_freep.LICKING ref: 10015438
Part of subcall function 10015280: mv_freep.LICKING ref: 10015447
Part of subcall function 10015280: mv_freep.LICKING ref: 10015453
Part of subcall function 10015280: mv_freep.LICKING ref: 1001549A
Part of subcall function 10015280: mv_freep.LICKING ref: 100154A6
Part of subcall function 10015280: mv_freep.LICKING ref: 100154B5
Part of subcall function 10015280: mv_freep.LICKING ref: 100154C1
Part of subcall function 10015280: mv_freep.LICKING ref: 10015517
Part of subcall function 10015280: mv_freep.LICKING ref: 10015523

mv_expr_free.LICKING ref: 100172BB

Part of subcall function 10015280: mv_freep.LICKING ref: 100152FA
Part of subcall function 10015280: mv_freep.LICKING ref: 10015306
Part of subcall function 10015280: mv_freep.LICKING ref: 1001534D
Part of subcall function 10015280: mv_freep.LICKING ref: 10015359
Part of subcall function 10015280: mv_freep.LICKING ref: 10015368
Part of subcall function 10015280: mv_freep.LICKING ref: 10015374
Part of subcall function 10015280: mv_freep.LICKING ref: 100153D9
Part of subcall function 10015280: mv_freep.LICKING ref: 100153E5

mv_expr_free.LICKING ref: 1001730E
mv_expr_free.LICKING ref: 1001731D
mv_expr_free.LICKING ref: 1001732C
mv_freep.LICKING ref: 1001733B
mv_freep.LICKING ref: 10017347
mv_expr_free.LICKING ref: 10017361
mv_expr_free.LICKING ref: 10017370
mv_expr_free.LICKING ref: 1001737F
mv_freep.LICKING ref: 1001738E
mv_freep.LICKING ref: 1001739A
mv_freep.LICKING ref: 100173A9
mv_freep.LICKING ref: 100173B5
mv_expr_free.LICKING ref: 100173DE
mv_expr_free.LICKING ref: 100173ED
mv_expr_free.LICKING ref: 100173FC
mv_freep.LICKING ref: 1001740B
mv_freep.LICKING ref: 10017417
mv_expr_free.LICKING ref: 10017431
mv_expr_free.LICKING ref: 10017440
mv_expr_free.LICKING ref: 1001744F
mv_freep.LICKING ref: 1001745E
mv_freep.LICKING ref: 1001746A
mv_expr_free.LICKING ref: 10017484
mv_expr_free.LICKING ref: 10017493
mv_expr_free.LICKING ref: 100174A2
mv_freep.LICKING ref: 100174B1
mv_freep.LICKING ref: 100174BD
mv_freep.LICKING ref: 100174CC
mv_freep.LICKING ref: 100174D8
mv_expr_free.LICKING ref: 10017501
mv_expr_free.LICKING ref: 10017510
mv_expr_free.LICKING ref: 1001751F
mv_freep.LICKING ref: 1001752E
mv_freep.LICKING ref: 1001753A
mv_expr_free.LICKING ref: 10017554
mv_expr_free.LICKING ref: 10017563
mv_expr_free.LICKING ref: 10017572
mv_freep.LICKING ref: 10017581
mv_freep.LICKING ref: 1001758D
mv_expr_free.LICKING ref: 100175A7
mv_expr_free.LICKING ref: 100175B6
mv_expr_free.LICKING ref: 100175C5
mv_freep.LICKING ref: 100175D4
mv_freep.LICKING ref: 100175E0
mv_freep.LICKING ref: 100175EF
mv_freep.LICKING ref: 100175FB
mv_freep.LICKING ref: 1001760A
mv_freep.LICKING ref: 10017616

Strings

Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_expr_free$mv_log
String ID: Invalid chars '%s' at the end of expression '%s'
API String ID: 75827668-1422635149
Opcode ID: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
Instruction ID: 39916f313f6673765a40fa09fad6d79edb9ef4feb13054b409069c6d602bd34a
Opcode Fuzzy Hash: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
Instruction Fuzzy Hash: F3C133B95097459FC784EFA8D18591ABBF0FF88290F85586DF8C58B311D635E880CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100177F0 Relevance: 75.3, APIs: 50, Instructions: 291COMMON

Download Yara Rule

APIs

mv_expr_parse.LICKING ref: 10017862

Part of subcall function 10017110: strlen.MSVCRT ref: 10017141
Part of subcall function 10017110: mv_malloc.LICKING ref: 1001714A

mv_expr_free.LICKING ref: 100178D7
mv_expr_free.LICKING ref: 100178E6
mv_expr_free.LICKING ref: 100178F5
mv_freep.LICKING ref: 10017904
mv_freep.LICKING ref: 1001790C
mv_expr_free.LICKING ref: 10017926
mv_expr_free.LICKING ref: 10017935
mv_expr_free.LICKING ref: 10017944
mv_freep.LICKING ref: 10017953
mv_freep.LICKING ref: 1001795B
mv_expr_free.LICKING ref: 10017975
mv_expr_free.LICKING ref: 10017984
mv_expr_free.LICKING ref: 10017993
mv_freep.LICKING ref: 100179A2
mv_freep.LICKING ref: 100179AA
mv_freep.LICKING ref: 100179B9
mv_freep.LICKING ref: 100179C5
mv_expr_free.LICKING ref: 100179EE
mv_freep.LICKING ref: 10017A1B
mv_freep.LICKING ref: 10017A23
mv_freep.LICKING ref: 10017A79
mv_freep.LICKING ref: 10017A81
mv_expr_free.LICKING ref: 10017A6A

Part of subcall function 10015280: mv_freep.LICKING ref: 100159C5
Part of subcall function 10015280: mv_freep.LICKING ref: 100159D1
Part of subcall function 10015280: mv_freep.LICKING ref: 100159E0
Part of subcall function 10015280: mv_freep.LICKING ref: 100159EC
Part of subcall function 10015280: mv_freep.LICKING ref: 100159FB
Part of subcall function 10015280: mv_freep.LICKING ref: 10015A07
Part of subcall function 10015280: mv_freep.LICKING ref: 10015A16
Part of subcall function 10015280: mv_freep.LICKING ref: 10015A22

mv_expr_free.LICKING ref: 10017A5B

Part of subcall function 10015280: mv_freep.LICKING ref: 1001584F
Part of subcall function 10015280: mv_freep.LICKING ref: 1001585B
Part of subcall function 10015280: mv_freep.LICKING ref: 100158A2
Part of subcall function 10015280: mv_freep.LICKING ref: 100158AE
Part of subcall function 10015280: mv_freep.LICKING ref: 100158BD
Part of subcall function 10015280: mv_freep.LICKING ref: 100158C9
Part of subcall function 10015280: mv_freep.LICKING ref: 1001591F
Part of subcall function 10015280: mv_freep.LICKING ref: 1001592B
Part of subcall function 10015280: mv_freep.LICKING ref: 10015972
Part of subcall function 10015280: mv_freep.LICKING ref: 1001597E

mv_expr_free.LICKING ref: 10017A4C

Part of subcall function 10015280: mv_freep.LICKING ref: 100156C6
Part of subcall function 10015280: mv_freep.LICKING ref: 100156D5
Part of subcall function 10015280: mv_freep.LICKING ref: 100156E1
Part of subcall function 10015280: mv_freep.LICKING ref: 100156F0
Part of subcall function 10015280: mv_freep.LICKING ref: 100156FC
Part of subcall function 10015280: mv_freep.LICKING ref: 10015770
Part of subcall function 10015280: mv_freep.LICKING ref: 1001577C
Part of subcall function 10015280: mv_freep.LICKING ref: 1001579A
Part of subcall function 10015280: mv_freep.LICKING ref: 100157A6
Part of subcall function 10015280: mv_freep.LICKING ref: 100157FC
Part of subcall function 10015280: mv_freep.LICKING ref: 10015808

mv_freep.LICKING ref: 10017A90
mv_freep.LICKING ref: 10017A9C
mv_expr_free.LICKING ref: 10017AC5
mv_expr_free.LICKING ref: 10017AD4
mv_expr_free.LICKING ref: 10017AE3
mv_freep.LICKING ref: 10017AF2
mv_freep.LICKING ref: 10017AFA
mv_expr_free.LICKING ref: 10017B14
mv_expr_free.LICKING ref: 10017B23
mv_expr_free.LICKING ref: 10017B32
mv_freep.LICKING ref: 10017B41
mv_freep.LICKING ref: 10017B49
mv_expr_free.LICKING ref: 10017A32

Part of subcall function 10015280: mv_freep.LICKING ref: 10015588
Part of subcall function 10015280: mv_freep.LICKING ref: 10015594
Part of subcall function 10015280: mv_freep.LICKING ref: 100155DB
Part of subcall function 10015280: mv_freep.LICKING ref: 100155E7
Part of subcall function 10015280: mv_freep.LICKING ref: 100155F6
Part of subcall function 10015280: mv_freep.LICKING ref: 10015602
Part of subcall function 10015280: mv_freep.LICKING ref: 10015667
Part of subcall function 10015280: mv_freep.LICKING ref: 10015673
Part of subcall function 10015280: mv_freep.LICKING ref: 100156BA

mv_expr_free.LICKING ref: 10017A0C

Part of subcall function 10015280: mv_freep.LICKING ref: 1001542C
Part of subcall function 10015280: mv_freep.LICKING ref: 10015438
Part of subcall function 10015280: mv_freep.LICKING ref: 10015447
Part of subcall function 10015280: mv_freep.LICKING ref: 10015453
Part of subcall function 10015280: mv_freep.LICKING ref: 1001549A
Part of subcall function 10015280: mv_freep.LICKING ref: 100154A6
Part of subcall function 10015280: mv_freep.LICKING ref: 100154B5
Part of subcall function 10015280: mv_freep.LICKING ref: 100154C1
Part of subcall function 10015280: mv_freep.LICKING ref: 10015517
Part of subcall function 10015280: mv_freep.LICKING ref: 10015523

mv_expr_free.LICKING ref: 100179FD

Part of subcall function 10015280: mv_freep.LICKING ref: 100152FA
Part of subcall function 10015280: mv_freep.LICKING ref: 10015306
Part of subcall function 10015280: mv_freep.LICKING ref: 1001534D
Part of subcall function 10015280: mv_freep.LICKING ref: 10015359
Part of subcall function 10015280: mv_freep.LICKING ref: 10015368
Part of subcall function 10015280: mv_freep.LICKING ref: 10015374
Part of subcall function 10015280: mv_freep.LICKING ref: 100153D9
Part of subcall function 10015280: mv_freep.LICKING ref: 100153E5

mv_expr_free.LICKING ref: 10017B63
mv_expr_free.LICKING ref: 10017B72
mv_expr_free.LICKING ref: 10017B81
mv_freep.LICKING ref: 10017B90
mv_freep.LICKING ref: 10017B98
mv_freep.LICKING ref: 10017BA7
mv_freep.LICKING ref: 10017BB3
mv_freep.LICKING ref: 10017BC2
mv_freep.LICKING ref: 10017BCE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_expr_free$mv_expr_parsemv_mallocstrlen
String ID:
API String ID: 1389959791-0
Opcode ID: 8fc3577bfb7cae8029ba773bfad3d65c292d51f5e7331e78cc098861103f96c6
Instruction ID: 11b1eda091ece5b6f93ddcdca37633d3328e67849ea26751cca1a066e4925893
Opcode Fuzzy Hash: 8fc3577bfb7cae8029ba773bfad3d65c292d51f5e7331e78cc098861103f96c6
Instruction Fuzzy Hash: 75D153B9A187058FC750EF68D08591ABBF0FF89254F458D6DE9D48B312D736E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10050C30 Relevance: 57.9, APIs: 15, Strings: 18, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10050C30(intOrPtr* __eax, void* __ecx, char* __edx) {
				char _v1052;
				char* _v1056;
				intOrPtr _v1072;
				char* _v1076;
				char* _v1080;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t52;
				signed int _t57;
				char* _t59;
				char* _t64;
				intOrPtr* _t92;
				char* _t102;
				char* _t104;
				void* _t108;
				signed int _t109;
				void* _t111;
				char* _t112;
				void* _t113;
				intOrPtr* _t114;

				_t111 = __ecx;
				_t92 = __eax;
				_t114 = _t113 - 0x42c;
				_t52 = 0;
				_v1056 = __edx;
				do {
					 *((intOrPtr*)(_t114 + _t52 + 0x20)) = 0;
					 *((intOrPtr*)(_t114 + _t52 + 0x24)) = 0;
					_t52 = _t52 + 8;
				} while (_t52 < 0x400);
				_v1076 = 1;
				_t112 =  &_v1052;
				_v1080 = 0;
				 *_t114 = _t112;
				E10008880(__eax, _t108, __ecx, _t112);
				_v1080 = "%s - type: ";
				 *_t114 = _t112;
				_v1076 =  *_t92;
				E100089C0();
				_t57 =  *(_t92 + 8);
				if(_t57 > 8) {
					_t59 =  !=  ? "unknown" : "any";
				} else {
					switch( *((intOrPtr*)(_t57 * 4 +  &M100C02EC))) {
						case 0:
							__eax = "fft_float";
							goto L5;
						case 1:
							_t59 = "mdct_float";
							goto L5;
						case 2:
							__eax = "fft_double";
							goto L5;
						case 3:
							__eax = "mdct_double";
							goto L5;
						case 4:
							__eax = "fft_int32";
							goto L5;
						case 5:
							__eax = "mdct_int32";
							goto L5;
						case 6:
							__eax = "rdft_float";
							goto L5;
						case 7:
							__eax = "rdft_double";
							goto L5;
						case 8:
							__eax = "rdft_int32";
							goto L5;
					}
				}
				L5:
				_v1076 = _t59;
				_v1080 = "%s";
				 *_t114 = _t112;
				E100089C0();
				_v1080 = ", len: ";
				 *_t114 = _t112;
				E100089C0();
				_t102 =  *((intOrPtr*)(_t92 + 0x28));
				_t64 =  *((intOrPtr*)(_t92 + 0x2c));
				if(_t102 != _t64) {
					_v1076 = _t102;
					_v1080 = "[%i, ";
					 *_t114 = _t112;
					E100089C0();
					_t64 =  *((intOrPtr*)(_t92 + 0x2c));
				}
				if(_t64 == 0xffffffff) {
					 *_t114 = _t112;
					_v1080 = 0x100c02c0;
					E100089C0();
				} else {
					_v1076 = _t64;
					_v1080 = 0x100c02c4;
					 *_t114 = _t112;
					E100089C0();
				}
				_v1080 = "%s, factors: [";
				 *_t114 = _t112;
				_t69 =  !=  ? 0x100c0232 : 0x100c01c3;
				_t109 = 0;
				_v1076 =  !=  ? 0x100c0232 : 0x100c01c3;
				E100089C0();
				_t104 =  *((intOrPtr*)(_t92 + 0x18));
				if(_t104 == 0xffffffff) {
					 *_t114 = _t112;
					_t109 = 1;
					_v1080 = "any";
					E100089C0();
					goto L13;
				} else {
					L10:
					if(_t104 != 0) {
						_v1076 = _t104;
						_v1080 = 0x100c02c4;
						 *_t114 = _t112;
						E100089C0();
						L12:
						_t109 = _t109 + 1;
						if(_t109 != 4) {
							L13:
							if( *((intOrPtr*)(_t92 + 0x18 + _t109 * 4)) != 0) {
								 *_t114 = _t112;
								_v1080 = 0x100c01c0;
								E100089C0();
								_t104 =  *((intOrPtr*)(_t92 + 0x18 + _t109 * 4));
								if(_t104 != 0xffffffff) {
									goto L10;
								} else {
									 *_t114 = _t112;
									_v1080 = "any";
									E100089C0();
									goto L12;
								}
							}
						}
					}
				}
				 *_t114 = _t112;
				_v1080 = "], ";
				E100089C0();
				E100505B0(_t112,  *((intOrPtr*)(_t92 + 0x14)),  *((intOrPtr*)(_t92 + 0x10)));
				if(_t111 != 0) {
					 *_t114 = _t112;
					_v1080 = ", prio: %i";
					_v1076 = _v1056;
					E100089C0();
				}
				 *_t114 = 0;
				_v1080 = 0x28;
				_v1072 = _v1052;
				_v1076 = "%s\n";
				return E10026560();
			}

0x10050c33
0x10050c36
0x10050c38
0x10050c3e
0x10050c40
0x10050c46
0x10050c46
0x10050c4a
0x10050c4e
0x10050c51
0x10050c5f
0x10050c63
0x10050c67
0x10050c6b
0x10050c6e
0x10050c7a
0x10050c7e
0x10050c81
0x10050c85
0x10050c8a
0x10050c90
0x10050e93
0x10050c96
0x10050c96
0x00000000
0x10050e40
0x00000000
0x00000000
0x10050ca0
0x00000000
0x00000000
0x10050e10
0x00000000
0x00000000
0x10050e00
0x00000000
0x00000000
0x10050df0
0x00000000
0x00000000
0x10050de0
0x00000000
0x00000000
0x10050e30
0x00000000
0x00000000
0x10050e20
0x00000000
0x00000000
0x10050dd0
0x00000000
0x00000000
0x10050c96
0x10050cb0
0x10050cb0
0x10050cb9
0x10050cbd
0x10050cc0
0x10050cca
0x10050cce
0x10050cd1
0x10050cd6
0x10050cd9
0x10050cde
0x10050ce0
0x10050ce9
0x10050ced
0x10050cf0
0x10050cf5
0x10050cf5
0x10050cfb
0x10050ea0
0x10050ea8
0x10050eac
0x10050d01
0x10050d01
0x10050d0a
0x10050d0e
0x10050d11
0x10050d11
0x10050d2b
0x10050d2f
0x10050d32
0x10050d35
0x10050d37
0x10050d3b
0x10050d40
0x10050d46
0x10050ee0
0x10050ee8
0x10050eed
0x10050ef1
0x00000000
0x10050d4c
0x10050d4c
0x10050d4e
0x10050d50
0x10050d59
0x10050d5d
0x10050d60
0x10050d65
0x10050d65
0x10050d69
0x10050d6b
0x10050d71
0x10050e50
0x10050e58
0x10050e5c
0x10050e61
0x10050e68
0x00000000
0x10050e6e
0x10050e6e
0x10050e76
0x10050e7a
0x00000000
0x10050e7a
0x10050e68
0x10050d71
0x10050d69
0x10050d4e
0x10050d77
0x10050d7f
0x10050d83
0x10050d92
0x10050d99
0x10050ec0
0x10050ecc
0x10050ed0
0x10050ed4
0x10050ed4
0x10050d9f
0x10050daf
0x10050db3
0x10050dbc
0x10050dcf

APIs

mv_bprint_init.LICKING ref: 10050C6E
mv_bprintf.LICKING ref: 10050C85

Strings

fft_int32, xrefs: 10050DF0
%s, factors: [, xrefs: 10050D1E
rdft_double, xrefs: 10050E20
mdct_float, xrefs: 10050CA0
fft_float, xrefs: 10050E40
rdft_int32, xrefs: 10050DD0
any, xrefs: 10050E71, 10050E8E, 10050EE3
, len: , xrefs: 10050CC5
], , xrefs: 10050D7A
rdft_float, xrefs: 10050E30
mdct_double, xrefs: 10050E00
[%i, , xrefs: 10050CE4
unknown, xrefs: 10050E89
%s, xrefs: 10050DB7
, prio: %i, xrefs: 10050EC7
fft_double, xrefs: 10050E10
mdct_int32, xrefs: 10050DE0
%s - type: , xrefs: 10050C75

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_initmv_bprintf
String ID: %s$%s - type: $%s, factors: [$, len: $, prio: %i$[%i, $], $any$fft_double$fft_float$fft_int32$mdct_double$mdct_float$mdct_int32$rdft_double$rdft_float$rdft_int32$unknown
API String ID: 3566169034-155954179
Opcode ID: 315da0e2fbe3fce4dde0f4079cf8654f20101361adaebdc86a8058a59b30a058
Instruction ID: 4013f8a3b107a3fce9af7e5f0e720e0d361b3fc33b5c1cbb089b9898e9a777b9
Opcode Fuzzy Hash: 315da0e2fbe3fce4dde0f4079cf8654f20101361adaebdc86a8058a59b30a058
Instruction Fuzzy Hash: E7512CB4A08740CBD740DF68C68521EBBE1FB85350FA1896DF8C88B355DA39E845DB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002C470 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 401COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1002BF79
mv_log.LICKING ref: 1002C0B3
mv_log.LICKING ref: 1002C0D8
mv_log.LICKING ref: 1002C19C
mv_log.LICKING ref: 1002C1CB
mv_log.LICKING ref: 1002C16D

Part of subcall function 1002B460: mv_log.LICKING ref: 1002B54C

mv_freep.LICKING ref: 1002C241
mv_freep.LICKING ref: 1002C24D
mv_log.LICKING ref: 1002C29B
mv_log.LICKING ref: 1002C4A5

Strings

to , xrefs: 1002C187
%d/%d, xrefs: 1002C5AB
%s, xrefs: 1002C0C3
(default , xrefs: 1002C282
%c%c%c%c%c%c%c%c%c%c%c, xrefs: 1002C09E
%-15s , xrefs: 1002BDF4
%lld, xrefs: 1002C396
"%s", xrefs: 1002C2CF
(from , xrefs: 1002C158
%-12s , xrefs: 1002BF60
%-12lld , xrefs: 1002C481

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_freep
String ID: %-15s $ %s$ (default $ (from $ to $"%s"$%-12lld $%-12s $%c%c%c%c%c%c%c%c%c%c%c$%d/%d$%lld
API String ID: 3216983768-538076109
Opcode ID: ac0072550d9328f0ee7ca60dd531dc481fba00c2972fbd96b99def6fa88064fd
Instruction ID: fb6ea6c6a0f2321fbc4e3f9226b07db0358892c939e969a2d4937e0b03469604
Opcode Fuzzy Hash: ac0072550d9328f0ee7ca60dd531dc481fba00c2972fbd96b99def6fa88064fd
Instruction Fuzzy Hash: 3D0204B4A08B458FC714CF68D48065EBBE1FF88750F95C92EF8A98B355E734E8448B42

Uniqueness

Uniqueness Score: -1.00%

Function 10009730 Relevance: 51.1, APIs: 23, Strings: 6, Instructions: 372
stringCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E10009730(int _a4, int _a8, unsigned int _a12, void** _a16, void* _a20) {
				char _v29;
				signed int _v32;
				int _v36;
				char _v37;
				void** _v40;
				signed int _v44;
				char** _v52;
				int _v56;
				int __ebx;
				int __edi;
				signed int __esi;
				int __ebp;
				signed int _t114;
				void** _t115;
				int _t116;
				int _t117;
				void* _t118;
				void* _t119;
				int _t120;
				void* _t121;
				signed char _t123;
				void* _t124;
				signed char* _t129;
				int _t130;
				void* _t133;
				unsigned int _t135;
				int _t136;
				signed int _t137;
				char _t146;
				void* _t150;
				int _t157;
				signed int _t158;
				void* _t163;
				void* _t164;
				void* _t167;
				void** _t170;
				int _t172;
				int _t173;
				int _t174;
				void* _t175;
				void** _t178;
				void*** _t179;
				void** _t180;

				_t179 =  &_v44;
				_t170 = _a4;
				_t129 = _a8;
				_v44 = _a12;
				_t112 = _a16;
				if(_a16 == 2) {
					L1();
					_t114 =  *_t129 & 0x000000ff;
					__eflags = _t114;
					if(_t114 != 0) {
						while(1) {
							L56:
							__eflags = _t114 - 0x27;
							if(_t114 == 0x27) {
								break;
							}
							_t129 =  &(_t129[1]);
							L1();
							_t114 =  *_t129 & 0x000000ff;
							__eflags = _t114;
							if(_t114 != 0) {
								continue;
							}
							goto L58;
						}
						 *_t179 = _t170;
						_t129 =  &(_t129[1]);
						_v56 = 0x100af503;
						E100089C0();
						_t114 =  *_t129 & 0x000000ff;
						__eflags = _t114;
						if(_t114 != 0) {
							goto L56;
						} else {
						}
					}
					L58:
					_t179 =  &(_t179[0xb]);
					_t112 = _t170;
					_pop(_t129);
					_pop(_t170);
					_pop(_t161);
					_pop(_t177);
					_t178 = _t112;
					_push(_t170);
					_push(_t129);
					_t115 =  &(_t112[4]);
					_t180 = _t179 - 0x2c;
					_v29 = 0x27;
					_t130 =  *(_t115 - 8);
					_v40 = _t115;
					while(1) {
						_t116 = _a4;
						_t144 =  <=  ? _t116 : _t130;
						_t172 = _t130 - ( <=  ? _t116 : _t130);
						if(_t172 > 1) {
							break;
						}
						_t135 = _a12;
						if(_t116 >= _t130 || _t135 == _t130) {
							L22:
							__eflags = _t172;
							if(_t172 != 0) {
								_t172 = 1;
								break;
							}
						} else {
							_t154 =  >  ? 1 : 0xfffffffe - _t116;
							_t17 = _t116 + 1; // 0xffffffff
							_t121 = ( >  ? 1 : 0xfffffffe - _t116) + _t17;
							if(_t135 >> 1 >= _t130) {
								_t130 = _t130 + _t130;
								__eflags = _t130;
							} else {
								_t130 = _t135;
							}
							if(_t130 < _t121) {
								_t125 =  <=  ? _t135 : _t121;
								_t130 =  <=  ? _t135 : _t121;
							}
							_t163 =  *_t178;
							_v56 = _t130;
							if(_t163 == _v40) {
								 *_t180 = 0;
								_t123 = E10028DA0();
								__eflags = _t123;
								if(_t123 == 0) {
									goto L21;
								} else {
									goto L15;
								}
							} else {
								 *_t180 = _t163;
								_t123 = E10028DA0();
								if(_t123 == 0) {
									L21:
									_t116 = _a4;
									goto L22;
								} else {
									if(_t163 == 0) {
										L15:
										_t157 = _a4;
										_t164 = _t123;
										_t175 =  *_t178;
										_t136 = _t157 + 1;
										_v36 = _t175;
										__eflags = _t136 - 8;
										if(_t136 >= 8) {
											__eflags = _t123 & 0x00000001;
											if((_t123 & 0x00000001) != 0) {
												_t137 =  *_t175 & 0x000000ff;
												_t35 = _t123 + 1; // 0x1
												_t164 = _t35;
												_t175 = _t175 + 1;
												 *_t123 = _t137;
												_t136 = _t157;
											}
											__eflags = _t164 & 0x00000002;
											if((_t164 & 0x00000002) != 0) {
												_t158 =  *_t175 & 0x0000ffff;
												_t164 = _t164 + 2;
												_t175 = _t175 + 2;
												_t136 = _t136 - 2;
												 *(_t164 - 2) = _t158;
											}
											__eflags = _t164 & 0x00000004;
											if((_t164 & 0x00000004) == 0) {
												goto L16;
											} else {
												_t167 = _t164 + 4;
												 *(_t167 - 4) =  *_t175;
												_t124 = memcpy(_t167, _t175 + 4, _t136 - 4);
												_t180 =  &(_t180[3]);
												goto L8;
											}
										} else {
											L16:
											_t124 = memcpy(_t164, _t175, _t136);
											_t180 =  &(_t180[3]);
											goto L8;
										}
										goto L23;
									}
									L8:
									 *_t178 = _t124;
									_a8 = _t130;
									continue;
								}
							}
						}
						L23:
						__eflags = 0xfffffffa;
						_t149 =  >  ? 1 : 0xfffffffa - _t116;
						_t150 = ( >  ? 1 : 0xfffffffa - _t116) + _t116;
						_t117 = _a8;
						_a4 = 0xfffffffa;
						__eflags = _t117;
						if(_t117 != 0) {
							_t118 = _t117 - 1;
							__eflags = _t118 - 0xfffffffa;
							_t119 =  >  ? _t150 : _t118;
							 *((char*)( *_t178 + _t119)) = 0;
							return _t119;
						}
						return _t117;
						goto L122;
					}
					_t173 = _t172 - 1;
					__eflags = _t173;
					_t174 =  >  ? 1 : _t173;
					_t146 = _v29;
					_t133 =  *_t178 + _t116;
					__eflags = _t174;
					if(_t174 != 0) {
						_t120 = 0;
						__eflags = 0;
						do {
							 *((char*)(_t133 + _t120)) = _t146;
							_t120 = _t120 + 1;
							__eflags = _t120 - _t174;
						} while (_t120 < _t174);
						_t116 = _a4;
					}
					goto L23;
				} else {
					__eflags = __eax - 3;
					if(__eax != 3) {
						__eax =  *__ebx;
						__eflags = __al;
						if(__al != 0) {
							__eflags = __cl & 0x00000002;
							if((__cl & 0x00000002) == 0) {
								_v37 = 1;
								__ebp = _v44;
								__edi = __ebx;
								__eflags = _v44;
								if(_v44 == 0) {
									_v36 = __ecx;
									while(1) {
										 *__esp = " \n\t\r";
										__ebp = __al;
										_v56 = __ebp;
										__eax = strchr(??, ??);
										_v56 = __ebp;
										 *__esp = "\'\\";
										_v44 = __eax;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax == 0) {
											goto L118;
										}
										L113:
										__edx = 0x5c;
										__eax = __esi;
										L1();
										L114:
										__edx =  *__edi;
										__eax = __esi;
										__edi = __edi + 1;
										L1();
										__eax =  *__edi & 0x000000ff;
										__eflags = __al;
										if(__al != 0) {
											__eflags = __ebx - __edi;
											if(__ebx == __edi) {
												_v37 = 1;
											} else {
												__eflags =  *(__edi + 1);
												_v37 =  *(__edi + 1) == 0;
											}
											continue;
										}
										goto L53;
										L118:
										__edx = _v44;
										__eflags = _v44;
										if(_v44 != 0) {
											__eflags = _v36 & 0x00000001;
											if((_v36 & 0x00000001) != 0) {
												goto L113;
											} else {
												__eflags = _v37;
												if(_v37 != 0) {
													goto L113;
												} else {
												}
											}
										}
										goto L114;
									}
								} else {
									_v32 = __ecx;
									while(1) {
										 *__esp = " \n\t\r";
										__ebp = __al;
										_v56 = __ebp;
										__eax = strchr(??, ??);
										_v56 = __ebp;
										_v36 = __eax;
										__eax = _v44;
										 *__esp = _v44;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax == 0) {
											goto L97;
										}
										L70:
										__edx = 0x5c;
										__eax = __esi;
										L1();
										L71:
										__edx =  *__edi;
										__eax = __esi;
										__edi = __edi + 1;
										L1();
										__eax =  *__edi & 0x000000ff;
										__eflags = __al;
										if(__al != 0) {
											__eflags = __ebx - __edi;
											if(__ebx == __edi) {
												_v37 = 1;
											} else {
												__eflags =  *(__edi + 1);
												_v37 =  *(__edi + 1) == 0;
											}
											continue;
										}
										goto L53;
										L97:
										__eax = strchr("\'\\", __ebp);
										__eflags = __eax;
										if(__eax != 0) {
											goto L70;
										} else {
											__eax = _v36;
											__eflags = _v36;
											if(_v36 != 0) {
												__eflags = _v32 & 0x00000001;
												if((_v32 & 0x00000001) != 0) {
													goto L70;
												} else {
													__eflags = _v37;
													if(_v37 != 0) {
														goto L70;
													} else {
													}
												}
											}
										}
										goto L71;
									}
								}
							} else {
								__edx = _v44;
								__eflags = _v44;
								if(_v44 == 0) {
									while(1) {
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eflags =  *__ebx;
										if( *__ebx == 0) {
											goto L53;
										}
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eflags =  *__ebx;
										if( *__ebx == 0) {
											return __eax;
										}
									}
								} else {
									do {
										_v56 = __eax;
										__eax = _v44;
										 *__esp = _v44;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax != 0) {
											__edx = 0x5c;
											__eax = __esi;
											L1();
										}
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eax =  *__ebx;
										__eflags = __al;
									} while (__al != 0);
								}
							}
						}
					} else {
						__eax =  *__ebx & 0x000000ff;
						__eflags = __al;
						if(__al != 0) {
							__edx = __ecx;
							__edx = __ecx & 0x00000008;
							__eflags = __cl & 0x00000004;
							if((__cl & 0x00000004) != 0) {
								__eflags = __edx;
								if(__edx == 0) {
									goto L85;
								} else {
									do {
										__dl = __al;
										__dl = __al - 0x22;
										__eflags = __dl - 0x1c;
										if(__dl > 0x1c) {
											L89:
											__edx = __al;
											__eax = __esi;
											L1();
											goto L90;
										}
										__edx = __dl & 0x000000ff;
										switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AF530))) {
											case 0:
												 *__esp = __esi;
												__eax = "&quot;";
												_v52 = "&quot;";
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 1:
												goto L89;
											case 2:
												 *__esp = __esi;
												__eax = 0x100af508;
												_v52 = 0x100af508;
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 3:
												 *__esp = __esi;
												__eax = "&apos;";
												_v52 = "&apos;";
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 4:
												 *__esp = __esi;
												__edi = 0x100af50e;
												__ebp = 0x100af500;
												_v52 = 0x100af50e;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 5:
												 *__esp = __esi;
												__edx = 0x100af513;
												__ecx = 0x100af500;
												_v52 = 0x100af513;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
										}
										L90:
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
									return __eax;
								}
								do {
									goto L85;
									L84:
									__eax =  *(__ebx + 1) & 0x000000ff;
									__ebx = __ebx + 1;
									__eflags = __al;
								} while (__al != 0);
								goto L53;
								L85:
								__eflags = __al - 0x3c;
								if(__eflags == 0) {
									 *__esp = __esi;
									__eax = 0x100af50e;
									__edx = 0x100af500;
									_v52 = 0x100af50e;
									_v56 = 0x100af500;
									__eax = E100089C0();
								} else {
									if(__eflags <= 0) {
										__eflags = __al - 0x26;
										if(__al == 0x26) {
											 *__esp = __esi;
											__eax = 0x100af508;
											_v52 = 0x100af508;
											__eax = 0x100af500;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											__eflags = __al - 0x27;
											if(__al != 0x27) {
												goto L103;
											} else {
												 *__esp = __esi;
												__ebp = "&apos;";
												__eax = 0x100af500;
												_v52 = "&apos;";
												_v56 = 0x100af500;
												__eax = E100089C0();
											}
										}
									} else {
										__eflags = __al - 0x3e;
										if(__al != 0x3e) {
											L103:
											__edx = __al;
											__eax = __esi;
											L1();
										} else {
											 *__esp = __esi;
											__ecx = 0x100af513;
											__edi = 0x100af500;
											_v52 = 0x100af513;
											_v56 = 0x100af500;
											__eax = E100089C0();
										}
									}
								}
								goto L84;
							} else {
								__eflags = __edx;
								if(__edx == 0) {
									do {
										__eflags = __al - 0x3c;
										if(__al == 0x3c) {
											 *__esp = __esi;
											__ebp = 0x100af50e;
											__eax = 0x100af500;
											_v52 = 0x100af50e;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											__eflags = __al - 0x3e;
											if(__al != 0x3e) {
												__eflags = __al - 0x26;
												if(__al == 0x26) {
													 *__esp = __esi;
													__eax = 0x100af508;
													_v52 = 0x100af508;
													__eax = 0x100af500;
													_v56 = 0x100af500;
													__eax = E100089C0();
												} else {
													__edx = __al;
													__eax = __esi;
													L1();
												}
											} else {
												 *__esp = __esi;
												__ecx = 0x100af513;
												__edi = 0x100af500;
												_v52 = 0x100af513;
												_v56 = 0x100af500;
												__eax = E100089C0();
											}
										}
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
								} else {
									do {
										__eflags = __al - 0x3c;
										if(__eflags == 0) {
											 *__esp = __esi;
											__edx = 0x100af50e;
											__ecx = 0x100af500;
											_v52 = 0x100af50e;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											if(__eflags <= 0) {
												__eflags = __al - 0x22;
												if(__al == 0x22) {
													 *__esp = __esi;
													__eax = "&quot;";
													_v52 = "&quot;";
													__eax = 0x100af500;
													_v56 = 0x100af500;
													__eax = E100089C0();
												} else {
													__eflags = __al - 0x26;
													if(__al != 0x26) {
														goto L102;
													} else {
														 *__esp = __esi;
														__eax = 0x100af508;
														_v52 = 0x100af508;
														__eax = 0x100af500;
														_v56 = 0x100af500;
														__eax = E100089C0();
													}
												}
											} else {
												__eflags = __al - 0x3e;
												if(__al != 0x3e) {
													L102:
													__edx = __al;
													__eax = __esi;
													L1();
												} else {
													 *__esp = __esi;
													__edi = 0x100af513;
													__ebp = 0x100af500;
													_v52 = 0x100af513;
													_v56 = 0x100af500;
													__eax = E100089C0();
												}
											}
										}
										goto L41;
										L41:
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
								}
							}
						}
					}
					L53:
					return __eax;
				}
				L122:
			}

0x10009734
0x1000973b
0x1000973f
0x10009747
0x1000974b
0x10009752
0x10009877
0x1000987c
0x1000987f
0x10009881
0x10009890
0x10009890
0x10009890
0x10009892
0x00000000
0x00000000
0x10009897
0x1000989a
0x1000989f
0x100098a2
0x100098a4
0x00000000
0x00000000
0x00000000
0x100098a4
0x100098c0
0x100098c8
0x100098c9
0x100098cd
0x100098d2
0x100098d5
0x100098d7
0x00000000
0x00000000
0x100098d9
0x100098d7
0x100098a6
0x100098a6
0x100098a9
0x100098ab
0x100098b1
0x100098b2
0x100098b3
0x100086f1
0x100086f4
0x100086f5
0x100086f6
0x100086f9
0x100086fc
0x10008700
0x10008703
0x10008746
0x10008746
0x1000874f
0x10008752
0x10008757
0x00000000
0x00000000
0x1000875f
0x10008762
0x100087f4
0x100087f4
0x100087f6
0x1000882b
0x00000000
0x1000882b
0x10008770
0x1000877f
0x10008782
0x10008782
0x1000878c
0x10008710
0x10008710
0x1000878e
0x1000878e
0x1000878e
0x10008714
0x10008718
0x1000871b
0x1000871b
0x1000871d
0x10008720
0x1000872a
0x10008798
0x1000879f
0x100087a4
0x100087a6
0x00000000
0x00000000
0x00000000
0x00000000
0x1000872c
0x1000872c
0x1000872f
0x10008736
0x100087f1
0x100087f1
0x00000000
0x1000873c
0x1000873e
0x100087a8
0x100087a8
0x100087ab
0x100087ad
0x100087b0
0x100087b3
0x100087b7
0x100087ba
0x100087c0
0x100087c2
0x10008859
0x1000885c
0x1000885c
0x1000885f
0x10008860
0x10008862
0x10008862
0x100087c8
0x100087ce
0x10008869
0x1000886c
0x1000886f
0x10008872
0x10008875
0x10008875
0x100087d4
0x100087da
0x00000000
0x100087dc
0x100087de
0x100087e7
0x100087ea
0x100087ea
0x00000000
0x100087ea
0x100087bc
0x100087bc
0x100087bc
0x100087bc
0x00000000
0x100087bc
0x00000000
0x100087ba
0x10008740
0x10008740
0x10008743
0x00000000
0x10008743
0x10008736
0x1000872a
0x100087f8
0x10008804
0x10008807
0x1000880a
0x1000880c
0x1000880f
0x10008812
0x10008814
0x10008816
0x10008817
0x10008819
0x1000881f
0x00000000
0x1000881f
0x1000882a
0x00000000
0x1000882a
0x10008833
0x10008839
0x1000883c
0x1000883f
0x10008844
0x10008846
0x10008848
0x1000884a
0x1000884a
0x1000884c
0x1000884c
0x1000884f
0x10008850
0x10008850
0x10008854
0x10008854
0x00000000
0x10009758
0x10009758
0x1000975b
0x10009808
0x1000980b
0x1000980d
0x1000980f
0x10009812
0x10009930
0x10009935
0x10009939
0x1000993b
0x1000993d
0x10009c70
0x10009c80
0x10009c80
0x10009c87
0x10009c8a
0x10009c8e
0x10009c93
0x10009c97
0x10009c9e
0x10009ca2
0x10009ca7
0x10009ca9
0x00000000
0x00000000
0x10009cab
0x10009cab
0x10009cb0
0x10009cb2
0x10009cb7
0x10009cb7
0x10009cba
0x10009cbc
0x10009cbd
0x10009cc2
0x10009cc5
0x10009cc7
0x10009ccd
0x10009ccf
0x10009ce0
0x10009cd1
0x10009cd1
0x10009cd5
0x10009cd5
0x00000000
0x10009ccf
0x00000000
0x10009cf0
0x10009cf0
0x10009cf4
0x10009cf6
0x10009cf8
0x10009cfd
0x00000000
0x10009cff
0x10009cff
0x10009d04
0x00000000
0x00000000
0x10009d06
0x10009d04
0x10009cfd
0x00000000
0x10009cf6
0x10009943
0x10009943
0x10009950
0x10009950
0x10009957
0x1000995a
0x1000995e
0x10009963
0x10009967
0x1000996b
0x1000996f
0x10009972
0x10009977
0x10009979
0x00000000
0x00000000
0x1000997f
0x1000997f
0x10009984
0x10009986
0x1000998b
0x1000998b
0x1000998e
0x10009990
0x10009991
0x10009996
0x10009999
0x1000999b
0x100099a1
0x100099a3
0x10009ba0
0x100099a9
0x100099a9
0x100099ad
0x100099ad
0x00000000
0x100099a3
0x00000000
0x10009b40
0x10009b4b
0x10009b50
0x10009b52
0x00000000
0x10009b58
0x10009b58
0x10009b5c
0x10009b5e
0x10009b64
0x10009b69
0x00000000
0x10009b6f
0x10009b6f
0x10009b74
0x00000000
0x00000000
0x10009b7a
0x10009b74
0x10009b69
0x10009b5e
0x00000000
0x10009b52
0x10009950
0x10009818
0x10009818
0x1000981c
0x1000981e
0x100099b8
0x100099b8
0x100099bb
0x100099bd
0x100099be
0x100099c3
0x100099c6
0x00000000
0x00000000
0x100099cc
0x100099cf
0x100099d1
0x100099d2
0x100099d7
0x100099da
0x00000000
0x00000000
0x100099da
0x00000000
0x10009830
0x10009830
0x10009834
0x10009838
0x1000983b
0x10009840
0x10009842
0x10009844
0x10009849
0x1000984b
0x1000984b
0x10009850
0x10009853
0x10009855
0x10009856
0x1000985b
0x1000985e
0x1000985e
0x10009830
0x1000981e
0x10009812
0x10009761
0x10009761
0x10009764
0x10009766
0x1000976c
0x1000976e
0x10009771
0x10009774
0x100099e8
0x100099ea
0x00000000
0x100099f0
0x100099f0
0x100099f0
0x100099f2
0x100099f5
0x100099f8
0x10009a88
0x10009a88
0x10009a8b
0x10009a8d
0x00000000
0x10009a8d
0x100099fe
0x10009a01
0x00000000
0x10009b17
0x10009b1a
0x10009b1f
0x10009b23
0x10009b28
0x10009b2c
0x00000000
0x00000000
0x00000000
0x00000000
0x10009aa4
0x10009aa7
0x10009aac
0x10009ab0
0x10009ab5
0x10009ab9
0x00000000
0x00000000
0x10009af8
0x10009afb
0x10009b00
0x10009b04
0x10009b09
0x10009b0d
0x00000000
0x00000000
0x10009adc
0x10009adf
0x10009ae4
0x10009ae9
0x10009aed
0x10009af1
0x00000000
0x00000000
0x10009ac0
0x10009ac3
0x10009ac8
0x10009acd
0x10009ad1
0x10009ad5
0x00000000
0x00000000
0x10009a92
0x10009a92
0x10009a96
0x10009a97
0x10009a97
0x00000000
0x100099f0
0x10009a4d
0x00000000
0x10009a40
0x10009a40
0x10009a44
0x10009a45
0x10009a45
0x00000000
0x10009a4d
0x10009a4d
0x10009a4f
0x10009c10
0x10009c13
0x10009c18
0x10009c1d
0x10009c21
0x10009c25
0x10009a55
0x10009a55
0x10009a10
0x10009a12
0x10009c30
0x10009c33
0x10009c38
0x10009c3c
0x10009c41
0x10009c45
0x10009a18
0x10009a18
0x10009a1a
0x00000000
0x10009a20
0x10009a20
0x10009a23
0x10009a28
0x10009a2d
0x10009a31
0x10009a35
0x10009a35
0x10009a1a
0x10009a57
0x10009a57
0x10009a60
0x10009b90
0x10009b90
0x10009b93
0x10009b95
0x10009a66
0x10009a66
0x10009a69
0x10009a6e
0x10009a73
0x10009a77
0x10009a7b
0x10009a7b
0x10009a60
0x10009a55
0x00000000
0x1000977a
0x1000977a
0x1000977c
0x100098ff
0x100098ff
0x10009901
0x10009bd0
0x10009bd3
0x10009bd8
0x10009bdd
0x10009be1
0x10009be5
0x10009907
0x10009907
0x10009909
0x100098e0
0x100098e2
0x10009bb0
0x10009bb3
0x10009bb8
0x10009bbc
0x10009bc1
0x10009bc5
0x100098e8
0x100098e8
0x100098eb
0x100098ed
0x100098ed
0x1000990b
0x1000990b
0x1000990e
0x10009913
0x10009918
0x1000991c
0x10009920
0x10009920
0x10009909
0x100098f2
0x100098f6
0x100098f7
0x100098f7
0x10009782
0x100097cd
0x100097cd
0x100097cf
0x10009bf0
0x10009bf3
0x10009bf8
0x10009bfd
0x10009c01
0x10009c05
0x100097d5
0x100097d5
0x10009788
0x1000978a
0x10009c50
0x10009c53
0x10009c58
0x10009c5c
0x10009c61
0x10009c65
0x10009790
0x10009790
0x10009792
0x00000000
0x10009798
0x10009798
0x1000979b
0x100097a0
0x100097a4
0x100097a9
0x100097ad
0x100097ad
0x10009792
0x100097d7
0x100097d7
0x100097e0
0x10009b80
0x10009b80
0x10009b83
0x10009b85
0x100097e6
0x100097e6
0x100097e9
0x100097ee
0x100097f3
0x100097f7
0x100097fb
0x100097fb
0x100097e0
0x100097d5
0x00000000
0x100097c0
0x100097c0
0x100097c4
0x100097c5
0x100097c5
0x100097cd
0x1000977c
0x10009774
0x10009766
0x10009869
0x10009869
0x10009869
0x00000000

APIs

mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
strchr.MSVCRT ref: 1000983B
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009920
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05

Strings

<, xrefs: 10009ADF, 10009BD3, 10009BF3, 10009C13
&, xrefs: 1000979B, 10009AA7, 10009BB3, 10009C33
', xrefs: 10009A23, 10009AFB
", xrefs: 10009B1A, 10009C53
>, xrefs: 100097E9, 1000990E, 10009A69, 10009AC3
'\'', xrefs: 100098C3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf$strchr
String ID: &$'$>$<$"$'\''
API String ID: 2626076477-3929336650
Opcode ID: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
Instruction ID: 4cad4ceb1349a5dbac3916fb8057f47bb241a6bf44f33620574422d9e36815b4
Opcode Fuzzy Hash: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
Instruction Fuzzy Hash: 49D16D74908B91CBE710DF69808036EBBE1FB826C0F55885EE9D58B24ADB35D945CB83

Uniqueness

Uniqueness Score: -1.00%

Function 10015A2B Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 10016E19: mv_mallocz.LICKING ref: 10016ECF

mv_mallocz.LICKING ref: 10015A99

Strings

*, xrefs: 10015A8F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz
String ID: *
API String ID: 1901900789-163128923
Opcode ID: 029aa66d8a0125d30b2f3eed8a7f8f27550348d4d539916d2760fdc60cc293c3
Instruction ID: 7c755b5e81ebbcb6fb62b139319a352fd19dd05f7f3ad5d610ebc54a685ee70e
Opcode Fuzzy Hash: 029aa66d8a0125d30b2f3eed8a7f8f27550348d4d539916d2760fdc60cc293c3
Instruction Fuzzy Hash: F691C1B96087068FC344DF64D0C191ABBE1FF88254F558A2DE8D89B312D735E982CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1002B460 Relevance: 47.4, APIs: 14, Strings: 13, Instructions: 142COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1002B54C
mv_log.LICKING ref: 1002B595

Strings

INT_MIN, xrefs: 1002B55B
FLT_MIN, xrefs: 1002B643
I64_MIN, xrefs: 1002B5C3
I64_MAX, xrefs: 1002B5A3
DBL_MAX, xrefs: 1002B682
DBL_MIN, xrefs: 1002B6A1
-DBL_MIN, xrefs: 1002B53A
-FLT_MIN, xrefs: 1002B663
UINT32_MAX, xrefs: 1002B5E3
INT_MAX, xrefs: 1002B583
FLT_MAX, xrefs: 1002B623
-FLT_MAX, xrefs: 1002B603
-DBL_MAX, xrefs: 1002B6E5

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: -DBL_MAX$-DBL_MIN$-FLT_MAX$-FLT_MIN$DBL_MAX$DBL_MIN$FLT_MAX$FLT_MIN$I64_MAX$I64_MIN$INT_MAX$INT_MIN$UINT32_MAX
API String ID: 2418673259-2628725902
Opcode ID: 4b69fef14bdbb6910b69d575034c011d7efd4a86ec80ae8f31d44e7f23f84011
Instruction ID: d7664abcd9faac0ce6b62ddf477cf7159e8170a1b3dfe873e1d3bd3be2708879
Opcode Fuzzy Hash: 4b69fef14bdbb6910b69d575034c011d7efd4a86ec80ae8f31d44e7f23f84011
Instruction Fuzzy Hash: 62512EB9908F548FC354EF25E49531EBAE1FF84380FD4C92D94C99B325E73989859B02

Uniqueness

Uniqueness Score: -1.00%

Function 1004F8F0 Relevance: 45.1, APIs: 30, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1004F8F0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, intOrPtr _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t30;

				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_v4 = __ebp;
				if(_a4 != 0) {
					__esi =  *__ebx;
					if(__esi != 0) {
						__edi =  *__esi;
						if(__edi != 0) {
							__ebp =  *__edi;
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							__ebp =  *((intOrPtr*)(__edi + 4));
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							 *__esp = __edi;
							L1();
						}
						__edi =  *((intOrPtr*)(__esi + 4));
						if(__edi != 0) {
							__ebp =  *__edi;
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							__ebp =  *((intOrPtr*)(__edi + 4));
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							 *__esp = __edi;
							L1();
						}
						 *__esp = __esi;
						L1();
					}
					__esi =  *((intOrPtr*)(__ebx + 4));
					if(__esi != 0) {
						__edi =  *__esi;
						if(__edi != 0) {
							__ebp =  *__edi;
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							__ebp =  *((intOrPtr*)(__edi + 4));
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							 *__esp = __edi;
							L1();
						}
						__edi =  *((intOrPtr*)(__esi + 4));
						if(__edi != 0) {
							__ebp =  *__edi;
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							__ebp =  *((intOrPtr*)(__edi + 4));
							if(__ebp != 0) {
								E1004F8F0(__ebx, __edi, __esi, __ebp,  *__ebp);
								E1004F8F0(__ebx, __edi, __esi, __ebp, _a4);
								 *__esp = __ebp;
								L1();
							}
							 *__esp = __edi;
							L1();
						}
						 *__esp = __esi;
						L1();
					}
					_a4 = __ebx;
					__esi = _v12;
					__ebx = _v16;
					__edi = _v8;
					__ebp = _v4;
					__esp = __esp + 0x2c;
					return __imp___aligned_free();
				}
				return _t30;
			}

0x1004f8f3
0x1004f8fb
0x1004f8ff
0x1004f903
0x1004f909
0x1004f90f
0x1004f913
0x1004f919
0x1004f91d
0x1004f91f
0x1004f923
0x1004f92b
0x1004f936
0x1004f93b
0x1004f93e
0x1004f93e
0x1004f943
0x1004f948
0x1004f950
0x1004f95b
0x1004f960
0x1004f963
0x1004f963
0x1004f968
0x1004f96b
0x1004f96b
0x1004f970
0x1004f975
0x1004f977
0x1004f97b
0x1004f983
0x1004f98e
0x1004f993
0x1004f996
0x1004f996
0x1004f99b
0x1004f9a0
0x1004f9a8
0x1004f9b3
0x1004f9b8
0x1004f9bb
0x1004f9bb
0x1004f9c0
0x1004f9c3
0x1004f9c3
0x1004f9c8
0x1004f9cb
0x1004f9cb
0x1004f9d0
0x1004f9d5
0x1004f9db
0x1004f9df
0x1004f9e1
0x1004f9e5
0x1004f9ed
0x1004f9f8
0x1004f9fd
0x1004fa00
0x1004fa00
0x1004fa05
0x1004fa0a
0x1004fa12
0x1004fa1d
0x1004fa22
0x1004fa25
0x1004fa25
0x1004fa2a
0x1004fa2d
0x1004fa2d
0x1004fa32
0x1004fa37
0x1004fa39
0x1004fa3d
0x1004fa45
0x1004fa50
0x1004fa55
0x1004fa58
0x1004fa58
0x1004fa5d
0x1004fa62
0x1004fa6a
0x1004fa75
0x1004fa7a
0x1004fa7d
0x1004fa7d
0x1004fa82
0x1004fa85
0x1004fa85
0x1004fa8a
0x1004fa8d
0x1004fa8d
0x1004fa92
0x1004fa96
0x1004fa9a
0x1004fa9e
0x1004faa2
0x1004faa6
0x100290d0
0x100290d0
0x1004fac3

APIs

mv_tree_destroy.LICKING ref: 1004F92B
mv_tree_destroy.LICKING ref: 1004F950
mv_tree_destroy.LICKING ref: 1004F95B
mv_tree_destroy.LICKING ref: 1004F983
mv_tree_destroy.LICKING ref: 1004F98E
mv_tree_destroy.LICKING ref: 1004F9A8
mv_tree_destroy.LICKING ref: 1004F9B3
mv_tree_destroy.LICKING ref: 1004F9ED
mv_tree_destroy.LICKING ref: 1004F9F8
mv_tree_destroy.LICKING ref: 1004FA12
mv_tree_destroy.LICKING ref: 1004FA1D
mv_tree_destroy.LICKING ref: 1004FA45
mv_tree_destroy.LICKING ref: 1004FA50
mv_tree_destroy.LICKING ref: 1004FA6A
mv_tree_destroy.LICKING ref: 1004FA75

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_destroy
String ID:
API String ID: 2561461430-0
Opcode ID: e35d0cec199218e119780d357c796d697295f2cac61dda04ddeeb3a1a2033d19
Instruction ID: 83093fb0ff0346f9d73214d8fd7ea90e924bf39c9d735657395848fb7b157647
Opcode Fuzzy Hash: e35d0cec199218e119780d357c796d697295f2cac61dda04ddeeb3a1a2033d19
Instruction Fuzzy Hash: C05164B96087489FC750EFA4908562EB7F0FF54740F62492CEDD89B302DB74A950CB96

Uniqueness

Uniqueness Score: -1.00%

Function 100195E0 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
mv_calloc.LICKING ref: 1001964E
MultiByteToWideChar.KERNEL32 ref: 10019685
mv_calloc.LICKING ref: 100196D7
mv_freep.LICKING ref: 10019713
wcslen.MSVCRT ref: 1001971F
_wsopen.MSVCRT ref: 1001974B
mv_freep.LICKING ref: 10019758
_sopen.MSVCRT ref: 1001978A
_errno.MSVCRT ref: 100197F5
wcslen.MSVCRT ref: 1001981B
mv_calloc.LICKING ref: 10019857
wcscpy.MSVCRT ref: 10019872
wcscat.MSVCRT ref: 10019882
mv_freep.LICKING ref: 1001988A
_errno.MSVCRT ref: 100198E1
mv_freep.LICKING ref: 100198F4
mv_calloc.LICKING ref: 10019912
wcscpy.MSVCRT ref: 10019929
wcscat.MSVCRT ref: 1001993C
_errno.MSVCRT ref: 10019946
_errno.MSVCRT ref: 10019958

Strings

\\?\, xrefs: 10019869
\\?\UNC\, xrefs: 10019920

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errnomv_callocmv_freep$ByteCharMultiWidewcscatwcscpywcslen$_sopen_wsopen
String ID: \\?\$\\?\UNC\
API String ID: 2585690843-3019864461
Opcode ID: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
Instruction ID: 3dc82464431d1485f9b1200b51e46201d74a27639f097cc6c66f11d6c06c393f
Opcode Fuzzy Hash: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
Instruction Fuzzy Hash: 9391D3B49093059FC350EF69848421EBBE0FF89794F51892EF8D8CB290E774D980DB82

Uniqueness

Uniqueness Score: -1.00%

Function 100118C0 Relevance: 43.8, APIs: 29, Instructions: 289stringCOMMON

Download Yara Rule

APIs

mv_get_token.LICKING ref: 10011913

Part of subcall function 10006940: strlen.MSVCRT ref: 10006950
Part of subcall function 10006940: mv_malloc.LICKING ref: 10006959
Part of subcall function 10006940: strspn.MSVCRT ref: 10006980
Part of subcall function 10006940: strspn.MSVCRT ref: 100069C1

mv_freep.LICKING ref: 10011930
mv_freep.LICKING ref: 1001193C
strspn.MSVCRT ref: 1001195F
mv_get_token.LICKING ref: 1001197C
mv_strdup.LICKING ref: 100119B2
mv_strdup.LICKING ref: 100119CA
mv_freep.LICKING ref: 10011A5F
mv_freep.LICKING ref: 10011A6B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$strspn$mv_get_tokenmv_strdup$mv_mallocstrlen
String ID:
API String ID: 2603649322-0
Opcode ID: 14e30868631fe97fec9574a02c61a58dcf1b4eabab0966b469b8327e310c11fc
Instruction ID: 0a4ec6a1b9aa069a5158d076d08d96fd34d6cbd746a5e0d91f44dd485dd0fbed
Opcode Fuzzy Hash: 14e30868631fe97fec9574a02c61a58dcf1b4eabab0966b469b8327e310c11fc
Instruction Fuzzy Hash: 87B106759097459FC744DF65D18069EBBE5FF88290F96892DF8C89B311E730E980CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100A7C1C Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E100A7C1C(char* __eax, signed char __ecx, struct HINSTANCE__* __edx) {
				signed int _v32;
				short* _v36;
				int _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				void* _v56;
				void* _v60;
				void* _v64;
				long _v68;
				WCHAR* _v72;
				long _v76;
				WCHAR* _v80;
				int _t57;
				short* _t58;
				struct HINSTANCE__* _t60;
				_Unknown_base(*)()* _t61;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t65;
				WCHAR* _t67;
				long _t68;
				wchar_t* _t69;
				short* _t71;
				int _t72;
				WCHAR* _t73;
				struct HINSTANCE__* _t76;
				int _t79;
				void* _t80;
				struct HINSTANCE__* _t83;
				wchar_t* _t84;
				CHAR* _t87;
				struct HINSTANCE__* _t88;
				long _t89;
				signed char _t91;
				signed int _t93;
				WCHAR* _t97;
				WCHAR* _t98;
				struct HINSTANCE__* _t99;
				int _t101;
				wchar_t* _t103;
				WCHAR* _t104;
				wchar_t* _t107;
				long _t109;
				WCHAR* _t112;
				void* _t113;
				WCHAR** _t115;

				_t99 = __edx;
				_t91 = __ecx;
				_t87 = __eax;
				_t57 = MultiByteToWideChar(0xfde9, 8, __eax, 0xffffffff, 0, 0);
				_t115 = _t113 - 0x24;
				if(_t57 > 0) {
					_v72 = 2;
					_t101 = _t57;
					_v76 = _t57;
					_t58 = E100291F0();
					_t104 = _t58;
					if(_t58 != 0) {
						MultiByteToWideChar(0xfde9, 0, _t87, 0xffffffff, _t58, _t101);
						_t115 = _t115 - 0x18;
						L5:
						_t60 = GetModuleHandleW(L"kernel32.dll");
						_v72 = "SetDefaultDllDirectories";
						_v76 = _t60;
						_t61 = GetProcAddress(_t99, ??);
						_push(_t91);
						_push(_t91);
						if(_t61 != 0) {
							_v68 = 0xa00;
							_v72 = 0;
							if(_t104 != 0) {
								_t63 = LoadLibraryExW(_t104);
								_t115 = _t115 - 0xc;
								_t88 = _t63;
								_v76 = _t104;
								L100290D0();
							} else {
								_t65 = LoadLibraryExA(_t87);
								_t115 = _t115 - 0xc;
								_t88 = _t65;
							}
							L30:
							return _t88;
						}
						if(_t104 == 0) {
							L17:
							_t103 = 0;
							_t88 = 0;
							L26:
							_v76 = _t103;
							L100290D0();
							_v76 = _t104;
							L100290D0();
							goto L30;
						}
						_v76 = _t104;
						_t107 = 0;
						_t89 = 0x104;
						_v40 = wcslen(??);
						while(1) {
							_v68 = 2;
							_t67 = E10029010(_t107, _t89);
							_t103 = _t67;
							if(_t67 == 0) {
								break;
							}
							_t68 = GetModuleFileNameW(0, _t67, _t89);
							_t115 = _t115 - 0xc;
							_t91 = _t91 & 0xffffff00 | _t68 != 0x00000000;
							_t99 = _t99 & 0xffffff00 | _t68 - _t89 >= 0x00000000;
							_t109 = _t68;
							if((_t91 & _t99) == 0 || _t89 > 0x7fff) {
								if(_t109 == 0) {
									_v76 = _t103;
									L100290D0();
									goto L17;
								}
								_t69 = wcsrchr(_t103, 0x5c);
								_t88 = _t69;
								if(_t69 != 0) {
									_v68 = 2;
									_v76 = _t103;
									_t93 = _t69 - _t103;
									_t88 = 0;
									_v32 = _t93;
									_t71 =  &(_v40[1]);
									_v36 = _t71;
									_t72 = _t71 + (_t93 >> 1);
									_v72 = _t72;
									_v40 = _t72;
									_t73 = E10029010();
									_t112 = _t73;
									if(_t73 == 0) {
										goto L26;
									}
									_v72 = _t104;
									_t103 = _t112;
									_v76 = _t73 + _v32 + 2;
									wcscpy(??, ??);
									_t76 = LoadLibraryExW(_t112, 0, 8);
									_t115 = _t115 - 0xc;
									_t88 = _t76;
									if(_t76 != 0) {
										goto L26;
									}
									_v76 = _t112;
									_v72 = _v40;
									_v32 = GetSystemDirectoryW;
									_t79 = GetSystemDirectoryW(??, ??);
									_push(_t99);
									_push(_t99);
									if(GetSystemDirectoryW == 0) {
										L23:
										_t103 = _t112;
										goto L26;
									}
									_t97 = _v44 + GetSystemDirectoryW;
									if(_v48 >= _t97) {
										L25:
										_t80 = _t79 + _t79;
										 *((short*)(_t103 + _t80)) = 0x5c;
										_t50 = _t80 + 2; // 0x2
										_v80 = _t104;
										 *_t115 = _t103 + _t50;
										wcscpy(??, ??);
										_v76 = 8;
										_v80 = 0;
										 *_t115 = _t103;
										_t83 = LoadLibraryExW(??, ??, ??);
										_t115 = _t115 - 0xc;
										_t88 = _t83;
										goto L26;
									}
									_v80 = _t97;
									_v76 = 2;
									 *_t115 = _t112;
									_v48 = _t97;
									_t84 = E10029010();
									_t98 = _v48;
									_t103 = _t84;
									if(_t84 != 0) {
										_v80 = _t98;
										 *_t115 = _t84;
										_t79 =  *_v40();
										_push(_t98);
										_push(_t98);
										if(_t79 == 0) {
											goto L26;
										}
										goto L25;
									}
									goto L23;
								}
								goto L26;
							} else {
								_t107 = _t103;
								_t89 =  >  ? 0x8000 : _t89 + _t89;
								continue;
							}
						}
						_v76 = _t107;
						L100290D0();
						goto L17;
					}
					__imp___errno();
					 *_t58 = 0xc;
				}
				_t104 = 0;
				goto L5;
			}

0x100a7c1c
0x100a7c1c
0x100a7c22
0x100a7c50
0x100a7c52
0x100a7c57
0x100a7c5d
0x100a7c65
0x100a7c67
0x100a7c6a
0x100a7c71
0x100a7c73
0x100a7ca4
0x100a7ca6
0x100a7ca9
0x100a7cb0
0x100a7cb7
0x100a7cbf
0x100a7cc2
0x100a7cc8
0x100a7ccb
0x100a7ccc
0x100a7e9d
0x100a7ea9
0x100a7ead
0x100a7ec2
0x100a7ec8
0x100a7ecb
0x100a7ecd
0x100a7ed0
0x100a7eaf
0x100a7eb2
0x100a7eb8
0x100a7ebb
0x100a7ebb
0x100a7ed5
0x100a7ede
0x100a7ede
0x100a7cd4
0x100a7d76
0x100a7d76
0x100a7d78
0x100a7e8b
0x100a7e8b
0x100a7e8e
0x100a7e93
0x100a7e96
0x00000000
0x100a7e96
0x100a7cda
0x100a7cdd
0x100a7cdf
0x100a7ce9
0x100a7ced
0x100a7ced
0x100a7cfc
0x100a7d03
0x100a7d05
0x00000000
0x00000000
0x100a7d1e
0x100a7d24
0x100a7d29
0x100a7d2e
0x100a7d31
0x100a7d35
0x100a7d51
0x100a7d6e
0x100a7d71
0x00000000
0x100a7d71
0x100a7d5e
0x100a7d65
0x100a7d67
0x100a7d7f
0x100a7d8d
0x100a7d90
0x100a7d92
0x100a7d94
0x100a7d9c
0x100a7d9f
0x100a7da3
0x100a7da5
0x100a7da9
0x100a7dad
0x100a7db4
0x100a7db6
0x00000000
0x00000000
0x100a7dbc
0x100a7dc4
0x100a7dca
0x100a7dcd
0x100a7de3
0x100a7de9
0x100a7dee
0x100a7df0
0x00000000
0x00000000
0x100a7df6
0x100a7dfd
0x100a7e06
0x100a7e0a
0x100a7e0c
0x100a7e0f
0x100a7e10
0x100a7e40
0x100a7e40
0x00000000
0x100a7e40
0x100a7e16
0x100a7e1c
0x100a7e57
0x100a7e57
0x100a7e59
0x100a7e5f
0x100a7e63
0x100a7e67
0x100a7e6a
0x100a7e71
0x100a7e79
0x100a7e7d
0x100a7e80
0x100a7e86
0x100a7e89
0x00000000
0x100a7e89
0x100a7e1e
0x100a7e22
0x100a7e2a
0x100a7e2d
0x100a7e31
0x100a7e36
0x100a7e3c
0x100a7e3e
0x100a7e44
0x100a7e48
0x100a7e4f
0x100a7e51
0x100a7e54
0x100a7e55
0x00000000
0x00000000
0x00000000
0x100a7e55
0x00000000
0x100a7e3e
0x00000000
0x100a7d3f
0x100a7d48
0x100a7d4a
0x00000000
0x100a7d4a
0x100a7d35
0x100a7d07
0x100a7d0a
0x00000000
0x100a7d0a
0x100a7c75
0x100a7c7b
0x100a7c7b
0x100a7c59
0x00000000

APIs

MultiByteToWideChar.KERNEL32 ref: 100A7C50
mv_calloc.LICKING ref: 100A7C6A
_errno.MSVCRT ref: 100A7C75
MultiByteToWideChar.KERNEL32 ref: 100A7CA4
GetModuleHandleW.KERNEL32 ref: 100A7CB0
GetProcAddress.KERNEL32 ref: 100A7CC2
wcslen.MSVCRT ref: 100A7CE4
mv_realloc_array.LICKING ref: 100A7CFC
GetModuleFileNameW.KERNEL32 ref: 100A7D1E
wcsrchr.MSVCRT ref: 100A7D5E
mv_realloc_array.LICKING ref: 100A7DAD
wcscpy.MSVCRT ref: 100A7DCD
LoadLibraryExW.KERNEL32 ref: 100A7DE3
mv_realloc_array.LICKING ref: 100A7E31
wcscpy.MSVCRT ref: 100A7E6A
LoadLibraryExW.KERNEL32 ref: 100A7E80
LoadLibraryExA.KERNEL32 ref: 100A7EB2
LoadLibraryExW.KERNEL32 ref: 100A7EC2

Strings

\, xrefs: 100A7D53

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$mv_realloc_array$ByteCharModuleMultiWidewcscpy$AddressFileHandleNameProc_errnomv_callocwcslenwcsrchr
String ID: \
API String ID: 1053637131-2967466578
Opcode ID: bad948dc888ca7b8fe45ed86bdb40432ed6f04d219cba8fed4b1c981d5e2befc
Instruction ID: b443f8b5a0a689592232babdffcb8399bc6d9c8df0cdae325e16511af354ecc2
Opcode Fuzzy Hash: bad948dc888ca7b8fe45ed86bdb40432ed6f04d219cba8fed4b1c981d5e2befc
Instruction Fuzzy Hash: F77104B0509706DFD350EFA9C98962EBBE0FF88744F41892DE88DC7211EB789844DB46

Uniqueness

Uniqueness Score: -1.00%

Function 10015CEB Relevance: 42.2, APIs: 28, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 10015A2B: mv_mallocz.LICKING ref: 10015A99

mv_expr_free.LICKING ref: 10015DA4
mv_expr_free.LICKING ref: 10015DB3
mv_expr_free.LICKING ref: 10015DC2
mv_freep.LICKING ref: 10015DD1
mv_freep.LICKING ref: 10015DDD
mv_expr_free.LICKING ref: 10015DFF
mv_expr_free.LICKING ref: 10015E0E
mv_expr_free.LICKING ref: 10015E1D
mv_freep.LICKING ref: 10015E2C
mv_freep.LICKING ref: 10015E38
mv_expr_free.LICKING ref: 10015E5A
mv_expr_free.LICKING ref: 10015E69
mv_expr_free.LICKING ref: 10015E78
mv_freep.LICKING ref: 10015E87
mv_freep.LICKING ref: 10015E93
mv_freep.LICKING ref: 10015EAA
mv_freep.LICKING ref: 10015EB6
mv_freep.LICKING ref: 10015F16
mv_freep.LICKING ref: 10015F22
mv_expr_free.LICKING ref: 10015F07

Part of subcall function 10015280: mv_freep.LICKING ref: 10015588
Part of subcall function 10015280: mv_freep.LICKING ref: 10015594
Part of subcall function 10015280: mv_freep.LICKING ref: 100155DB
Part of subcall function 10015280: mv_freep.LICKING ref: 100155E7
Part of subcall function 10015280: mv_freep.LICKING ref: 100155F6
Part of subcall function 10015280: mv_freep.LICKING ref: 10015602
Part of subcall function 10015280: mv_freep.LICKING ref: 10015667
Part of subcall function 10015280: mv_freep.LICKING ref: 10015673
Part of subcall function 10015280: mv_freep.LICKING ref: 100156BA

mv_expr_free.LICKING ref: 10015EF8

Part of subcall function 10015280: mv_freep.LICKING ref: 1001542C
Part of subcall function 10015280: mv_freep.LICKING ref: 10015438
Part of subcall function 10015280: mv_freep.LICKING ref: 10015447
Part of subcall function 10015280: mv_freep.LICKING ref: 10015453
Part of subcall function 10015280: mv_freep.LICKING ref: 1001549A
Part of subcall function 10015280: mv_freep.LICKING ref: 100154A6
Part of subcall function 10015280: mv_freep.LICKING ref: 100154B5
Part of subcall function 10015280: mv_freep.LICKING ref: 100154C1
Part of subcall function 10015280: mv_freep.LICKING ref: 10015517
Part of subcall function 10015280: mv_freep.LICKING ref: 10015523

mv_expr_free.LICKING ref: 10015EE9

Part of subcall function 10015280: mv_freep.LICKING ref: 100152FA
Part of subcall function 10015280: mv_freep.LICKING ref: 10015306
Part of subcall function 10015280: mv_freep.LICKING ref: 1001534D
Part of subcall function 10015280: mv_freep.LICKING ref: 10015359
Part of subcall function 10015280: mv_freep.LICKING ref: 10015368
Part of subcall function 10015280: mv_freep.LICKING ref: 10015374
Part of subcall function 10015280: mv_freep.LICKING ref: 100153D9
Part of subcall function 10015280: mv_freep.LICKING ref: 100153E5

mv_expr_free.LICKING ref: 10015F35
mv_expr_free.LICKING ref: 10015F44
mv_expr_free.LICKING ref: 10015F53
mv_freep.LICKING ref: 10015F62
mv_freep.LICKING ref: 10015F6E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_expr_free$mv_mallocz
String ID:
API String ID: 3790364031-0
Opcode ID: e996e5f91ad57c4dc7bb7989f75560456d4920faeb29814724ac59779d0817be
Instruction ID: b8a8a0f0b8c1a02a0ba16ef79dd5ecb6b3edcdc9322a88dc3cdfee30d6bbf24d
Opcode Fuzzy Hash: e996e5f91ad57c4dc7bb7989f75560456d4920faeb29814724ac59779d0817be
Instruction Fuzzy Hash: FA81B0B96087058FC744EF64D08191ABBE1FF88255F458A6DE8D89F305D735EA82CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C790 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 231
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1001C790(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v40;
				intOrPtr _t10;
				void* _t11;
				intOrPtr* _t12;
				signed int _t16;
				intOrPtr _t17;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;

				_t10 = 0x100b5e05;
				_t16 = 0;
				_t23 = _t22 - 0x1c;
				_t21 = _a4;
				_t17 = _a8;
				 *_t21 = 0;
				while(1) {
					_v40 = _t10;
					 *_t23 = _t17;
					_t11 = E10006B30();
					_t19 = _t11;
					if(_t11 == 0) {
						break;
					}
					_t16 = _t16 + 1;
					if(_t16 != 0xf) {
						_t10 =  *((intOrPtr*)(0x100b6000 + _t16 * 8));
						continue;
					} else {
						return 0xffffffea;
					}
					L19:
				}
				 *_t23 = 0x10;
				_t12 = E10029100();
				_t18 = _t12;
				if(_t12 == 0) {
					L18:
					_t19 = 0xfffffff4;
				} else {
					 *(_t12 + 4) = _t16;
					if(_t16 > 0xd) {
						L10:
						 *_t21 = _t18;
					} else {
						switch( *((intOrPtr*)(_t16 * 4 +  &M100B5E0C))) {
							case 0:
								__eax = E10028790();
								goto L9;
							case 1:
								__eax = E10029FC0();
								goto L9;
							case 2:
								__eax = E1003C470();
								goto L9;
							case 3:
								__eax = E100411A0();
								goto L9;
							case 4:
								_t14 = E1004C260();
								L9:
								 *_t18 = _t14;
								if(_t14 == 0) {
									 *_t23 = _t18;
									L100290D0();
									goto L18;
								} else {
									goto L10;
								}
								goto L11;
							case 5:
								 *((intOrPtr*)(__edi + 8)) = E1000FDB0(__ebx, 4);
								goto L10;
						}
					}
				}
				L11:
				return _t19;
				goto L19;
			}

0x1001c791
0x1001c799
0x1001c79b
0x1001c79e
0x1001c7a2
0x1001c7a6
0x1001c7b7
0x1001c7b7
0x1001c7bb
0x1001c7be
0x1001c7c5
0x1001c7c7
0x00000000
0x00000000
0x1001c7c9
0x1001c7cd
0x1001c7b0
0x00000000
0x1001c7cf
0x1001c7dd
0x1001c7dd
0x00000000
0x1001c7cd
0x1001c7e0
0x1001c7e7
0x1001c7ee
0x1001c7f0
0x1001c865
0x1001c865
0x1001c7f2
0x1001c7f2
0x1001c7f8
0x1001c813
0x1001c813
0x1001c7fa
0x1001c7fa
0x00000000
0x1001c848
0x00000000
0x00000000
0x1001c852
0x00000000
0x00000000
0x1001c820
0x00000000
0x00000000
0x1001c830
0x00000000
0x00000000
0x1001c808
0x1001c80d
0x1001c80d
0x1001c811
0x1001c859
0x1001c860
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c843
0x00000000
0x00000000
0x1001c7fa
0x1001c7f8
0x1001c816
0x1001c81f
0x00000000

APIs

mv_strcasecmp.LICKING ref: 1001C7BE
mv_mallocz.LICKING ref: 1001C7E7

Strings

MD5, xrefs: 1001C791

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloczmv_strcasecmp
String ID: MD5
API String ID: 1451953452-1168476579
Opcode ID: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
Instruction ID: 67cf48b984792008eb9918d7ca6f9d2bd109b0f8cd42104998243e9ea9d1147f
Opcode Fuzzy Hash: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
Instruction Fuzzy Hash: 2691D2B8909704DFC750DF68C58091ABBE0FF89354F14896EF9888B361E734D981EB56

Uniqueness

Uniqueness Score: -1.00%

Function 10011560 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 216
stringCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E10011560(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, signed int* _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v50;
				void* _v56;
				void* _v60;
				void* _v64;
				intOrPtr _v92;
				signed int _v96;
				signed int* _v100;
				signed int* _v104;
				signed int* _t89;
				signed int* _t98;
				signed int* _t99;
				signed int _t104;
				void* _t105;
				int _t109;
				int _t110;
				void* _t112;
				signed int _t116;
				signed int* _t121;
				signed int _t127;
				int _t129;
				signed int _t130;
				intOrPtr* _t133;
				signed int* _t134;
				void* _t136;
				signed int* _t140;
				signed int* _t142;
				int _t143;
				void* _t144;
				signed int* _t149;
				void* _t150;
				signed int* _t152;
				signed int _t153;
				int _t155;
				signed int _t156;
				void _t158;
				signed int** _t162;
				signed int** _t163;

				_v16 = __ebx;
				_v12 = __esi;
				_v104 = 0x16;
				_t149 =  &_v50;
				 *_t163 = _t149;
				_v92 = _a16;
				_v96 = _a12;
				_v100 = 0x100b4200;
				_v8 = __edi;
				_t140 = _a8;
				_v4 = __ebp;
				E10011040();
				_v60 = 0;
				_t121 =  *_a4;
				 *_t163 = _t149;
				_v56 = 0;
				_t89 = E100292E0(_t121, _t140, _t149, 0);
				_v56 = _t89;
				if(_t140 == 0) {
					_t150 = 0xffffffea;
					L24:
					if(_t121 == 0) {
						L16:
						 *_t163 = _v60;
						L100290D0();
						 *_t163 = _v56;
						L100290D0();
						L17:
						return _t150;
					}
					L15:
					if( *_t121 == 0) {
						 *_t163 =  &(_t121[1]);
						E100290E0();
						 *_t163 = _a4;
						E100290E0();
					}
					goto L16;
				}
				_t162 = 0;
				_t152 = _t89;
				if((_a20 & 0x00000040) == 0) {
					_v104 = _t140;
					_v100 = 0;
					 *_t163 = _t121;
					_v96 = _a20 & 0xfffffff7;
					_t162 = E100110D0();
				}
				if((_a20 & 0x00000004) == 0) {
					 *_t163 = _t140;
					_t98 = E100292E0(_t121, _t140, _t152, _t162);
					_v60 = _t98;
					_t142 = _t98;
					if(_t121 == 0) {
						L19:
						 *_t163 = 8;
						_t99 = E10029100();
						_t142 = _v60;
						_t121 = _t99;
						 *_a4 = _t121;
						if(_t121 == 0 || _t142 == 0) {
							_t150 = 0xfffffff4;
							goto L24;
						} else {
							L21:
							_t152 = _v56;
							L4:
							if(_t152 == 0) {
								L14:
								_t150 = 0xfffffff4;
								goto L15;
							}
							if(_t162 == 0) {
								_v100 = 8;
								_v104 =  *_t121 + 1;
								 *_t163 = _t121[1];
								_t104 = E10029010();
								_t153 = _t104;
								if(_t104 == 0) {
									goto L14;
								}
								_t121[1] = _t104;
								_t127 =  *_t121;
								L10:
								_t105 = _v56;
								if(_t105 == 0) {
									if(_t127 == 0) {
										 *_t163 =  &(_t121[1]);
										E100290E0();
										 *_t163 = _a4;
										E100290E0();
									}
									_t150 = 0;
									 *_t163 =  &_v60;
									E100290E0();
								} else {
									_t133 = _t153 + _t127 * 8;
									 *((intOrPtr*)(_t133 + 4)) = _t105;
									 *_t133 = _v60;
									_t150 = 0;
									 *_t121 = _t127 + 1;
								}
								goto L17;
							}
							if((_a20 & 0x00000010) != 0) {
								 *_t163 = _t142;
								_t150 = 0;
								L100290D0();
								 *_t163 = _v56;
								L100290D0();
								goto L17;
							}
							_t134 = _a4;
							 *_t163 = _t134;
							if((_a20 & 0x00000020) != 0) {
								_v64 = _t134;
								_t109 = strlen(??);
								 *_t163 = _t152;
								_t143 = _t109;
								_t110 = strlen(??);
								 *_t163 = _v64;
								_t155 = _t110;
								_t68 = _t110 + 1; // 0x1
								_v104 = _t143 + _t68;
								_t112 = E10028DA0();
								if(_t112 == 0) {
									goto L14;
								}
								_t70 = _t155 + 1; // 0x1
								_t129 = _t70;
								_t144 = _t143 + _t112;
								_t136 = _v56;
								if(_t129 >= 8) {
									if((_t144 & 0x00000001) != 0) {
										_t130 =  *_t136 & 0x000000ff;
										_t144 = _t144 + 1;
										_t136 = _t136 + 1;
										 *(_t144 - 1) = _t130;
										_t129 = _t155;
									}
									if((_t144 & 0x00000002) != 0) {
										_t156 =  *_t136 & 0x0000ffff;
										_t144 = _t144 + 2;
										_t136 = _t136 + 2;
										_t129 = _t129 - 2;
										 *(_t144 - 2) = _t156;
									}
									if((_t144 & 0x00000004) != 0) {
										_t158 =  *_t136;
										_t144 = _t144 + 4;
										_t136 = _t136 + 4;
										_t129 = _t129 - 4;
										 *(_t144 - 4) = _t158;
									}
								}
								_v64 = _t112;
								memcpy(_t144, _t136, _t129);
								_t163 =  &(_t163[3]);
								 *_t163 =  &_v56;
								E100290E0();
								_v56 = _v64;
								goto L9;
							} else {
								L100290D0();
								L9:
								 *_t163 =  *_t162;
								L100290D0();
								_t116 =  *_t121;
								_t153 = _t121[1];
								_t32 = _t116 - 1; // -1
								_t127 = _t32;
								 *_t121 = _t127;
								 *_t162 =  *(_t153 + _t127 * 8);
								_a4 =  *(_t153 + 4 + _t127 * 8);
								goto L10;
							}
						}
					}
					if(_t98 != 0) {
						goto L21;
					}
					goto L14;
				}
				_v60 = _t140;
				if(_t121 == 0) {
					goto L19;
				}
				goto L4;
			}

0x10011563
0x1001156b
0x10011578
0x1001157c
0x10011580
0x10011583
0x1001158c
0x10011590
0x10011594
0x10011598
0x1001159c
0x100115a2
0x100115ab
0x100115af
0x100115b3
0x100115b6
0x100115ba
0x100115c1
0x100115c5
0x10011758
0x1001175d
0x1001175f
0x10011699
0x1001169d
0x100116a0
0x100116a9
0x100116ac
0x100116b1
0x100116c6
0x100116c6
0x1001168f
0x10011693
0x10011773
0x10011776
0x1001177f
0x10011782
0x10011782
0x00000000
0x10011693
0x100115cb
0x100115cd
0x100115d7
0x100116d0
0x100116dd
0x100116e1
0x100116e7
0x100116f0
0x100116f0
0x100115e5
0x10011670
0x10011673
0x1001167a
0x1001167e
0x10011680
0x10011700
0x10011700
0x10011707
0x1001170c
0x10011710
0x10011718
0x1001171a
0x10011840
0x00000000
0x10011728
0x10011728
0x10011728
0x100115f7
0x100115f9
0x1001168a
0x1001168a
0x00000000
0x1001168a
0x10011601
0x100117b5
0x100117bc
0x100117c3
0x100117c6
0x100117cd
0x100117cf
0x00000000
0x00000000
0x100117d5
0x100117d8
0x10011650
0x10011650
0x10011656
0x10011792
0x10011853
0x10011856
0x1001185f
0x10011862
0x10011862
0x1001179c
0x1001179e
0x100117a1
0x1001165c
0x1001165c
0x10011664
0x10011667
0x10011669
0x1001166b
0x1001166b
0x00000000
0x10011656
0x1001160f
0x10011738
0x1001173b
0x1001173d
0x10011746
0x10011749
0x00000000
0x10011749
0x10011615
0x10011620
0x10011623
0x100117e0
0x100117e4
0x100117e9
0x100117ec
0x100117ee
0x100117f7
0x100117fa
0x100117fc
0x10011800
0x10011804
0x1001180b
0x00000000
0x00000000
0x10011811
0x10011811
0x10011814
0x10011816
0x1001181d
0x10011876
0x10011898
0x1001189b
0x1001189c
0x1001189d
0x100118a0
0x100118a0
0x1001187e
0x100118a4
0x100118a7
0x100118aa
0x100118ad
0x100118b0
0x100118b0
0x10011886
0x10011888
0x1001188a
0x1001188d
0x10011890
0x10011893
0x10011893
0x10011886
0x1001181f
0x10011825
0x10011825
0x1001182b
0x1001182e
0x10011837
0x00000000
0x10011629
0x10011629
0x1001162e
0x10011631
0x10011634
0x10011639
0x1001163b
0x1001163e
0x1001163e
0x10011641
0x1001164a
0x1001164d
0x00000000
0x1001164d
0x10011623
0x1001171a
0x10011684
0x00000000
0x00000000
0x00000000
0x10011684
0x100115eb
0x100115f1
0x00000000
0x00000000
0x00000000

APIs

mv_strdup.LICKING ref: 100115BA

Part of subcall function 100292E0: strlen.MSVCRT ref: 100292FE
Part of subcall function 100292E0: _aligned_realloc.MSVCRT ref: 10029325

mv_strdup.LICKING ref: 10011673
mv_dict_get.LICKING ref: 100116EB
mv_mallocz.LICKING ref: 10011707
mv_freep.LICKING ref: 100117A1
mv_realloc_array.LICKING ref: 100117C6
strlen.MSVCRT ref: 100117E4
strlen.MSVCRT ref: 100117EE
mv_realloc.LICKING ref: 10011804
mv_freep.LICKING ref: 1001182E

Strings

, xrefs: 10011618
%lld, xrefs: 10011587

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$mv_freepmv_strdup$_aligned_reallocmv_dict_getmv_malloczmv_reallocmv_realloc_array
String ID: $%lld
API String ID: 420417855-3617178099
Opcode ID: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
Instruction ID: 8f6e5ec8c3f0a619e422cb1a926671cc568e29337de09296a572835a12694a18
Opcode Fuzzy Hash: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
Instruction Fuzzy Hash: 539117B59097458FC754DF68C18066EBBE0FF88380F56892DED889B341DB74E880CB42

Uniqueness

Uniqueness Score: -1.00%

Function 100192E0 Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 150fileCOMMON

Download Yara Rule

APIs

mvpriv_open.LICKING ref: 1001933F

Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
Part of subcall function 100195E0: mv_calloc.LICKING ref: 1001964E
Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32 ref: 10019685
Part of subcall function 100195E0: mv_calloc.LICKING ref: 100196D7
Part of subcall function 100195E0: mv_freep.LICKING ref: 10019713
Part of subcall function 100195E0: wcslen.MSVCRT ref: 1001971F
Part of subcall function 100195E0: _wsopen.MSVCRT ref: 1001974B

_fstat64.MSVCRT ref: 10019366
_close.MSVCRT ref: 10019394
_get_osfhandle.MSVCRT ref: 100193C5
CreateFileMappingA.KERNEL32 ref: 100193ED
MapViewOfFile.KERNEL32 ref: 10019422
CloseHandle.KERNEL32 ref: 10019434
mv_log.LICKING ref: 1001945D
_close.MSVCRT ref: 10019465
_errno.MSVCRT ref: 10019480
mv_strerror.LICKING ref: 100194A1
mv_log.LICKING ref: 100194C7
_errno.MSVCRT ref: 100194D8
mv_strerror.LICKING ref: 100194FE
mv_log.LICKING ref: 1001951B
_close.MSVCRT ref: 10019523
mv_log.LICKING ref: 1001954F
_close.MSVCRT ref: 10019557

Strings

File size for file '%s' is too big, xrefs: 10019535
Error occurred in CreateFileMapping(), xrefs: 10019561
Cannot read file '%s': %s, xrefs: 100194A6
Error occurred in fstat(): %s, xrefs: 1001950B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _closemv_log$ByteCharFileMultiWide_errnomv_callocmv_strerror$CloseCreateHandleMappingView_fstat64_get_osfhandle_wsopenmv_freepmvpriv_openwcslen
String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in fstat(): %s$File size for file '%s' is too big
API String ID: 2213036534-2445208470
Opcode ID: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
Instruction ID: a1ac4bca67f905ea7eb530c9fec20e9fe0d2cf07c5fae6ebec99be3d32fbbfc6
Opcode Fuzzy Hash: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
Instruction Fuzzy Hash: 8561BDB59097459FC310DF29C48429EBBE4FF88710F51892EE8D98B350EB78D9808F82

Uniqueness

Uniqueness Score: -1.00%

Function 10012850 Relevance: 37.7, APIs: 25, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012850(intOrPtr* __eax) {
				intOrPtr _t65;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				intOrPtr* _t98;
				intOrPtr* _t102;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t109;
				void* _t110;
				intOrPtr* _t111;

				_t107 = __eax;
				_t111 = _t110 - 0x2c;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					_t96 = 0;
					do {
						_t90 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 8)) + _t96 * 4));
						_t96 = _t96 + 1;
						 *_t111 = _t90;
						L100290D0();
					} while (_t96 <  *((intOrPtr*)(__eax + 0xc)));
				}
				_t106 =  *((intOrPtr*)(_t107 + 0x1c));
				if(_t106 != 0) {
					if( *((intOrPtr*)(_t106 + 0xc)) != 0) {
						_t95 = 0;
						do {
							_t88 =  *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)) + _t95 * 4));
							_t95 = _t95 + 1;
							 *_t111 = _t88;
							L100290D0();
						} while (_t95 <  *((intOrPtr*)(_t106 + 0xc)));
					}
					_t109 =  *((intOrPtr*)(_t106 + 0x1c));
					if(_t109 != 0) {
						if( *((intOrPtr*)(_t109 + 0xc)) != 0) {
							_t94 = 0;
							do {
								_t86 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 8)) + _t94 * 4));
								_t94 = _t94 + 1;
								 *_t111 = _t86;
								L100290D0();
							} while (_t94 <  *((intOrPtr*)(_t109 + 0xc)));
						}
						_t102 =  *((intOrPtr*)(_t109 + 0x1c));
						if(_t102 != 0) {
							if( *((intOrPtr*)(_t102 + 0xc)) != 0) {
								_t93 = 0;
								do {
									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
									_t84 =  *((intOrPtr*)( *((intOrPtr*)(_t102 + 8)) + _t93 * 4));
									_t93 = _t93 + 1;
									 *_t111 = _t84;
									L100290D0();
									_t102 =  *((intOrPtr*)(_t111 + 0x18));
								} while (_t93 <  *((intOrPtr*)(_t102 + 0xc)));
							}
							_t98 =  *((intOrPtr*)(_t102 + 0x1c));
							if(_t98 != 0) {
								if( *((intOrPtr*)(_t98 + 0xc)) != 0) {
									_t92 = 0;
									do {
										 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
										 *((intOrPtr*)(_t111 + 0x18)) = _t98;
										_t82 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 8)) + _t92 * 4));
										_t92 = _t92 + 1;
										 *_t111 = _t82;
										L100290D0();
										_t98 =  *((intOrPtr*)(_t111 + 0x18));
										_t102 =  *((intOrPtr*)(_t111 + 0x1c));
									} while (_t92 <  *((intOrPtr*)(_t98 + 0xc)));
								}
								_t76 =  *((intOrPtr*)(_t98 + 0x1c));
								if( *((intOrPtr*)(_t98 + 0x1c)) != 0) {
									 *((intOrPtr*)(_t111 + 0x1c)) = _t98;
									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
									E10012850(_t76);
									_t98 =  *((intOrPtr*)(_t111 + 0x1c));
									_t102 =  *((intOrPtr*)(_t111 + 0x18));
								}
								 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
								 *((intOrPtr*)(_t111 + 0x18)) = _t98;
								 *_t111 =  *_t98;
								L100290D0();
								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
								L100290D0();
								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
								L100290D0();
								 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
								L100290D0();
								_t102 =  *((intOrPtr*)(_t111 + 0x1c));
							}
							 *((intOrPtr*)(_t111 + 0x18)) = _t102;
							 *_t111 =  *_t102;
							L100290D0();
							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
							L100290D0();
							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
							L100290D0();
							 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
							L100290D0();
						}
						 *_t111 =  *_t109;
						L100290D0();
						 *_t111 =  *((intOrPtr*)(_t109 + 8));
						L100290D0();
						 *_t111 =  *((intOrPtr*)(_t109 + 0x14));
						L100290D0();
						 *_t111 = _t109;
						L100290D0();
					}
					 *_t111 =  *_t106;
					L100290D0();
					 *_t111 =  *((intOrPtr*)(_t106 + 8));
					L100290D0();
					 *_t111 =  *((intOrPtr*)(_t106 + 0x14));
					L100290D0();
					 *_t111 = _t106;
					L100290D0();
				}
				 *_t111 =  *_t107;
				L100290D0();
				 *_t111 =  *((intOrPtr*)(_t107 + 8));
				L100290D0();
				_t65 =  *((intOrPtr*)(_t107 + 0x14));
				 *_t111 = _t65;
				L100290D0();
				 *_t111 = _t107;
				L100290D0();
				return _t65;
			}

0x10012853
0x10012856
0x1001285e
0x10012860
0x10012870
0x10012873
0x10012876
0x10012877
0x1001287a
0x1001287f
0x10012870
0x10012884
0x10012889
0x10012894
0x10012896
0x100128a0
0x100128a3
0x100128a6
0x100128a7
0x100128aa
0x100128af
0x100128a0
0x100128b4
0x100128b9
0x100128c4
0x100128c6
0x100128d0
0x100128d3
0x100128d6
0x100128d7
0x100128da
0x100128df
0x100128d0
0x100128e4
0x100128e9
0x100128f4
0x100128f6
0x10012900
0x10012900
0x10012907
0x1001290a
0x1001290b
0x1001290e
0x10012913
0x10012917
0x10012900
0x1001291c
0x10012921
0x1001292c
0x1001292e
0x10012930
0x10012930
0x10012937
0x1001293b
0x1001293e
0x1001293f
0x10012942
0x10012947
0x1001294b
0x1001294f
0x10012930
0x10012954
0x10012959
0x1001295b
0x1001295f
0x10012963
0x10012968
0x1001296c
0x1001296c
0x10012970
0x10012976
0x1001297a
0x1001297d
0x10012989
0x1001298c
0x10012998
0x1001299b
0x100129a4
0x100129a7
0x100129ac
0x100129ac
0x100129b0
0x100129b6
0x100129b9
0x100129c5
0x100129c8
0x100129d4
0x100129d7
0x100129e0
0x100129e3
0x100129e3
0x100129eb
0x100129ee
0x100129f6
0x100129f9
0x10012a01
0x10012a04
0x10012a09
0x10012a0c
0x10012a0c
0x10012a13
0x10012a16
0x10012a1e
0x10012a21
0x10012a29
0x10012a2c
0x10012a31
0x10012a34
0x10012a34
0x10012a3b
0x10012a3e
0x10012a46
0x10012a49
0x10012a4e
0x10012a51
0x10012a54
0x10012a59
0x10012a5c
0x10012a68

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c5c0080483c316d8fb3254759ed7aa0dc5a53fbde58ff4e0ccf9ebadb92cac
Instruction ID: c3f6ecf513ba740120e9a0fe32152a8751e6e1c522ce6fff76888c91f6e7b3cc
Opcode Fuzzy Hash: a8c5c0080483c316d8fb3254759ed7aa0dc5a53fbde58ff4e0ccf9ebadb92cac
Instruction Fuzzy Hash: 166184B8A047098FC754EFA9D0D1A1AF7F0FF54290F51891CE4998B312D671F895CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10011D20 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10011D20(signed int* _a4, intOrPtr* _a8, signed int _a12) {
				signed char* _v32;
				signed int* _v36;
				signed char _v48;
				void* _v52;
				void* _v56;
				int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int** _v76;
				signed char _v80;
				signed int* _v84;
				signed int* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t155;
				signed int** _t165;
				signed int* _t167;
				signed int* _t168;
				int _t170;
				signed int _t172;
				signed int* _t178;
				int _t186;
				signed char _t188;
				signed char* _t191;
				signed int _t193;
				signed int** _t194;
				void* _t195;
				signed int* _t200;
				intOrPtr* _t201;
				signed int* _t202;
				signed char _t205;
				void* _t218;
				intOrPtr* _t220;
				intOrPtr _t222;
				signed int** _t223;
				signed char _t224;
				intOrPtr _t225;
				signed int* _t226;
				signed int _t229;
				int _t231;
				short* _t232;
				signed int* _t237;
				signed int* _t238;
				signed char* _t240;
				int _t242;
				signed char* _t243;
				signed short* _t245;
				intOrPtr* _t247;
				intOrPtr* _t248;
				signed int* _t249;
				void* _t251;
				signed int** _t252;

				_t252 = _t251 - 0x4c;
				_t248 = _a8;
				if(_t248 == 0) {
					L23:
					return 0;
				} else {
					_t193 = 0;
					_t220 = _t248;
					_v72 = _a12 & 0x00000008;
					_v68 = _a12 & 0x00000040;
					_v64 = _a12 & 0x00000004;
					if( *_t220 > 0) {
						while(1) {
							_t194 =  *((intOrPtr*)(_t220 + 4)) + _t193 * 8;
							if(_t194 == 0) {
								goto L23;
							}
							_t237 =  *_t194;
							_v36 = 0;
							_t226 = _t194[1];
							_t249 =  *_a4;
							_v32 = 0;
							if(_v72 == 0) {
								if(_t226 == 0) {
									goto L5;
								} else {
									 *_t252 = _t226;
									_a8 = _t220;
									_t191 = E100292E0(_t194, _t226, _t237, _t249);
									_t220 = _a8;
									_v32 = _t191;
									if(_t237 != 0) {
										goto L6;
									} else {
										goto L26;
									}
								}
							} else {
								_v32 = _t226;
								L5:
								if(_t237 == 0) {
									L26:
									_t155 = _t249;
									_t195 = 0xffffffea;
									goto L27;
								} else {
									L6:
									_v76 = 0;
									if(_v68 == 0) {
										_v88 = _t237;
										 *_t252 = _t249;
										_a8 = _t220;
										_v80 = _a12;
										_v84 = 0;
										_t165 = E100110D0();
										_t220 = _a8;
										_v76 = _t165;
									}
									if(_v64 == 0) {
										 *_t252 = _t237;
										_a8 = _t220;
										_t167 = E100292E0(_t194, _t226, _t237, _t249);
										_t220 = _a8;
										_v36 = _t167;
										_t238 = _t167;
										if(_t249 == 0) {
											goto L34;
										} else {
											if(_t167 == 0) {
												goto L11;
											} else {
												goto L9;
											}
										}
									} else {
										_v36 = _t237;
										if(_t249 == 0) {
											L34:
											 *_t252 = 8;
											_a8 = _t220;
											_t168 = E10029100();
											_t238 = _v36;
											_t249 = _t168;
											 *_a4 = _t249;
											if(_t249 == 0) {
												L36:
												_t155 = _t249;
												_t195 = 0xfffffff4;
												L27:
												if(_t155 != 0) {
													goto L12;
												}
												goto L13;
											} else {
												_t220 = _a8;
												if(_t238 != 0) {
													goto L9;
												} else {
													goto L36;
												}
											}
										} else {
											L9:
											_t170 = _v32;
											_v60 = _t170;
											if(_t226 == 0 || _t170 != 0) {
												if(_v76 == 0) {
													_t172 =  *_t249;
													if(_v60 == 0) {
														goto L40;
													} else {
														_a8 = _t220;
														_v84 = 8;
														_v88 = _t172 + 1;
														 *_t252 = _a4;
														_t178 = E10029010();
														_t220 = _a8;
														_t200 = _t178;
														if(_t178 == 0) {
															goto L11;
														} else {
															_a4 = _t178;
															_t172 =  *_t249;
															goto L20;
														}
													}
												} else {
													if((_a12 & 0x00000010) != 0) {
														 *_t252 = _t238;
														_a8 = _t220;
														L100290D0();
														 *_t252 = _v32;
														L100290D0();
														_t220 = _a8;
														goto L22;
													} else {
														_t202 = _v76[1];
														if(_v60 == 0 || (_a12 & 0x00000020) == 0) {
															 *_t252 = _t202;
															_a8 = _t220;
															L100290D0();
															_t222 = _a8;
															L19:
															_a8 = _t222;
															 *_t252 =  *_v76;
															L100290D0();
															_t229 =  *_t249;
															_t200 = _a4;
															_t223 = _v76;
															_t41 = _t229 - 1; // 0x3
															_t172 = _t41;
															 *_t249 = _t172;
															 *_t223 =  *(_t200 + _t172 * 8);
															_t223[1] =  *(_t200 + 4 + _t172 * 8);
															_t220 = _a8;
															L20:
															_t240 = _v32;
															if(_t240 == 0) {
																L40:
																if(_t172 == 0) {
																	_a8 = _t220;
																	 *_t252 =  &_a4;
																	E100290E0();
																	 *_t252 = _a4;
																	E100290E0();
																	_t220 = _a8;
																}
																_a8 = _t220;
																 *_t252 =  &_v36;
																E100290E0();
																_t220 = _a8;
															} else {
																_t201 = _t200 + _t172 * 8;
																 *((intOrPtr*)(_t201 + 4)) = _t240;
																 *_t201 = _v36;
																 *_t249 = _t172 + 1;
															}
															L22:
															_t193 = (_t194 -  *((intOrPtr*)(_t220 + 4)) >> 3) + 1;
															if( *_t220 > _t193) {
																continue;
															} else {
																goto L23;
															}
														} else {
															 *_t252 = _t202;
															_a8 = _t220;
															_v56 = _t202;
															_t242 = strlen(??);
															 *_t252 = _v60;
															_t186 = strlen(??);
															 *_t252 = _v56;
															_t231 = _t186;
															_t91 = _t186 + 1; // 0x1
															_v88 = _t242 + _t91;
															_t188 = E10028DA0();
															if(_t188 == 0) {
																goto L11;
															} else {
																_t93 = _t231 + 1; // 0x1
																_v60 = _t93;
																_t224 = _t188 + _t242;
																_t243 = _v32;
																_t205 = _t224;
																_v48 = _t224;
																_v56 = _t224;
																_t225 = _a8;
																_v52 = _t243;
																if(_v60 >= 8) {
																	if((_t205 & 0x00000001) != 0) {
																		 *_v48 =  *_t243 & 0x000000ff;
																		_v60 = _t231;
																		_v56 = _v56 + 1;
																		_v52 = _v52 + 1;
																	}
																	if((_v56 & 0x00000002) != 0) {
																		_t245 = _v52;
																		_t232 = _v56;
																		 *_t232 =  *_t245 & 0x0000ffff;
																		_t138 = _t232 + 2; // 0x4
																		_v56 = _t138;
																		_v60 = _v60 - 2;
																		_v52 =  &(_t245[1]);
																	}
																	if((_v56 & 0x00000004) != 0) {
																		_t247 = _v52;
																		_t218 = _v56 + 4;
																		 *((intOrPtr*)(_t218 - 4)) =  *_t247;
																		_v56 = _t218;
																		_v60 = _v60 - 4;
																		_v52 = _t247 + 4;
																	}
																}
																_a8 = _t225;
																_v48 = _t188;
																memcpy(_v56, _v52, _v60);
																_t252 =  &(_t252[3]);
																 *_t252 =  &_v32;
																E100290E0();
																_t222 = _a8;
																_v32 = _v48;
																goto L19;
															}
														}
													}
												}
											} else {
												L11:
												_t155 = _t249;
												_t195 = 0xfffffff4;
												L12:
												if( *_t155 == 0) {
													 *_t252 =  &(_t155[1]);
													E100290E0();
													 *_t252 = _a4;
													E100290E0();
												}
												L13:
												 *_t252 = _v36;
												L100290D0();
												 *_t252 = _v32;
												L100290D0();
												return _t195;
											}
										}
									}
								}
							}
							goto L53;
						}
					}
					goto L23;
				}
				L53:
			}

0x10011d24
0x10011d27
0x10011d2d
0x10011eb0
0x10011ebb
0x10011d33
0x10011d37
0x10011d39
0x10011d3e
0x10011d49
0x10011d56
0x10011d5a
0x10011d60
0x10011d63
0x10011d68
0x00000000
0x00000000
0x10011d74
0x10011d76
0x10011d7a
0x10011d7d
0x10011d81
0x10011d8b
0x10011ec2
0x00000000
0x10011ec8
0x10011ec8
0x10011ecb
0x10011ecf
0x10011ed6
0x10011eda
0x10011ede
0x00000000
0x00000000
0x00000000
0x00000000
0x10011ede
0x10011d91
0x10011d91
0x10011d95
0x10011d97
0x10011ee4
0x10011ee4
0x10011ee6
0x00000000
0x10011d9d
0x10011d9d
0x10011d9f
0x10011da9
0x10011f30
0x10011f38
0x10011f3b
0x10011f3f
0x10011f45
0x10011f49
0x10011f4e
0x10011f52
0x10011f52
0x10011db5
0x10011f00
0x10011f03
0x10011f07
0x10011f0e
0x10011f12
0x10011f16
0x10011f18
0x00000000
0x10011f1a
0x10011f1c
0x00000000
0x10011f22
0x00000000
0x10011f22
0x10011f1c
0x10011dbb
0x10011dbb
0x10011dc1
0x10011f80
0x10011f80
0x10011f87
0x10011f8b
0x10011f90
0x10011f94
0x10011f9c
0x10011f9e
0x10011fac
0x10011fac
0x10011fae
0x10011eeb
0x10011eed
0x00000000
0x10011ef3
0x00000000
0x10011fa0
0x10011fa2
0x10011fa6
0x00000000
0x00000000
0x00000000
0x00000000
0x10011fa6
0x10011dc7
0x10011dc7
0x10011dc7
0x10011dcd
0x10011dd1
0x10011e16
0x10011fc4
0x10011fc9
0x00000000
0x10011fcb
0x10011fcb
0x10011fd5
0x10011fd9
0x10011fe0
0x10011fe3
0x10011fe8
0x10011fee
0x10011ff0
0x00000000
0x10011ff6
0x10011ff6
0x10011ff9
0x00000000
0x10011ff9
0x10011ff0
0x10011e1c
0x10011e21
0x100120f0
0x100120f3
0x100120f7
0x10012100
0x10012103
0x10012108
0x00000000
0x10011e27
0x10011e31
0x10011e34
0x10011e41
0x10011e44
0x10011e48
0x10011e4d
0x10011e51
0x10011e51
0x10011e5b
0x10011e5e
0x10011e63
0x10011e66
0x10011e69
0x10011e6d
0x10011e6d
0x10011e70
0x10011e7a
0x10011e7c
0x10011e7f
0x10011e83
0x10011e83
0x10011e89
0x10012008
0x1001200a
0x10012028
0x1001202f
0x10012032
0x1001203b
0x1001203e
0x10012043
0x10012043
0x1001200c
0x10012014
0x10012017
0x1001201c
0x10011e8f
0x10011e93
0x10011e97
0x10011e9a
0x10011e9c
0x10011e9c
0x10011e9f
0x10011ea7
0x10011eaa
0x00000000
0x00000000
0x00000000
0x00000000
0x10012050
0x10012050
0x10012053
0x10012057
0x10012060
0x10012066
0x10012069
0x10012072
0x10012075
0x10012077
0x1001207b
0x1001207f
0x10012086
0x00000000
0x1001208c
0x1001208c
0x1001208f
0x10012093
0x10012096
0x1001209f
0x100120a1
0x100120a5
0x100120a9
0x100120ad
0x100120b1
0x1001211b
0x10012157
0x10012159
0x10012162
0x1001216b
0x1001216b
0x10012122
0x10012171
0x10012175
0x1001217c
0x1001217f
0x10012182
0x10012189
0x1001218e
0x1001218e
0x10012129
0x1001212b
0x10012135
0x10012138
0x1001213b
0x10012142
0x10012147
0x10012147
0x10012129
0x100120b3
0x100120bb
0x100120c7
0x100120c7
0x100120cd
0x100120d0
0x100120d9
0x100120dd
0x00000000
0x100120dd
0x10012086
0x10011e34
0x10011e21
0x10011dd7
0x10011dd7
0x10011dd7
0x10011dd9
0x10011dde
0x10011de2
0x10011f63
0x10011f66
0x10011f6f
0x10011f72
0x10011f72
0x10011de8
0x10011dec
0x10011def
0x10011df8
0x10011dfb
0x10011e09
0x10011e09
0x10011dd1
0x10011dc1
0x10011db5
0x10011d97
0x00000000
0x10011d8b
0x10011d60
0x00000000
0x10011d5a
0x00000000

APIs

mv_strdup.LICKING ref: 10011ECF
mv_strdup.LICKING ref: 10011F07
mv_dict_get.LICKING ref: 10011F49
mv_mallocz.LICKING ref: 10011F8B

Strings

, xrefs: 10011E36

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strdup$mv_dict_getmv_mallocz
String ID:
API String ID: 3834523185-3916222277
Opcode ID: f30a2ccdc57a5dc09484d862070b881fff98bdf4c5b3196019a84854b3ce5ba3
Instruction ID: 17e11810d8b0030fce721e696df50892c7dce502bccf2b88fff91ce3398c2909
Opcode Fuzzy Hash: f30a2ccdc57a5dc09484d862070b881fff98bdf4c5b3196019a84854b3ce5ba3
Instruction Fuzzy Hash: 03D1F2B4A083458FC744CF69D18065AFBE1FF88794F558A2DF8889B311E730E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100505B0 Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100505B0(intOrPtr __eax, signed int __ecx, signed int __edx) {
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v68;
				char* _v72;
				intOrPtr _t54;
				intOrPtr _t58;
				intOrPtr _t63;
				intOrPtr _t68;
				intOrPtr _t79;
				intOrPtr _t96;
				signed int _t108;
				signed int _t120;
				intOrPtr _t123;
				signed int _t130;
				intOrPtr _t139;
				void* _t145;
				intOrPtr* _t146;

				_t130 = __edx;
				_t139 = __eax;
				_t146 = _t145 - 0x3c;
				_t108 = __ecx;
				_v72 = "flags: [";
				 *_t146 = __eax;
				E100089C0();
				_v44 = _t108;
				_t120 = _t130 & 0x00000002;
				_v48 = _t130 & 0x00000001;
				_v40 = _t108 & 0x10000000;
				_v36 = _t108 & 0x08000000;
				if((_t108 & 0x40000000) != 0) {
					 *_t146 = _t139;
					_v72 = "aligned";
					_v32 = _t120;
					E100089C0();
					if(_v32 != 0) {
						_t54 = 0x100c01c0;
						goto L3;
					} else {
						if(_v48 != 0) {
							goto L4;
						} else {
							goto L30;
						}
					}
				} else {
					if(_t120 == 0) {
						if(_v48 != 0) {
							_t96 = 0x100c01c3;
							goto L5;
						} else {
							if(_v44 < 0) {
								_t58 = 0x100c01c3;
								goto L38;
							} else {
								if(_v36 != 0) {
									_t63 = 0x100c01c3;
									goto L8;
								} else {
									if(_v40 == 0) {
										_t79 = 0x100c01c3;
										if((_t108 & 0x20000000) != 0) {
											goto L24;
										} else {
											if((_t130 & 0x00000004) != 0) {
												goto L13;
											} else {
												_t123 = 0x100c01c3;
												if((_t108 & 0x04000000) != 0) {
													goto L27;
												} else {
												}
											}
										}
									} else {
										_t68 = 0x100c01c3;
										goto L22;
									}
								}
							}
						}
					} else {
						_t54 = 0x100c01c3;
						L3:
						_v68 = _t54;
						_v72 = "%sunaligned";
						 *_t146 = _t139;
						E100089C0();
						if(_v48 == 0) {
							L30:
							if(_v44 < 0) {
								goto L43;
							} else {
								if(_v36 != 0) {
									goto L7;
								} else {
									if(_v40 != 0) {
										goto L21;
									} else {
										if((_t108 & 0x20000000) != 0) {
											goto L23;
										} else {
											goto L11;
										}
									}
								}
							}
						} else {
							L4:
							_t96 = 0x100c01c0;
							L5:
							_v68 = _t96;
							_v72 = "%sinplace";
							 *_t146 = _t139;
							E100089C0();
							if(_v44 < 0) {
								L43:
								_t58 = 0x100c01c0;
								L38:
								_v68 = _t58;
								_v72 = "%sout_of_place";
								 *_t146 = _t139;
								E100089C0();
								if(_v36 != 0) {
									goto L7;
								} else {
									if(_v40 != 0) {
										goto L21;
									} else {
										if((_t108 & 0x20000000) != 0) {
											goto L23;
										} else {
											if((_t130 & 0x00000004) == 0) {
												goto L14;
											} else {
												goto L12;
											}
											L49:
										}
									}
								}
							} else {
								if(_v36 != 0) {
									L7:
									_t63 = 0x100c01c0;
									L8:
									_v68 = _t63;
									_v72 = "%sfwd_only";
									 *_t146 = _t139;
									E100089C0();
								}
								if(_v40 != 0) {
									L21:
									_t68 = 0x100c01c0;
									L22:
									_v68 = _t68;
									_v72 = "%sinv_only";
									 *_t146 = _t139;
									E100089C0();
									if((_t108 & 0x20000000) == 0) {
										goto L11;
									} else {
										goto L23;
									}
								} else {
									if((_t108 & 0x20000000) != 0) {
										L23:
										_t79 = 0x100c01c0;
										L24:
										_v68 = _t79;
										_v72 = "%spreshuf";
										 *_t146 = _t139;
										E100089C0();
										if((_t130 & 0x00000004) != 0) {
											goto L12;
										} else {
											if((_t108 & 0x04000000) != 0) {
												goto L26;
											}
										}
									} else {
										L11:
										if((_t130 & 0x00000004) != 0) {
											L12:
											L13:
											_v68 = 0x100c01c0;
											_v72 = "%simdct_full";
											 *_t146 = _t139;
											E100089C0();
										}
										L14:
										if((_t108 & 0x04000000) != 0) {
											L26:
											_t123 = 0x100c01c0;
											L27:
											_v68 = _t123;
											_v72 = "%sasm_call";
											 *_t146 = _t139;
											E100089C0();
										}
									}
								}
							}
						}
					}
				}
				 *_t146 = _t139;
				_v72 = 0x100c0232;
				return E100089C0();
				goto L49;
			}

0x100505b4
0x100505b7
0x100505bf
0x100505c2
0x100505c4
0x100505c8
0x100505cb
0x100505d4
0x100505db
0x100505de
0x100505e9
0x100505f4
0x10050602
0x100507b0
0x100507b8
0x100507bc
0x100507c0
0x100507cd
0x10050828
0x00000000
0x100507cf
0x100507d3
0x00000000
0x00000000
0x00000000
0x00000000
0x100507d3
0x10050608
0x1005060c
0x100506f4
0x10050818
0x00000000
0x100506fa
0x10050700
0x10050838
0x00000000
0x10050706
0x1005070d
0x100508a0
0x00000000
0x10050713
0x1005071a
0x100508ac
0x100508ba
0x00000000
0x100508c0
0x100508c6
0x00000000
0x100508cc
0x100508ce
0x100508db
0x00000000
0x00000000
0x100508e1
0x100508db
0x100508c6
0x10050720
0x10050720
0x00000000
0x10050720
0x1005071a
0x1005070d
0x10050700
0x10050612
0x10050612
0x10050617
0x10050617
0x10050620
0x10050624
0x10050627
0x10050630
0x100507d9
0x100507df
0x00000000
0x100507e5
0x100507ec
0x00000000
0x100507f2
0x100507f9
0x00000000
0x100507ff
0x10050809
0x00000000
0x1005080f
0x00000000
0x1005080f
0x10050809
0x100507f9
0x100507ec
0x10050636
0x10050636
0x10050636
0x1005063b
0x1005063b
0x10050644
0x10050648
0x1005064b
0x10050656
0x10050890
0x10050890
0x1005083d
0x1005083d
0x10050846
0x1005084a
0x1005084d
0x10050859
0x00000000
0x1005085f
0x10050866
0x00000000
0x1005086c
0x10050876
0x00000000
0x1005087c
0x10050882
0x00000000
0x10050888
0x00000000
0x10050888
0x00000000
0x10050882
0x10050876
0x10050866
0x1005065c
0x10050663
0x10050665
0x10050665
0x1005066a
0x1005066a
0x10050673
0x10050677
0x1005067a
0x1005067a
0x10050686
0x10050730
0x10050730
0x10050735
0x10050735
0x1005073e
0x10050742
0x10050745
0x10050754
0x00000000
0x00000000
0x00000000
0x00000000
0x1005068c
0x10050696
0x1005075a
0x1005075a
0x1005075f
0x1005075f
0x1005076b
0x1005076f
0x10050772
0x1005077a
0x00000000
0x10050780
0x10050789
0x00000000
0x00000000
0x10050789
0x1005069c
0x1005069c
0x100506a2
0x100506a4
0x100506a9
0x100506a9
0x100506b2
0x100506b6
0x100506b9
0x100506b9
0x100506be
0x100506c7
0x1005078f
0x1005078f
0x10050794
0x10050794
0x1005079d
0x100507a1
0x100507a4
0x100507a4
0x100506c7
0x10050696
0x10050686
0x10050656
0x10050630
0x1005060c
0x100506cd
0x100506d5
0x100506e5
0x00000000

APIs

mv_bprintf.LICKING ref: 100505CB
mv_bprintf.LICKING ref: 10050627
mv_bprintf.LICKING ref: 1005064B
mv_bprintf.LICKING ref: 1005067A
mv_bprintf.LICKING ref: 100506B9
mv_bprintf.LICKING ref: 100506D9
mv_bprintf.LICKING ref: 10050745
mv_bprintf.LICKING ref: 10050772
mv_bprintf.LICKING ref: 100507A4
mv_bprintf.LICKING ref: 100507C0
mv_bprintf.LICKING ref: 1005084D

Strings

%simdct_full, xrefs: 100506AD
%sout_of_place, xrefs: 10050841
%sunaligned, xrefs: 1005061B
%sinv_only, xrefs: 10050739
aligned, xrefs: 100507B3
flags: [, xrefs: 100505BA
%sinplace, xrefs: 1005063F
%spreshuf, xrefs: 10050763
%sfwd_only, xrefs: 1005066E
%sasm_call, xrefs: 10050798

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %sasm_call$%sfwd_only$%simdct_full$%sinplace$%sinv_only$%sout_of_place$%spreshuf$%sunaligned$aligned$flags: [
API String ID: 3083893021-1441846183
Opcode ID: f7560bcae40726025c833b75032046c415eba19f37e25a828cda8a4bfa30bfa4
Instruction ID: 98ebaba0383f99122815c9ca60a2ed79f5bfd2d26fbb1c98e8a047975511df12
Opcode Fuzzy Hash: f7560bcae40726025c833b75032046c415eba19f37e25a828cda8a4bfa30bfa4
Instruction Fuzzy Hash: 0D610AB1E19A858FF300DE19CA8171EBAD1EB84794F598C6DF4C8CB240DA38DD45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1002C1F4 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 221COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 1002C1FC
mv_freep.LICKING ref: 1002C208
mv_freep.LICKING ref: 1002C241
mv_freep.LICKING ref: 1002C24D
mv_log.LICKING ref: 1002C29B

Strings

%d/%d, xrefs: 1002C5AB
(default , xrefs: 1002C282
%-15s , xrefs: 1002BDF4
%lld, xrefs: 1002C396
"%s", xrefs: 1002C2CF

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_log
String ID: %-15s $ (default $"%s"$%d/%d$%lld
API String ID: 2749705325-3616743394
Opcode ID: 980a76943a0335aee30f922a9d190d9bdb0ce562017a62854cf0290bc96f8399
Instruction ID: e291881e513b933ead242bebe0381d4369face5adc3570e656dab592c6f763c7
Opcode Fuzzy Hash: 980a76943a0335aee30f922a9d190d9bdb0ce562017a62854cf0290bc96f8399
Instruction Fuzzy Hash: D591A278A08B458FC750DF68D580A5EBBE1FF89390F91892EF99987311E774E841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10031420 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 199stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10031468
mv_strlcpy.LICKING ref: 1003148B
strchr.MSVCRT ref: 1003149C
strlen.MSVCRT ref: 100314B6
mv_strcasecmp.LICKING ref: 100314CF
mv_strcasecmp.LICKING ref: 100314E4
mv_get_random_seed.LICKING ref: 100314F1
strtoul.MSVCRT ref: 10031526

Strings

bikeshed, xrefs: 100314DB
Invalid alpha value specifier '%s' in '%s', xrefs: 100316E4
Invalid 0xRRGGBB[AA] color string: '%s', xrefs: 10031717
random, xrefs: 100314C6
0123456789ABCDEFabcdef, xrefs: 100315EB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strcasecmpstrlen$mv_get_random_seedmv_strlcpystrchrstrtoul
String ID: 0123456789ABCDEFabcdef$Invalid 0xRRGGBB[AA] color string: '%s'$Invalid alpha value specifier '%s' in '%s'$bikeshed$random
API String ID: 887406882-1143575717
Opcode ID: c0171da440a50a3ac54d9c683c706d3676e2163e985c2b92080aa2cb108a1475
Instruction ID: 8bd814382b19517d639cc9fd4417e09b44f3e243961e33b67ed5873bedcaf9bd
Opcode Fuzzy Hash: c0171da440a50a3ac54d9c683c706d3676e2163e985c2b92080aa2cb108a1475
Instruction Fuzzy Hash: 0F817A749087859ED342DF78C48129EBBF4EF89381F55CA2EE4C99B251E734D880DB52

Uniqueness

Uniqueness Score: -1.00%

Function 10011210 Relevance: 30.2, APIs: 20, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10011210(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int _a4, signed int _a8, void* _a12, signed int _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				void* _v36;
				int _v48;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _t94;
				signed int* _t95;
				signed int _t101;
				signed int _t102;
				signed int _t104;
				signed int _t106;
				int _t108;
				int _t109;
				int _t111;
				signed int* _t118;
				int _t122;
				signed int _t123;
				int _t126;
				signed int _t127;
				signed int* _t130;
				int _t133;
				signed int _t134;
				void _t136;
				signed int _t138;
				void* _t142;
				signed int _t146;
				void* _t147;
				signed int _t149;
				signed int _t150;
				int _t153;
				void* _t154;
				signed int* _t157;
				signed int* _t158;

				_v8 = __edi;
				_v16 = __ebx;
				_t138 = _a16;
				_v12 = __esi;
				_t146 = _a8;
				_v4 = __ebp;
				_t118 =  *_a4;
				_v36 = 0;
				_v32 = 0;
				if((_t138 & 0x00000008) == 0) {
					if(_a12 == 0) {
						goto L2;
					}
					 *_t158 = _a12;
					_v32 = E100292E0(_t118, _t138, _t146, __ebp);
					if(_t146 != 0) {
						goto L3;
					}
					goto L22;
				} else {
					_v32 = _a12;
					L2:
					if(_t146 == 0) {
						L22:
						_t147 = 0xffffffea;
						L23:
						if(_t118 == 0) {
							L10:
							 *_t158 = _v36;
							L100290D0();
							 *_t158 = _v32;
							L100290D0();
							L11:
							return _t147;
						}
						L9:
						if( *_t118 == 0) {
							 *_t158 =  &(_t118[1]);
							E100290E0();
							 *_t158 = _a4;
							E100290E0();
						}
						goto L10;
					}
					L3:
					_t157 = 0;
					if((_t138 & 0x00000040) == 0) {
						_v64 = _t138;
						_v68 = 0;
						_v72 = _t146;
						 *_t158 = _t118;
						_t157 = E100110D0();
					}
					if((_t138 & 0x00000004) == 0) {
						 *_t158 = _t146;
						_t94 = E100292E0(_t118, _t138, _t146, _t157);
						_v36 = _t94;
						_t149 = _t94;
						if(_t118 == 0) {
							goto L29;
						}
						if(_t94 == 0) {
							goto L8;
						}
						goto L6;
					} else {
						_v36 = _t146;
						if(_t118 == 0) {
							L29:
							 *_t158 = 8;
							_t95 = E10029100();
							_t149 = _v36;
							_t118 = _t95;
							 *_a4 = _t118;
							if(_t118 == 0 || _t149 == 0) {
								_t147 = 0xfffffff4;
								goto L23;
							} else {
								goto L6;
							}
						}
						L6:
						_t122 = _v32;
						if(_a12 == 0 || _t122 != 0) {
							if(_t157 == 0) {
								_t150 =  *_t118;
								if(_t122 == 0) {
									L37:
									if(_t150 == 0) {
										 *_t158 =  &(_t118[1]);
										E100290E0();
										 *_t158 = _a4;
										E100290E0();
									}
									_t147 = 0;
									 *_t158 =  &_v36;
									E100290E0();
									goto L11;
								}
								_v68 = 8;
								_v72 = _t150 + 1;
								 *_t158 = _t118[1];
								_t101 = E10029010();
								_t123 = _t101;
								if(_t101 == 0) {
									goto L8;
								}
								_t118[1] = _t101;
								_t150 =  *_t118;
								L18:
								_t102 = _v32;
								if(_t102 == 0) {
									goto L37;
								}
								_t130 = _t123 + _t150 * 8;
								_t130[1] = _t102;
								 *_t130 = _v36;
								 *_t118 = _t150 + 1;
								_t147 = 0;
								goto L11;
							}
							if((_t138 & 0x00000010) != 0) {
								 *_t158 = _t149;
								_t147 = 0;
								L100290D0();
								 *_t158 = _v32;
								L100290D0();
								goto L11;
							}
							_t104 = _a4;
							if(_t122 == 0 || (_t138 & 0x00000020) == 0) {
								 *_t158 = _t104;
								L100290D0();
								goto L17;
							} else {
								 *_t158 = _t104;
								_v48 = _t122;
								_t108 = strlen(??);
								 *_t158 = _v48;
								_t153 = _t108;
								_t109 = strlen(??);
								 *_t158 = _t104;
								_v48 = _t109;
								_t63 = _t109 + 1; // 0x1
								_v72 = _t153 + _t63;
								_t111 = E10028DA0();
								if(_t111 == 0) {
									goto L8;
								}
								_t133 = _v48;
								_t142 = _t111 + _t153;
								_t154 = _v32;
								_t126 = _t133 + 1;
								if(_t126 >= 8) {
									if((_t142 & 0x00000001) != 0) {
										_t127 =  *_t154 & 0x000000ff;
										_t142 = _t142 + 1;
										_t154 = _t154 + 1;
										 *(_t142 - 1) = _t127;
										_t126 = _t133;
									}
									if((_t142 & 0x00000002) != 0) {
										_t134 =  *_t154 & 0x0000ffff;
										_t142 = _t142 + 2;
										_t154 = _t154 + 2;
										_t126 = _t126 - 2;
										 *(_t142 - 2) = _t134;
									}
									if((_t142 & 0x00000004) != 0) {
										_t136 =  *_t154;
										_t142 = _t142 + 4;
										_t154 = _t154 + 4;
										_t126 = _t126 - 4;
										 *(_t142 - 4) = _t136;
									}
								}
								_v48 = _t111;
								memcpy(_t142, _t154, _t126);
								_t158 =  &(_t158[3]);
								 *_t158 =  &_v32;
								E100290E0();
								_v32 = _v48;
								L17:
								 *_t158 =  *_t157;
								L100290D0();
								_t106 =  *_t118;
								_t123 = _t118[1];
								_t31 = _t106 - 1; // -1
								_t150 = _t31;
								 *_t118 = _t150;
								 *_t157 =  *(_t123 + _t150 * 8);
								_a4 =  *(_t123 + 4 + _t150 * 8);
								goto L18;
							}
						} else {
							L8:
							_t147 = 0xfffffff4;
							goto L9;
						}
					}
				}
			}

0x10011213
0x1001121b
0x1001121f
0x10011223
0x10011227
0x1001122b
0x1001122f
0x10011233
0x1001123f
0x10011243
0x10011346
0x00000000
0x00000000
0x10011350
0x1001135a
0x1001135e
0x00000000
0x00000000
0x00000000
0x10011249
0x1001124d
0x10011251
0x10011253
0x10011364
0x10011364
0x10011369
0x1001136b
0x1001129e
0x100112a2
0x100112a5
0x100112ae
0x100112b1
0x100112b6
0x100112cb
0x100112cb
0x10011294
0x10011298
0x10011413
0x10011416
0x1001141f
0x10011422
0x10011422
0x00000000
0x10011298
0x10011259
0x10011259
0x10011261
0x100113a0
0x100113a6
0x100113aa
0x100113ae
0x100113b6
0x100113b6
0x1001126d
0x10011380
0x10011383
0x1001138a
0x1001138e
0x10011390
0x00000000
0x00000000
0x10011394
0x00000000
0x00000000
0x00000000
0x10011273
0x10011273
0x10011279
0x100113c0
0x100113c0
0x100113c7
0x100113cc
0x100113d0
0x100113d8
0x100113da
0x100113e4
0x00000000
0x00000000
0x00000000
0x00000000
0x100113da
0x1001127f
0x10011283
0x10011289
0x100112d2
0x10011432
0x10011434
0x10011468
0x1001146a
0x100114fb
0x100114fe
0x10011507
0x1001150a
0x1001150a
0x10011474
0x10011476
0x10011479
0x00000000
0x10011479
0x1001143c
0x10011440
0x10011447
0x1001144a
0x10011451
0x10011453
0x00000000
0x00000000
0x10011459
0x1001145c
0x1001131e
0x1001131e
0x10011324
0x00000000
0x00000000
0x1001132a
0x10011332
0x10011335
0x10011337
0x10011339
0x00000000
0x10011339
0x100112de
0x100113f0
0x100113f3
0x100113f5
0x100113fe
0x10011401
0x00000000
0x10011401
0x100112e6
0x100112e9
0x100112f4
0x100112f7
0x00000000
0x10011488
0x10011488
0x1001148d
0x10011491
0x1001149a
0x1001149d
0x1001149f
0x100114a4
0x100114a9
0x100114ad
0x100114b1
0x100114b5
0x100114bc
0x00000000
0x00000000
0x100114c2
0x100114c6
0x100114c9
0x100114cd
0x100114d3
0x1001151e
0x10011540
0x10011543
0x10011544
0x10011545
0x10011548
0x10011548
0x10011526
0x1001154c
0x1001154f
0x10011552
0x10011555
0x10011558
0x10011558
0x1001152e
0x10011530
0x10011532
0x10011535
0x10011538
0x1001153b
0x1001153b
0x1001152e
0x100114d5
0x100114dd
0x100114dd
0x100114df
0x100114e2
0x100114eb
0x100112fc
0x100112ff
0x10011302
0x10011307
0x10011309
0x1001130c
0x1001130c
0x1001130f
0x10011318
0x1001131b
0x00000000
0x1001131b
0x1001128f
0x1001128f
0x1001128f
0x00000000
0x1001128f
0x10011289
0x1001126d

APIs

mv_strdup.LICKING ref: 10011353
mv_strdup.LICKING ref: 10011383
mv_dict_get.LICKING ref: 100113B1
mv_mallocz.LICKING ref: 100113C7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strdup$mv_dict_getmv_mallocz
String ID:
API String ID: 3834523185-0
Opcode ID: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
Instruction ID: 56232f5dd71c1c11c53de360d97ca929451fd6b060f0d926ddb83f3af19d46ac
Opcode Fuzzy Hash: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
Instruction Fuzzy Hash: 2E9127B5A087158FC754DF68C08065EBBE1EF98790F52892DED999B340E770E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001A6C0 Relevance: 28.8, APIs: 19, Instructions: 325
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1001A6C0(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t251;
				signed int _t259;
				void* _t262;
				signed int* _t263;
				void* _t264;
				void* _t269;
				signed int _t275;
				void* _t278;
				signed int _t290;
				signed int _t291;
				void _t293;
				void* _t294;
				signed int _t307;
				signed int _t308;
				int _t311;
				signed int _t315;
				int _t321;
				void* _t323;
				int _t324;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t333;
				signed int _t335;
				void _t337;
				void* _t338;
				signed char* _t340;
				void* _t341;
				signed short* _t342;
				void _t343;
				signed int _t344;
				void* _t345;
				void* _t346;
				void** _t347;

				_t345 = __eax;
				_t347 = _t346 - 0x4c;
				_t347[8] = __ecx;
				 *((intOrPtr*)(__eax + 0x54)) =  *((intOrPtr*)(__edx + 0x54));
				 *((intOrPtr*)(__eax + 0x5c)) =  *((intOrPtr*)(__edx + 0x5c));
				 *((intOrPtr*)(__eax + 0x60)) =  *((intOrPtr*)(__edx + 0x60));
				 *((intOrPtr*)(__eax + 0x58)) =  *((intOrPtr*)(__edx + 0x58));
				 *((intOrPtr*)(__eax + 0x130)) =  *((intOrPtr*)(__edx + 0x130));
				 *((intOrPtr*)(__eax + 0x134)) =  *((intOrPtr*)(__edx + 0x134));
				 *((intOrPtr*)(__eax + 0x138)) =  *((intOrPtr*)(__edx + 0x138));
				 *((intOrPtr*)(__eax + 0x68)) =  *((intOrPtr*)(__edx + 0x68));
				 *((intOrPtr*)(__eax + 0x6c)) =  *((intOrPtr*)(__edx + 0x6c));
				 *((intOrPtr*)(__eax + 0x13c)) =  *((intOrPtr*)(__edx + 0x13c));
				 *((intOrPtr*)(__eax + 0x160)) =  *((intOrPtr*)(__edx + 0x160));
				 *((intOrPtr*)(__eax + 0x164)) =  *((intOrPtr*)(__edx + 0x164));
				 *((intOrPtr*)(__eax + 0x90)) =  *((intOrPtr*)(__edx + 0x90));
				 *((intOrPtr*)(__eax + 0x94)) =  *((intOrPtr*)(__edx + 0x94));
				 *((intOrPtr*)(__eax + 0x98)) =  *((intOrPtr*)(__edx + 0x98));
				 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__edx + 0x9c));
				 *((intOrPtr*)(__eax + 0xa8)) =  *((intOrPtr*)(__edx + 0xa8));
				 *((intOrPtr*)(__eax + 0x70)) =  *((intOrPtr*)(__edx + 0x70));
				 *((intOrPtr*)(__eax + 0x74)) =  *((intOrPtr*)(__edx + 0x74));
				 *((intOrPtr*)(__eax + 0x8c)) =  *((intOrPtr*)(__edx + 0x8c));
				 *((intOrPtr*)(__eax + 0x108)) =  *((intOrPtr*)(__edx + 0x108));
				 *((intOrPtr*)(__eax + 0x10c)) =  *((intOrPtr*)(__edx + 0x10c));
				 *((intOrPtr*)(__eax + 0x124)) =  *((intOrPtr*)(__edx + 0x124));
				 *((intOrPtr*)(__eax + 0x110)) =  *((intOrPtr*)(__edx + 0x110));
				 *((intOrPtr*)(__eax + 0x114)) =  *((intOrPtr*)(__edx + 0x114));
				 *((intOrPtr*)(__eax + 0x78)) =  *((intOrPtr*)(__edx + 0x78));
				 *((intOrPtr*)(__eax + 0x7c)) =  *((intOrPtr*)(__edx + 0x7c));
				 *((intOrPtr*)(__eax + 0xa0)) =  *((intOrPtr*)(__edx + 0xa0));
				 *((intOrPtr*)(__eax + 0xa4)) =  *((intOrPtr*)(__edx + 0xa4));
				_t347[6] = __edx;
				_t304 =  *(__edx + 0x100);
				_t289 =  *(__edx + 0x104);
				 *((intOrPtr*)(__eax + 0x88)) =  *((intOrPtr*)(__edx + 0x88));
				 *(__eax + 0x100) =  *(__edx + 0x100);
				 *(__eax + 0x104) =  *(__edx + 0x104);
				 *((intOrPtr*)(__eax + 0x80)) =  *((intOrPtr*)(__edx + 0x80));
				 *((intOrPtr*)(__eax + 0x84)) =  *((intOrPtr*)(__edx + 0x84));
				 *((intOrPtr*)(__eax + 0xe8)) =  *((intOrPtr*)(__edx + 0xe8));
				 *((intOrPtr*)(__eax + 0x11c)) =  *((intOrPtr*)(__edx + 0x11c));
				 *((intOrPtr*)(__eax + 0xf0)) =  *((intOrPtr*)(__edx + 0xf0));
				 *((intOrPtr*)(__eax + 0xf4)) =  *((intOrPtr*)(__edx + 0xf4));
				 *((intOrPtr*)(__eax + 0xf8)) =  *((intOrPtr*)(__edx + 0xf8));
				 *((intOrPtr*)(__eax + 0xec)) =  *((intOrPtr*)(__edx + 0xec));
				 *((intOrPtr*)(__eax + 0xfc)) =  *((intOrPtr*)(__edx + 0xfc));
				_t347[2] = 0;
				_t347[1] =  *(__edx + 0x118);
				 *_t347 = __eax + 0x118;
				E10011D20();
				_t321 = _t347[6];
				if( *((intOrPtr*)(_t321 + 0xe4)) <= 0) {
					L31:
					_t347[6] = _t321;
					_t347[1] =  *(_t321 + 0x12c);
					 *_t347 = _t345 + 0x12c;
					_t290 = E1000A480(_t289, _t326, _t334, _t345);
					_t347[1] =  *(_t347[6] + 0x140);
					 *_t347 = _t345 + 0x140;
					return E1000A480(_t290, _t326, _t334, _t345) | _t290;
				} else {
					_t347[6] = 0;
					do {
						_t334 = _t347[6];
						_t289 =  *( *((intOrPtr*)(_t321 + 0xe0)) + _t347[6] * 4);
						_t326 =  *_t289;
						if(_t326 != 0 ||  *((intOrPtr*)(_t321 + 0x44)) ==  *((intOrPtr*)(_t345 + 0x44)) &&  *((intOrPtr*)(_t321 + 0x48)) ==  *((intOrPtr*)(_t345 + 0x48))) {
							if(_t347[8] != 0) {
								_t347[0xa] = _t321;
								 *_t347 =  *(_t289 + 8);
								_t251 = E10009DC0(_t289, _t304, _t326, _t334);
								_t347[0xf] = _t251;
								_t335 = _t251;
								if(_t251 == 0) {
									L19:
									 *_t347 =  &(_t347[0xf]);
									E1000A000(_t289, _t335);
									if( *(_t345 + 0xe4) > 0) {
										_t291 = 0;
										do {
											_t327 =  *(_t345 + 0xe0) + _t291 * 4;
											_t291 = _t291 + 1;
											_t337 =  *_t327;
											_t338 = _t337 + 0xc;
											 *_t347 = _t337 + 0x10;
											E1000A000(_t291, _t338);
											 *_t347 = _t338;
											E10011CC0();
											 *_t347 = _t327;
											E100290E0();
										} while (_t291 <  *(_t345 + 0xe4));
									}
									goto L22;
								} else {
									_t259 =  *(_t345 + 0xe4);
									if(_t259 > 0x1ffffffe) {
										goto L19;
									} else {
										_t347[1] = 4 + _t259 * 4;
										 *_t347 =  *(_t345 + 0xe0);
										_t262 = E10028DA0();
										if(_t262 == 0) {
											goto L19;
										} else {
											 *(_t345 + 0xe0) = _t262;
											 *_t347 = 0x14;
											_t263 = E10029100();
											if(_t263 == 0) {
												goto L19;
											} else {
												_t263[4] = _t335;
												_t323 =  *(_t335 + 4);
												 *_t263 = _t326;
												_t263[2] =  *(_t335 + 8);
												_t307 =  *(_t345 + 0xe4);
												_t263[1] = _t323;
												_t347[0xb] = _t323;
												 *(_t345 + 0xe4) = _t307 + 1;
												 *( *(_t345 + 0xe0) + _t307 * 4) = _t263;
												_t340 =  *(_t289 + 4);
												_t347[7] =  *(_t289 + 8);
												_t330 = _t323;
												_t324 = _t347[0xa];
												_t347[9] = _t340;
												if(_t347[7] >= 8) {
													if((_t330 & 0x00000001) != 0) {
														_t308 =  *_t340 & 0x000000ff;
														_t330 = _t330 + 1;
														_t347[0xa] = _t308;
														 *(_t330 - 1) = _t308;
														_t347[7] = _t347[7] - 1;
														_t347[9] = _t347[9] + 1;
														if((_t330 & 0x00000002) != 0) {
															goto L34;
														}
													} else {
														if((_t330 & 0x00000002) != 0) {
															L34:
															_t342 = _t347[9];
															_t330 = _t330 + 2;
															 *((short*)(_t330 - 2)) =  *_t342 & 0x0000ffff;
															_t347[7] = _t347[7] - 2;
															_t347[9] =  &(_t342[1]);
														}
													}
													if((_t330 & 0x00000004) != 0) {
														_t341 = _t347[9];
														_t330 = _t330 + 4;
														 *(_t330 - 4) =  *_t341;
														_t347[7] = _t347[7] - 4;
														_t347[9] = _t341 + 4;
													}
												}
												_t334 = _t347[9];
												_t311 = _t347[7];
												_t264 = memcpy(_t330, _t334, _t311);
												_t347 =  &(_t347[3]);
												_t326 = _t334 + _t311 + _t311;
												goto L8;
											}
										}
									}
								}
							} else {
								_t347[7] = _t321;
								 *_t347 =  *(_t289 + 0x10);
								_t269 = E10009FC0(_t289, _t304);
								_t343 =  *_t289;
								_t347[0xf] = _t269;
								_t332 = _t269;
								if(_t269 == 0) {
									L23:
									 *_t347 =  &(_t347[0xf]);
									E1000A000(_t289, _t343);
									if( *(_t345 + 0xe4) > 0) {
										_t344 = _t347[8];
										do {
											_t333 =  *(_t345 + 0xe0) + _t344 * 4;
											_t344 = _t344 + 1;
											_t293 =  *_t333;
											_t294 = _t293 + 0xc;
											 *_t347 = _t293 + 0x10;
											E1000A000(_t294, _t344);
											 *_t347 = _t294;
											E10011CC0();
											 *_t347 = _t333;
											E100290E0();
										} while (_t344 <  *(_t345 + 0xe4));
									}
									L22:
									 *(_t345 + 0xe4) = 0;
									 *_t347 = _t345 + 0xe0;
									E100290E0();
									return 0xfffffff4;
								} else {
									_t275 =  *(_t345 + 0xe4);
									if(_t275 > 0x1ffffffe) {
										goto L23;
									} else {
										_t347[1] = 4 + _t275 * 4;
										 *_t347 =  *(_t345 + 0xe0);
										_t278 = E10028DA0();
										if(_t278 == 0) {
											goto L23;
										} else {
											 *(_t345 + 0xe0) = _t278;
											 *_t347 = 0x14;
											_t264 = E10029100();
											if(_t264 == 0) {
												goto L23;
											} else {
												 *(_t264 + 0x10) = _t332;
												_t324 = _t347[7];
												 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t332 + 4));
												 *_t264 = _t343;
												_t334 =  *(_t345 + 0xe0);
												 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t332 + 8));
												_t315 =  *(_t345 + 0xe4);
												_t326 = _t315 + 1;
												 *(_t345 + 0xe4) = _t315 + 1;
												 *( *(_t345 + 0xe0) + _t315 * 4) = _t264;
												L8:
												_t347[7] = _t324;
												_t347[2] = 0;
												_t304 =  *(_t289 + 0xc);
												 *_t347 = _t264 + 0xc;
												_t347[1] =  *(_t289 + 0xc);
												E10011D20();
												_t321 = _t347[7];
												goto L9;
											}
										}
									}
								}
							}
						} else {
							goto L9;
						}
						goto L35;
						L9:
						_t347[6] = _t347[6] + 1;
					} while ( *((intOrPtr*)(_t321 + 0xe4)) > _t347[6]);
					goto L31;
				}
				L35:
			}

0x1001a6c1
0x1001a6c6
0x1001a6c9
0x1001a6d6
0x1001a6dc
0x1001a6e2
0x1001a6e8
0x1001a6f1
0x1001a6fd
0x1001a709
0x1001a715
0x1001a71e
0x1001a727
0x1001a733
0x1001a739
0x1001a73f
0x1001a751
0x1001a75d
0x1001a769
0x1001a775
0x1001a781
0x1001a78a
0x1001a793
0x1001a79f
0x1001a7ab
0x1001a7b7
0x1001a7bd
0x1001a7c6
0x1001a7cf
0x1001a7d8
0x1001a7e1
0x1001a7e7
0x1001a7f3
0x1001a7f7
0x1001a7fd
0x1001a803
0x1001a80f
0x1001a815
0x1001a81b
0x1001a827
0x1001a833
0x1001a83f
0x1001a84b
0x1001a857
0x1001a863
0x1001a86f
0x1001a87b
0x1001a883
0x1001a88d
0x1001a897
0x1001a89a
0x1001a89f
0x1001a8ab
0x1001ab88
0x1001ab88
0x1001ab92
0x1001ab9c
0x1001aba8
0x1001abb0
0x1001abba
0x1001abcb
0x1001a8b1
0x1001a8b3
0x1001a9b3
0x1001a9b9
0x1001a9bd
0x1001a9c0
0x1001a9c4
0x1001a9dc
0x1001a8c0
0x1001a8c7
0x1001a8ca
0x1001a8cf
0x1001a8d5
0x1001a8d7
0x1001aa80
0x1001aa84
0x1001aa87
0x1001aa94
0x1001aa96
0x1001aa98
0x1001aa9e
0x1001aaa1
0x1001aaa2
0x1001aaa7
0x1001aaaa
0x1001aaad
0x1001aab2
0x1001aab5
0x1001aaba
0x1001aabd
0x1001aac2
0x1001aa98
0x00000000
0x1001a8dd
0x1001a8dd
0x1001a8e8
0x00000000
0x1001a8ee
0x1001a8f5
0x1001a8ff
0x1001a902
0x1001a909
0x00000000
0x1001a90f
0x1001a90f
0x1001a915
0x1001a91c
0x1001a923
0x00000000
0x1001a929
0x1001a929
0x1001a92f
0x1001a932
0x1001a93a
0x1001a93d
0x1001a943
0x1001a946
0x1001a94d
0x1001a956
0x1001a959
0x1001a95c
0x1001a960
0x1001a962
0x1001a96b
0x1001a96f
0x1001ab46
0x1001abd0
0x1001abd3
0x1001abd4
0x1001abd8
0x1001abdf
0x1001abea
0x1001abee
0x00000000
0x00000000
0x1001ab4c
0x1001ab52
0x1001ac00
0x1001ac00
0x1001ac04
0x1001ac0a
0x1001ac11
0x1001ac16
0x1001ac16
0x1001ab52
0x1001ab5e
0x1001ab64
0x1001ab68
0x1001ab6d
0x1001ab73
0x1001ab78
0x1001ab78
0x1001ab5e
0x1001a975
0x1001a979
0x1001a97d
0x1001a97d
0x1001a97d
0x00000000
0x1001a97d
0x1001a923
0x1001a909
0x1001a8e8
0x1001a9e2
0x1001a9e2
0x1001a9e9
0x1001a9ec
0x1001a9f1
0x1001a9f3
0x1001a9f9
0x1001a9fb
0x1001aaf0
0x1001aaf4
0x1001aaf7
0x1001ab04
0x1001ab06
0x1001ab0a
0x1001ab10
0x1001ab13
0x1001ab14
0x1001ab19
0x1001ab1c
0x1001ab1f
0x1001ab24
0x1001ab27
0x1001ab2c
0x1001ab2f
0x1001ab34
0x1001ab3c
0x1001aaca
0x1001aad2
0x1001aad8
0x1001aadb
0x1001aaec
0x1001aa01
0x1001aa01
0x1001aa0c
0x00000000
0x1001aa12
0x1001aa19
0x1001aa23
0x1001aa26
0x1001aa2d
0x00000000
0x1001aa33
0x1001aa33
0x1001aa39
0x1001aa40
0x1001aa47
0x00000000
0x1001aa4d
0x1001aa4d
0x1001aa53
0x1001aa57
0x1001aa5d
0x1001aa5f
0x1001aa65
0x1001aa68
0x1001aa6e
0x1001aa71
0x1001aa77
0x1001a97f
0x1001a97f
0x1001a988
0x1001a98c
0x1001a98f
0x1001a992
0x1001a996
0x1001a99b
0x00000000
0x1001a99b
0x1001aa47
0x1001aa2d
0x1001aa0c
0x1001a9fb
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a99f
0x1001a99f
0x1001a9a7
0x00000000
0x1001a9b3
0x00000000

APIs

mv_dict_copy.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A89A
mv_dict_copy.LICKING ref: 1001A996
mv_buffer_ref.LICKING ref: 1001A9EC
mv_realloc.LICKING ref: 1001AA26
mv_mallocz.LICKING ref: 1001AA40
mv_buffer_replace.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AB9F
mv_buffer_replace.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001ABBD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_replacemv_dict_copy$mv_buffer_refmv_malloczmv_realloc
String ID:
API String ID: 1780483662-0
Opcode ID: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
Instruction ID: 4f31049026451c5eff94bb509f486bba90e5ec7b997a8c78013bd9afd2acced3
Opcode Fuzzy Hash: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
Instruction Fuzzy Hash: 3EF1C3B49043468FCB64CF29C5807D9BBE1FF49350F458A6EE9899B312D730A984CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10026250 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E10026250(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t100;
				signed int _t104;
				void* _t108;
				char* _t112;
				intOrPtr _t127;
				char* _t128;
				void* _t131;
				char* _t132;
				signed int _t136;
				signed int _t138;
				void* _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int _t150;
				signed int _t153;
				signed int _t156;
				signed int _t159;
				signed int _t162;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				void* _t168;
				signed int* _t169;

				_t169 = _t168 - E100918A0(0x103c);
				_t136 = _t169[0x414];
				if(_t136 == 0) {
					_t169[2] = 1;
					 *_t169 =  &(_t169[0xc]);
					_t169[1] = 0;
					E10008880(0, 0, 1, 1);
					_t169[2] = 1;
					_t162 =  &(_t169[0x20c]);
					_t169[1] = 0;
					_t159 =  &(_t169[0x30c]);
					 *_t169 =  &(_t169[0x10c]);
					E10008880(0, _t159, _t162, 1);
					_t169[1] = 0;
					_t169[2] = 1;
					 *_t169 = _t162;
					E10008880(0, _t159, _t162, 1);
					_t169[2] = 0x10000;
					_t169[1] = 0;
					 *_t169 = _t159;
					E10008880(0, _t159, _t162, 1);
					_t100 =  *(_t169[0x41a]) & 0xffffff00 |  *(_t169[0x41a]) != 0x00000000;
					L8:
					if(_t169[0x415] >= 0xfffffff9 && _t100 != 0 && ( *0x100d76ac & 0x00000002) != 0) {
						_t67 = _t169[0x415] + 8; // 0x101
						_t153 = _t67;
						_t112 = 0x100b6d3b;
						if(_t153 <= 0x40) {
							_t112 =  *(0x100b6f40 + _t153 * 4);
						}
						_t169[2] = _t112;
						_t169[1] = "[%s] ";
						 *_t169 = _t162;
						E100089C0();
					}
					 *_t169 = _t159;
					_t169[2] = _t169[0x417];
					_t169[1] = _t169[0x416];
					E10008B70();
					_t104 = _t169[0xc];
					_t142 = _t169[0x10c];
					_t163 = _t169[0x20c];
					_t138 = _t169[0x30c];
					if( *_t104 != 0 ||  *_t142 != 0 ||  *_t163 != 0) {
						L12:
						_t165 = _t169[0x30d];
						_t148 = 0;
						if(_t165 != 0 && _t169[0x30e] >= _t165) {
							_t150 =  *(_t138 + _t165 - 1) & 0x000000ff;
							_t169[0xa] = _t150 == 0xa;
							_t148 = (_t150 & 0xffffff00 | _t150 == 0x0000000d | _t169[0xa]) & 0x000000ff;
						}
						 *(_t169[0x41a]) = _t148;
						goto L16;
					} else {
						if( *_t138 == 0) {
							L16:
							_t169[3] = _t104;
							_t169[2] = "%s%s%s%s";
							_t169[6] = _t138;
							_t169[5] = _t163;
							_t169[4] = _t142;
							_t169[1] = _t169[0x419];
							 *_t169 = _t169[0x418];
							_t108 = E10025AE0();
							 *_t169 = _t159;
							_t169[1] = 0;
							_t139 = _t108;
							E10009690(_t139, _t142, _t159, _t163);
							return _t139;
						}
						goto L12;
					}
				}
				_t169[2] = 1;
				_t167 =  &(_t169[0x10c]);
				_t169[1] = 0;
				 *_t169 =  &(_t169[0xc]);
				_t162 =  &(_t169[0x20c]);
				_t169[0xa] =  *_t136;
				E10008880(_t136, 0x10000, _t162, _t167);
				_t169[2] = 1;
				_t169[1] = 0;
				 *_t169 = _t167;
				E10008880(_t136, 0x10000, _t162, _t167);
				_t169[2] = 1;
				_t169[1] = 0;
				 *_t169 = _t162;
				E10008880(_t136, 0x10000, _t162, _t167);
				_t169[2] = 0x10000;
				_t159 =  &(_t169[0x30c]);
				_t169[1] = 0;
				 *_t169 = _t159;
				E10008880(_t136, _t159, _t162, _t167);
				_t156 = _t169[0xa];
				_t144 = 0 |  *(_t169[0x41a]) != 0x00000000;
				_t100 = _t144;
				if(_t156 != 0 && _t144 != 0) {
					_t127 =  *((intOrPtr*)(_t156 + 0x14));
					if(_t127 != 0) {
						_t146 =  *(_t136 + _t127);
						if(_t146 != 0) {
							_t131 =  *_t146;
							if(_t131 != 0) {
								 *_t169 = _t146;
								_t169[0xb] = _t156;
								_t169[0xa] = _t146;
								_t132 =  *((intOrPtr*)(_t131 + 4))();
								_t169[3] = _t169[0xa];
								_t169[2] = _t132;
								_t169[1] = "[%s @ %p] ";
								 *_t169 =  &(_t169[0xc]);
								E100089C0();
								_t156 = _t169[0xb];
							}
						}
					}
					 *_t169 = _t136;
					_t128 =  *((intOrPtr*)(_t156 + 4))();
					_t169[3] = _t136;
					_t169[1] = "[%s @ %p] ";
					 *_t169 = _t167;
					_t169[2] = _t128;
					E100089C0();
					_t100 = _t169[0x41a] & 0xffffff00 |  *(_t169[0x41a]) != 0x00000000;
				}
			}

0x1002625e
0x10026260
0x10026269
0x100264c7
0x100264d1
0x100264de
0x100264e2
0x100264ee
0x100264f2
0x100264f9
0x100264fd
0x10026504
0x10026507
0x1002650e
0x10026512
0x10026516
0x10026519
0x10026523
0x10026529
0x1002652d
0x10026530
0x10026540
0x1002637a
0x10026382
0x1002648c
0x1002648c
0x1002648f
0x10026497
0x10026499
0x10026499
0x100264a0
0x100264a9
0x100264ad
0x100264b0
0x100264b0
0x1002638c
0x10026396
0x100263a1
0x100263a5
0x100263aa
0x100263ae
0x100263b5
0x100263bc
0x100263c6
0x100263d1
0x100263d1
0x100263d8
0x100263dc
0x100263e7
0x100263ef
0x100263fe
0x100263fe
0x10026408
0x00000000
0x10026469
0x1002646c
0x1002640b
0x1002640b
0x10026414
0x1002641f
0x10026423
0x10026427
0x1002642b
0x10026436
0x10026439
0x10026440
0x10026443
0x10026447
0x10026449
0x1002645a
0x1002645a
0x00000000
0x10026470
0x100263c6
0x1002627b
0x1002627f
0x10026288
0x10026290
0x10026293
0x1002629a
0x1002629e
0x100262a8
0x100262ae
0x100262b2
0x100262b5
0x100262c1
0x100262c5
0x100262c9
0x100262cc
0x100262d3
0x100262d7
0x100262de
0x100262e2
0x100262e5
0x100262f1
0x100262f9
0x100262fe
0x10026300
0x10026306
0x1002630b
0x1002630d
0x10026312
0x10026314
0x10026318
0x1002631a
0x1002631d
0x10026321
0x10026325
0x1002632c
0x10026330
0x10026339
0x10026341
0x10026344
0x10026349
0x10026349
0x10026318
0x10026312
0x1002634d
0x10026350
0x10026358
0x1002635c
0x10026360
0x10026363
0x10026367
0x10026377
0x10026377

APIs

mv_bprint_init.LICKING ref: 1002629E
mv_bprint_init.LICKING ref: 100262B5
mv_bprint_init.LICKING ref: 100262CC
mv_bprint_init.LICKING ref: 100262E5
mv_bprintf.LICKING ref: 10026344
mv_bprintf.LICKING ref: 10026367
mv_vbprintf.LICKING ref: 100263A5
mv_bprint_finalize.LICKING ref: 10026449
mv_bprint_init.LICKING ref: 100264E2
mv_bprint_init.LICKING ref: 10026507
mv_bprint_init.LICKING ref: 10026519
mv_bprint_init.LICKING ref: 10026530

Strings

%s%s%s%s, xrefs: 1002640F
[%s @ %p] , xrefs: 10026334, 10026353
[%s] , xrefs: 100264A4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init$mv_bprintf$mv_bprint_finalizemv_vbprintf
String ID: %s%s%s%s$[%s @ %p] $[%s]
API String ID: 2514531573-1798253436
Opcode ID: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
Instruction ID: c71d304a02298176911f7b5d9492a31840536d8b4fe4b07b2d7bce997b72d9a0
Opcode Fuzzy Hash: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
Instruction Fuzzy Hash: 808119B49097809FD350DF28D48069FBBE1FF88340F85892EE8C887355DB75AA84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1002E9D7 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 182
stringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E9D7(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L28:
					__ecx[4] = 0;
					 *__ecx = 0;
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										while(1) {
											L28:
											__ecx[4] = 0;
											 *__ecx = 0;
											goto L10;
										}
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						_a8 = __ebx[0x14];
						__edx = __ebx;
						E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e9d7
0x1002e9d7
0x1002e9d7
0x1002e9d7
0x1002e9d7
0x1002e9e0
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9ed
0x1002e9e0
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_parse_color.LICKING ref: 1002E72F
mv_freep.LICKING ref: 1002E75E
mv_strdup.LICKING ref: 1002E76A
mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A
mv_d2q.LICKING ref: 1002E857
mv_parse_video_rate.LICKING ref: 1002E896
mv_log.LICKING ref: 1002E8C0
strcmp.MSVCRT ref: 1002E8EF
mv_parse_video_size.LICKING ref: 1002E916
mv_log.LICKING ref: 1002E940
mv_dict_parse_string.LICKING ref: 1002E984
mv_dict_free.LICKING ref: 1002E99C
mv_log.LICKING ref: 1002E9CD

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_channel_layout_from_stringmv_channel_layout_uninitmv_d2qmv_dict_freemv_dict_parse_stringmv_freepmv_parse_colormv_parse_video_ratemv_parse_video_sizemv_strdupstrcmp
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 1998427758-3528850829
Opcode ID: 05cfac4aa9665df0fd5dc547b382abd2b3ad88334bc7dcdc768499bb3df06f8b
Instruction ID: 3c1adbe8acce8bdcb6acecf77a4fdc96571b445930456c93ab4e2227fb0a7aae
Opcode Fuzzy Hash: 05cfac4aa9665df0fd5dc547b382abd2b3ad88334bc7dcdc768499bb3df06f8b
Instruction Fuzzy Hash: B271D4B86087408FD748DF29D08061BBBE1FF88394F55CE2EE8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7B8 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179
stringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E7B8(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L13:
					asm("movsd xmm0, [ebx+0x10]");
					__edx = __ebx;
					_a4 = 1;
					_a8 = 0;
					 *__esp = 1;
					E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									goto L13;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						_a8 = __ebx[0x14];
						__edx = __ebx;
						E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e7b8
0x1002e7b8
0x1002e7b8
0x1002e7b8
0x1002e7b8
0x1002e7c0
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d2
0x1002e7d8
0x1002e7df
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_parse_color.LICKING ref: 1002E72F
mv_freep.LICKING ref: 1002E75E
mv_strdup.LICKING ref: 1002E76A
mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A
mv_d2q.LICKING ref: 1002E857
mv_parse_video_rate.LICKING ref: 1002E896
mv_log.LICKING ref: 1002E8C0
strcmp.MSVCRT ref: 1002E8EF
mv_parse_video_size.LICKING ref: 1002E916
mv_log.LICKING ref: 1002E940
mv_dict_parse_string.LICKING ref: 1002E984
mv_dict_free.LICKING ref: 1002E99C
mv_log.LICKING ref: 1002E9CD

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_channel_layout_from_stringmv_channel_layout_uninitmv_d2qmv_dict_freemv_dict_parse_stringmv_freepmv_parse_colormv_parse_video_ratemv_parse_video_sizemv_strdupstrcmp
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 1998427758-3528850829
Opcode ID: 18087ed649909ac3232b21fd4e046e9df97ac5ad99457572ee0c55c43c4e2b13
Instruction ID: 28a49b2ce0d6553c16a219e4c5d46a23de7f044e89b57d2250bfa4e8b40cb84a
Opcode Fuzzy Hash: 18087ed649909ac3232b21fd4e046e9df97ac5ad99457572ee0c55c43c4e2b13
Instruction Fuzzy Hash: 4571C4B86087408FD748DF29D48061BBBE1FF88394F55CE2EF8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7E6 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E7E6(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L14:
					_a44 = __ecx;
					__eax = __ebx[0x10];
					 *__esp = __ecx;
					_a40 = __ebx[0x10];
					__eax = E1000D270();
					__eax = _a40;
					if(__eax != 0) {
						_a4 = __eax;
						__ecx = _a44;
						 *__esp = _a44;
						__eax = E1000DD40(__fp0);
					}
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									goto L14;
							}
						}
						L12:
						__eax = __ebx[0x10];
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						__eax = __ebp;
						_a8 = __ebx[0x14];
						__edx = __ebx;
						__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e7e6
0x1002e7e6
0x1002e7e6
0x1002e7e6
0x1002e7e6
0x1002e7f0
0x1002e7f0
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7a9
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A

Part of subcall function 1000DD40: strcmp.MSVCRT ref: 1000DD7C

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_from_stringmv_channel_layout_uninitstrcmp
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 3643031241-3528850829
Opcode ID: 4cbc7f77e3fb1b2ca93576a4efb7cebd48922989bd5837ecfb01a10ef16ab226
Instruction ID: 9802f85130ea231eebcfeb957ec174d87e9cd8d26e63e575a961901119855b45
Opcode Fuzzy Hash: 4cbc7f77e3fb1b2ca93576a4efb7cebd48922989bd5837ecfb01a10ef16ab226
Instruction Fuzzy Hash: 0871D6B86087408FD744DF29D08061BBBE1FF88394F55CE2EE8999B315D630E9819B82

Uniqueness

Uniqueness Score: -1.00%

Function 1002E837 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179
stringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E837(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t91 = __edx;
				_t84 = __ebx;
				while(1) {
					L17:
					_a40 = __ecx;
					__eax = 0x7fffffff;
					_a8 = 0x7fffffff;
					asm("movsd xmm0, [ebx+0x10]");
					asm("movsd [esp], xmm0");
					__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
					__ecx = _a40;
					asm("movsd xmm0, [0x100b80b8]");
					_a4 = __eax;
					_a8 = __eax;
					__eax = __ebp;
					 *__esp = __edx;
					__edx = __ebx;
					__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									goto L17;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						__eax = __ebx[0x10];
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						__eax = __ebp;
						_a8 = __ebx[0x14];
						__edx = __ebx;
						__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e837
0x1002e837
0x1002e837
0x1002e837
0x1002e837
0x1002e837
0x1002e840
0x1002e840
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7a9
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_parse_color.LICKING ref: 1002E72F
mv_freep.LICKING ref: 1002E75E
mv_strdup.LICKING ref: 1002E76A
mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A
mv_d2q.LICKING ref: 1002E857
mv_parse_video_rate.LICKING ref: 1002E896
mv_log.LICKING ref: 1002E8C0
strcmp.MSVCRT ref: 1002E8EF
mv_parse_video_size.LICKING ref: 1002E916
mv_log.LICKING ref: 1002E940
mv_dict_parse_string.LICKING ref: 1002E984
mv_dict_free.LICKING ref: 1002E99C
mv_log.LICKING ref: 1002E9CD

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_channel_layout_from_stringmv_channel_layout_uninitmv_d2qmv_dict_freemv_dict_parse_stringmv_freepmv_parse_colormv_parse_video_ratemv_parse_video_sizemv_strdupstrcmp
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 1998427758-3528850829
Opcode ID: 63b910e090f6d84bdf3bf1989c09e96d5970c6fb79b958ea6806ae0b9d6dd20c
Instruction ID: 72ee429db93cb5dda0ca38e999c027375d35eaf3b803c1610f8c4437a6edc7ee
Opcode Fuzzy Hash: 63b910e090f6d84bdf3bf1989c09e96d5970c6fb79b958ea6806ae0b9d6dd20c
Instruction Fuzzy Hash: 8E71C4B86087408FD748DF29D48061BBBE1FF88394F55CE2EF8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002E74C Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178
stringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E74C(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L9:
					_a40 = __ecx;
					__eax = __ebx[0x10];
					 *__esp = __ecx;
					_a44 = __ebx[0x10];
					E100290E0();
					__eax = _a44;
					__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
					__ecx = _a40;
					 *__ecx = __eax;
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									goto L9;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						__eax = __ebx[0x10];
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						__eax = __ebp;
						_a8 = __ebx[0x14];
						__edx = __ebx;
						__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e74c
0x1002e74c
0x1002e74c
0x1002e74c
0x1002e74c
0x1002e750
0x1002e750
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7a9
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_parse_color.LICKING ref: 1002E72F
mv_freep.LICKING ref: 1002E75E
mv_strdup.LICKING ref: 1002E76A

Part of subcall function 100292E0: strlen.MSVCRT ref: 100292FE
Part of subcall function 100292E0: _aligned_realloc.MSVCRT ref: 10029325

mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A
mv_d2q.LICKING ref: 1002E857
mv_parse_video_rate.LICKING ref: 1002E896
mv_log.LICKING ref: 1002E8C0
strcmp.MSVCRT ref: 1002E8EF
mv_parse_video_size.LICKING ref: 1002E916
mv_log.LICKING ref: 1002E940
mv_dict_parse_string.LICKING ref: 1002E984
mv_dict_free.LICKING ref: 1002E99C
mv_log.LICKING ref: 1002E9CD

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$_aligned_reallocmv_channel_layout_from_stringmv_channel_layout_uninitmv_d2qmv_dict_freemv_dict_parse_stringmv_freepmv_parse_colormv_parse_video_ratemv_parse_video_sizemv_strdupstrcmpstrlen
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 1619538473-3528850829
Opcode ID: 9e50e7fe426a0488145ef4f18ecf0bd386860cb9a641fc07f3b3f1338f6e5e31
Instruction ID: 83692d95612f673ca492e14c840e2275f457c258c063007bd67ceb2e5a874e87
Opcode Fuzzy Hash: 9e50e7fe426a0488145ef4f18ecf0bd386860cb9a641fc07f3b3f1338f6e5e31
Instruction Fuzzy Hash: 5B71C4B86087408FD748DF29D48061BBBE1FF88394F55CE2EF8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002E824 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178
stringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E824(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L16:
					__eax = __ebx[0x10];
					__edx = __ecx;
					__eax = E1002B710(__ebx[0x10], __ecx);
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									goto L16;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									__edx = __ebx[0x10];
									 *__esp = __ecx;
									_a4 = __edx;
									_a40 = __edx;
									__eax = E100312C0();
									__edx = _a40;
									if(__eax < 0) {
										_a12 = __edx;
										__ecx = "Unable to parse option value \"%s\" as video rate\n";
										__eax = 0x10;
										_a8 = "Unable to parse option value \"%s\" as video rate\n";
										_a4 = 0x10;
										 *__esp = __ebp;
										__eax = E10026560();
									}
									goto L10;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						__eax = __ebx[0x10];
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						__eax = __ebp;
						_a8 = __ebx[0x14];
						__edx = __ebx;
						__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e824
0x1002e824
0x1002e824
0x1002e824
0x1002e824
0x1002e828
0x1002e828
0x1002e828
0x1002e82b
0x1002e82d
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7a9
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

Part of subcall function 1002B710: mv_freep.LICKING ref: 1002B71E
Part of subcall function 1002B710: strlen.MSVCRT ref: 1002B735
Part of subcall function 1002B710: mv_malloc.LICKING ref: 1002B751

mv_parse_color.LICKING ref: 1002E72F
mv_freep.LICKING ref: 1002E75E
mv_strdup.LICKING ref: 1002E76A
mv_channel_layout_uninit.LICKING ref: 1002E7FE
mv_channel_layout_from_string.LICKING ref: 1002E81A
mv_d2q.LICKING ref: 1002E857
mv_parse_video_rate.LICKING ref: 1002E896
mv_log.LICKING ref: 1002E8C0
strcmp.MSVCRT ref: 1002E8EF
mv_parse_video_size.LICKING ref: 1002E916
mv_log.LICKING ref: 1002E940
mv_dict_parse_string.LICKING ref: 1002E984
mv_dict_free.LICKING ref: 1002E99C
mv_log.LICKING ref: 1002E9CD

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_freep$mv_channel_layout_from_stringmv_channel_layout_uninitmv_d2qmv_dict_freemv_dict_parse_stringmv_mallocmv_parse_colormv_parse_video_ratemv_parse_video_sizemv_strdupstrcmpstrlen
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 1160367768-3528850829
Opcode ID: aed905d31240b7d19edcf952b4e8cc7e240d3b966edbf42388cc63f6fb8eaf2e
Instruction ID: 1720e54dc2cd0849f5aebe72428f8e29e384ba65a7b5399295b356ed7eb72bd1
Opcode Fuzzy Hash: aed905d31240b7d19edcf952b4e8cc7e240d3b966edbf42388cc63f6fb8eaf2e
Instruction Fuzzy Hash: CB71C4B86087408FD748DF29D48061BBBE1FF88394F55CE2EF8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002E884 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1002E884(void* __ebx, void* __ecx, void* __edi, signed int __esi, char* __ebp, int __fp0, char* _a4, char* _a8, char* _a12, intOrPtr _a16, char* _a40, char* _a44, char* _a60) {
				signed int _t80;
				void* _t84;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t96;
				signed int _t98;
				char* _t100;
				intOrPtr* _t102;
				int _t110;

				_t110 = __fp0;
				_t100 = __ebp;
				_t98 = __esi;
				_t96 = __edi;
				_t84 = __ebx;
				while(1) {
					L18:
					__edx = __ebx[0x10];
					 *__esp = __ecx;
					_a4 = __edx;
					_a40 = __edx;
					__eax = E100312C0();
					__edx = _a40;
					if(__eax < 0) {
						_a12 = __edx;
						__ecx = "Unable to parse option value \"%s\" as video rate\n";
						__eax = 0x10;
						_a8 = "Unable to parse option value \"%s\" as video rate\n";
						_a4 = 0x10;
						 *__esp = __ebp;
						__eax = E10026560();
					}
					while(1) {
						L10:
						_t91 =  *((intOrPtr*)(_t84 + 0x30));
						if(_t91 == 0) {
							break;
						}
						_t84 = _t84 + 0x30;
						_t80 =  *(_t84 + 0x28);
						if((_t80 & _t98) != _t96 || (_t80 & 0x00000080) != 0) {
							continue;
						} else {
							_t80 =  *(_t84 + 0xc);
							_t90 =  *((intOrPtr*)(_t84 + 8)) + _t100;
							if(_t80 > 0x13) {
								_a16 = _t91;
								_a12 = _t80;
								_a8 = "AVOption type %d of option %s not implemented yet\n";
								_a4 = 0x30;
								 *_t102 = _t100;
								_t80 = E10026560();
								continue;
							}
							switch( *((intOrPtr*)(_t80 * 4 +  &M100B7C60))) {
								case 0:
									goto L12;
								case 1:
									__eax = 1;
									asm("movsd xmm0, [ebx+0x10]");
									__edx = __ebx;
									_a4 = 1;
									__eax = 0;
									_a8 = 0;
									__eax = __ebp;
									 *__esp = 1;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 2:
									_a40 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a44 = __ebx[0x10];
									E100290E0();
									__eax = _a44;
									__eax = E100292E0(__ebx, __edi, __esi, __ebp, _a44);
									__ecx = _a40;
									 *__ecx = __eax;
									goto L10;
								case 3:
									_a40 = __ecx;
									__eax = 0x7fffffff;
									_a8 = 0x7fffffff;
									asm("movsd xmm0, [ebx+0x10]");
									asm("movsd [esp], xmm0");
									__eax = E10035AA0(0x7fffffff, __ebx, __edi, __esi);
									__ecx = _a40;
									asm("movsd xmm0, [0x100b80b8]");
									_a4 = __eax;
									_a8 = __eax;
									__eax = __ebp;
									 *__esp = __edx;
									__edx = __ebx;
									__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
									goto L10;
								case 4:
									__eax = __ebx[0x10];
									__edx = __ecx;
									__eax = E1002B710(__ebx[0x10], __ecx);
									goto L10;
								case 5:
									__eax = __ebx[0x10];
									__edx = 0;
									_a60 = 0;
									if(__eax == 0) {
										L26:
										 *__esp = __ecx;
										_a40 = __ecx;
										E10011CC0();
										__eax = _a60;
										__ecx = _a40;
										 *__ecx = _a60;
										goto L10;
									}
									_a40 = __ecx;
									__edx = L":=";
									__ecx = 0;
									_a16 = 0;
									__ecx = 0x100b7c27;
									_a12 = L":=";
									__edx =  &_a60;
									_a8 = 0x100b7c27;
									 *__esp =  &_a60;
									_a4 = __eax;
									__eax = E100118C0();
									__ecx = _a40;
									__edx =  &_a60;
									if(__eax < 0) {
										E10011CC0( &_a60);
										goto L10;
									}
									goto L26;
								case 6:
									goto L10;
								case 7:
									__edx = __ebx[0x10];
									if(__edx == 0) {
										L28:
										__ecx[4] = 0;
										 *__ecx = 0;
										goto L10;
									}
									 *__esp = __edx;
									__eax = 0x100b729c;
									_a4 = 0x100b729c;
									_a44 = __ecx;
									_a40 = __edx;
									__eax = strcmp(??, ??);
									__edx = _a40;
									__ecx = _a44;
									if(__eax == 0) {
										goto L28;
									} else {
										_a8 = __edx;
										__eax =  &(__ecx[4]);
										_a4 =  &(__ecx[4]);
										 *__esp = __ecx;
										_a40 = __edx;
										__eax = E10031200();
										__edx = _a40;
										if(__eax < 0) {
											_a12 = __edx;
											__eax = "Unable to parse option value \"%s\" as image size\n";
											_a8 = "Unable to parse option value \"%s\" as image size\n";
											__eax = 0x10;
											_a4 = 0x10;
											 *__esp = __ebp;
											__eax = E10026560();
										}
										goto L10;
									}
								case 8:
									goto L18;
								case 9:
									_t93 =  *((intOrPtr*)(_t84 + 0x10));
									if(_t93 == 0) {
										goto L10;
									}
									_a4 = _t93;
									_a12 = _t100;
									_a8 = 0xffffffff;
									 *_t102 = _t90;
									_a40 = _t93;
									_t80 = E10031420(_t110);
									_t94 = _a40;
									if(_t80 < 0) {
										_a12 = _t94;
										_a8 = "Unable to parse option value \"%s\" as color\n";
										_a4 = 0x10;
										 *_t102 = _t100;
										_t80 = E10026560();
										goto L10;
									}
									if(_t84 != 0) {
										goto L10;
									}
									goto L8;
								case 0xa:
									_a44 = __ecx;
									__eax = __ebx[0x10];
									 *__esp = __ecx;
									_a40 = __ebx[0x10];
									__eax = E1000D270();
									__eax = _a40;
									if(__eax != 0) {
										_a4 = __eax;
										__ecx = _a44;
										 *__esp = _a44;
										__eax = E1000DD40(__fp0);
									}
									goto L10;
							}
						}
						L12:
						__eax = __ebx[0x10];
						asm("movsd xmm0, [0x100b80b8]");
						__edx = __ebx[0x14];
						 *__esp = 1;
						_a4 = __ebx[0x10];
						__eax = __ebp;
						_a8 = __ebx[0x14];
						__edx = __ebx;
						__eax = E1002ACF0(__ebx, __ecx, __ebx, __edi, __esi, __fp0);
					}
					L8:
					return _t80;
				}
			}

0x1002e884
0x1002e884
0x1002e884
0x1002e884
0x1002e884
0x1002e888
0x1002e888
0x1002e888
0x1002e88b
0x1002e88e
0x1002e892
0x1002e896
0x1002e89b
0x1002e8a1
0x1002e8a7
0x1002e8ab
0x1002e8b0
0x1002e8b5
0x1002e8b9
0x1002e8bd
0x1002e8c0
0x1002e8c0
0x1002e780
0x1002e780
0x1002e780
0x1002e785
0x00000000
0x00000000
0x1002e787
0x1002e6db
0x1002e6e4
0x00000000
0x1002e6f2
0x1002e6f5
0x1002e6f8
0x1002e6fd
0x1002e9b0
0x1002e9b9
0x1002e9c2
0x1002e9c6
0x1002e9ca
0x1002e9cd
0x00000000
0x1002e9cd
0x1002e703
0x00000000
0x00000000
0x00000000
0x1002e7c0
0x1002e7c5
0x1002e7ca
0x1002e7cc
0x1002e7d0
0x1002e7d2
0x1002e7d6
0x1002e7d8
0x1002e7df
0x00000000
0x00000000
0x1002e750
0x1002e754
0x1002e757
0x1002e75a
0x1002e75e
0x1002e763
0x1002e76a
0x1002e76f
0x1002e773
0x00000000
0x00000000
0x1002e840
0x1002e844
0x1002e849
0x1002e84d
0x1002e852
0x1002e857
0x1002e85c
0x1002e860
0x1002e868
0x1002e86f
0x1002e873
0x1002e875
0x1002e878
0x1002e87a
0x00000000
0x00000000
0x1002e828
0x1002e82b
0x1002e82d
0x00000000
0x00000000
0x1002e950
0x1002e953
0x1002e955
0x1002e95b
0x1002e995
0x1002e995
0x1002e998
0x1002e99c
0x1002e9a1
0x1002e9a5
0x1002e9a9
0x00000000
0x1002e9a9
0x1002e95d
0x1002e961
0x1002e966
0x1002e968
0x1002e96c
0x1002e971
0x1002e975
0x1002e979
0x1002e97d
0x1002e980
0x1002e984
0x1002e989
0x1002e98d
0x1002e993
0x1002e9f5
0x00000000
0x1002e9f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e8d0
0x1002e8d5
0x1002e9e0
0x1002e9e0
0x1002e9e7
0x00000000
0x1002e9e7
0x1002e8db
0x1002e8de
0x1002e8e3
0x1002e8e7
0x1002e8eb
0x1002e8ef
0x1002e8f4
0x1002e8f8
0x1002e8fe
0x00000000
0x1002e904
0x1002e904
0x1002e908
0x1002e90b
0x1002e90f
0x1002e912
0x1002e916
0x1002e91b
0x1002e921
0x1002e927
0x1002e92b
0x1002e930
0x1002e934
0x1002e939
0x1002e93d
0x1002e940
0x1002e940
0x00000000
0x1002e921
0x00000000
0x00000000
0x00000000
0x1002e710
0x1002e715
0x00000000
0x00000000
0x1002e717
0x1002e720
0x1002e724
0x1002e728
0x1002e72b
0x1002e72f
0x1002e734
0x1002e73a
0x1002e9ff
0x1002ea0d
0x1002ea11
0x1002ea15
0x1002ea18
0x00000000
0x1002ea18
0x1002e742
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e7f0
0x1002e7f4
0x1002e7f7
0x1002e7fa
0x1002e7fe
0x1002e803
0x1002e809
0x1002e80f
0x1002e813
0x1002e817
0x1002e81a
0x1002e81a
0x00000000
0x00000000
0x1002e703
0x1002e790
0x1002e790
0x1002e793
0x1002e79b
0x1002e79e
0x1002e7a5
0x1002e7a9
0x1002e7ab
0x1002e7af
0x1002e7b1
0x1002e7b1
0x1002e744
0x1002e74b
0x1002e74b

APIs

mv_parse_video_rate.LICKING ref: 1002E896

Part of subcall function 100312C0: strcmp.MSVCRT ref: 100312D8
Part of subcall function 100312C0: strcmp.MSVCRT ref: 100312F0
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031308
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031320
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031338
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031350
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031368
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031380
Part of subcall function 100312C0: mv_parse_ratio.LICKING(?,?,?,?,?,?,?,?,1002E89B), ref: 100313AC

mv_log.LICKING ref: 1002E8C0

Strings

Unable to parse option value "%s" as image size, xrefs: 1002E92B
Unable to parse option value "%s" as video rate, xrefs: 1002E8AB
none, xrefs: 1002E8DE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_logmv_parse_ratiomv_parse_video_rate
String ID: Unable to parse option value "%s" as image size$Unable to parse option value "%s" as video rate$none
API String ID: 3172953258-3528850829
Opcode ID: 22d8e81f1de2524d8f903a54a0d85b30004592b7b4a08e109ba683e1d30321ca
Instruction ID: a16d42cbd7f7d114d0e9e11e949a8ac00f942617777bf6e0f5eed10d2b22d138
Opcode Fuzzy Hash: 22d8e81f1de2524d8f903a54a0d85b30004592b7b4a08e109ba683e1d30321ca
Instruction Fuzzy Hash: 7F71C4B86087408FD748DF29D48061BBBE1FF88394F55CE2EF8999B315D630D9819B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002FD50 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 128stringCOMMON

Download Yara Rule

APIs

mv_get_token.LICKING ref: 1002FD87

Part of subcall function 10006940: strlen.MSVCRT ref: 10006950
Part of subcall function 10006940: mv_malloc.LICKING ref: 10006959
Part of subcall function 10006940: strspn.MSVCRT ref: 10006980
Part of subcall function 10006940: strspn.MSVCRT ref: 100069C1

strspn.MSVCRT ref: 1002FDB2
mv_get_token.LICKING ref: 1002FDD5
mv_log.LICKING ref: 1002FE05
mv_opt_set.LICKING ref: 1002FE22
mv_log.LICKING ref: 1002FE99
mv_log.LICKING ref: 1002FEE9
mv_freep.LICKING ref: 1002FF0E

Strings

Key '%s' not found., xrefs: 1002FE84
Missing key or no key/value separator found after key '%s', xrefs: 1002FED4
Setting entry with key '%s' to value '%s', xrefs: 1002FDEC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrspn$mv_get_token$mv_freepmv_mallocmv_opt_setstrlen
String ID: Key '%s' not found.$Missing key or no key/value separator found after key '%s'$Setting entry with key '%s' to value '%s'
API String ID: 3679258194-2858522012
Opcode ID: 9bdd3232f97ec0260beab08dc20f92d4b0022e57db76bcf83867fa0e345537b1
Instruction ID: 181b57feb46cd02316d05ff32b1c753a562189d423e209573ee31e279fb0ce3b
Opcode Fuzzy Hash: 9bdd3232f97ec0260beab08dc20f92d4b0022e57db76bcf83867fa0e345537b1
Instruction Fuzzy Hash: 1A41E4B5A083049FD741DF29E480A2EBBE4EF88794F85892EF49887361D675D840CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000FDB0 Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E1000FDB0(intOrPtr __ebx, signed int _a4) {
				intOrPtr _v4;
				char _v16;
				intOrPtr _v32;
				intOrPtr _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				char* _v60;
				char* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _t77;

				_v4 = __ebx;
				_t77 = _a4;
				if(_t77 > 7) {
					_v40 = 0x182;
					_v44 = "libavutil/crc.c";
					_v48 = 0x100b31c2;
					L28:
					E10026560(0, 0, "Assertion %s failed at %s:%d\n");
					abort();
					L29:
					_v40 = 0x152;
					_v44 = "libavutil/crc.c";
					_v48 = "av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0";
					goto L28;
				}
				_v16 = 0;
				_v48 = 0;
				_v52 =  &_v16;
				_v56 = 0;
				switch( *((intOrPtr*)(_t77 * 4 +  &M100B31C4))) {
					case 0:
						_v60 = 0x100cf25c;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 7;
							__edx = 8;
							__eax = 0x100cf260;
							if(E1000FAE0(0x100cf260, 7, 8) < 0) {
								_v56 = 0x14b;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf25c;
						__edx = 0;
						__ecx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 1:
						_v60 = 0x100cf254;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x8005;
							__edx = 0x10;
							__eax = 0x100d0260;
							if(E1000FAE0(0x100d0260, 0x8005, 0x10) < 0) {
								_v56 = 0x14d;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_16_ANSI], 0, 16, 0x8005, sizeof(av_crc_table[AV_CRC_16_ANSI])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf254;
						__edx = 0;
						__ecx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 2:
						_v60 = 0x100cf250;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x1021;
							__edx = 0x10;
							__eax = 0x100d1260;
							if(E1000FAE0(0x100d1260, 0x1021, 0x10) < 0) {
								_v56 = 0x14e;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf250;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 3:
						_v60 = 0x100cf248;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__edx = _v32;
						if(_v32 != 0) {
							__ecx = 0x4c11db7;
							__edx = 0x20;
							__eax = 0x100d2260;
							if(E1000FAE0(0x100d2260, 0x4c11db7, 0x20) < 0) {
								_v56 = 0x150;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf248;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 4:
						_v60 = 0x100cf244;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0xedb88320;
							__edx = 0x20;
							__eax = 0x100d3260;
							if(E1000FA00(0x100d3260, 0xedb88320) < 0) {
								_v56 = 0x151;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf244;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 5:
						_v60 = 0x100cf240;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__ecx = _v32;
						if(_v32 != 0) {
							__ecx = 0xa001;
							__edx = 0x10;
							__eax = 0x100d4260;
							if(E1000FA00(0x100d4260, 0xa001) < 0) {
								goto L29;
							}
						}
						 *__esp = 0x100cf240;
						__eax = 0;
						__edx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 6:
						_v60 = 0x100cf24c;
						__imp__InitOnceBeginInitialize();
						_t84 =  &_v60 - 0x10;
						if(_v32 != 0 && E1000FAE0(0x100d5260, 0x864cfb, 0x18) < 0) {
							_v56 = 0x14f;
							_v60 = "libavutil/crc.c";
							_v64 = "av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0";
							goto L28;
						}
						 *_t84 = 0x100cf24c;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						goto L5;
					case 7:
						_v60 = 0x100cf258;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x1d;
							__edx = 8;
							__eax = 0x100d6260;
							if(E1000FAE0(0x100d6260, 0x1d, 8) < 0) {
								_v56 = 0x14c;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_8_EBU], 0, 8, 0x1D, sizeof(av_crc_table[AV_CRC_8_EBU])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf258;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						L5:
						return (_t77 << 0xc) + 0x100cf260;
				}
			}

0x1000fdb3
0x1000fdb7
0x1000fdbe
0x100100b1
0x100100b9
0x100100c1
0x100100c9
0x100100da
0x100100df
0x100100e4
0x100100e4
0x100100ec
0x100100f4
0x00000000
0x100100f4
0x1000fdc6
0x1000fdcc
0x1000fdd4
0x1000fdda
0x1000fdde
0x00000000
0x1000fea8
0x1000feaf
0x1000feb5
0x1000feb8
0x1000febe
0x1000fec0
0x1000fec5
0x1000feca
0x1000fed6
0x1001016c
0x10010174
0x1001017c
0x00000000
0x1001017c
0x1000fed6
0x1000fedc
0x1000fee3
0x1000fee5
0x1000fee7
0x1000feeb
0x1000feef
0x1000fef5
0x00000000
0x00000000
0x1000ff00
0x1000ff07
0x1000ff0d
0x1000ff10
0x1000ff16
0x1000ff18
0x1000ff1d
0x1000ff22
0x1000ff2e
0x1001014f
0x10010157
0x1001015f
0x00000000
0x1001015f
0x1000ff2e
0x1000ff34
0x1000ff3b
0x1000ff3d
0x1000ff3f
0x1000ff43
0x1000ff47
0x1000ff4d
0x00000000
0x00000000
0x1000ff58
0x1000ff5f
0x1000ff65
0x1000ff68
0x1000ff6e
0x1000ff70
0x1000ff75
0x1000ff7a
0x1000ff86
0x10010132
0x1001013a
0x10010142
0x00000000
0x10010142
0x1000ff86
0x1000ff8c
0x1000ff93
0x1000ff95
0x1000ff99
0x1000ff9b
0x1000ff9f
0x1000ffa5
0x00000000
0x00000000
0x1000ffb0
0x1000ffb7
0x1000ffbd
0x1000ffc0
0x1000ffc6
0x1000ffc8
0x1000ffcd
0x1000ffd2
0x1000ffde
0x10010118
0x10010120
0x10010128
0x00000000
0x10010128
0x1000ffde
0x1000ffe4
0x1000ffeb
0x1000ffed
0x1000fff1
0x1000fff3
0x1000fff7
0x1000fffd
0x00000000
0x00000000
0x10010008
0x1001000f
0x10010015
0x10010018
0x1001001e
0x10010020
0x10010025
0x1001002a
0x10010036
0x100100fe
0x10010106
0x1001010e
0x00000000
0x1001010e
0x10010036
0x1001003c
0x10010043
0x10010045
0x10010049
0x1001004b
0x1001004f
0x10010055
0x00000000
0x00000000
0x10010060
0x10010067
0x1001006d
0x10010070
0x10010076
0x10010078
0x1001007d
0x10010082
0x1001008e
0x00000000
0x00000000
0x1001008e
0x10010090
0x10010097
0x10010099
0x1001009b
0x1001009f
0x100100a3
0x100100a9
0x00000000
0x00000000
0x1000fde8
0x1000fdef
0x1000fdf5
0x1000fdfe
0x100101a6
0x100101ae
0x100101b6
0x00000000
0x100101b6
0x1000fe1c
0x1000fe27
0x1000fe2b
0x1000fe2f
0x00000000
0x00000000
0x1000fe50
0x1000fe57
0x1000fe5d
0x1000fe60
0x1000fe66
0x1000fe68
0x1000fe6d
0x1000fe72
0x1000fe7e
0x10010189
0x10010191
0x10010199
0x00000000
0x10010199
0x1000fe7e
0x1000fe84
0x1000fe8b
0x1000fe8d
0x1000fe91
0x1000fe93
0x1000fe97
0x1000fe9d
0x1000fe38
0x1000fe48
0x00000000

APIs

InitOnceBeginInitialize.KERNEL32 ref: 1000FDEF
InitOnceComplete.KERNEL32 ref: 1000FE2F
InitOnceBeginInitialize.KERNEL32 ref: 1000FE57
InitOnceComplete.KERNEL32 ref: 1000FE97
InitOnceBeginInitialize.KERNEL32 ref: 1000FEAF
InitOnceComplete.KERNEL32 ref: 1000FEEF
InitOnceBeginInitialize.KERNEL32 ref: 1000FF07
InitOnceComplete.KERNEL32 ref: 1000FF47
InitOnceBeginInitialize.KERNEL32 ref: 1000FF5F
InitOnceComplete.KERNEL32 ref: 1000FF9F
InitOnceBeginInitialize.KERNEL32 ref: 1000FFB7
InitOnceComplete.KERNEL32 ref: 1000FFF7
InitOnceBeginInitialize.KERNEL32 ref: 1001000F
InitOnceComplete.KERNEL32 ref: 1001004F
InitOnceBeginInitialize.KERNEL32 ref: 10010067
InitOnceComplete.KERNEL32 ref: 100100A3
mv_log.LICKING ref: 100100DA
abort.MSVCRT ref: 100100DF

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitOnce$BeginCompleteInitialize$abortmv_log
String ID:
API String ID: 3291523196-0
Opcode ID: 2b47c2bf3e3fa6c795a3dc23ffaf2896f32faa1e7336acce23502dd64e08b7d6
Instruction ID: aeed45a4e90bad649361631328d9bf363d386ce5facdec37279137bd03f57fef
Opcode Fuzzy Hash: 2b47c2bf3e3fa6c795a3dc23ffaf2896f32faa1e7336acce23502dd64e08b7d6
Instruction Fuzzy Hash: 429105746093819FD340EF69C54822EBBE1FF85340F81C92DE899CB614DBB9C5449B53

Uniqueness

Uniqueness Score: -1.00%

Function 10015D21 Relevance: 27.1, APIs: 18, Instructions: 116COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 10015D33
mv_expr_free.LICKING ref: 10015DA4
mv_expr_free.LICKING ref: 10015DB3
mv_expr_free.LICKING ref: 10015DC2
mv_freep.LICKING ref: 10015DD1
mv_freep.LICKING ref: 10015DDD
mv_expr_free.LICKING ref: 10015DFF
mv_expr_free.LICKING ref: 10015E0E
mv_expr_free.LICKING ref: 10015E1D
mv_freep.LICKING ref: 10015E2C
mv_freep.LICKING ref: 10015E38
mv_expr_free.LICKING ref: 10015E5A
mv_expr_free.LICKING ref: 10015E69
mv_expr_free.LICKING ref: 10015E78
mv_freep.LICKING ref: 10015E87
mv_freep.LICKING ref: 10015E93
mv_freep.LICKING ref: 10015EAA
mv_freep.LICKING ref: 10015EB6
mv_expr_free.LICKING ref: 10015EE9
mv_expr_free.LICKING ref: 10015EF8
mv_expr_free.LICKING ref: 10015F07
mv_freep.LICKING ref: 10015F16
mv_freep.LICKING ref: 10015F22
mv_expr_free.LICKING ref: 10015F35
mv_expr_free.LICKING ref: 10015F44
mv_expr_free.LICKING ref: 10015F53
mv_freep.LICKING ref: 10015F62
mv_freep.LICKING ref: 10015F6E

Part of subcall function 10015A2B: mv_mallocz.LICKING ref: 10015A99

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_mallocz
String ID:
API String ID: 83030161-0
Opcode ID: cedd425efbf2f9177d794371f5334c4b88e835c2cfef34e4e6e27e8324e12137
Instruction ID: 0ff1b914b972770665bab29417398d322990ddb109f90b5d6908dac23094119d
Opcode Fuzzy Hash: cedd425efbf2f9177d794371f5334c4b88e835c2cfef34e4e6e27e8324e12137
Instruction Fuzzy Hash: 01518EB85087058FC344EF65C08191ABBE1FF88355F55CA5DE8985B305D735EA86CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100202B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 171COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.LICKING ref: 10020395
mv_log.LICKING ref: 100203B3
mv_log.LICKING ref: 100203D6
mv_log.LICKING ref: 100203FD

Strings

Error creating an internal frame pool, xrefs: 100203C6
Unsupported pixel format: %s, xrefs: 100203A1
Unknown surface type: %lu, xrefs: 100203E8
Failed to open device handle, xrefs: 10020522
P010, xrefs: 100204BE
NV12, xrefs: 1002040C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_get_pix_fmt_name
String ID: Error creating an internal frame pool$Failed to open device handle$NV12$P010$Unknown surface type: %lu$Unsupported pixel format: %s
API String ID: 2830795485-4196069199
Opcode ID: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
Instruction ID: dbfc9fc73534cf50ff89b72e71a8ef33aba9b4af1470f45bc046c89c466e1acb
Opcode Fuzzy Hash: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
Instruction Fuzzy Hash: 3371C2B46087459FC750DF29D58460ABBE1FF88300F91C96EF9998B356E774E840DB42

Uniqueness

Uniqueness Score: -1.00%

Function 1004F1D7 Relevance: 25.9, APIs: 17, Instructions: 379COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F277
mv_tree_find.LICKING ref: 1004F296
mv_tree_find.LICKING ref: 1004F30F
mv_tree_find.LICKING ref: 1004F32E
mv_tree_find.LICKING ref: 1004F3EF
mv_tree_find.LICKING ref: 1004F40E
mv_tree_find.LICKING ref: 1004F478
mv_tree_find.LICKING ref: 1004F493

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: a2a5cd09734139798f1fd845032fbc4d271d5e899faa0ed1a3b262cc80cb7db8
Instruction ID: 10347d840d05b216583f0c99bd3977a2b28e1ad78328ba6578458fb5db6f5e94
Opcode Fuzzy Hash: a2a5cd09734139798f1fd845032fbc4d271d5e899faa0ed1a3b262cc80cb7db8
Instruction Fuzzy Hash: 9AF18EB4A097469FC300DF6AC18441AFBE5FFC8A54F61892EE898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1004F224 Relevance: 25.9, APIs: 17, Instructions: 363COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F277
mv_tree_find.LICKING ref: 1004F296
mv_tree_find.LICKING ref: 1004F30F
mv_tree_find.LICKING ref: 1004F32E
mv_tree_find.LICKING ref: 1004F3EF
mv_tree_find.LICKING ref: 1004F40E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: 2e39002f0947aa2d0dcfdfe7d57795e1a31c696425fd7e0b4506f071d05121fc
Instruction ID: 8114381493718004402c8e9f9bec72280e252baf9b6a713c21554cb975316836
Opcode Fuzzy Hash: 2e39002f0947aa2d0dcfdfe7d57795e1a31c696425fd7e0b4506f071d05121fc
Instruction Fuzzy Hash: BFF18DB490974A9FC300DF6AC18441AFBE5FFC8A54F61892EE898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1001ADF0 Relevance: 25.9, APIs: 17, Instructions: 360
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1001ADF0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				void* _t160;
				signed int _t163;
				signed int _t164;
				signed int _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				signed int _t176;
				signed int _t182;
				signed int _t188;
				signed int _t198;
				signed int _t199;
				signed int _t207;
				signed int _t210;
				signed int _t211;
				void* _t212;
				void* _t213;
				signed int _t214;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t233;
				signed int _t235;
				signed int _t239;
				void* _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t247;
				signed int _t250;
				signed int _t252;
				signed int _t253;
				signed int _t260;
				signed int _t266;
				signed int _t267;
				void* _t268;
				signed int _t269;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t275;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t280;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				void* _t293;
				void* _t294;
				signed int* _t295;

				_t295 = _t294 - 0x5c;
				_t235 = _t295[0x1c];
				_t155 =  *(_t235 + 0x50);
				if(_t155 < 0) {
					L62:
					_t252 = 0xffffffea;
					goto L19;
				} else {
					_t237 =  *(_t235 + 0x44);
					if( *(_t235 + 0x44) <= 0) {
						L3:
						if( *(_t235 + 0x4c) <= 0) {
							goto L62;
						} else {
							_t284 = _t235 + 0x148;
							 *_t295 = _t284;
							if(E1000EC10() != 0 || ( *(_t235 + 0xb4) |  *(_t235 + 0xb0)) != 0 ||  *(_t235 + 0x120) > 0) {
								 *_t295 =  *(_t235 + 0x50);
								_t160 = E1003CB70();
								_t269 =  *(_t235 + 0x14c);
								_t275 = _t160;
								if(_t269 != 0) {
									L21:
									 *(_t235 + 0x120) = _t269;
									__eflags =  *(_t235 + 0x148) != 1;
									if( *(_t235 + 0x148) != 1) {
										_t253 = 0;
										_t163 = 0;
									} else {
										_t253 =  *(_t235 + 0x150);
										_t163 =  *(_t235 + 0x154);
									}
								} else {
									_t163 =  *(_t235 + 0xb4);
									_t253 =  *(_t235 + 0xb0);
									_t237 = _t163 | _t253;
									if((_t163 | _t253) != 0) {
										_t295[1] = _t253;
										_t295[2] = _t163;
										 *_t295 = _t284;
										E1000D1B0();
										_t269 =  *(_t235 + 0x14c);
										goto L21;
									} else {
										_t269 =  *(_t235 + 0x120);
										 *(_t235 + 0x148) = 0;
										 *(_t235 + 0x14c) = _t269;
									}
								}
								 *(_t235 + 0xb4) = _t163;
								_t164 =  *(_t235 + 0x20);
								 *(_t235 + 0xb0) = _t253;
								if(_t275 != 0) {
									__eflags = _t164;
									if(_t164 == 0) {
										_t295[4] = _t295[0x1d];
										_t295[3] =  *(_t235 + 0x50);
										_t295[1] = _t269;
										_t295[2] =  *(_t235 + 0x4c);
										 *_t295 = _t235 + 0x20;
										_t169 = E1003CB90(_t235, _t253, _t269, _t275);
										__eflags = _t169;
										_t252 = _t169;
										if(_t169 >= 0) {
											goto L24;
										} else {
											goto L19;
										}
									} else {
										L24:
										__eflags = _t269 - 8;
										if(_t269 <= 8) {
											 *(_t235 + 0x40) = _t235;
											__eflags = _t269;
											if(_t269 > 0) {
												goto L67;
											} else {
												goto L34;
											}
										} else {
											 *_t295 = _t269;
											_t280 = _t269 - 8;
											_t295[1] = 4;
											 *(_t235 + 0x40) = E100291F0();
											_t295[1] = 4;
											 *_t295 = _t280;
											_t182 = E100291F0();
											_t237 =  *(_t235 + 0x40);
											__eflags =  *(_t235 + 0x40);
											 *(_t235 + 0xd8) = _t182;
											if( *(_t235 + 0x40) == 0) {
												L70:
												 *_t295 = _t235 + 0x40;
												E100290E0();
												 *_t295 = _t235 + 0xd8;
												E100290E0();
												goto L18;
											} else {
												__eflags = _t182;
												if(_t182 == 0) {
													goto L70;
												} else {
													 *(_t235 + 0xdc) = _t280;
													_t164 =  *(_t235 + 0x20);
													goto L13;
												}
											}
										}
									}
								} else {
									if(_t164 == 0) {
										_t295[4] = _t295[0x1d];
										_t295[3] =  *(_t235 + 0x50);
										_t295[1] = _t269;
										_t295[2] =  *(_t235 + 0x4c);
										 *_t295 = _t235 + 0x20;
										_t188 = E1003CB90(_t235, _t253, _t269, _t275);
										__eflags = _t188;
										_t252 = _t188;
										if(_t188 < 0) {
											goto L19;
										} else {
											 *(_t235 + 0x40) = _t235;
											_t269 = 1;
											L67:
											_t164 =  *(_t235 + 0x20);
											goto L13;
										}
									} else {
										 *(_t235 + 0x40) = _t235;
										_t269 = 1;
										L13:
										_t285 = 0;
										_t277 =  <=  ? _t269 : 8;
										while(1) {
											 *_t295 = _t164;
											_t170 = E10009DC0(_t235, _t237, _t269, _t277);
											 *((intOrPtr*)(_t235 + 0xb8 + _t285 * 4)) = _t170;
											if(_t170 == 0) {
												break;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											 *((intOrPtr*)(_t235 + _t285 * 4)) = _t171;
											 *((intOrPtr*)( *(_t235 + 0x40) + _t285 * 4)) = _t171;
											_t285 = _t285 + 1;
											__eflags = _t285 - _t277;
											if(_t285 >= _t277) {
												__eflags = _t269 - 8;
												_t295[0xb] = _t269 - 8;
												if(_t269 <= 8) {
													L34:
													__eflags = 0;
													return 0;
												} else {
													_t278 =  *(_t235 + 0xd8);
													_t286 = 0;
													while(1) {
														_t270 = _t286 * 4;
														_t279 = _t278 + _t270;
														 *_t295 =  *(_t235 + 0x20);
														 *_t279 = E10009DC0(_t235, _t237, _t270, _t279);
														_t278 =  *(_t235 + 0xd8);
														_t176 =  *(_t278 + _t270);
														__eflags = _t176;
														if(_t176 == 0) {
															break;
														}
														_t237 =  *(_t176 + 4);
														_t286 = _t286 + 1;
														__eflags = _t295[0xb] - _t286;
														 *( *(_t235 + 0x40) + _t270 + 0x20) =  *(_t176 + 4);
														if(_t295[0xb] == _t286) {
															goto L34;
														} else {
															continue;
														}
														goto L71;
													}
													break;
												}
											} else {
												_t164 =  *(_t235 + 0x20);
												continue;
											}
											goto L71;
										}
										E1001A460(_t235);
										L18:
										_t252 = 0xfffffff4;
										goto L19;
									}
								}
							} else {
								goto L62;
							}
						}
					} else {
						_t257 =  *(_t235 + 0x48);
						if( *(_t235 + 0x48) > 0) {
							 *_t295 = _t155;
							__eflags = E10034790();
							if(__eflags == 0) {
								goto L62;
							} else {
								_t295[3] = 0;
								_t295[2] = 0;
								_t295[1] =  *(_t235 + 0x48);
								 *_t295 =  *(_t235 + 0x44);
								_t198 = E100221C0(_t235, _t257, _t268, _t274, _t283, __eflags);
								__eflags = _t198;
								_t252 = _t198;
								if(_t198 >= 0) {
									_t199 =  *(_t235 + 0x20);
									__eflags = _t199;
									if(__eflags != 0) {
										L48:
										_t295[0xc] = _t199;
										_t295[0xd] =  *(_t235 + 0x24);
										_t295[0xe] =  *(_t235 + 0x28);
										_t295[0xf] =  *(_t235 + 0x2c);
										_t272 =  *(_t235 + 0x48) + 0x0000001f & 0xffffffe0;
										_t295[3] =  &(_t295[0xc]);
										_t295[2] = _t272;
										_t295[1] =  *(_t235 + 0x50);
										 *_t295 =  &(_t295[0x10]);
										_t207 = E100219B0(_t235, _t272, _t274, _t283, __eflags);
										__eflags = _t207;
										_t252 = _t207;
										if(_t207 >= 0) {
											_t239 = _t295[0x10];
											__eflags = _t295[0x1d] - 0x20;
											_t209 =  >=  ? _t295[0x1d] : 0x20;
											_t210 = ( >=  ? _t295[0x1d] : 0x20) * 4;
											__eflags = 0x7fffffdf - _t239;
											if(0x7fffffdf < _t239) {
												goto L62;
											} else {
												_t240 = _t239 + _t210;
												_t211 = _t295[0x11];
												__eflags = 0x7fffffff - _t240 - _t211;
												if(0x7fffffff - _t240 < _t211) {
													goto L62;
												} else {
													_t212 = _t211 + _t240;
													_t241 = _t295[0x12];
													_t293 = 0x7fffffff - _t212;
													__eflags = 0x7fffffff - _t241;
													if(0x7fffffff < _t241) {
														goto L62;
													} else {
														_t213 = _t212 + _t241;
														_t242 = _t295[0x13];
														__eflags = 0x7fffffff - _t213 - _t242;
														if(0x7fffffff - _t213 < _t242) {
															goto L62;
														} else {
															 *_t295 = _t242 + _t213;
															_t214 = E10009DC0(_t235, _t242 + _t213, _t272, 0x20);
															 *(_t235 + 0xb8) = _t214;
															__eflags = _t214;
															if(_t214 == 0) {
																_t260 = 0xfffffff4;
																goto L69;
															} else {
																_t295[4] = _t235 + 0x20;
																_t295[2] = _t272;
																_t295[3] =  *(_t214 + 4);
																 *_t295 = _t235;
																_t295[1] =  *(_t235 + 0x50);
																_t219 = E10021AF0(_t235, _t272, 0x20, _t293);
																__eflags = _t219;
																_t260 = _t219;
																if(_t219 < 0) {
																	L69:
																	_t295[0xb] = _t260;
																	E1001A460(_t235);
																	_t252 = _t295[0xb];
																} else {
																	_t220 =  *(_t235 + 4);
																	__eflags = _t220;
																	if(_t220 != 0) {
																		_t225 = _t220 + 0x20;
																		__eflags = _t225;
																		 *(_t235 + 4) = _t225;
																	}
																	_t221 =  *(_t235 + 8);
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *(_t235 + 8) = _t221 + 0x40;
																	}
																	_t222 =  *(_t235 + 0xc);
																	__eflags = _t222;
																	if(_t222 != 0) {
																		_t223 = _t222 + 0x60;
																		__eflags = _t223;
																		 *(_t235 + 0xc) = _t223;
																	}
																	 *(_t235 + 0x40) = _t235;
																	_t252 = 0;
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t283 = 1;
										_t273 = _t235 + 0x20;
										__eflags = _t295[0x1d];
										_t274 =  >  ? _t295[0x1d] : 0x20;
										_t295[0xb] = 0x1f;
										while(1) {
											_t295[2] =  *(_t235 + 0x44) + _t283 - 0x00000001 &  ~_t283;
											 *_t295 = _t273;
											_t295[1] =  *(_t235 + 0x50);
											_t233 = E100215D0(__eflags);
											__eflags = _t233;
											_t252 = _t233;
											if(_t233 < 0) {
												goto L19;
											}
											_t199 =  *(_t235 + 0x20);
											__eflags = _t295[0xb] & _t199;
											if((_t295[0xb] & _t199) != 0) {
												_t283 = _t283 + _t283;
												__eflags = _t283 - _t274;
												if(__eflags > 0) {
													goto L44;
												} else {
													continue;
												}
											} else {
												__eflags = _t199;
												if(__eflags != 0) {
													L44:
													_t244 =  *(_t235 + 0x24);
													_t266 =  ~_t274;
													_t199 = _t274 + _t199 - 0x00000001 & _t266;
													 *(_t235 + 0x20) = _t199;
													__eflags = _t244;
													if(__eflags != 0) {
														 *(_t235 + 0x24) = _t274 + _t244 - 0x00000001 & _t266;
														_t247 =  *(_t235 + 0x28);
														__eflags = _t247;
														if(__eflags != 0) {
															 *(_t235 + 0x28) = _t274 + _t247 - 0x00000001 & _t266;
															_t250 =  *(_t235 + 0x2c);
															__eflags = _t250;
															if(__eflags != 0) {
																_t267 = _t266 & _t274 + _t250 - 0x00000001;
																__eflags = _t267;
																 *(_t235 + 0x2c) = _t267;
															}
														}
													}
												}
												goto L48;
											}
											goto L19;
										}
									}
								}
							}
							L19:
							return _t252;
						} else {
							goto L3;
						}
					}
				}
				L71:
			}

0x1001adf4
0x1001adf7
0x1001adfb
0x1001ae00
0x1001b23d
0x1001b23d
0x00000000
0x1001ae06
0x1001ae06
0x1001ae0b
0x1001ae18
0x1001ae1d
0x00000000
0x1001ae23
0x1001ae23
0x1001ae29
0x1001ae33
0x1001ae54
0x1001ae57
0x1001ae5c
0x1001ae64
0x1001ae66
0x1001af2e
0x1001af2e
0x1001af3a
0x1001af3b
0x1001b030
0x1001b032
0x1001af41
0x1001af41
0x1001af47
0x1001af47
0x1001ae6c
0x1001ae6c
0x1001ae72
0x1001ae7a
0x1001ae7c
0x1001af18
0x1001af1c
0x1001af20
0x1001af23
0x1001af28
0x00000000
0x1001ae82
0x1001ae82
0x1001ae8a
0x1001ae90
0x1001ae90
0x1001ae7c
0x1001ae96
0x1001ae9e
0x1001aea1
0x1001aea7
0x1001af58
0x1001af5a
0x1001b254
0x1001b25b
0x1001b262
0x1001b266
0x1001b26d
0x1001b270
0x1001b275
0x1001b277
0x1001b279
0x00000000
0x1001b27f
0x00000000
0x1001b27f
0x1001af60
0x1001af60
0x1001af60
0x1001af63
0x1001b019
0x1001b01c
0x1001b01e
0x00000000
0x00000000
0x00000000
0x00000000
0x1001af69
0x1001af69
0x1001af6c
0x1001af74
0x1001af82
0x1001af85
0x1001af89
0x1001af8c
0x1001af91
0x1001af94
0x1001af96
0x1001af9c
0x1001b2e0
0x1001b2e9
0x1001b2ec
0x1001b2f1
0x1001b2f4
0x00000000
0x1001afa2
0x1001afa2
0x1001afa4
0x00000000
0x1001afaa
0x1001afaa
0x1001afb0
0x00000000
0x1001afb0
0x1001afa4
0x1001af9c
0x1001af63
0x1001aead
0x1001aeaf
0x1001b28c
0x1001b293
0x1001b29a
0x1001b29e
0x1001b2a5
0x1001b2a8
0x1001b2ad
0x1001b2af
0x1001b2b1
0x00000000
0x1001b2b7
0x1001b2b7
0x1001b2ba
0x1001b2bf
0x1001b2bf
0x00000000
0x1001b2bf
0x1001aeb5
0x1001aeb5
0x1001aeb8
0x1001aebd
0x1001aec2
0x1001aec6
0x1001aee8
0x1001aee8
0x1001aeeb
0x1001aef0
0x1001aef9
0x00000000
0x00000000
0x1001aed0
0x1001aed6
0x1001aed9
0x1001aedc
0x1001aedd
0x1001aedf
0x1001afc3
0x1001afc6
0x1001afca
0x1001b024
0x1001b027
0x1001b02f
0x1001afcc
0x1001afcc
0x1001afd2
0x1001aff1
0x1001aff4
0x1001affb
0x1001affd
0x1001b005
0x1001b007
0x1001b00d
0x1001b010
0x1001b012
0x00000000
0x00000000
0x1001afe0
0x1001afe3
0x1001afe7
0x1001afeb
0x1001afef
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001afef
0x00000000
0x1001b014
0x1001aee5
0x1001aee5
0x00000000
0x1001aee5
0x00000000
0x1001aedf
0x1001aefd
0x1001af02
0x1001af02
0x00000000
0x1001af02
0x1001aeaf
0x00000000
0x00000000
0x00000000
0x1001ae33
0x1001ae0d
0x1001ae0d
0x1001ae12
0x1001b040
0x1001b048
0x1001b04a
0x00000000
0x1001b050
0x1001b052
0x1001b058
0x1001b05f
0x1001b066
0x1001b069
0x1001b06e
0x1001b070
0x1001b072
0x1001b078
0x1001b07b
0x1001b07d
0x1001b121
0x1001b121
0x1001b128
0x1001b12f
0x1001b136
0x1001b144
0x1001b147
0x1001b14b
0x1001b152
0x1001b15a
0x1001b15d
0x1001b162
0x1001b164
0x1001b166
0x1001b171
0x1001b17a
0x1001b180
0x1001b187
0x1001b190
0x1001b192
0x00000000
0x1001b198
0x1001b198
0x1001b19a
0x1001b1a2
0x1001b1a4
0x00000000
0x1001b1aa
0x1001b1aa
0x1001b1ac
0x1001b1b2
0x1001b1b4
0x1001b1b6
0x00000000
0x1001b1bc
0x1001b1bc
0x1001b1be
0x1001b1c4
0x1001b1c6
0x00000000
0x1001b1c8
0x1001b1ca
0x1001b1cd
0x1001b1d2
0x1001b1d8
0x1001b1da
0x1001b2c7
0x00000000
0x1001b1e0
0x1001b1e3
0x1001b1ea
0x1001b1ee
0x1001b1f5
0x1001b1f8
0x1001b1fc
0x1001b201
0x1001b203
0x1001b205
0x1001b2cc
0x1001b2cc
0x1001b2d2
0x1001b2d7
0x1001b20b
0x1001b20b
0x1001b20e
0x1001b210
0x1001b212
0x1001b212
0x1001b214
0x1001b214
0x1001b217
0x1001b21a
0x1001b21c
0x1001b221
0x1001b221
0x1001b224
0x1001b227
0x1001b229
0x1001b22e
0x1001b22e
0x1001b230
0x1001b230
0x1001b233
0x1001b236
0x1001b236
0x1001b205
0x1001b1da
0x1001b1c6
0x1001b1b6
0x1001b1a4
0x1001b192
0x1001b083
0x1001b08c
0x1001b091
0x1001b094
0x1001b096
0x1001b09e
0x1001b0ae
0x1001b0ba
0x1001b0c1
0x1001b0c4
0x1001b0c8
0x1001b0cd
0x1001b0cf
0x1001b0d1
0x00000000
0x00000000
0x1001b0d7
0x1001b0da
0x1001b0de
0x1001b0a8
0x1001b0aa
0x1001b0ac
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b0e0
0x1001b0e0
0x1001b0e2
0x1001b0e4
0x1001b0e4
0x1001b0ed
0x1001b0ef
0x1001b0f1
0x1001b0f4
0x1001b0f6
0x1001b0fe
0x1001b101
0x1001b104
0x1001b106
0x1001b10e
0x1001b111
0x1001b114
0x1001b116
0x1001b11c
0x1001b11c
0x1001b11e
0x1001b11e
0x1001b116
0x1001b106
0x1001b0f6
0x00000000
0x1001b0e2
0x00000000
0x1001b0de
0x1001b0ae
0x1001b07d
0x1001b072
0x1001af07
0x1001af10
0x00000000
0x00000000
0x00000000
0x1001ae12
0x1001ae0b
0x00000000

APIs

mv_channel_layout_check.LICKING ref: 1001AE2C
mv_sample_fmt_is_planar.LICKING ref: 1001AE57
mv_buffer_alloc.LICKING ref: 1001AEEB
mv_pix_fmt_desc_get.LICKING ref: 1001B043
mv_image_check_size.LICKING ref: 1001B069
mv_image_fill_linesizes.LICKING ref: 1001B0C8
mv_image_fill_plane_sizes.LICKING ref: 1001B15D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_allocmv_channel_layout_checkmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_pix_fmt_desc_getmv_sample_fmt_is_planar
String ID:
API String ID: 4186645151-0
Opcode ID: 8ac2ae951e9e117c99fdb1c80981e7178d04aeaa248e9b3bce8de1dcaa7b4838
Instruction ID: d7c315c9dbec08b39786ac2ee7420e369ebdde1d8f2297274312f61b200237b8
Opcode Fuzzy Hash: 8ac2ae951e9e117c99fdb1c80981e7178d04aeaa248e9b3bce8de1dcaa7b4838
Instruction Fuzzy Hash: C1E1D2B4A047058FCB54DF69C58065ABBE1FF88244F1689BEED48CF21AE731E885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10025C23 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 320
stringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E10025C23(void* __ebx, void* __edx, signed char __esi, signed char __ebp, char* _a4, char* _a8, signed char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, signed char _a40, signed char _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed char _a5200, signed int _a5204, char* _a5208, char* _a5212) {
				signed int _t97;
				signed int _t101;
				signed int _t105;
				signed int _t108;
				signed int _t111;
				signed int _t114;
				signed int _t119;
				void* _t122;
				signed char _t123;
				signed char _t127;
				char* _t132;
				intOrPtr _t135;
				char* _t137;
				signed char _t141;
				void* _t144;
				char* _t145;
				signed char _t148;
				intOrPtr _t150;
				void* _t154;
				intOrPtr _t155;
				signed char _t156;
				signed int _t165;
				char* _t167;
				signed char* _t168;
				signed char* _t169;
				signed char* _t170;
				signed char* _t171;
				signed char _t174;
				signed char _t176;
				signed char _t179;
				signed int _t193;
				void* _t195;
				intOrPtr* _t196;
				intOrPtr* _t198;
				signed char _t199;
				char* _t200;
				signed int _t201;
				char* _t204;
				void* _t211;
				signed char _t212;
				signed char* _t214;

				_t212 = __ebp;
				_t154 = __ebx;
				if(__edx == 0) {
					_a44 = 0x10;
					_a40 = 0x10;
					L18:
					if(_a5204 >= 0xfffffff9 && _t97 != 0 && ( *0x100d76ac & 0x00000002) != 0) {
						_t86 = _a5204 + 8; // 0x101
						_t193 = _t86;
						_t132 = 0x100b6d3b;
						if(_t193 <= 0x40) {
							_t132 =  *((intOrPtr*)(0x100b6f40 + _t193 * 4));
						}
						_a8 = _t132;
						_a4 = "[%s] ";
						 *_t214 = _t199;
						E100089C0();
					}
					 *_t214 = _t212;
					_a8 = _a5212;
					_a4 = _a5208;
					E10008B70();
					_t179 = _a1072;
					_t167 = _a2096;
					_t200 = _a3120;
					_t204 = _a4144;
					if( *_t179 != 0 ||  *_t167 != 0 ||  *_t200 != 0 ||  *_t204 != 0) {
						_t155 = _a4148;
						_t101 = 0;
						if(_t155 != 0 && _a4152 >= _t155) {
							_t101 = (0 | ( *(_t204 + _t155 - 1) & 0x000000ff) == 0x0000000a |  *(_t204 + _t155 - 1) & 0 | ( *(_t204 + _t155 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
						}
						 *0x100ad00c = _t101;
					}
					_a24 = _t204;
					_t156 =  &_a48;
					_a8 = "%s%s%s%s";
					_a20 = _t200;
					_a16 = _t167;
					_a12 = _t179;
					_a4 = 0x400;
					 *_t214 = _t156;
					E10025AE0();
					_t105 =  *0x100d76a0;
					if(_t105 == 0) {
						 *_t214 = 2;
						L100A0860();
						asm("sbb eax, eax");
						 *0x100d76a0 = _t105 | 0x00000001;
					}
					_t201 =  *0x100ad00c; // 0x1
					_t205 =  *0x100d7280;
					if(_t201 == 0 || ( *0x100d76ac & 0x00000001) == 0) {
						L31:
						if(_t205 > 0) {
							 *_t214 = 2;
							_t201 = 0;
							_t123 =  *0x100ad0cc();
							_a8 = _t205;
							_t205 = "    Last message repeated %d times\n";
							_a4 = "    Last message repeated %d times\n";
							 *_t214 = _t123;
							E10025610();
							 *0x100d7280 = 0;
						}
						_a4 = _t156;
						 *_t214 = 0x100d72a0;
						strcpy(??, ??);
						_t168 = _a1072;
						_t108 =  *_t168 & 0x000000ff;
						if(_t108 == 0) {
							L39:
							L100257B0(_a40, _t156, _t168, 0, _t201, _t205);
							_t169 = _a2096;
							_t111 =  *_t169 & 0x000000ff;
							if(_t111 == 0) {
								L45:
								L100257B0(_a44, _t156, _t169, 0, _t201, _t205);
								_t170 = _a3120;
								_t114 =  *_t170 & 0x000000ff;
								if(_t114 == 0) {
									L51:
									_t207 = _a36 >> 8;
									_t159 =  >  ? 7 : _a5204 >> 3;
									_t160 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
									L100257B0( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t170, _a36 >> 8, _t201, _a36 >> 8);
									_t171 = _a4144;
									_t119 =  *_t171 & 0x000000ff;
									if(_t119 == 0) {
										L57:
										L100257B0(_t160, _t160, _t171, _t207, _t201, _t207);
										goto L58;
									}
									L53:
									while(_t119 - 0xe > 0x11 && _t119 > 7) {
										_t119 = _t171[1] & 0x000000ff;
										_t171 =  &(_t171[1]);
										if(_t119 != 0) {
											continue;
										}
										L56:
										_t171 = _a4144;
										goto L57;
									}
									 *_t171 = 0x3f;
									_t171 =  &(_t171[1]);
									_t119 =  *_t171 & 0x000000ff;
									if(_t119 != 0) {
										goto L53;
									}
									goto L56;
								}
								L47:
								while(_t114 - 0xe > 0x11 && _t114 > 7) {
									_t114 = _t170[1] & 0x000000ff;
									_t170 =  &(_t170[1]);
									if(_t114 != 0) {
										continue;
									}
									L50:
									_t170 = _a3120;
									goto L51;
								}
								 *_t170 = 0x3f;
								_t170 =  &(_t170[1]);
								_t114 =  *_t170 & 0x000000ff;
								if(_t114 != 0) {
									goto L47;
								}
								goto L50;
							}
							L41:
							while(_t111 - 0xe > 0x11 && _t111 > 7) {
								_t111 = _t169[1] & 0x000000ff;
								_t169 =  &(_t169[1]);
								if(_t111 != 0) {
									continue;
								}
								L44:
								_t169 = _a2096;
								goto L45;
							}
							 *_t169 = 0x3f;
							_t169 =  &(_t169[1]);
							_t111 =  *_t169 & 0x000000ff;
							if(_t111 != 0) {
								goto L41;
							}
							goto L44;
						} else {
							L35:
							while(_t108 - 0xe > 0x11 && _t108 > 7) {
								_t108 = _t168[1] & 0x000000ff;
								_t168 =  &(_t168[1]);
								if(_t108 != 0) {
									continue;
								}
								L38:
								_t168 = _a1072;
								goto L39;
							}
							 *_t168 = 0x3f;
							_t168 =  &(_t168[1]);
							_t108 =  *_t168 & 0x000000ff;
							if(_t108 != 0) {
								goto L35;
							}
							goto L38;
						}
					} else {
						 *_t214 = _t156;
						_t171 = 0x100d72a0;
						_a4 = 0x100d72a0;
						if(strcmp(??, ??) != 0) {
							goto L31;
						}
						if(_a48 != 0) {
							 *_t214 = _t156;
							if(_t214[strlen(??) + 0x2f] == 0xd) {
								goto L31;
							}
							_t207 =  &(_t205[1]);
							 *0x100d7280 = _t207;
							if( *0x100d76a0 == 1) {
								 *_t214 = 2;
								_t127 =  *0x100ad0cc();
								_a8 = _t207;
								_a4 = "    Last message repeated %d times\r";
								 *_t214 = _t127;
								E10025610();
							}
							L58:
							 *_t214 = _t212;
							_a4 = 0;
							_t122 = E10009690(0, _t171, _t201, _t207);
							 *_t214 = 0x100d76b0;
							L100A0978();
							return _t122;
						}
						goto L31;
					}
				}
				_t135 =  *((intOrPtr*)(__ebx + 0x14));
				_a40 = 0x10;
				if(_t135 == 0) {
					L10:
					 *_t214 = _a5200;
					_t137 =  *((intOrPtr*)(_t154 + 4))();
					_a12 = _a5200;
					_a8 = _t137;
					_a4 = "[%s @ %p] ";
					 *_t214 =  &_a2096;
					E100089C0();
					_t141 = _a5200;
					_t195 =  *_t141;
					if(_t195 == 0) {
						L75:
						_a44 = 0x10;
						L16:
						_t165 =  *0x100ad00c; // 0x1
						_t97 = _t141 & 0xffffff00 | _t165 != 0x00000000;
						goto L18;
					}
					_t141 =  *(_t195 + 0xc);
					if((_t141 & 0x000000ff) <= 0x63 || _t141 <= 0x333aff) {
						goto L75;
					} else {
						_t141 =  *(_t195 + 0x18);
						if(_t141 > 0x2d) {
							goto L75;
						}
						_t196 =  *((intOrPtr*)(_t195 + 0x1c));
						_t141 = _t141 + 0x10;
						_a44 = _t141;
						if(_t196 != 0) {
							 *_t214 = _a5200;
							_t141 =  *_t196() + 0x10;
							_a44 = _t141;
						}
						goto L16;
					}
				}
				_t174 =  *(_a5200 + _t135);
				if(_t174 == 0) {
					goto L10;
				}
				_t144 =  *_t174;
				if(_t144 == 0) {
					goto L10;
				}
				 *_t214 = _t174;
				_a44 = _t174;
				_t145 =  *((intOrPtr*)(_t144 + 4))();
				 *_t214 = __esi;
				_a12 = _a44;
				_a8 = _t145;
				_a4 = "[%s @ %p] ";
				E100089C0();
				_t176 = _a44;
				_t211 =  *_t176;
				if(_t211 == 0) {
					goto L10;
				}
				_t148 =  *(_t211 + 0xc);
				if((_t148 & 0x000000ff) <= 0x63 || _t148 <= 0x333aff) {
					L80:
					_a40 = 0x10;
				} else {
					_t150 =  *((intOrPtr*)(_t211 + 0x18));
					if(_t150 > 0x2d) {
						goto L80;
					}
					_t198 =  *((intOrPtr*)(_t211 + 0x1c));
					_a40 = _t150 + 0x10;
					if(_t198 != 0) {
						 *_t214 = _t176;
						_a40 =  *_t198() + 0x10;
					}
				}
			}

0x10025c23
0x10025c23
0x10025c25
0x10025d7a
0x10025d7e
0x10025d82
0x10025d8a
0x10026184
0x10026184
0x10026187
0x1002618f
0x100261be
0x100261be
0x10026191
0x1002619a
0x1002619e
0x100261a1
0x100261a1
0x10025d94
0x10025d9e
0x10025da9
0x10025dad
0x10025db2
0x10025db9
0x10025dc0
0x10025dc7
0x10025dd1
0x10026010
0x10026017
0x1002601b
0x10026039
0x10026039
0x1002603c
0x1002603c
0x10025e00
0x10025e04
0x10025e0d
0x10025e16
0x10025e1a
0x10025e1e
0x10025e22
0x10025e26
0x10025e29
0x10025e2e
0x10025e35
0x100260b0
0x100260b7
0x100260bf
0x100260c4
0x100260c4
0x10025e3b
0x10025e41
0x10025e49
0x10025e80
0x10025e82
0x10025e84
0x10025e8b
0x10025e8d
0x10025e93
0x10025e97
0x10025e9c
0x10025ea0
0x10025ea3
0x10025ea8
0x10025ea8
0x10025eae
0x10025eb2
0x10025eb9
0x10025ebe
0x10025ec5
0x10025eca
0x10025ef6
0x10025efc
0x10025f01
0x10025f08
0x10025f0d
0x10025f36
0x10025f3c
0x10025f41
0x10025f48
0x10025f4d
0x10025f76
0x10025f89
0x10025f8e
0x10025f97
0x10025f9c
0x10025fa1
0x10025fa8
0x10025fad
0x10025fd6
0x10025fda
0x00000000
0x10025fda
0x00000000
0x10025fb0
0x10025fc6
0x10025fca
0x10025fcd
0x00000000
0x00000000
0x10025fcf
0x10025fcf
0x00000000
0x10025fcf
0x10026068
0x1002606b
0x1002606c
0x10026071
0x00000000
0x00000000
0x00000000
0x10026077
0x00000000
0x10025f50
0x10025f66
0x10025f6a
0x10025f6d
0x00000000
0x00000000
0x10025f6f
0x10025f6f
0x00000000
0x10025f6f
0x10026050
0x10026053
0x10026054
0x10026059
0x00000000
0x00000000
0x00000000
0x1002605f
0x00000000
0x10025f10
0x10025f26
0x10025f2a
0x10025f2d
0x00000000
0x00000000
0x10025f2f
0x10025f2f
0x00000000
0x10025f2f
0x10026080
0x10026083
0x10026084
0x10026089
0x00000000
0x00000000
0x00000000
0x10025ed0
0x00000000
0x10025ed0
0x10025ee6
0x10025eea
0x10025eed
0x00000000
0x00000000
0x10025eef
0x10025eef
0x00000000
0x10025eef
0x10026098
0x1002609b
0x1002609c
0x100260a1
0x00000000
0x00000000
0x00000000
0x100260a7
0x10025e54
0x10025e54
0x10025e57
0x10025e5c
0x10025e67
0x00000000
0x00000000
0x10025e6e
0x100261c7
0x100261d4
0x00000000
0x00000000
0x100261da
0x100261e2
0x100261e8
0x100261ee
0x100261f5
0x10026200
0x10026204
0x10026208
0x1002620b
0x1002620b
0x10025fdf
0x10025fdf
0x10025fe4
0x10025fe8
0x10025fed
0x10025ff4
0x10026006
0x10026006
0x00000000
0x10025e6e
0x10025e49
0x10025c2b
0x10025c33
0x10025c39
0x10025cd0
0x10025cd7
0x10025cda
0x10025ce4
0x10025ce8
0x10025cf1
0x10025cfc
0x10025cff
0x10025d04
0x10025d0b
0x10025d0f
0x100261b0
0x100261b5
0x10025d5c
0x10025d5c
0x10025d64
0x00000000
0x10025d64
0x10025d15
0x10025d1e
0x00000000
0x10025d2f
0x10025d2f
0x10025d35
0x00000000
0x00000000
0x10025d3b
0x10025d3e
0x10025d41
0x10025d47
0x10025d50
0x10025d55
0x10025d58
0x10025d58
0x00000000
0x10025d47
0x10025d1e
0x10025c46
0x10025c4b
0x00000000
0x00000000
0x10025c51
0x10025c55
0x00000000
0x00000000
0x10025c57
0x10025c5a
0x10025c5e
0x10025c65
0x10025c68
0x10025c6c
0x10025c75
0x10025c79
0x10025c7e
0x10025c82
0x10025c86
0x00000000
0x00000000
0x10025c88
0x10025c91
0x10026215
0x1002621a
0x10025ca2
0x10025ca2
0x10025ca8
0x00000000
0x00000000
0x10025cae
0x10025cb4
0x10025cba
0x10025cbc
0x10025cc4
0x10025cc4
0x10025cba

APIs

mv_bprintf.LICKING ref: 10025C79
mv_bprintf.LICKING ref: 10025CFF
mv_vbprintf.LICKING ref: 10025DAD
strcmp.MSVCRT ref: 10025E60

Strings

Last message repeated %d times, xrefs: 10025E97
%s%s%s%s, xrefs: 10025E08
[%s @ %p] , xrefs: 10025C70, 10025CEC
[%s] , xrefs: 10026195
Last message repeated %d times, xrefs: 100261FB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf$mv_vbprintfstrcmp
String ID: Last message repeated %d times$ Last message repeated %d times$%s%s%s%s$[%s @ %p] $[%s]
API String ID: 1593517385-1125969584
Opcode ID: 4a9a3edf32ed4559cc0d9ed8a3c2ea35ae1cac4f0579a65891b909f782335fbc
Instruction ID: bd45c732072a464572c0cc4a22cab40f512121fa8933a6dd497cb74cf7e83d90
Opcode Fuzzy Hash: 4a9a3edf32ed4559cc0d9ed8a3c2ea35ae1cac4f0579a65891b909f782335fbc
Instruction Fuzzy Hash: 4DD1D1749083818FD754DF24D48036ABBE1FF89344FA5885EE8CA9B352D736E845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 1001E450 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E1001E450(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _t213;
				signed int _t214;
				intOrPtr _t215;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t224;
				signed int _t227;
				signed int _t228;
				signed int _t230;
				signed int _t247;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t257;
				void* _t258;
				void* _t259;
				signed int _t261;
				void* _t262;
				void* _t263;
				signed char _t267;
				signed int _t268;
				signed int _t269;
				signed int _t273;
				intOrPtr _t275;
				intOrPtr _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				intOrPtr _t289;
				signed int _t291;
				signed int _t297;
				signed int _t300;
				signed int _t302;
				signed int _t304;
				signed short* _t309;
				signed short* _t310;
				int _t314;
				signed int _t324;
				intOrPtr* _t326;
				intOrPtr _t327;
				signed char _t335;
				short* _t336;
				signed char _t337;
				short* _t338;
				signed int _t339;
				signed int _t341;
				char* _t343;
				signed int _t345;
				signed int _t347;
				signed int _t349;
				signed int _t352;
				void* _t353;
				void* _t356;
				signed int _t362;
				signed int _t364;
				signed int _t368;
				signed int _t370;
				signed int _t373;
				signed short* _t374;
				signed short* _t375;
				signed int _t376;
				void* _t378;
				signed int _t381;
				intOrPtr _t382;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				void* _t389;
				intOrPtr* _t390;
				signed int* _t392;
				signed int* _t396;

				_t390 = _t389 - 0x4c;
				 *((intOrPtr*)(_t390 + 0x44)) = __edi;
				 *((intOrPtr*)(_t390 + 0x3c)) = __ebx;
				_t343 =  *(_t390 + 0x54);
				 *((intOrPtr*)(_t390 + 0x48)) = _t382;
				_t289 =  *((intOrPtr*)(_t390 + 0x50));
				 *((intOrPtr*)(_t390 + 0x40)) = __esi;
				 *(_t390 + 0x28) =  *(_t390 + 0x58);
				_t383 =  *(_t289 + 0x50);
				_t362 =  *(_t289 + 0x128);
				 *(_t390 + 0x24) = _t383;
				if(_t343[0x128] == 0) {
					_t213 = _t362;
					goto L83;
				} else {
					__eflags = __esi;
					__edx =  *(__eax + 4);
					if(__esi == 0) {
						__eax = __edi[0x50];
						__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
						if( *((intOrPtr*)(__edx + 0x24)) != __edi[0x50]) {
							goto L91;
						} else {
							 *(__edx + 4) =  *( *(__edx + 4));
							__eax =  *( *( *(__edx + 4)) + 0x50);
							__eflags = __eax;
							if(__eax == 0) {
								goto L91;
							} else {
								goto L79;
							}
						}
					} else {
						__eax =  *(__esi + 4);
						__eflags = __eax - __edx;
						if(__eax == __edx) {
							__ecx =  *(__eax + 0x28);
							__eflags = __edi[0x50] -  *(__eax + 0x28);
							if(__edi[0x50] !=  *(__eax + 0x28)) {
								goto L66;
							} else {
								__eflags =  *((intOrPtr*)(__eax + 0x24)) - __ebp;
								if( *((intOrPtr*)(__eax + 0x24)) != __ebp) {
									goto L66;
								} else {
									goto L89;
								}
							}
						} else {
							L66:
							__ecx =  *(__edx + 4);
							__esp[0xb] = __ecx;
							__ecx = __ecx[0xc];
							__eflags = __ecx;
							if(__ecx == 0) {
								L68:
								__ecx = __edi[0x50];
								__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
								if( *((intOrPtr*)(__edx + 0x24)) == __edi[0x50]) {
									__esp[0xb] =  *(__esp[0xb]);
									__eax =  *( *(__esp[0xb]) + 0x50);
									__eflags = __eax;
									if(__eax != 0) {
										L79:
										__esp[2] = __edi;
										__ecx = __esp[0xa];
										__esp[1] = __ebx;
										 *__esp = __edx;
										__esp[3] = __esp[0xa];
										__eax =  *__eax();
										__eflags = __eax;
										if(__eax >= 0) {
											goto L76;
										} else {
											__eflags = __eax - 0xffffffd8;
											if(__eax != 0xffffffd8) {
												goto L73;
											} else {
												__eax =  *(__ebx + 0x128);
												L83:
												__eflags = _t213;
												if(_t213 == 0) {
													goto L91;
												} else {
													 *(_t390 + 0x24) =  *(_t289 + 0x50);
													goto L85;
												}
											}
										}
									} else {
										__eax = __esi;
										L85:
										_t215 =  *((intOrPtr*)(_t213 + 4));
										goto L69;
									}
								} else {
									L69:
									__eflags =  *((intOrPtr*)(_t215 + 0x24)) -  *(_t390 + 0x24);
									if( *((intOrPtr*)(_t215 + 0x24)) !=  *(_t390 + 0x24)) {
										L91:
										_t214 = 0xffffffd8;
										goto L76;
									} else {
										_t324 =  *( *((intOrPtr*)( *((intOrPtr*)(_t215 + 4)))) + 0x4c);
										__eflags = _t324;
										if(_t324 == 0) {
											goto L91;
										} else {
											 *(_t390 + 8) = _t343;
											 *((intOrPtr*)(_t390 + 4)) = _t289;
											 *_t390 = _t215;
											 *(_t390 + 0xc) =  *(_t390 + 0x28);
											_t214 =  *_t324();
											__eflags = _t214;
											if(_t214 >= 0) {
												goto L76;
											} else {
												__eflags = _t214 - 0xffffffd8;
												if(_t214 == 0xffffffd8) {
													goto L91;
												} else {
													L73:
													__eflags = _t362;
													if(_t362 == 0) {
														L75:
														 *(_t390 + 0x24) = _t214;
														__eflags = 0;
														 *(_t289 + 0x128) = 0;
														 *_t390 = _t289;
														E1001B300();
														_t214 =  *(_t390 + 0x24);
														 *(_t289 + 0x128) = _t362;
														 *(_t289 + 0x50) = _t383;
														goto L76;
													} else {
														__eflags =  *(_t289 + 0x128) - _t362;
														if( *(_t289 + 0x128) != _t362) {
															 *((intOrPtr*)(_t390 + 0x14)) = 0x358;
															__eflags = 0;
															 *((intOrPtr*)(_t390 + 4)) = 0;
															 *_t390 = 0;
															 *(_t390 + 0x10) = "libavutil/hwcontext.c";
															 *(_t390 + 0xc) = "orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx";
															 *(_t390 + 8) = "Assertion %s failed at %s:%d\n";
															E10026560();
															abort();
															_push(_t362);
															_push(_t289);
															_t392 = _t390 - 0x34;
															_t219 = _t392[0x10];
															_t291 = _t392[0x11];
															_t364 =  *(_t219 + 4);
															_t326 =  *((intOrPtr*)(_t364 + 4));
															_t306 =  *(_t326 + 0xc);
															__eflags =  *(_t326 + 0xc);
															if( *(_t326 + 0xc) == 0) {
																_t327 =  *_t326;
																_t307 =  *(_t327 + 0x3c);
																__eflags =  *(_t327 + 0x3c);
																if( *(_t327 + 0x3c) == 0) {
																	_t220 = 0xffffffd8;
																	goto L103;
																} else {
																	__eflags =  *(_t364 + 0x1c);
																	if( *(_t364 + 0x1c) == 0) {
																		_t220 = 0xffffffea;
																		goto L103;
																	} else {
																		 *_t392 = _t219;
																		_t221 = E10009FC0(_t291, _t307);
																		 *(_t291 + 0x128) = _t221;
																		__eflags = _t221;
																		if(_t221 == 0) {
																			goto L102;
																		} else {
																			_t392[1] = _t291;
																			 *_t392 = _t364;
																			_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)))) + 0x3c))();
																			__eflags = _t224;
																			if(_t224 < 0) {
																				_t392[7] = _t224;
																				 *_t392 = _t291 + 0x128;
																				E1000A000(_t291 + 0x128, _t364);
																				_t220 = _t392[7];
																				goto L103;
																			} else {
																				 *(_t291 + 0x40) = _t291;
																				__eflags = 0;
																				return 0;
																			}
																		}
																	}
																}
															} else {
																 *((intOrPtr*)(_t291 + 0x50)) =  *((intOrPtr*)(_t364 + 0x24));
																 *_t392 = _t219;
																_t227 = E10009FC0(_t291, _t306);
																 *(_t291 + 0x128) = _t227;
																__eflags = _t227;
																if(_t227 == 0) {
																	L102:
																	_t220 = 0xfffffff4;
																	goto L103;
																} else {
																	_t228 = E1001AC40(_t291, _t343, _t364);
																	_t392[0xb] = _t228;
																	__eflags = _t228;
																	if(_t228 == 0) {
																		goto L102;
																	} else {
																		_t392[1] = _t228;
																		_t392[2] = 0;
																		_t230 =  *( *((intOrPtr*)(_t364 + 4)) + 0xc);
																		 *_t392 = _t230;
																		L96();
																		__eflags = _t230;
																		if(_t230 < 0) {
																			L109:
																			_t392[7] = _t230;
																			 *_t392 =  &(_t392[0xb]);
																			E1001ADB0(_t291);
																			return _t392[7];
																		} else {
																			 *_t392 = _t291;
																			_t392[2] =  *( *((intOrPtr*)(_t364 + 4)) + 0x10);
																			_t392[1] = _t392[0xb];
																			_t230 = E1001E450(_t291, _t343, _t364);
																			__eflags = _t230;
																			if(_t230 == 0) {
																				goto L109;
																			} else {
																				_t392[3] = _t230;
																				_t392[7] = _t230;
																				_t392[1] = 0x10;
																				_t392[2] = "Failed to map frame into derived frame context: %d.\n";
																				 *_t392 = _t364;
																				E10026560();
																				 *_t392 =  &(_t392[0xb]);
																				E1001ADB0("Failed to map frame into derived frame context: %d.\n");
																				_t220 = _t392[7];
																				L103:
																				return _t220;
																			}
																		}
																	}
																}
															}
														} else {
															goto L75;
														}
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = __ecx[4] - __eax;
								if(__ecx[4] == __eax) {
									L89:
									__eax = __edi[0xb8];
									__eflags = __eax;
									if(__eax == 0) {
										 *__esp = __edx;
										__ecx = "Invalid mapping found when attempting unmap.\n";
										__ebx = 0x10;
										__esp[2] = "Invalid mapping found when attempting unmap.\n";
										__esp[1] = 0x10;
										E10026560() = 0xffffffea;
										L76:
										return _t214;
									} else {
										__esi =  *(__eax + 4);
										__eax = E1001B300(__ebx);
										__edi = __esp[0x11];
										__ebp = __esp[0x12];
										__eax =  *__esi;
										__esp[0x14] = __ebx;
										__esi = __esp[0x10];
										__ebx = __esp[0xf];
										__esp[0x15] = __eax;
										__esp =  &(__esp[0x13]);
										_push(_t383);
										_push(_t343);
										_push(_t362);
										_t396 = _t390 - 0x1c;
										_t297 = _t396[0xd];
										_t385 = _t396[0xc];
										_t345 = _t297 + 0x148;
										 *((intOrPtr*)(_t385 + 0x50)) =  *((intOrPtr*)(_t297 + 0x50));
										 *((intOrPtr*)(_t385 + 0x44)) =  *((intOrPtr*)(_t297 + 0x44));
										 *((intOrPtr*)(_t385 + 0x48)) =  *((intOrPtr*)(_t297 + 0x48));
										 *((intOrPtr*)(_t385 + 0x4c)) =  *((intOrPtr*)(_t297 + 0x4c));
										 *(_t385 + 0x120) =  *(_t297 + 0x120);
										 *(_t385 + 0xb4) =  *(_t297 + 0xb4);
										 *(_t385 + 0xb0) =  *(_t297 + 0xb0);
										 *_t396 = _t345;
										if(E1000EC10(_t289) == 0) {
											_t283 =  *(_t297 + 0xb4);
											_t341 =  *(_t297 + 0xb0);
											if((_t283 | _t341) != 0) {
												_t396[2] = _t283;
												_t396[1] = _t341;
												 *_t396 = _t385 + 0x148;
												E1000D1B0();
											} else {
												 *(_t385 + 0x14c) =  *(_t297 + 0x120);
												 *(_t385 + 0x148) = 0;
											}
										}
										_t308 = 0;
										_t247 = E1001A6C0(_t385, 0, _t297, 0);
										_t368 = _t247;
										if(_t247 < 0) {
											L20:
											E1001A460(_t385);
											return _t368;
										} else {
											 *_t396 = _t345;
											if(E1000EC10() != 0) {
												_t396[1] = _t345;
												 *_t396 = _t385 + 0x148;
												_t253 = E1000D340();
												__eflags = _t253;
												_t368 = _t253;
												if(_t253 < 0) {
													goto L20;
												} else {
													_t254 =  *(_t297 + 0xb8);
													__eflags = _t254;
													if(_t254 != 0) {
														goto L7;
													} else {
														goto L33;
													}
												}
											} else {
												_t254 =  *(_t297 + 0xb8);
												if(_t254 == 0) {
													L33:
													 *_t396 = _t385;
													_t396[1] = 0;
													_t281 = E1001ADF0();
													__eflags = _t281;
													_t368 = _t281;
													if(_t281 < 0) {
														goto L20;
													} else {
														_t396[1] = _t297;
														 *_t396 = _t385;
														_t282 = E1001B8D0();
														__eflags = _t282;
														_t368 = _t282;
														if(_t282 < 0) {
															goto L20;
														} else {
															goto L35;
														}
													}
												} else {
													L7:
													_t370 = 0;
													L9:
													while(1) {
														if(_t254 == 0) {
															L11:
															_t370 = _t370 + 1;
															if(_t370 != 8) {
																_t254 =  *(_t297 + 0xb8 + _t370 * 4);
																continue;
															} else {
																if( *((intOrPtr*)(_t297 + 0xd8)) == 0) {
																	L22:
																	_t255 =  *(_t297 + 0x128);
																	__eflags = _t255;
																	if(_t255 == 0) {
																		L24:
																		__eflags =  *(_t297 + 0x40) - _t297;
																		if( *(_t297 + 0x40) == _t297) {
																			 *(_t385 + 0x40) = _t385;
																			goto L38;
																		} else {
																			_t352 =  *(_t385 + 0x14c);
																			_t368 = 0xffffffea;
																			__eflags = _t352;
																			if(_t352 == 0) {
																				goto L20;
																			} else {
																				_t396[1] = _t352;
																				 *_t396 = 4;
																				_t267 = E10028EC0();
																				 *(_t385 + 0x40) = _t267;
																				__eflags = _t267;
																				if(_t267 == 0) {
																					goto L19;
																				} else {
																					_t314 = _t352 * 4;
																					_t378 =  *(_t297 + 0x40);
																					_t353 = _t267;
																					__eflags = _t314 - 8;
																					if(_t314 >= 8) {
																						__eflags = _t267 & 0x00000001;
																						if((_t267 & 0x00000001) != 0) {
																							_t268 =  *_t378 & 0x000000ff;
																							_t353 = _t353 + 1;
																							_t378 = _t378 + 1;
																							_t314 = _t314 - 1;
																							 *(_t353 - 1) = _t268;
																						}
																						__eflags = _t353 & 0x00000002;
																						if((_t353 & 0x00000002) != 0) {
																							_t269 =  *_t378 & 0x0000ffff;
																							_t353 = _t353 + 2;
																							_t378 = _t378 + 2;
																							_t314 = _t314 - 2;
																							 *(_t353 - 2) = _t269;
																						}
																						__eflags = _t353 & 0x00000004;
																						if((_t353 & 0x00000004) == 0) {
																							goto L28;
																						} else {
																							_t356 = _t353 + 4;
																							 *(_t356 - 4) =  *_t378;
																							memcpy(_t356, _t378 + 4, _t314 - 4);
																							_t396 =  &(_t396[3]);
																							goto L38;
																						}
																						L50:
																						_t338 = _t337 + _t262;
																						_t375 = _t374 + _t262;
																						_t263 = 0;
																						__eflags = _t349 & 0x00000002;
																						if((_t349 & 0x00000002) != 0) {
																							 *_t338 =  *_t375 & 0x0000ffff;
																							_t263 = 2;
																						}
																						__eflags = _t349 & 0x00000001;
																						if((_t349 & 0x00000001) == 0) {
																							L35:
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							_t376 = 0;
																							 *((char*)(_t338 + _t263)) =  *(_t375 + _t263) & 0x000000ff;
																						}
																						return _t376;
																						goto L113;
																					} else {
																						L28:
																						memcpy(_t353, _t378, _t314);
																						_t396 =  &(_t396[3]);
																					}
																					L38:
																					__eflags = _t385 & 0x00000001;
																					_t335 = _t385;
																					_t309 = _t297;
																					_t347 = 0x20;
																					if((_t385 & 0x00000001) != 0) {
																						_t335 = _t385 + 1;
																						_t347 = 0x1f;
																						_t309 = _t297 + 1;
																						 *_t385 =  *_t297 & 0x000000ff;
																					}
																					__eflags = _t335 & 0x00000002;
																					if((_t335 & 0x00000002) != 0) {
																						_t257 =  *_t309 & 0x0000ffff;
																						_t335 = _t335 + 2;
																						_t309 =  &(_t309[1]);
																						_t347 = _t347 - 2;
																						 *(_t335 - 2) = _t257;
																					}
																					_t396[0xd] = _t297;
																					_t258 = 0;
																					_t373 = _t347 & 0xfffffffc;
																					__eflags = _t373;
																					do {
																						 *(_t335 + _t258) =  *(_t309 + _t258);
																						_t258 = _t258 + 4;
																						__eflags = _t258 - _t373;
																					} while (_t258 < _t373);
																					_t336 = _t335 + _t258;
																					_t310 = _t309 + _t258;
																					_t300 = _t396[0xd];
																					_t259 = 0;
																					__eflags = _t347 & 0x00000002;
																					if((_t347 & 0x00000002) != 0) {
																						 *_t336 =  *_t310 & 0x0000ffff;
																						_t259 = 2;
																					}
																					__eflags = _t347 & 0x00000001;
																					if((_t347 & 0x00000001) != 0) {
																						 *((char*)(_t336 + _t259)) =  *(_t310 + _t259) & 0x000000ff;
																					}
																					__eflags = _t385 & 0x00000001;
																					_t349 = 0x20;
																					_t337 = _t385 + 0x20;
																					_t374 = _t300 + 0x20;
																					if((_t385 & 0x00000001) != 0) {
																						_t337 = _t385 + 0x21;
																						_t349 = 0x1f;
																						_t374 = _t300 + 0x21;
																						 *(_t385 + 0x20) =  *(_t300 + 0x20) & 0x000000ff;
																					}
																					__eflags = _t337 & 0x00000002;
																					if((_t337 & 0x00000002) != 0) {
																						_t261 =  *_t374 & 0x0000ffff;
																						_t337 = _t337 + 2;
																						_t374 =  &(_t374[1]);
																						_t349 = _t349 - 2;
																						 *(_t337 - 2) = _t261;
																					}
																					_t262 = 0;
																					_t302 = _t349 & 0xfffffffc;
																					__eflags = _t302;
																					do {
																						 *(_t337 + _t262) =  *(_t374 + _t262);
																						_t262 = _t262 + 4;
																						__eflags = _t262 - _t302;
																					} while (_t262 < _t302);
																					goto L50;
																				}
																			}
																		}
																	} else {
																		 *_t396 = _t255;
																		_t273 = E10009FC0(_t297, _t308);
																		 *(_t385 + 0x128) = _t273;
																		__eflags = _t273;
																		if(_t273 == 0) {
																			goto L19;
																		} else {
																			goto L24;
																		}
																	}
																} else {
																	_t308 = 4;
																	_t396[1] = 4;
																	 *_t396 =  *(_t297 + 0xdc);
																	_t275 = E100291F0();
																	 *((intOrPtr*)(_t385 + 0xd8)) = _t275;
																	if(_t275 == 0) {
																		goto L19;
																	} else {
																		_t339 =  *(_t297 + 0xdc);
																		 *(_t385 + 0xdc) = _t339;
																		if(_t339 <= 0) {
																			goto L22;
																		} else {
																			_t396[0xc] = _t385;
																			_t388 = _t297;
																			_t304 = 0;
																			while(1) {
																				_t381 = _t304 * 4;
																				 *_t396 =  *( *((intOrPtr*)(_t388 + 0xd8)) + _t381);
																				 *((intOrPtr*)(_t275 + _t381)) = E10009FC0(_t304, _t308);
																				_t275 =  *((intOrPtr*)(_t396[0xc] + 0xd8));
																				if( *((intOrPtr*)(_t275 + _t381)) == 0) {
																					break;
																				}
																				_t304 = _t304 + 1;
																				__eflags =  *((intOrPtr*)(_t388 + 0xdc)) - _t304;
																				if( *((intOrPtr*)(_t388 + 0xdc)) <= _t304) {
																					_t297 = _t388;
																					_t385 = _t396[0xc];
																					goto L22;
																				} else {
																					continue;
																				}
																				goto L113;
																			}
																			_t385 = _t396[0xc];
																			goto L19;
																		}
																	}
																}
															}
														} else {
															 *_t396 = _t254;
															_t280 = E10009FC0(_t297, _t308);
															 *((intOrPtr*)(_t385 + 0xb8 + _t370 * 4)) = _t280;
															if(_t280 == 0) {
																L19:
																_t368 = 0xfffffff4;
																goto L20;
															} else {
																goto L11;
															}
														}
														goto L113;
													}
												}
											}
										}
									}
								} else {
									goto L68;
								}
							}
						}
					}
				}
				L113:
			}

0x1001e450
0x1001e453
0x1001e45b
0x1001e45f
0x1001e463
0x1001e467
0x1001e46b
0x1001e46f
0x1001e479
0x1001e47c
0x1001e484
0x1001e488
0x1001e5a0
0x00000000
0x1001e48e
0x1001e48e
0x1001e490
0x1001e493
0x1001e550
0x1001e553
0x1001e556
0x00000000
0x1001e55c
0x1001e55f
0x1001e561
0x1001e564
0x1001e566
0x00000000
0x00000000
0x00000000
0x00000000
0x1001e566
0x1001e499
0x1001e499
0x1001e49c
0x1001e49e
0x1001e5b8
0x1001e5bb
0x1001e5be
0x00000000
0x1001e5c4
0x1001e5c4
0x1001e5c7
0x00000000
0x00000000
0x00000000
0x00000000
0x1001e5c7
0x1001e4a4
0x1001e4a4
0x1001e4a4
0x1001e4a7
0x1001e4ab
0x1001e4ae
0x1001e4b0
0x1001e4bb
0x1001e4bb
0x1001e4be
0x1001e4c1
0x1001e61e
0x1001e620
0x1001e623
0x1001e625
0x1001e56c
0x1001e56c
0x1001e570
0x1001e574
0x1001e578
0x1001e57b
0x1001e57f
0x1001e581
0x1001e583
0x00000000
0x1001e585
0x1001e585
0x1001e588
0x00000000
0x1001e58e
0x1001e58e
0x1001e5a2
0x1001e5a2
0x1001e5a4
0x00000000
0x1001e5a6
0x1001e5a9
0x00000000
0x1001e5a9
0x1001e5a4
0x1001e588
0x1001e62b
0x1001e62b
0x1001e5ad
0x1001e5ad
0x00000000
0x1001e5ad
0x1001e4c7
0x1001e4c7
0x1001e4cb
0x1001e4ce
0x1001e610
0x1001e610
0x00000000
0x1001e4d4
0x1001e4d9
0x1001e4dc
0x1001e4de
0x00000000
0x1001e4e4
0x1001e4e4
0x1001e4ec
0x1001e4f0
0x1001e4f3
0x1001e4f7
0x1001e4f9
0x1001e4fb
0x00000000
0x1001e4fd
0x1001e4fd
0x1001e500
0x00000000
0x1001e506
0x1001e506
0x1001e506
0x1001e508
0x1001e516
0x1001e516
0x1001e51a
0x1001e51c
0x1001e522
0x1001e525
0x1001e52a
0x1001e52e
0x1001e534
0x00000000
0x1001e50a
0x1001e50a
0x1001e510
0x1001e656
0x1001e65e
0x1001e660
0x1001e664
0x1001e667
0x1001e66f
0x1001e677
0x1001e67f
0x1001e684
0x1001e690
0x1001e691
0x1001e692
0x1001e695
0x1001e699
0x1001e69d
0x1001e6a0
0x1001e6a3
0x1001e6a6
0x1001e6a8
0x1001e760
0x1001e762
0x1001e765
0x1001e767
0x1001e7e5
0x00000000
0x1001e769
0x1001e76c
0x1001e76e
0x1001e7db
0x00000000
0x1001e770
0x1001e770
0x1001e773
0x1001e778
0x1001e77e
0x1001e780
0x00000000
0x1001e782
0x1001e787
0x1001e78b
0x1001e78e
0x1001e791
0x1001e793
0x1001e7c0
0x1001e7ca
0x1001e7cd
0x1001e7d2
0x00000000
0x1001e795
0x1001e795
0x1001e79b
0x1001e79f
0x1001e79f
0x1001e793
0x1001e780
0x1001e76e
0x1001e6ae
0x1001e6b1
0x1001e6b4
0x1001e6b7
0x1001e6bc
0x1001e6c2
0x1001e6c4
0x1001e750
0x1001e750
0x00000000
0x1001e6ca
0x1001e6ca
0x1001e6cf
0x1001e6d3
0x1001e6d5
0x00000000
0x1001e6d7
0x1001e6d7
0x1001e6dd
0x1001e6e4
0x1001e6e7
0x1001e6ea
0x1001e6ef
0x1001e6f1
0x1001e7a0
0x1001e7a0
0x1001e7a8
0x1001e7ab
0x1001e7b9
0x1001e6f7
0x1001e6fd
0x1001e700
0x1001e708
0x1001e70c
0x1001e711
0x1001e713
0x00000000
0x1001e719
0x1001e719
0x1001e722
0x1001e72b
0x1001e72f
0x1001e733
0x1001e736
0x1001e73f
0x1001e742
0x1001e747
0x1001e755
0x1001e75a
0x1001e75a
0x1001e713
0x1001e6f1
0x1001e6d5
0x1001e6c4
0x00000000
0x00000000
0x00000000
0x1001e510
0x1001e508
0x1001e500
0x1001e4fb
0x1001e4de
0x1001e4ce
0x1001e4b2
0x1001e4b2
0x1001e4b5
0x1001e5d0
0x1001e5d0
0x1001e5d6
0x1001e5d8
0x1001e632
0x1001e635
0x1001e63a
0x1001e63f
0x1001e643
0x1001e64c
0x1001e537
0x1001e54a
0x1001e5da
0x1001e5da
0x1001e5e0
0x1001e5e5
0x1001e5e9
0x1001e5ed
0x1001e5ef
0x1001e5f3
0x1001e5f7
0x1001e5fb
0x1001e5ff
0x1001bc40
0x1001bc41
0x1001bc42
0x1001bc44
0x1001bc47
0x1001bc4b
0x1001bc52
0x1001bc5e
0x1001bc64
0x1001bc6a
0x1001bc70
0x1001bc79
0x1001bc85
0x1001bc8b
0x1001bc91
0x1001bc9b
0x1001bc9d
0x1001bca3
0x1001bcad
0x1001be70
0x1001be7a
0x1001be7e
0x1001be81
0x1001bcb3
0x1001bcb9
0x1001bcc1
0x1001bcc1
0x1001bcad
0x1001bcc7
0x1001bccd
0x1001bcd4
0x1001bcd6
0x1001bdb8
0x1001bdba
0x1001bdc8
0x1001bcdc
0x1001bcdc
0x1001bce6
0x1001be40
0x1001be4a
0x1001be4d
0x1001be52
0x1001be54
0x1001be56
0x00000000
0x1001be5c
0x1001be5c
0x1001be62
0x1001be64
0x00000000
0x1001be6a
0x00000000
0x1001be6a
0x1001be64
0x1001bcec
0x1001bcec
0x1001bcf4
0x1001be90
0x1001be90
0x1001be95
0x1001be99
0x1001be9e
0x1001bea0
0x1001bea2
0x00000000
0x1001bea8
0x1001bea8
0x1001beac
0x1001beaf
0x1001beb4
0x1001beb6
0x1001beb8
0x00000000
0x00000000
0x00000000
0x00000000
0x1001beb8
0x1001bcfa
0x1001bcfa
0x1001bcfa
0x00000000
0x1001bd07
0x1001bd09
0x1001bd22
0x1001bd22
0x1001bd26
0x1001bd00
0x00000000
0x1001bd28
0x1001bd30
0x1001bdd6
0x1001bdd6
0x1001bddc
0x1001bdde
0x1001bdf2
0x1001bdf2
0x1001bdf5
0x1001bed0
0x00000000
0x1001bdfb
0x1001bdfb
0x1001be01
0x1001be06
0x1001be08
0x00000000
0x1001be0a
0x1001be0a
0x1001be0e
0x1001be15
0x1001be1a
0x1001be1d
0x1001be1f
0x00000000
0x1001be21
0x1001be21
0x1001be28
0x1001be2b
0x1001be2d
0x1001be30
0x1001bf96
0x1001bf98
0x1001c033
0x1001c036
0x1001c037
0x1001c038
0x1001c039
0x1001c039
0x1001bf9e
0x1001bfa4
0x1001c01e
0x1001c021
0x1001c024
0x1001c027
0x1001c02a
0x1001c02a
0x1001bfa6
0x1001bfac
0x00000000
0x1001bfb2
0x1001bfb4
0x1001bfbd
0x1001bfc0
0x1001bfc0
0x00000000
0x1001bfc0
0x1001bf66
0x1001bf66
0x1001bf68
0x1001bf6a
0x1001bf6c
0x1001bf72
0x1001bf77
0x1001bf7a
0x1001bf7a
0x1001bf7f
0x1001bf82
0x1001bebe
0x1001bebe
0x1001bebe
0x1001bf88
0x1001bf8c
0x1001bf8e
0x1001bf8e
0x1001bec9
0x00000000
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001bed3
0x1001bed3
0x1001bed9
0x1001bedb
0x1001bedd
0x1001bee2
0x1001bfdf
0x1001bfe2
0x1001bfe7
0x1001bfea
0x1001bfea
0x1001bee8
0x1001beeb
0x1001bfc7
0x1001bfca
0x1001bfcd
0x1001bfd0
0x1001bfd3
0x1001bfd3
0x1001bef1
0x1001bef7
0x1001bef9
0x1001bef9
0x1001befc
0x1001beff
0x1001bf02
0x1001bf05
0x1001bf05
0x1001bf09
0x1001bf0b
0x1001bf0d
0x1001bf11
0x1001bf13
0x1001bf19
0x1001bf1e
0x1001bf21
0x1001bf21
0x1001bf26
0x1001bf29
0x1001bf2f
0x1001bf2f
0x1001bf32
0x1001bf38
0x1001bf3d
0x1001bf40
0x1001bf43
0x1001c00b
0x1001c00e
0x1001c013
0x1001c016
0x1001c016
0x1001bf49
0x1001bf4c
0x1001bff2
0x1001bff5
0x1001bff8
0x1001bffb
0x1001bffe
0x1001bffe
0x1001bf54
0x1001bf56
0x1001bf56
0x1001bf59
0x1001bf5c
0x1001bf5f
0x1001bf62
0x1001bf62
0x00000000
0x1001bf59
0x1001be1f
0x1001be08
0x1001bde0
0x1001bde0
0x1001bde3
0x1001bde8
0x1001bdee
0x1001bdf0
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bdf0
0x1001bd36
0x1001bd36
0x1001bd3b
0x1001bd45
0x1001bd48
0x1001bd4d
0x1001bd55
0x00000000
0x1001bd57
0x1001bd57
0x1001bd5d
0x1001bd65
0x00000000
0x1001bd67
0x1001bd67
0x1001bd6d
0x1001bd6f
0x1001bd81
0x1001bd81
0x1001bd94
0x1001bd9c
0x1001bda2
0x1001bdad
0x00000000
0x00000000
0x1001bd78
0x1001bd79
0x1001bd7f
0x1001bdd0
0x1001bdd2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd7f
0x1001bdaf
0x00000000
0x1001bdaf
0x1001bd65
0x1001bd55
0x1001bd30
0x1001bd0b
0x1001bd0b
0x1001bd0e
0x1001bd13
0x1001bd1c
0x1001bdb3
0x1001bdb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd1c
0x00000000
0x1001bd09
0x1001bd07
0x1001bcf4
0x1001bce6
0x1001bcd6
0x00000000
0x00000000
0x00000000
0x1001e4b5
0x1001e4b0
0x1001e49e
0x1001e493
0x00000000

APIs

mv_frame_unref.LICKING ref: 1001E525
mv_frame_unref.LICKING ref: 1001E5E0

Strings

Failed to map frame into derived frame context: %d., xrefs: 1001E71D
Invalid mapping found when attempting unmap., xrefs: 1001E635

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_frame_unref
String ID: Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.
API String ID: 3522828444-968520014
Opcode ID: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
Instruction ID: 1d7c3b7aca9d3417cd3ea7e1bcd086570995cae0267e84f3f0b04429ecccd582
Opcode Fuzzy Hash: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
Instruction Fuzzy Hash: F991A0B4A09B418FC744DF29C58051EBBE1FF88794F55896DE8998B351E730ED81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1004CE48 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1004CE7C
mv_calloc.LICKING ref: 1004CEA9
AcquireSRWLockExclusive.KERNEL32 ref: 1004CF94
_beginthreadex.MSVCRT ref: 1004CFD6
ReleaseSRWLockExclusive.KERNEL32 ref: 1004D00D
ReleaseSRWLockExclusive.KERNEL32 ref: 1004D04F
mvpriv_slicethread_free.LICKING ref: 1004D05E
mv_cpu_count.LICKING ref: 1004D070
mv_mallocz.LICKING ref: 1004D0AA
mv_log.LICKING ref: 1004D0F1
abort.MSVCRT ref: 1004D0F6
mv_freep.LICKING ref: 1004D102

Strings

j, xrefs: 1004D0C8

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$Releasemv_mallocz$Acquire_beginthreadexabortmv_callocmv_cpu_countmv_freepmv_logmvpriv_slicethread_free
String ID: j
API String ID: 2987404029-2137352139
Opcode ID: b4d5f506cff1f2b8f286322260e64abac841ad9d120f12fbc9d283c2ebf53eb6
Instruction ID: 3189d2e171a0ea3ceb7ce00679f7d5566ab50e9f73ac84ca4a753df61807b7c1
Opcode Fuzzy Hash: b4d5f506cff1f2b8f286322260e64abac841ad9d120f12fbc9d283c2ebf53eb6
Instruction Fuzzy Hash: C581E3B56093449FC740EF29D48461ABBE0FF88344F118A2EF8999B341D735E946CF86

Uniqueness

Uniqueness Score: -1.00%

Function 100A1310 Relevance: 24.5, APIs: 4, Strings: 10, Instructions: 48
threadCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E100A1310() {
				char _v16;
				void _v76;
				char _v79;
				char _v80;
				intOrPtr _v83;
				intOrPtr _v87;
				intOrPtr _v91;
				intOrPtr _v95;
				intOrPtr _v99;
				intOrPtr _v103;
				intOrPtr _v107;
				intOrPtr _v111;
				intOrPtr _v115;
				char _v119;
				long _v132;
				char* _v136;
				long _t28;
				void* _t30;
				void* _t33;
				void* _t34;
				long _t36;
				void* _t39;
				long* _t41;

				_v119 = 0x6f727245;
				_v115 = 0x6c632072;
				_v111 = 0x696e6165;
				_v107 = 0x7520676e;
				_v103 = 0x70732070;
				_v99 = 0x6b5f6e69;
				_v95 = 0x20737965;
				_v91 = 0x20726f66;
				_v87 = 0x65726874;
				_v83 = 0x206461;
				_v79 = 0;
				_v16 = 0;
				memset( &_v76, 0, 0x10 << 2);
				_t41 = _t39 - 0x88 + 0xc;
				_t28 = GetCurrentThreadId();
				_v132 = 0xa;
				_v136 =  &_v80;
				 *_t41 = _t28;
				__imp___ultoa();
				if(_v80 == 0) {
					L8:
					_t33 = 0x28;
					_t25 =  &_v119; // 0x6f727245
					_t36 = _t25;
					L6:
					_t41[0xf] = 0xa;
					 *((char*)(_t41 + _t33 + 0x15)) = 0;
					L7:
					 *_t41 = _t36;
					OutputDebugStringA(??);
					_t41 = _t41 - 4;
					abort();
					goto L8;
				}
				_t30 = 0x27;
				_t19 =  &_v119; // 0x6f727245
				_t36 = _t19;
				while(1) {
					_t34 = _t30;
					_t30 = _t30 + 1;
					if( *((char*)(_t36 + _t30)) == 0) {
						break;
					}
					if(_t30 == 0x6a) {
						goto L7;
					}
				}
				if(_t30 == 0x6a) {
					goto L7;
				}
				_t33 = _t34 + 2;
				goto L6;
			}

0x100a1322
0x100a132a
0x100a1332
0x100a133a
0x100a1342
0x100a134a
0x100a1352
0x100a135a
0x100a1362
0x100a136a
0x100a1372
0x100a137a
0x100a1382
0x100a1382
0x100a1384
0x100a138e
0x100a1396
0x100a139a
0x100a139d
0x100a13a8
0x100a13eb
0x100a13eb
0x100a13f5
0x100a13f5
0x100a13d0
0x100a13d0
0x100a13d5
0x100a13da
0x100a13da
0x100a13dd
0x100a13e3
0x100a13e6
0x00000000
0x100a13e6
0x100a13aa
0x100a13af
0x100a13af
0x100a13bd
0x100a13bd
0x100a13bf
0x100a13c6
0x00000000
0x00000000
0x100a13bb
0x00000000
0x00000000
0x100a13bb
0x100a13cb
0x00000000
0x00000000
0x100a13cd
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 100A1384
_ultoa.MSVCRT ref: 100A139D
OutputDebugStringA.KERNEL32 ref: 100A13DD
abort.MSVCRT ref: 100A13E6

Strings

ad , xrefs: 100A136A
ng u, xrefs: 100A133A
p sp, xrefs: 100A1342
eani, xrefs: 100A1332
thre, xrefs: 100A1362
eys , xrefs: 100A1352
in_k, xrefs: 100A134A
for , xrefs: 100A135A
r cl, xrefs: 100A132A
Erro, xrefs: 100A13AF

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Erro$ad $eani$eys $for $in_k$ng u$p sp$r cl$thre
API String ID: 4191895893-3726152543
Opcode ID: c62f280eb55718159c0ae26c510020dff9fd4295b287b41223472a11c9806faf
Instruction ID: 933cb2fe384093e2151c96bc0b39a2ec9278c98079ab9a37e6148124f22308cd
Opcode Fuzzy Hash: c62f280eb55718159c0ae26c510020dff9fd4295b287b41223472a11c9806faf
Instruction Fuzzy Hash: C12122B010C341CEE754DF68D18935FBAE2EB81384F448D1CE0818A2A1C7B88A48CB47

Uniqueness

Uniqueness Score: -1.00%

Function 10016E19 Relevance: 24.2, APIs: 16, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E10016E19(signed char* __eax, void* __edx, void* __fp0) {
				signed int _t72;
				signed int _t75;
				signed char* _t81;
				signed char* _t83;
				signed int _t92;
				signed int _t121;
				signed char* _t124;
				signed int _t126;
				signed int _t132;
				signed int _t134;
				void* _t158;
				signed int _t167;
				void* _t169;
				signed char** _t170;
				void* _t190;

				_t190 = __fp0;
				_t158 = __edx;
				_t170 = _t169 - 0x3c;
				_t170[6] = __eax;
				_t124 =  *(__edx + 8);
				_t72 =  *_t124 & 0x000000ff;
				if(_t72 == 0x2d) {
					 *_t170 = _t124;
					_t170[1] =  &(_t170[0xb]);
					L10091F50();
					st0 = _t190;
					_t124 =  *(_t158 + 8);
					_t75 = _t170[0xb];
					if(_t124 == _t75 ||  *_t75 != 0x64 ||  *((char*)(_t75 + 1)) != 0x42) {
						_t72 =  *_t124 & 0x000000ff;
						goto L2;
					} else {
						_t81 = L100161E0( &(_t170[9]), _t124, _t158, _t190);
						_t170[7] = 0;
					}
				} else {
					L2:
					_t132 = (0 | _t72 == 0x0000002b) - ((_t72 & 0xffffff00 | _t72 == 0x0000002d) & 0x000000ff);
					_t170[7] = _t132;
					 *(_t158 + 8) =  &(_t124[_t132 & 0x00000001]);
					_t81 = L100161E0( &(_t170[9]),  &(_t124[_t132 & 0x00000001]), _t158, _t190);
				}
				if(_t81 < 0) {
					L16:
					return _t81;
				} else {
					_t134 =  *(_t158 + 8);
					_t121 = _t170[9];
					if( *_t134 != 0x5e) {
						L13:
						if(_t121 != 0) {
							asm("pxor xmm0, xmm0");
							asm("cvtsi2sd xmm0, ebp");
							asm("mulsd xmm0, [ebx+0x8]");
							asm("movsd [ebx+0x8], xmm0");
						}
						 *(_t170[6]) = _t121;
						_t81 = 0;
						goto L16;
					} else {
						do {
							_t83 = _t134 + 1;
							 *(_t158 + 8) = _t83;
							_t126 =  *(_t134 + 1) & 0x000000ff;
							if(_t126 == 0x2d) {
								 *_t170 = _t83;
								_t170[1] =  &(_t170[0xb]);
								L10091F50();
								st0 = _t190;
								_t83 =  *(_t158 + 8);
								_t134 = _t170[0xb];
								if(_t83 == _t134 ||  *_t134 != 0x64 ||  *(_t134 + 1) != 0x42) {
									_t126 =  *_t83 & 0x000000ff;
									goto L7;
								} else {
									_t81 = L100161E0( &(_t170[0xa]), _t126, _t158, _t190);
								}
							} else {
								L7:
								 *(_t158 + 8) =  &(_t83[((_t134 & 0xffffff00 | _t126 == 0x0000002b) & 0x000000ff) - ((_t126 & 0xffffff00 | _t126 == 0x0000002d) & 0x000000ff) & 0x00000001]);
								_t81 = L100161E0( &(_t170[0xa]), (_t126 & 0xffffff00 | _t126 == 0x0000002d) & 0x000000ff, _t158, _t190);
							}
							if(_t81 < 0) {
								_t170[0xb] = _t121;
								if(_t121 == 0) {
									goto L16;
								} else {
									_t170[6] = _t81;
									 *_t170 =  *(_t121 + 0x18);
									E10015280();
									 *_t170 = _t170[0xb][0x1c];
									E10015280();
									 *_t170 = _t170[0xb][0x20];
									E10015280();
									 *_t170 =  &(_t170[0xb][0x24]);
									E100290E0();
									 *_t170 =  &(_t170[0xb]);
									E100290E0();
									return _t170[6];
								}
							} else {
								 *_t170 = 0x28;
								_t167 = _t170[0xa];
								_t92 = E10029100();
								if(_t92 == 0) {
									_t170[0xb] = _t121;
									_t170[9] = 0;
									if(_t121 != 0) {
										 *_t170 =  *(_t121 + 0x18);
										E10015280();
										 *_t170 = _t170[0xb][0x1c];
										E10015280();
										 *_t170 = _t170[0xb][0x20];
										E10015280();
										 *_t170 =  &(_t170[0xb][0x24]);
										E100290E0();
										 *_t170 =  &(_t170[0xb]);
										E100290E0();
									}
									_t170[0xb] = _t167;
									if(_t167 != 0) {
										 *_t170 =  *(_t167 + 0x18);
										E10015280();
										 *_t170 = _t170[0xb][0x1c];
										E10015280();
										 *_t170 = _t170[0xb][0x20];
										E10015280();
										 *_t170 = _t170[0xb] + 0x24;
										E100290E0();
										 *_t170 =  &(_t170[0xb]);
										E100290E0();
									}
									return 0xfffffff4;
								} else {
									goto L10;
								}
							}
							goto L36;
							L10:
							 *_t92 = 0x12;
							 *((intOrPtr*)(_t92 + 8)) = 0;
							 *((intOrPtr*)(_t92 + 0xc)) = 0x3ff00000;
							 *(_t92 + 0x18) = _t121;
							 *(_t92 + 0x1c) = _t167;
							_t170[9] = _t92;
							if(_t167 != 0) {
								asm("pxor xmm0, xmm0");
								_t121 = _t92;
								asm("cvtsi2sd xmm0, edi");
								asm("mulsd xmm0, [ebp+0x8]");
								asm("movsd [ebp+0x8], xmm0");
							} else {
								_t121 = _t92;
							}
							_t134 =  *(_t158 + 8);
						} while ( *_t134 == 0x5e);
						goto L13;
					}
				}
				L36:
			}

0x10016e19
0x10016e23
0x10016e26
0x10016e29
0x10016e2d
0x10016e30
0x10016e35
0x10016fb0
0x10016fb7
0x10016fbb
0x10016fc0
0x10016fc2
0x10016fc5
0x10016fcb
0x10016fd2
0x00000000
0x10017046
0x1001704c
0x10017053
0x10017053
0x10016e3b
0x10016e3b
0x10016e4a
0x10016e4c
0x10016e59
0x10016e60
0x10016e60
0x10016e67
0x10016f35
0x10016f3c
0x10016e6d
0x10016e6d
0x10016e70
0x10016e77
0x10016f10
0x10016f12
0x10016f18
0x10016f1f
0x10016f23
0x10016f28
0x10016f28
0x10016f31
0x10016f33
0x00000000
0x10016e80
0x10016e80
0x10016e80
0x10016e83
0x10016e86
0x10016e8d
0x10016f40
0x10016f47
0x10016f4b
0x10016f50
0x10016f52
0x10016f55
0x10016f5b
0x10016f62
0x00000000
0x10016f76
0x10016f7e
0x10016f7e
0x10016e93
0x10016e93
0x10016eb0
0x10016eb7
0x10016eb7
0x10016ebe
0x10016fe0
0x10016fe6
0x00000000
0x10016fec
0x10016fec
0x10016ff3
0x10016ff6
0x10017002
0x10017005
0x10017011
0x10017014
0x10017020
0x10017023
0x1001702c
0x1001702f
0x1001703f
0x1001703f
0x10016ec4
0x10016ec4
0x10016ecb
0x10016ecf
0x10016ed6
0x1001705c
0x10017064
0x10017068
0x1001706d
0x10017070
0x1001707c
0x1001707f
0x1001708b
0x1001708e
0x1001709a
0x1001709d
0x100170a6
0x100170a9
0x100170a9
0x100170ae
0x100170b4
0x100170b9
0x100170bc
0x100170c8
0x100170cb
0x100170d7
0x100170da
0x100170e6
0x100170e9
0x100170f2
0x100170f5
0x100170f5
0x10017106
0x00000000
0x00000000
0x00000000
0x10016ed6
0x00000000
0x10016edc
0x10016edc
0x10016ee4
0x10016eeb
0x10016ef2
0x10016ef5
0x10016ef8
0x10016efc
0x10016f93
0x10016f97
0x10016f99
0x10016f9d
0x10016fa2
0x10016f02
0x10016f02
0x10016f02
0x10016f04
0x10016f07
0x00000000
0x10016e80
0x10016e77
0x00000000

APIs

Part of subcall function 100161D7: mv_mallocz.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,10017051), ref: 100161F4
Part of subcall function 100161D7: mv_strtod.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,10017051), ref: 1001621D

mv_mallocz.LICKING ref: 10016ECF

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_strtod
String ID:
API String ID: 3275254055-0
Opcode ID: ef02a44b0a533897543d2475adf67a49a34f772efc2d481bd1c148061a33acd9
Instruction ID: a96fb51638ba8a0bfcbb7737a0f0533294e9447c5af839fd67c50a89cbb49fc0
Opcode Fuzzy Hash: ef02a44b0a533897543d2475adf67a49a34f772efc2d481bd1c148061a33acd9
Instruction Fuzzy Hash: BF713DB96087058FC300DF75D88155AFBE1EF88344F458A6DE8989B315E735E9C2CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10025B10 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E10025B10(void* __eflags, intOrPtr _a4, unsigned int _a16, signed int _a20, signed int _a24, char _a28, signed char* _a1052, signed char* _a2076, signed char* _a3100, signed char* _a4124, intOrPtr _a4128, intOrPtr _a4132, signed int _a5180, signed int _a5184, signed int _a5188, char* _a5192) {
				intOrPtr _v0;
				intOrPtr _v4;
				signed int _v8;
				char* _v12;
				char* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t138;
				signed int _t147;
				signed int _t148;
				signed int _t152;
				signed int _t156;
				signed int _t159;
				signed int _t162;
				signed int _t165;
				signed int _t170;
				void* _t173;
				signed int _t174;
				signed int _t178;
				char* _t183;
				signed int _t196;
				intOrPtr _t197;
				char* _t199;
				signed int _t203;
				void* _t206;
				char* _t207;
				signed char _t210;
				intOrPtr _t212;
				intOrPtr _t221;
				signed int _t222;
				void* _t230;
				signed int _t231;
				char* _t235;
				signed char* _t236;
				signed char* _t237;
				signed char* _t238;
				signed char* _t239;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				char* _t250;
				signed int _t264;
				signed int _t265;
				void* _t268;
				intOrPtr* _t269;
				intOrPtr* _t271;
				signed int _t273;
				char* _t274;
				signed int _t275;
				char* _t278;
				signed int _t283;
				void* _t286;
				signed int _t288;
				void* _t290;
				void* _t291;
				signed int* _t292;
				void* _t299;

				_t291 = _t290 - E100918A0(0x143c);
				_a20 = 0;
				if(_a5188 >= 0) {
					_a20 = _a5188 & 0x0000ff00;
					_a5188 = _a5188 & 0x000000ff;
				}
				_t138 = _a5188;
				_t299 =  *0x100ad018 - _t138; // 0x20
				if(_t299 >= 0) {
					_v16 = 0x100d76b0;
					L100A0980();
					_t292 = _t291 - 4;
					_t247 = _a5180;
					if(_t247 == 0) {
						_v12 = 1;
						_v16 = 0;
						 *_t292 =  &_a1052;
						E10008880(0, 0, 1, 0x10000);
						_v12 = 1;
						 *_t292 =  &_a2076;
						_v16 = 0;
						E10008880(0, 0, 1, 0x10000);
						_v16 = 0;
						_t273 =  &_a3100;
						_v12 = 1;
						 *_t292 = _t273;
						E10008880(0, _t273, 1, 0x10000);
						_v12 = 0x10000;
						_t288 =  &_a4124;
						_v16 = 0;
						 *_t292 = _t288;
						E10008880(0, _t273, 1, _t288);
						_t147 =  *0x100ad00c; // 0x1
						_a24 = 0x10;
						_a20 = 0x10;
						_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
					} else {
						_t230 =  *_a5180;
						_v16 = 0;
						_t283 =  &_a1052;
						_v12 = 1;
						 *_t292 = _t283;
						E10008880(_t230, 1, _t283, 0);
						_v12 = 1;
						_t273 =  &_a3100;
						_v16 = 0;
						_t288 =  &_a4124;
						 *_t292 =  &_a2076;
						E10008880(_t230, _t273, _t283, _t288);
						_v12 = 1;
						_v16 = 0;
						 *_t292 = _t273;
						E10008880(_t230, _t273, _t283, _t288);
						_v12 = 0x10000;
						_v16 = 0;
						 *_t292 = _t288;
						E10008880(_t230, _t273, _t283, _t288);
						_t196 =  *0x100ad00c; // 0x1
						_t265 = _t247 & 0xffffff00 | _t196 != 0x00000000;
						_t148 = _t265;
						if(_t230 == 0 || _t265 == 0) {
							_a24 = 0x10;
							_a20 = 0x10;
						} else {
							_t197 =  *((intOrPtr*)(_t230 + 0x14));
							_a20 = 0x10;
							if(_t197 != 0) {
								_t244 =  *(_a5180 + _t197);
								if(_t244 != 0) {
									_t206 =  *_t244;
									if(_t206 != 0) {
										 *_t292 = _t244;
										_a24 = _t244;
										_t207 =  *((intOrPtr*)(_t206 + 4))();
										 *_t292 = _t283;
										_v8 = _a24;
										_v12 = _t207;
										_v16 = "[%s @ %p] ";
										E100089C0();
										_t246 = _a24;
										_t286 =  *_t246;
										if(_t286 != 0) {
											_t210 =  *(_t286 + 0xc);
											if((_t210 & 0x000000ff) <= 0x63 || _t210 <= 0x333aff) {
												L87:
												_a20 = 0x10;
											} else {
												_t212 =  *((intOrPtr*)(_t286 + 0x18));
												if(_t212 > 0x2d) {
													goto L87;
												} else {
													_t271 =  *((intOrPtr*)(_t286 + 0x1c));
													_a20 = _t212 + 0x10;
													if(_t271 != 0) {
														 *_t292 = _t246;
														_a20 =  *_t271() + 0x10;
													}
												}
											}
										}
									}
								}
							}
							 *_t292 = _a5180;
							_t199 =  *((intOrPtr*)(_t230 + 4))();
							_v8 = _a5180;
							_v12 = _t199;
							_v16 = "[%s @ %p] ";
							 *_t292 =  &_a2076;
							E100089C0();
							_t203 = _a5180;
							_t268 =  *_t203;
							if(_t268 == 0) {
								L82:
								_a24 = 0x10;
							} else {
								_t203 =  *(_t268 + 0xc);
								if((_t203 & 0x000000ff) <= 0x63 || _t203 <= 0x333aff) {
									goto L82;
								} else {
									_t203 =  *(_t268 + 0x18);
									if(_t203 > 0x2d) {
										goto L82;
									} else {
										_t269 =  *((intOrPtr*)(_t268 + 0x1c));
										_t203 = _t203 + 0x10;
										_a24 = _t203;
										if(_t269 != 0) {
											 *_t292 = _a5180;
											_t203 =  *_t269() + 0x10;
											_a24 = _t203;
										}
									}
								}
							}
							_t231 =  *0x100ad00c; // 0x1
							_t148 = _t203 & 0xffffff00 | _t231 != 0x00000000;
						}
					}
					if(_a5184 >= 0xfffffff9 && _t148 != 0 && ( *0x100d76ac & 0x00000002) != 0) {
						_t125 = _a5184 + 8; // 0x101
						_t264 = _t125;
						_t183 = 0x100b6d3b;
						if(_t264 <= 0x40) {
							_t183 =  *((intOrPtr*)(0x100b6f40 + _t264 * 4));
						}
						_v12 = _t183;
						_v16 = "[%s] ";
						 *_t292 = _t273;
						E100089C0();
					}
					 *_t292 = _t288;
					_v12 = _a5192;
					_v16 = _a5188;
					E10008B70();
					_t250 = _a1052;
					_t235 = _a2076;
					_t274 = _a3100;
					_t278 = _a4124;
					if( *_t250 != 0 ||  *_t235 != 0 ||  *_t274 != 0 ||  *_t278 != 0) {
						_t221 = _a4128;
						_t152 = 0;
						if(_t221 != 0 && _a4132 >= _t221) {
							_t152 = (0 | ( *(_t278 + _t221 - 1) & 0x000000ff) == 0x0000000a |  *(_t278 + _t221 - 1) & 0 | ( *(_t278 + _t221 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
						}
						 *0x100ad00c = _t152;
					}
					_a4 = _t278;
					_t222 =  &_a28;
					_v12 = "%s%s%s%s";
					_v0 = _t274;
					_v4 = _t235;
					_v8 = _t250;
					_v16 = 0x400;
					 *_t292 = _t222;
					E10025AE0();
					_t156 =  *0x100d76a0;
					if(_t156 == 0) {
						 *_t292 = 2;
						L100A0860();
						asm("sbb eax, eax");
						 *0x100d76a0 = _t156 | 0x00000001;
					}
					_t275 =  *0x100ad00c; // 0x1
					_t279 =  *0x100d7280;
					if(_t275 == 0 || ( *0x100d76ac & 0x00000001) == 0) {
						L37:
						if(_t279 > 0) {
							 *_t292 = 2;
							_t275 = 0;
							_t174 =  *0x100ad0cc();
							_v12 = _t279;
							_t279 = "    Last message repeated %d times\n";
							_v16 = "    Last message repeated %d times\n";
							 *_t292 = _t174;
							E10025610();
							 *0x100d7280 = 0;
						}
						_v16 = _t222;
						 *_t292 = 0x100d72a0;
						strcpy(??, ??);
						_t236 = _a1052;
						_t159 =  *_t236 & 0x000000ff;
						if(_t159 != 0) {
							L41:
							while(_t159 - 0xe > 0x11 && _t159 > 7) {
								_t159 = _t236[1] & 0x000000ff;
								_t236 =  &(_t236[1]);
								if(_t159 != 0) {
									continue;
								}
								L44:
								_t236 = _a1052;
								goto L45;
							}
							 *_t236 = 0x3f;
							_t236 =  &(_t236[1]);
							_t159 =  *_t236 & 0x000000ff;
							if(_t159 != 0) {
								goto L41;
							} else {
								goto L44;
							}
							goto L88;
						}
						L45:
						L100257B0(_a20, _t222, _t236, 0, _t275, _t279);
						_t237 = _a2076;
						_t162 =  *_t237 & 0x000000ff;
						if(_t162 != 0) {
							L47:
							while(_t162 - 0xe > 0x11 && _t162 > 7) {
								_t162 = _t237[1] & 0x000000ff;
								_t237 =  &(_t237[1]);
								if(_t162 != 0) {
									continue;
								}
								L50:
								_t237 = _a2076;
								goto L51;
							}
							 *_t237 = 0x3f;
							_t237 =  &(_t237[1]);
							_t162 =  *_t237 & 0x000000ff;
							if(_t162 != 0) {
								goto L47;
							} else {
								goto L50;
							}
							goto L64;
						}
						L51:
						L100257B0(_a24, _t222, _t237, 0, _t275, _t279);
						_t238 = _a3100;
						_t165 =  *_t238 & 0x000000ff;
						if(_t165 != 0) {
							L53:
							while(_t165 - 0xe > 0x11 && _t165 > 7) {
								_t165 = _t238[1] & 0x000000ff;
								_t238 =  &(_t238[1]);
								if(_t165 != 0) {
									continue;
								}
								L56:
								_t238 = _a3100;
								goto L57;
							}
							 *_t238 = 0x3f;
							_t238 =  &(_t238[1]);
							_t165 =  *_t238 & 0x000000ff;
							if(_t165 != 0) {
								goto L53;
							} else {
								goto L56;
							}
							goto L88;
						}
						L57:
						_t281 = _a16 >> 8;
						_t225 =  >  ? 7 : _a5184 >> 3;
						_t226 =  <  ? 0 :  >  ? 7 : _a5184 >> 3;
						L100257B0( <  ? 0 :  >  ? 7 : _a5184 >> 3,  <  ? 0 :  >  ? 7 : _a5184 >> 3, _t238, _a16 >> 8, _t275, _a16 >> 8);
						_t239 = _a4124;
						_t170 =  *_t239 & 0x000000ff;
						if(_t170 != 0) {
							L59:
							while(_t170 - 0xe > 0x11 && _t170 > 7) {
								_t170 = _t239[1] & 0x000000ff;
								_t239 =  &(_t239[1]);
								if(_t170 != 0) {
									continue;
								}
								L62:
								_t239 = _a4124;
								goto L63;
							}
							 *_t239 = 0x3f;
							_t239 =  &(_t239[1]);
							_t170 =  *_t239 & 0x000000ff;
							if(_t170 != 0) {
								goto L59;
							} else {
								goto L62;
							}
							goto L64;
						}
						L63:
						L100257B0(_t226, _t226, _t239, _t281, _t275, _t281);
					} else {
						 *_t292 = _t222;
						_t239 = 0x100d72a0;
						_v16 = 0x100d72a0;
						if(strcmp(??, ??) != 0) {
							goto L37;
						} else {
							if(_a28 != 0) {
								 *_t292 = _t222;
								if( *((char*)(_t292 + strlen(??) + 0x2f)) == 0xd) {
									goto L37;
								} else {
									_t281 =  &(_t279[1]);
									 *0x100d7280 = _t281;
									if( *0x100d76a0 == 1) {
										 *_t292 = 2;
										_t178 =  *0x100ad0cc();
										_v12 = _t281;
										_v16 = "    Last message repeated %d times\r";
										 *_t292 = _t178;
										E10025610();
									}
								}
							} else {
								goto L37;
							}
						}
					}
					L64:
					 *_t292 = _t288;
					_v16 = 0;
					_t173 = E10009690(0, _t239, _t275, _t281);
					 *_t292 = 0x100d76b0;
					L100A0978();
					return _t173;
				} else {
					return _t138;
				}
				L88:
			}

0x10025b20
0x10025b22
0x10025b2f
0x10025b3d
0x10025b49
0x10025b49
0x10025b50
0x10025b57
0x10025b5d
0x10025b70
0x10025b77
0x10025b7c
0x10025b7f
0x10025b88
0x100260d7
0x100260e4
0x100260ef
0x100260f7
0x10026108
0x1002610c
0x1002610f
0x10026113
0x10026118
0x1002611c
0x10026123
0x10026127
0x1002612a
0x10026131
0x10026135
0x1002613c
0x10026140
0x10026143
0x10026148
0x10026152
0x1002615b
0x10026161
0x10025b8e
0x10025ba3
0x10025ba5
0x10025ba9
0x10025bb0
0x10025bb4
0x10025bb7
0x10025bc3
0x10025bc7
0x10025bce
0x10025bd2
0x10025bd9
0x10025bdc
0x10025be6
0x10025bec
0x10025bf0
0x10025bf3
0x10025bfd
0x10025c03
0x10025c07
0x10025c0a
0x10025c0f
0x10025c16
0x10025c1b
0x10025c1d
0x10025d7a
0x10025d7e
0x10025c2b
0x10025c2b
0x10025c33
0x10025c39
0x10025c46
0x10025c4b
0x10025c51
0x10025c55
0x10025c57
0x10025c5a
0x10025c5e
0x10025c65
0x10025c68
0x10025c6c
0x10025c75
0x10025c79
0x10025c7e
0x10025c82
0x10025c86
0x10025c88
0x10025c91
0x10026215
0x1002621a
0x10025ca2
0x10025ca2
0x10025ca8
0x00000000
0x10025cae
0x10025cae
0x10025cb4
0x10025cba
0x10025cbc
0x10025cc4
0x10025cc4
0x10025cba
0x10025ca8
0x10025c91
0x10025c86
0x10025c55
0x10025c4b
0x10025cd7
0x10025cda
0x10025ce4
0x10025ce8
0x10025cf1
0x10025cfc
0x10025cff
0x10025d04
0x10025d0b
0x10025d0f
0x100261b0
0x100261b5
0x10025d15
0x10025d15
0x10025d1e
0x00000000
0x10025d2f
0x10025d2f
0x10025d35
0x00000000
0x10025d3b
0x10025d3b
0x10025d3e
0x10025d41
0x10025d47
0x10025d50
0x10025d55
0x10025d58
0x10025d58
0x10025d47
0x10025d35
0x10025d1e
0x10025d5c
0x10025d64
0x10025d64
0x10025c1d
0x10025d8a
0x10026184
0x10026184
0x10026187
0x1002618f
0x100261be
0x100261be
0x10026191
0x1002619a
0x1002619e
0x100261a1
0x100261a1
0x10025d94
0x10025d9e
0x10025da9
0x10025dad
0x10025db2
0x10025db9
0x10025dc0
0x10025dc7
0x10025dd1
0x10026010
0x10026017
0x1002601b
0x10026039
0x10026039
0x1002603c
0x1002603c
0x10025e00
0x10025e04
0x10025e0d
0x10025e16
0x10025e1a
0x10025e1e
0x10025e22
0x10025e26
0x10025e29
0x10025e2e
0x10025e35
0x100260b0
0x100260b7
0x100260bf
0x100260c4
0x100260c4
0x10025e3b
0x10025e41
0x10025e49
0x10025e80
0x10025e82
0x10025e84
0x10025e8b
0x10025e8d
0x10025e93
0x10025e97
0x10025e9c
0x10025ea0
0x10025ea3
0x10025ea8
0x10025ea8
0x10025eae
0x10025eb2
0x10025eb9
0x10025ebe
0x10025ec5
0x10025eca
0x00000000
0x10025ed0
0x10025ee6
0x10025eea
0x10025eed
0x00000000
0x00000000
0x10025eef
0x10025eef
0x00000000
0x10025eef
0x10026098
0x1002609b
0x1002609c
0x100260a1
0x00000000
0x100260a7
0x00000000
0x100260a7
0x00000000
0x100260a1
0x10025ef6
0x10025efc
0x10025f01
0x10025f08
0x10025f0d
0x00000000
0x10025f10
0x10025f26
0x10025f2a
0x10025f2d
0x00000000
0x00000000
0x10025f2f
0x10025f2f
0x00000000
0x10025f2f
0x10026080
0x10026083
0x10026084
0x10026089
0x00000000
0x10026090
0x00000000
0x10026090
0x00000000
0x10026089
0x10025f36
0x10025f3c
0x10025f41
0x10025f48
0x10025f4d
0x00000000
0x10025f50
0x10025f66
0x10025f6a
0x10025f6d
0x00000000
0x00000000
0x10025f6f
0x10025f6f
0x00000000
0x10025f6f
0x10026050
0x10026053
0x10026054
0x10026059
0x00000000
0x1002605f
0x00000000
0x1002605f
0x00000000
0x10026059
0x10025f76
0x10025f89
0x10025f8e
0x10025f97
0x10025f9c
0x10025fa1
0x10025fa8
0x10025fad
0x00000000
0x10025fb0
0x10025fc6
0x10025fca
0x10025fcd
0x00000000
0x00000000
0x10025fcf
0x10025fcf
0x00000000
0x10025fcf
0x10026068
0x1002606b
0x1002606c
0x10026071
0x00000000
0x10026077
0x00000000
0x10026077
0x00000000
0x10026071
0x10025fd6
0x10025fda
0x10025e54
0x10025e54
0x10025e57
0x10025e5c
0x10025e67
0x00000000
0x10025e69
0x10025e6e
0x100261c7
0x100261d4
0x00000000
0x100261da
0x100261da
0x100261e2
0x100261e8
0x100261ee
0x100261f5
0x10026200
0x10026204
0x10026208
0x1002620b
0x1002620b
0x100261e8
0x00000000
0x00000000
0x00000000
0x10025e6e
0x10025e67
0x10025fdf
0x10025fdf
0x10025fe4
0x10025fe8
0x10025fed
0x10025ff4
0x10026006
0x10025b5f
0x10025b69
0x10025b69
0x00000000

Strings

%s%s%s%s, xrefs: 10025E08

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s%s%s
API String ID: 0-8588819
Opcode ID: ac2ddbe4c5e7eecdf6946e8e2144769ee9732fc12f1820fa6fe7c168fd11ac2b
Instruction ID: 3c8b5a5547449fe77cb1141cd1198b59db19ffc90cd804a37a060c8b88437588
Opcode Fuzzy Hash: ac2ddbe4c5e7eecdf6946e8e2144769ee9732fc12f1820fa6fe7c168fd11ac2b
Instruction Fuzzy Hash: E0713BB49097859FD360DF24C48079BBBE5FF88380F81882EE8C997351DB35A984DB56

Uniqueness

Uniqueness Score: -1.00%

Function 10010320 Relevance: 22.7, APIs: 15, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E10010320(intOrPtr* _a4) {
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t97;
				signed int _t100;
				signed int _t106;
				signed int _t112;
				signed int _t118;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				signed int _t139;
				signed int _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				signed int _t172;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t180;
				signed int _t182;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t199;
				void* _t200;
				intOrPtr* _t201;

				_t188 = 0x100b3200;
				_t201 = _t200 - 0x2c;
				_v40 = 0;
				_t189 = _a4;
				while(1) {
					_v40 = _v40 + 1;
					_t188 = _t188 + 0x40;
					if(_v40 == 0x17) {
						break;
					}
					_t6 = _t188 + 0x10; // 0x1000ffb0
					if( *_t6 == 0) {
						continue;
					} else {
						_t9 = _t188 + 0x10; // 0x1000ffb0
						_t10 = _t188 + 0x14; // 0x10010008
						_t172 =  *_t10;
						 *_t201 =  *((intOrPtr*)(_t189 + 0x10));
						_v56 =  *((intOrPtr*)(_t189 + 0x14));
						_v52 =  *_t9;
						_v48 = _t172;
						_t97 = E10035A10( *((intOrPtr*)(_t189 + 0x14)), _t188, _t189);
						_t147 = _t172;
						_t14 = _t188 + 0x1c; // 0x1000fde8
						_t192 =  <  ? _t97 :  ~_t97;
						_t15 = _t188 + 0x18; // 0x10010060
						_v48 =  *_t14;
						_v52 =  *_t15;
						_t174 =  *((intOrPtr*)(_t189 + 0x1c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x18));
						_v56 = _t174;
						_t100 = E10035A10(_t147, _t188, _t189);
						 *_t201 =  <  ? _t97 :  ~_t97;
						_v56 = _t147;
						_v48 = _t174;
						_t102 =  <  ? _t100 :  ~_t100;
						_v52 =  <  ? _t100 :  ~_t100;
						_t148 = E10035990(_t147, _t189);
						_t24 = _t188 + 0x20; // 0x1000fe50
						_t25 = _t188 + 0x24; // 0x0
						_v52 =  *_t24;
						_v48 =  *_t25;
						_t176 =  *((intOrPtr*)(_t189 + 0x24));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x20));
						_v56 = _t176;
						_t106 = E10035A10(_t148, _t188, _t189);
						 *_t201 = _t148;
						_v56 = _t174;
						_v48 = _t176;
						_t108 =  <  ? _t106 :  ~_t106;
						_v52 =  <  ? _t106 :  ~_t106;
						_t149 = E10035990(_t148, _t189);
						_t34 = _t188 + 0x28; // 0x0
						_t35 = _t188 + 0x2c; // 0x0
						_v52 =  *_t34;
						_v48 =  *_t35;
						_t178 =  *((intOrPtr*)(_t189 + 0x2c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x28));
						_v56 = _t178;
						_t112 = E10035A10(_t149, _t188, _t189);
						 *_t201 = _t149;
						_v56 = _t176;
						_v48 = _t178;
						_t114 =  <  ? _t112 :  ~_t112;
						_v52 =  <  ? _t112 :  ~_t112;
						_t150 = E10035990(_t149, _t189);
						_t44 = _t188 + 0x30; // 0x0
						_t45 = _t188 + 0x34; // 0x0
						_v52 =  *_t44;
						_v48 =  *_t45;
						_t180 =  *((intOrPtr*)(_t189 + 0x34));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x30));
						_v56 = _t180;
						_t118 = E10035A10(_t150, _t188, _t189);
						 *_t201 = _t150;
						_v56 = _t178;
						_v48 = _t180;
						_t120 =  <  ? _t118 :  ~_t118;
						_v52 =  <  ? _t118 :  ~_t118;
						_t151 = E10035990(_t150, _t189);
						_t54 = _t188 + 0x38; // 0x0
						_t55 = _t188 + 0x3c; // 0x0
						_v52 =  *_t54;
						_v48 =  *_t55;
						_t182 =  *((intOrPtr*)(_t189 + 0x3c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x38));
						_v56 = _t182;
						_t124 = E10035A10(_t151, _t188, _t189);
						 *_t201 = _t151;
						_v56 = _t180;
						_v48 = _t182;
						_t126 =  <  ? _t124 :  ~_t124;
						_v52 =  <  ? _t124 :  ~_t124;
						_t152 = E10035990(_t151, _t189);
						_t64 = _t188 + 4; // 0x1000fea8
						_v52 =  *_t188;
						_v48 =  *_t64;
						_t184 =  *(_t189 + 4);
						 *_t201 =  *_t189;
						_v56 = _t184;
						_t130 = E10035A10(_t152, _t188, _t189);
						 *_t201 = _t152;
						_v56 = _t182;
						_v48 = _t184;
						_t132 =  <  ? _t130 :  ~_t130;
						_v52 =  <  ? _t130 :  ~_t130;
						_t153 = E10035990(_t152, _t189);
						_t72 = _t188 + 8; // 0x1000ff00
						_t73 = _t188 + 0xc; // 0x1000ff58
						_v52 =  *_t72;
						_v48 =  *_t73;
						_t186 =  *(_t189 + 0xc);
						 *_t201 =  *((intOrPtr*)(_t189 + 8));
						_v56 = _t186;
						_t136 = E10035A10(_t153, _t188, _t189);
						 *_t201 = _t153;
						_v56 = _t184;
						_v48 = _t186;
						_t138 =  <  ? _t136 :  ~_t136;
						_v52 =  <  ? _t136 :  ~_t136;
						_t139 = E10035990(_t153, _t189);
						_v36 = _t186;
						_t154 = _t139;
						_t199 = _t186;
						_v32 = _t186 >> 0x1f;
						_t187 = 0x3e8 * _t154 >> 0x20;
						asm("sbb edx, [esp+0x1c]");
						if((_t187 | 0x000003e8 * _t154 - _v36) != 0) {
							_t158 = (_v32 ^ _t187) >> 0x0000001f | 0x00000001;
							goto L7;
						} else {
							if(_t199 != 0) {
								continue;
							} else {
								if(_t154 == 0) {
									L8:
									return _v40;
								} else {
									_t158 = _t154 >> 0x1f;
									L7:
									if(_t158 + 1 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
						}
					}
					L11:
				}
				_v40 = 2;
				return _v40;
				goto L11;
			}

0x10010324
0x1001032b
0x1001032e
0x10010332
0x10010340
0x10010340
0x10010344
0x1001034e
0x00000000
0x00000000
0x10010354
0x10010359
0x00000000
0x1001035b
0x10010361
0x10010364
0x10010364
0x10010367
0x1001036a
0x1001036e
0x10010372
0x10010376
0x1001037d
0x1001037f
0x10010384
0x10010387
0x1001038a
0x1001038e
0x10010395
0x10010398
0x1001039b
0x1001039f
0x100103a4
0x100103a7
0x100103ab
0x100103b3
0x100103b6
0x100103bf
0x100103c3
0x100103c6
0x100103c9
0x100103cd
0x100103d4
0x100103d7
0x100103da
0x100103de
0x100103e3
0x100103e6
0x100103ea
0x100103f2
0x100103f5
0x100103fe
0x10010402
0x10010405
0x10010408
0x1001040c
0x10010413
0x10010416
0x10010419
0x1001041d
0x10010422
0x10010425
0x10010429
0x10010431
0x10010434
0x1001043d
0x10010441
0x10010444
0x10010447
0x1001044b
0x10010452
0x10010455
0x10010458
0x1001045c
0x10010461
0x10010464
0x10010468
0x10010470
0x10010473
0x1001047c
0x10010480
0x10010483
0x10010486
0x1001048a
0x10010491
0x10010494
0x10010497
0x1001049b
0x100104a0
0x100104a3
0x100104a7
0x100104af
0x100104b2
0x100104bb
0x100104c1
0x100104c4
0x100104c8
0x100104ce
0x100104d1
0x100104d4
0x100104d8
0x100104dd
0x100104e0
0x100104e4
0x100104ec
0x100104ef
0x100104f8
0x100104fc
0x100104ff
0x10010502
0x10010506
0x1001050d
0x10010510
0x10010513
0x10010517
0x1001051c
0x1001051f
0x10010523
0x1001052b
0x1001052e
0x10010532
0x10010537
0x1001053b
0x10010542
0x10010544
0x1001054d
0x10010553
0x1001055b
0x10010591
0x00000000
0x1001055d
0x1001055f
0x00000000
0x10010565
0x10010567
0x10010576
0x10010581
0x10010569
0x10010569
0x1001056c
0x10010570
0x00000000
0x00000000
0x00000000
0x00000000
0x10010570
0x10010567
0x1001055f
0x1001055b
0x00000000
0x10010359
0x100105a5
0x100105b4
0x00000000

APIs

mv_sub_q.LICKING ref: 10010376
mv_sub_q.LICKING ref: 1001039F
mv_add_q.LICKING ref: 100103BA
mv_sub_q.LICKING ref: 100103DE
mv_add_q.LICKING ref: 100103F9
mv_sub_q.LICKING ref: 1001041D
mv_add_q.LICKING ref: 10010438
mv_sub_q.LICKING ref: 1001045C
mv_add_q.LICKING ref: 10010477
mv_sub_q.LICKING ref: 1001049B
mv_add_q.LICKING ref: 100104B6

Part of subcall function 10035990: mv_reduce.LICKING(?,?), ref: 100359E9

mv_sub_q.LICKING ref: 100104D8

Part of subcall function 10035A10: mv_reduce.LICKING(?), ref: 10035A81

mv_add_q.LICKING ref: 100104F3
mv_sub_q.LICKING ref: 10010517
mv_add_q.LICKING ref: 10010532

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_sub_q$mv_add_q$mv_reduce
String ID:
API String ID: 416313997-0
Opcode ID: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
Instruction ID: 2bd5eacdd0496173cebd80a3581587597599a29e230854eb82bb207fe0e5f862
Opcode Fuzzy Hash: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
Instruction Fuzzy Hash: 0281A1B4A08B069FC748DF6AD18051AFBE1FF88211F50C92EE59DC7721E670E8519F82

Uniqueness

Uniqueness Score: -1.00%

Function 10021D20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E10021D20(signed int __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t98;
				signed int _t103;
				void* _t117;
				signed int _t121;
				signed int _t125;
				signed int _t129;
				signed int _t133;
				void* _t138;
				void* _t140;
				void* _t141;
				void* _t142;
				signed int _t143;
				signed int _t144;
				void* _t148;
				signed int _t159;
				signed int _t163;
				signed int* _t165;
				void* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				void* _t183;
				signed char _t184;
				signed int _t190;
				void* _t191;
				signed int _t192;
				signed int _t194;
				void* _t195;
				void* _t197;
				signed int* _t198;
				signed int _t210;

				_t174 = __edx;
				_t198 = _t197 - 0x5c;
				_t165 = _t198[0x1d];
				_t194 = _t198[0x1e];
				_t192 = _t198[0x21];
				 *_t198 = _t198[0x20];
				_t98 = E10034790();
				_t198[0xb] = _t98;
				_t201 = _t98;
				if(_t98 == 0) {
					L29:
					_t195 = 0xffffffea;
					goto L17;
				} else {
					_t198[1] = _t194;
					_t198[0x11] = 0;
					_t198[0x12] = 0;
					_t198[2] = 0;
					 *_t198 = 0xffffffff;
					_t198[0x10] = 0x100b6c20;
					_t103 = E10021480(_t201);
					asm("cdq");
					asm("sbb edi, edx");
					if(0 >= _t103) {
						_t174 = (0 << 0x00000020 | _t194) << 3;
						_t103 = _t194 << 3;
					}
					_t198[8] = _t103 + 0x400;
					_t105 = _t198[0x1f];
					asm("adc edx, 0x0");
					_t198[9] = _t174;
					if((_t198[0x1f] & 0xffffff00 | _t105 <= 0x00000000 | _t174 & 0xffffff00 | _t194 <= 0x00000000) != 0) {
						L28:
						_t198[3] = _t194;
						_t198[4] = _t198[0x1f];
						_t198[2] = "Picture size %ux%u is invalid\n";
						_t198[1] = 0x10;
						 *_t198 =  &(_t198[0x10]);
						E10026560();
						goto L29;
					}
					asm("sbb ecx, edx");
					if(0x7ffffffe < _t198[8]) {
						goto L28;
					}
					asm("sbb edi, edx");
					if(0x7ffffffe < (_t198[0x1f] + 0x80) * _t198[8]) {
						goto L28;
					}
					if(_t192 > 7) {
						_t163 = _t194 + 0x00000007 & 0xfffffff8;
						_t210 = _t163;
						_t194 = _t163;
					}
					_t198[2] = _t194;
					 *_t198 = _t165;
					_t198[1] = _t198[0x20];
					_t117 = E100215D0(_t210);
					_t211 = _t117;
					_t195 = _t117;
					if(_t117 < 0) {
						L17:
						return _t195;
					} else {
						_t180 =  ~_t192;
						_t121 =  *_t165 + _t192 - 0x00000001 & _t180;
						 *_t165 = _t121;
						_t198[0xc] = _t121;
						_t125 = _t165[1] + _t192 - 0x00000001 & _t180;
						_t165[1] = _t125;
						_t198[0xd] = _t125;
						_t129 = _t165[2] + _t192 - 0x00000001 & _t180;
						_t165[2] = _t129;
						_t198[0xe] = _t129;
						_t133 = _t165[3] + _t192 - 0x00000001 & _t180;
						_t165[3] = _t133;
						_t198[0xf] = _t133;
						_t198[3] =  &(_t198[0xc]);
						_t198[2] = _t198[0x1f];
						_t198[1] = _t198[0x20];
						 *_t198 =  &(_t198[0x10]);
						_t138 = E100219B0(_t165, 0, _t192, _t195, _t211);
						_t195 = _t138;
						if(_t138 < 0) {
							goto L17;
						}
						_t140 = _t192 + _t198[0x10];
						if(_t140 < 0) {
							goto L29;
						}
						_t141 = _t140 + _t198[0x11];
						if(_t141 < 0) {
							goto L29;
						}
						_t142 = _t141 + _t198[0x12];
						if(_t142 < 0) {
							goto L29;
						}
						_t143 = _t142 + _t198[0x13];
						if(_t143 < 0) {
							goto L29;
						}
						 *_t198 = _t143;
						_t144 = E10028D50();
						_t190 = _t144;
						if(_t144 == 0) {
							_t195 = 0xfffffff4;
							goto L17;
						}
						_t198[3] = _t144;
						_t198[4] = _t165;
						_t198[2] = _t198[0x1f];
						_t198[1] = _t198[0x20];
						 *_t198 = _t198[0x1c];
						_t148 = E10021AF0(_t165, _t190, _t192, _t195);
						_t195 = _t148;
						if(_t148 < 0) {
							 *_t198 = _t190;
							L100290D0();
							goto L17;
						}
						if(( *(_t198[0xb] + 8) & 0x00000002) != 0) {
							_t181 =  *(_t198[0x1c] + 4);
							 *_t198 = _t181;
							_t198[1] = _t198[0x20];
							_t198[8] = _t181;
							E10021BF0();
							__eflags = _t192 - 3;
							_t182 = _t198[8];
							if(_t192 <= 3) {
								_t198[2] = "Formats with a palette require a minimum alignment of 4\n";
								_t198[1] = 0x10;
								 *_t198 = 0;
								E10026560();
								 *_t198 = _t190;
								L100290D0();
								goto L29;
							}
							__eflags = _t182;
							if(_t182 != 0) {
								_t170 =  *(_t198[0x1c]);
								_t183 = _t182 - _t170;
								_t159 = _t198[0x1f] *  *_t165;
								__eflags = _t183 - _t159;
								if(_t183 > _t159) {
									_t191 = _t170 + _t159;
									_t184 = _t183 - _t159;
									__eflags = _t184 - 8;
									if(_t184 >= 8) {
										__eflags = _t191 & 0x00000001;
										if((_t191 & 0x00000001) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 1;
											_t191 = _t191 + 1;
										}
										__eflags = _t191 & 0x00000002;
										if((_t191 & 0x00000002) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 2;
											_t191 = _t191 + 2;
										}
										__eflags = _t191 & 0x00000004;
										if((_t191 & 0x00000004) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 4;
											_t191 = _t191 + 4;
										}
										_t172 = _t184 >> 2;
										_t184 = _t184 & 0x00000003;
										memset(_t191, 0, _t172 << 2);
										_t198 =  &(_t198[3]);
										_t191 = _t191 + _t172;
									}
									__eflags = _t184 & 0x00000004;
									if((_t184 & 0x00000004) != 0) {
										 *_t191 = 0;
										_t191 = _t191 + 4;
										__eflags = _t191;
									}
									__eflags = _t184 & 0x00000002;
									if((_t184 & 0x00000002) != 0) {
										 *_t191 = 0;
										_t191 = _t191 + 2;
										__eflags = _t191;
									}
									__eflags = _t184 & 0x00000001;
									if((_t184 & 0x00000001) != 0) {
										 *_t191 = 0;
									}
								}
							}
						}
						goto L17;
					}
				}
			}

0x10021d20
0x10021d24
0x10021d2e
0x10021d32
0x10021d36
0x10021d3d
0x10021d40
0x10021d45
0x10021d49
0x10021d4b
0x10021fca
0x10021fca
0x00000000
0x10021d51
0x10021d51
0x10021d5c
0x10021d62
0x10021d68
0x10021d6c
0x10021d73
0x10021d79
0x10021d7e
0x10021d81
0x10021d83
0x10021d89
0x10021d8d
0x10021d8d
0x10021d95
0x10021d99
0x10021d9d
0x10021da0
0x10021db0
0x10021fa0
0x10021fa0
0x10021fa8
0x10021fb1
0x10021fba
0x10021fc2
0x10021fc5
0x00000000
0x10021fc5
0x10021dca
0x10021dcc
0x00000000
0x00000000
0x10021df0
0x10021df2
0x00000000
0x00000000
0x10021dfb
0x10021e00
0x10021e00
0x10021e03
0x10021e03
0x10021e05
0x10021e10
0x10021e13
0x10021e17
0x10021e1c
0x10021e1e
0x10021e20
0x10021f0d
0x10021f16
0x10021e26
0x10021e2a
0x10021e2f
0x10021e31
0x10021e33
0x10021e3d
0x10021e3f
0x10021e42
0x10021e4c
0x10021e4e
0x10021e51
0x10021e5b
0x10021e5d
0x10021e60
0x10021e68
0x10021e70
0x10021e7b
0x10021e83
0x10021e86
0x10021e8d
0x10021e8f
0x00000000
0x00000000
0x10021e93
0x10021e97
0x00000000
0x00000000
0x10021e9d
0x10021ea1
0x00000000
0x00000000
0x10021ea7
0x10021eab
0x00000000
0x00000000
0x10021eb1
0x10021eb5
0x00000000
0x00000000
0x10021ebb
0x10021ebe
0x10021ec5
0x10021ec7
0x10022057
0x00000000
0x10022057
0x10021ecd
0x10021ed5
0x10021ed9
0x10021ee4
0x10021eec
0x10021eef
0x10021ef6
0x10021ef8
0x10021fd8
0x10021fdb
0x00000000
0x10021fdb
0x10021f0b
0x10021f24
0x10021f2e
0x10021f31
0x10021f35
0x10021f39
0x10021f3e
0x10021f41
0x10021f45
0x10022030
0x1002203a
0x10022042
0x10022045
0x1002204a
0x1002204d
0x00000000
0x1002204d
0x10021f4b
0x10021f4d
0x10021f55
0x10021f5b
0x10021f5d
0x10021f60
0x10021f62
0x10021f64
0x10021f67
0x10021f69
0x10021f6c
0x10021fe5
0x10021feb
0x1002200e
0x10022011
0x10022012
0x10022012
0x10021fed
0x10021ff3
0x10022023
0x10022028
0x1002202b
0x1002202b
0x10021ff5
0x10021ffb
0x10022015
0x1002201b
0x1002201e
0x1002201e
0x10022001
0x10022004
0x10022007
0x10022007
0x10022007
0x10022007
0x10021f6e
0x10021f71
0x10021f73
0x10021f79
0x10021f79
0x10021f79
0x10021f7c
0x10021f7f
0x10021f81
0x10021f86
0x10021f86
0x10021f86
0x10021f89
0x10021f8c
0x10021f92
0x10021f92
0x10021f8c
0x10021f62
0x10021f4d
0x00000000
0x10021f0b
0x10021e20

APIs

mv_pix_fmt_desc_get.LICKING ref: 10021D40
mv_image_get_linesize.LICKING ref: 10021D79

Part of subcall function 10021480: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_image_fill_linesizes.LICKING(?), ref: 10021E17
mv_image_fill_plane_sizes.LICKING(?), ref: 10021E86
mv_malloc.LICKING(?), ref: 10021EBE
mv_image_fill_pointers.LICKING(?), ref: 10021EEF

Part of subcall function 10021AF0: mv_image_fill_plane_sizes.LICKING ref: 10021B60

mvpriv_set_systematic_pal2.LICKING(?), ref: 10021F39

Strings

Picture size %ux%u is invalid, xrefs: 10021FAC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_fill_plane_sizesmv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_pointersmv_image_get_linesizemv_mallocmvpriv_set_systematic_pal2
String ID: Picture size %ux%u is invalid
API String ID: 3240037220-1963597007
Opcode ID: 9876d1e184f389c71c97007de054aa87a741ee42a6eba41553c53510f02f69e1
Instruction ID: 8cb245635b1259b91d7c6fd48338c50bb2a514cd442319aa5deed3162dc1c2a1
Opcode Fuzzy Hash: 9876d1e184f389c71c97007de054aa87a741ee42a6eba41553c53510f02f69e1
Instruction Fuzzy Hash: C091497AA087458FC390DF28D58175ABBE2FFD8240F95893DE9A8C7355E735E8408B42

Uniqueness

Uniqueness Score: -1.00%

Function 10030DC5 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E10030DC5(void* __ecx, void* __fp0, intOrPtr* _a4, signed int _a8, signed int _a12, intOrPtr* _a16, char _a20, signed int _a24) {
				char _v1052;
				char _v1056;
				char _v1057;
				char _v1058;
				signed int _v1059;
				char _v1072;
				signed int _v1076;
				signed int _v1080;
				intOrPtr _v1100;
				char* _v1104;
				char* _v1108;
				void* _v1112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t84;
				void* _t89;
				intOrPtr _t96;
				char _t118;
				void* _t119;
				intOrPtr _t120;
				void* _t122;
				intOrPtr _t125;
				signed int _t128;
				intOrPtr _t131;
				signed int _t134;
				signed int _t135;
				intOrPtr* _t136;
				signed int _t137;
				signed int _t139;
				void* _t140;
				intOrPtr* _t141;
				void* _t168;

				_t168 = __fp0;
				_t141 = _t140 - 0x44c;
				_t128 = _a24;
				_t118 = _a20;
				_v1057 = 0;
				_t137 = _a8;
				_t134 = _a12;
				_v1076 = _t128;
				_v1072 = _t118;
				_v1059 = _t128;
				_v1058 = _t118;
				if(_t128 == 0 || _t118 == 0 || (_t128 & 0xffffff00 | _t128 == 0x0000005c | _t128 & 0xffffff00 | _t128 == _t118) != 0 || _t118 == 0x5c) {
					_v1108 = "Invalid separator(s) found.";
					_v1112 = 0x10;
					 *_t141 = _a4;
					E10026560();
					goto L34;
				} else {
					if(_a4 == 0 || _a16 == 0) {
						L34:
						_t119 = 0xffffffea;
						goto L30;
					} else {
						_t135 = _t134 & 0x00000001;
						_t139 = _t134 & 0x00000002;
						_t120 = 0;
						 *_a16 = 0;
						_v1108 = 0xffffffff;
						_v1112 = 0x40;
						 *_t141 =  &_v1052;
						E10008880(0, _t135, _t137, _t139);
						_v1080 = _t135;
						_t136 = 0;
						_t125 =  *_a4;
						L7:
						while(1) {
							L7:
							while(1) {
								L7:
								while(1) {
									if(_t136 != 0) {
										L23:
										_t131 =  *((intOrPtr*)(_t136 + 0x30));
										if(_t131 == 0) {
											goto L29;
										} else {
											_t136 = _t136 + 0x30;
											goto L11;
										}
									} else {
										L8:
										if(_t125 == 0) {
											if(_t136 != 0) {
												goto L23;
											} else {
												goto L29;
											}
										} else {
											_t136 =  *((intOrPtr*)(_t125 + 8));
											if(_t136 == 0) {
												L29:
												_v1112 = _a16;
												 *_t141 =  &_v1052;
												_t119 =  <=  ? E10009690(_t120, _t125, _t136, _t137) : 0;
												L30:
												return _t119;
											} else {
												_t131 =  *_t136;
												if(_t131 == 0) {
													goto L29;
												} else {
													L11:
													if( *((intOrPtr*)(_t136 + 0xc)) == 0xa) {
														continue;
													} else {
														_t84 =  *(_t136 + 0x28);
														if(_t139 == 0) {
															if((_t84 & _t137) != _t137) {
																continue;
															} else {
																goto L14;
															}
														} else {
															if(_t137 != _t84) {
																continue;
															} else {
																L14:
																if(_v1080 == 0) {
																	L17:
																	_v1112 = _t131;
																	_v1104 =  &_v1056;
																	_v1108 = 0;
																	 *_t141 = _a4;
																	_t89 = E1002D870(_t120, _t136, _t137, _t139);
																	if(_t89 < 0) {
																		_t122 = _t89;
																		_v1112 = 0;
																		 *_t141 =  &_v1052;
																		E10009690(_t122, 0, _t136, _t137);
																		return _t122;
																	} else {
																		if(_v1056 != 0) {
																			_t96 = _t120;
																			_t120 = _t120 + 1;
																			if(_t96 != 0) {
																				_v1108 = 1;
																				_v1112 =  &_v1076;
																				 *_t141 =  &_v1052;
																				E10008F30();
																			}
																			_v1100 = 0;
																			_v1104 = 1;
																			_v1108 =  &_v1059;
																			_v1112 =  *_t136;
																			 *_t141 =  &_v1052;
																			E10009730();
																			_v1112 =  &_v1072;
																			_v1108 = 1;
																			 *_t141 =  &_v1052;
																			E10008F30();
																			_v1100 = 0;
																			_v1104 = 1;
																			_v1108 =  &_v1059;
																			_v1112 = _v1056;
																			 *_t141 =  &_v1052;
																			E10009730();
																			 *_t141 =  &_v1056;
																			E100290E0();
																		}
																		goto L21;
																	}
																} else {
																	_v1112 = _t136;
																	 *_t141 = _a4;
																	if(E10030800(_t120, _t125, _t136, _t137, _t139, _t168) > 0) {
																		L21:
																		_t125 =  *_a4;
																		if(_t136 == 0) {
																			goto L8;
																		} else {
																			goto L23;
																		}
																	} else {
																		_t131 =  *_t136;
																		goto L17;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									goto L35;
								}
							}
						}
					}
				}
				L35:
			}

0x10030dc5
0x10030dd4
0x10030dda
0x10030de1
0x10030de8
0x10030ded
0x10030df4
0x10030dfb
0x10030e01
0x10030e05
0x10030e09
0x10030e0d
0x1003108a
0x1003108e
0x10031092
0x10031095
0x00000000
0x10030e38
0x10030e41
0x1003109a
0x1003109a
0x00000000
0x10030e56
0x10030e5f
0x10030e62
0x10030e65
0x10030e67
0x10030e72
0x10030e7b
0x10030e83
0x10030e86
0x10030e92
0x10030e96
0x10030e98
0x00000000
0x10030ea0
0x00000000
0x10030ea0
0x00000000
0x10030ea0
0x10030ea2
0x10030fd0
0x10030fd0
0x10030fd5
0x00000000
0x10030fd7
0x10030fd7
0x00000000
0x10030fd7
0x10030ea8
0x10030ea8
0x10030eaa
0x10030ff2
0x00000000
0x00000000
0x00000000
0x00000000
0x10030eb0
0x10030eb0
0x10030eb5
0x10031000
0x10031007
0x1003100f
0x1003101d
0x10031020
0x1003102c
0x10030ebb
0x10030ebb
0x10030ebf
0x00000000
0x10030ec5
0x10030ec5
0x10030ec9
0x00000000
0x10030ecb
0x10030ecd
0x10030ed0
0x10030fe4
0x00000000
0x10030fea
0x00000000
0x10030fea
0x10030ed6
0x10030ed8
0x00000000
0x10030eda
0x10030eda
0x10030ee0
0x10030eff
0x10030eff
0x10030f09
0x10030f14
0x10030f18
0x10030f1b
0x10030f22
0x10031058
0x1003105c
0x10031064
0x10031067
0x10031078
0x10030f28
0x10030f2e
0x10030f34
0x10030f36
0x10030f3b
0x10031035
0x1003103d
0x10031045
0x10031048
0x10031048
0x10030f48
0x10030f50
0x10030f54
0x10030f5a
0x10030f62
0x10030f65
0x10030f73
0x10030f7b
0x10030f7f
0x10030f82
0x10030f89
0x10030f92
0x10030f9a
0x10030fa2
0x10030faa
0x10030fad
0x10030fb6
0x10030fb9
0x10030fb9
0x00000000
0x10030f2e
0x10030ee2
0x10030ee2
0x10030eed
0x10030ef7
0x10030fbe
0x10030fc7
0x10030fc9
0x00000000
0x00000000
0x00000000
0x00000000
0x10030efd
0x10030efd
0x00000000
0x10030efd
0x10030ef7
0x10030ee0
0x10030ed8
0x10030ed0
0x10030ec9
0x10030ebf
0x10030eb5
0x10030eaa
0x00000000
0x10030ea2
0x10030ea0
0x10030ea0
0x10030ea0
0x10030e41
0x00000000

APIs

mv_bprint_init.LICKING ref: 10030E86
mv_opt_is_set_to_default.LICKING ref: 10030EF0
mv_opt_get.LICKING ref: 10030F1B
mv_bprint_escape.LICKING ref: 10030F65
mv_bprint_append_data.LICKING ref: 10030F82
mv_bprint_escape.LICKING ref: 10030FAD
mv_freep.LICKING ref: 10030FB9
mv_bprint_finalize.LICKING ref: 10031012
mv_log.LICKING ref: 10031095

Strings

Invalid separator(s) found., xrefs: 10031080

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_freepmv_logmv_opt_getmv_opt_is_set_to_default
String ID: Invalid separator(s) found.
API String ID: 350117393-2087347751
Opcode ID: 306d08498e64c6dfa6b0842b17f31782d22c4d4e000651b5f684b78f931ae54d
Instruction ID: eedb2b98a932ad741b50b3fbf783afbedd5dd37674d72c00a2bb786f58d66b13
Opcode Fuzzy Hash: 306d08498e64c6dfa6b0842b17f31782d22c4d4e000651b5f684b78f931ae54d
Instruction Fuzzy Hash: 0B7125756093459FD361CF29C48069BBBE5FF89385F01892EE9D8CB301E771E9448B42

Uniqueness

Uniqueness Score: -1.00%

Function 10031D24 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E10031D24(void* __ebx, void* __edx, void* __eflags) {
				signed int _t204;
				void* _t205;
				signed int _t210;
				signed int* _t217;
				void* _t220;
				void* _t225;
				signed int _t226;
				signed int _t232;
				void* _t239;
				signed int _t242;
				signed int _t245;
				signed int _t246;
				signed int _t248;
				void* _t250;

				__eax = E1004DBB0(__ebx, __eflags);
				__esp[1] = __edx;
				__esi = __eax;
				__eax = 0xf4240;
				__esp[2] = 0xf4240;
				__eax = 0;
				__edi = __edx;
				__esp[3] = 0;
				 *__esp = __esi;
				__eax = E10091900();
				 *__esp = __ebp;
				__esp[0xe] = __eax;
				__eax = 0x100b82ee;
				__esp[1] = 0x100b82ee;
				__esp[0xf] = __edx;
				__eax = E10006B30();
				__eflags = __eax;
				if(__eax == 0) {
					L39:
					_t217 =  *(_t250 + 0xd0);
					 *_t217 = _t246;
					_t217[1] = _t242;
					_t205 = 0;
					goto L40;
				} else {
					__esp[2] = __ebx;
					__eax = "%Y - %m - %d";
					__esp[1] = "%Y - %m - %d";
					 *__esp = __ebp;
					__eax = E10031790();
					__eflags = __eax;
					if(__eax != 0) {
						__edi = 0;
						__ebp = __eax;
						__esp[0xb] = 0;
					} else {
						 *__esp = __ebp;
						__eax = "%Y%m%d";
						__esp[2] = __ebx;
						__esp[1] = "%Y%m%d";
						__eax = E10031790();
						__eflags = __eax - 1;
						asm("sbb edi, edi");
						__edi = __edi & 0x00000001;
						__eflags = __eax;
						__esp[0xb] = __edi;
						__ebp =  !=  ? __eax : __ebp;
					}
					__eax =  *__ebp & 0x000000ff;
					__eflags = (__al & 0x000000df) - 0x54;
					if((__al & 0x000000df) == 0x54) {
						__ebp =  &(__ebp[1]);
					} else {
						while(1) {
							__eflags = __al - 9 - 4;
							if(__al - 9 <= 4) {
								goto L41;
							}
							__eflags = __al - 0x20;
							if(__al == 0x20) {
								goto L41;
							}
							goto L12;
							L41:
							__ebp =  &(__ebp[1]);
							__eax =  *__ebp & 0x000000ff;
						}
					}
					L12:
					__esp[2] = __ebx;
					__esi = "%H:%M:%S";
					__esp[1] = "%H:%M:%S";
					 *__esp = __ebp;
					__eax = E10031790();
					__eflags = __eax;
					__edx = __eax;
					if(__eax != 0) {
						L14:
						__eax =  *__edx & 0x000000ff;
						__ecx = 0;
						__esp[9] = 0;
						__eflags = __al - 0x2e;
						if(__al == 0x2e) {
							__esp[0xa] = 0;
							__ecx = __edx;
							__edx = __ecx[1];
							__eax = __edx;
							__edx = __edx - 0x30;
							__eflags = __edx - 9;
							if(__edx > 9) {
								_t171 =  &(__ecx[1]); // 0x1
								__edx = _t171;
								__ebp = 0;
							} else {
								__ebp = __edx * 0x186a0;
								__edx = __ecx[2];
								__eax = __edx;
								__edx = __edx - 0x30;
								__eflags = __edx - 9;
								if(__edx > 9) {
									_t172 =  &(__ecx[2]); // 0x2
									__edx = _t172;
								} else {
									__ebp =  &(__ebp[__edx]);
									__edx = __ecx[3];
									__eax = __edx;
									__edx = __edx - 0x30;
									__eflags = __edx - 9;
									if(__edx > 9) {
										_t173 =  &(__ecx[3]); // 0x3
										__edx = _t173;
									} else {
										__ebp =  &(__ebp[__edx]);
										__edx = __ecx[4];
										__eax = __edx;
										__edx = __edx - 0x30;
										__eflags = __edx - 9;
										if(__edx > 9) {
											_t174 =  &(__ecx[4]); // 0x4
											__edx = _t174;
										} else {
											__eax = __edx + __edx * 4;
											__edx = __ecx[5];
											__ebp = __ebp + __eax * 4;
											__eax = __edx;
											__edx = __edx - 0x30;
											__eflags = __edx - 9;
											if(__edx > 9) {
												_t175 =  &(__ecx[5]); // 0x5
												__edx = _t175;
											} else {
												__eax = __edx + __edx * 4;
												__edx = __ecx[6];
												__ebp = __ebp + __eax * 2;
												__eax = __edx;
												__edx = __edx - 0x30;
												__eflags = __edx - 9;
												if(__edx > 9) {
													_t176 =  &(__ecx[6]); // 0x6
													__edx = _t176;
												} else {
													__ebp =  &(__ebp[__edx]);
													_t35 =  &(__ecx[7]); // 0x7
													__edx = _t35;
													__ecx = __ecx[7];
													__eax = __ecx;
													__ecx = __ecx - 0x30;
													__eflags = __ecx - 9;
													while(__ecx <= 9) {
														__ecx =  *(__edx + 1);
														__edx = __edx + 1;
														__eax = __ecx;
														__ecx = __ecx - 0x30;
														__eflags = __ecx - 9;
													}
												}
											}
										}
									}
								}
							}
							__esi = __esp[0x36];
							__eflags = __esp[0x36];
							if(__esp[0x36] != 0) {
								__ecx = __edx;
								if(_t204 == 0x6d) {
									__eflags =  *(_t225 + 1) - 0x73;
									if( *(_t225 + 1) != 0x73) {
										goto L63;
									} else {
										_t239 = 0x5a1cac09;
										_t204 =  *(_t225 + 2) & 0x000000ff;
										_t220 = 0xa5e353f7;
										_t226 = 0x3e8;
										_t248 = 0x10624dd3 * _t248 >> 0x20 >> 6;
										goto L31;
									}
								} else {
									if(_t204 == 0x75) {
										__eflags =  *(_t225 + 1) - 0x73;
										if( *(_t225 + 1) == 0x73) {
											__eflags =  *(_t225 + 2);
											if( *(_t225 + 2) != 0) {
												goto L63;
											} else {
												_t245 = 0;
												_t242 = 0;
												goto L35;
											}
										} else {
											goto L63;
										}
									} else {
										if(_t204 == 0x73) {
											_t204 =  *(_t225 + 1) & 0x000000ff;
										}
										goto L30;
									}
								}
								goto L40;
							} else {
								goto L26;
							}
						} else {
							__esp[0xa] = 0;
							__ebp = 0;
							L26:
							__al = __al & 0x000000df;
							__eflags = __al - 0x5a;
							__ecx = __ecx & 0xffffff00 | __al == 0x0000005a;
							__edi = __cl & 0x000000ff;
							__ecx = __esp[0xb];
							__esi = __edx + __edi;
							__edi = __edi | __esp[0xb];
							__eflags = __edi;
							if(__edi != 0) {
								__edx = __esp[0xb];
								__eflags = __esp[0xb];
								if(__esp[0xb] == 0) {
									L50:
									__eax = 0;
									__esp[6] = 0;
									__eax = 0;
									__eflags = 0;
									__esp[7] = 0;
									goto L51;
								} else {
									__eflags = __al - 0x5a;
									__eax =  &(__esp[0xe]);
									__esp[1] =  &(__esp[0xe]);
									__eax =  &(__esp[0x1a]);
									 *__esp =  &(__esp[0x1a]);
									if(__al != 0x5a) {
										__eax =  *0x100ad0c4();
										__eflags = __eax;
										if(__eax != 0) {
											goto L86;
										} else {
											__eax = 0;
											__eflags = 0;
											do {
												__edx =  *(__esp + __eax + 0x68);
												 *(__esp + __eax + 0x8c) =  *(__esp + __eax + 0x68);
												__eax = __eax + 4;
												__eflags = __eax - 0x24;
											} while (__eax < 0x24);
											__eax = __esp[0x11];
											__esp[0x23] = __esp[0x11];
											__eax = __esp[0x12];
											__esp[0x24] = __esp[0x12];
											__eax = __esp[0x13];
											__esp[0x25] = __esp[0x13];
											__eax = 0;
											__eflags = 0;
											do {
												__edx =  *(__esp + __eax + 0x8c);
												 *(__esp + __eax + 0x44) = __edx;
												__eax = __eax + 4;
												__eflags = __eax - 0x24;
											} while (__eax < 0x24);
											goto L28;
										}
									} else {
										__eax =  *0x100ad0c8();
										__eflags = __eax;
										if(__eax != 0) {
											L86:
											__esi = 0;
											__ecx = 9;
											__edi =  &(__esp[0x23]);
											__eax = memcpy( &(__esp[0x23]), 0, 9 << 2);
											__edi = 0 + __ecx;
											__edi =  &(__ecx[0 + __ecx]);
											__ecx = 0;
											asm("ud2");
											_push(__ebp);
											_push(__edi);
											_push(0);
											_push(__ebx);
											__esp = __esp - 0xac;
											__ecx = __esp[0x33];
											__edi = __esp[0x30];
											__eax =  *__ecx & 0x000000ff;
											__eflags = __al - 0x3f;
											if(__al == 0x3f) {
												__eax = __ecx[1] & 0x000000ff;
												__ecx =  &(__ecx[1]);
												__eflags = __ecx;
											}
											__esi = __esp[0x31];
											__ebx =  &(__esp[8]);
											__esi = __esp[0x31] - 1;
											__eflags = __al;
											__esp[7] = __esp[0x31] - 1;
											__esi = __esp[0x32];
											if(__al == 0) {
												L100:
												__edx = __ebx;
												__eflags = __al - 0x3d;
												 *__ebx = 0;
												__ebp = __ecx;
												__edx = __edi;
												if(__al == 0x3d) {
													goto L102;
												}
											} else {
												L90:
												__eflags = __al - 0x3d;
												__edx = __ebx;
												if(__al == 0x3d) {
													goto L100;
												} else {
													while(1) {
														__eflags = __al - 0x26;
														if(__al == 0x26) {
															break;
														} else {
															goto L93;
														}
														while(1) {
															L93:
															__edx = __edx - __ebx;
															__eflags = __edx - __ebx - 0x7e;
															if(__edx - __ebx <= 0x7e) {
																break;
															}
															__eax = __ecx[1] & 0x000000ff;
															__ecx =  &(__ecx[1]);
															__eflags = __al;
															if(__al == 0) {
																L96:
																 *__edx = 0;
																__eflags = __al - 0x3d;
																__ebp = __ecx;
																__edx = __edi;
																if(__al == 0x3d) {
																	L102:
																	__eax =  &(__ecx[1]);
																	__ecx = __ecx[1] & 0x000000ff;
																	__eflags = __cl;
																	if(__cl == 0) {
																		L124:
																		__edx = __edi;
																		__ebp = __eax;
																	} else {
																		__eflags = __cl - 0x26;
																		if(__cl == 0x26) {
																			goto L124;
																		} else {
																			__esp[0x32] = __esi;
																			while(1) {
																				__esi = __esp[7];
																				__edx = __edx - __edi;
																				__eflags = __edx - __edi - __esp[7];
																				if(__edx - __edi >= __esp[7]) {
																					break;
																				}
																				__eflags = __cl - 0x2b;
																				if(__cl == 0x2b) {
																					__cl = 0x20;
																				}
																				 *__edx = __cl;
																				__ebp = __edx + 1;
																				__eax = __eax + 1;
																				__ecx =  *__eax & 0x000000ff;
																				__eflags = __cl;
																				if(__cl == 0) {
																					L123:
																					__edx = __ebp;
																					__esi = __esp[0x32];
																					__ebp = __eax;
																				} else {
																					__eflags = __cl - 0x26;
																					if(__cl == 0x26) {
																						goto L123;
																					} else {
																						__edx = __ebp;
																						continue;
																					}
																				}
																				goto L97;
																			}
																			__ebp = __eax + 1;
																			__eax =  *(__eax + 1) & 0x000000ff;
																			__esi = __esp[0x32];
																			__eflags = __al - 0x26;
																			if(__al != 0x26) {
																				__eflags = __al;
																				if(__al != 0) {
																					while(1) {
																						__eax = __ebp[1] & 0x000000ff;
																						__ebp =  &(__ebp[1]);
																						__eflags = __al;
																						if(__al == 0) {
																							break;
																						}
																						__eflags = __al - 0x26;
																						if(__al != 0x26) {
																							continue;
																						}
																						goto L97;
																					}
																				} else {
																				}
																			}
																		}
																	}
																}
															} else {
																__eflags = __al - 0x3d;
																if(__al == 0x3d) {
																	goto L96;
																} else {
																	__eflags = __al - 0x26;
																	if(__al != 0x26) {
																		continue;
																	} else {
																		goto L115;
																	}
																}
															}
															goto L97;
														}
														 *__edx = __al;
														__eax = __ecx[1] & 0x000000ff;
														__ecx =  &(__ecx[1]);
														__ebp = __edx + 1;
														__edx = __edx + 1;
														__eflags = __al - 0x3d;
														if(__al == 0x3d) {
															goto L96;
														} else {
															__eflags = __al;
															if(__al != 0) {
																continue;
															} else {
																goto L96;
															}
														}
														goto L97;
													}
													L115:
													 *__edx = 0;
													__ebp = __ecx;
													__edx = __edi;
												}
											}
											L97:
											 *__edx = 0;
											__eax = strcmp(__ebx, __esi);
											__eflags = __eax;
											if(__eax == 0) {
												__esp =  &(__esp[0x2b]);
												__eax = 1;
												_pop(__ebx);
												_pop(__esi);
												_pop(__edi);
												_pop(__ebp);
												return 1;
											} else {
												__eflags =  *__ebp - 0x26;
												if( *__ebp != 0x26) {
													__esp =  &(__esp[0x2b]);
													__eax = 0;
													__eflags = 0;
													_pop(__ebx);
													_pop(__esi);
													_pop(__edi);
													_pop(__ebp);
													return 0;
												} else {
													__eax = __ebp[1] & 0x000000ff;
													__ecx =  &(__ebp[1]);
													__eflags = __al;
													if(__al != 0) {
														goto L90;
													} else {
														goto L100;
													}
													goto L97;
												}
											}
										} else {
											__eax = 0;
											__eflags = 0;
											do {
												__edx =  *(__esp + __eax + 0x68);
												 *(__esp + __eax + 0x8c) =  *(__esp + __eax + 0x68);
												__eax = __eax + 4;
												__eflags = __eax - 0x24;
											} while (__eax < 0x24);
											__eax = __esp[0x11];
											__esp[0x23] = __esp[0x11];
											__eax = __esp[0x12];
											__esp[0x24] = __esp[0x12];
											__eax = __esp[0x13];
											__esp[0x25] = __esp[0x13];
											__eax = 0;
											__eflags = 0;
											do {
												__edx =  *(__esp + __eax + 0x8c);
												 *(__esp + __eax + 0x44) =  *(__esp + __eax + 0x8c);
												__eax = __eax + 4;
												__eflags = __eax - 0x24;
											} while (__eax < 0x24);
											goto L50;
										}
									}
								}
							} else {
								__eax =  *__esi & 0x000000ff;
								__al = __al - 0x2b;
								__eflags = __al & 0x000000fd;
								if((__al & 0x000000fd) == 0) {
									__ebx =  &(__esp[0x23]);
									__edx = 0;
									__eax = 0;
									__eflags = 0;
									do {
										 *(__esp + __eax + 0x8c) = 0;
										 *((intOrPtr*)(__esp + __eax + 0x90)) = 0;
										__eax = __eax + 8;
										__eflags = __eax - 0x20;
									} while (__eax < 0x20);
									__ebx[__eax] = 0;
									__eax = 0;
									__edx = 0x100b82e8;
									__eflags =  *__esi - 0x2b;
									__eax = 0 |  *__esi != 0x0000002b;
									__esi =  &(__esi[1]);
									__eflags = __esi;
									__esp[6] = __eax;
									while(1) {
										__esp[2] = __ebx;
										__esp[1] = __edx;
										 *__esp = __esi;
										__eax = E10031790();
										__eflags = __eax;
										if(__eax != 0) {
											break;
										}
										__edi = __edi + 1;
										__eflags = __edi - 3;
										if(__edi == 3) {
											goto L63;
										} else {
											__edx =  *(0x100b8324 + __edi * 4);
											continue;
										}
										goto L40;
									}
									__ecx = __esp[0x25];
									__esi = __eax;
									__eax = __esp[6];
									__edx = (__ecx << 4) - __ecx;
									__ecx = __esp[0x24];
									__edx = __esp[0x24] + __edx * 4;
									__edx = __edx * __esp[6];
									__edx = __edx << 4;
									__eax = (__edx << 4) - __edx;
									__eax = (__edx << 4) - __edx << 2;
									__esp[6] = __eax;
									__esp[7] = __eax;
									L51:
									__edx = __esp[0x15];
									__eax = 0;
									__esp[0x19] = 0;
									__ecx = __esp[0x16];
									__edi = __esp[0x14];
									__eax = __edx + 1;
									__eflags = __eax - 2;
									if(__eax <= 2) {
										__eax = __edx + 0xd;
										__ecx =  &(__ecx[0x76b]);
									} else {
										__ecx =  &(__ecx[0x76c]);
										__eflags = __ecx;
									}
									__eax = __eax + __eax * 8;
									__edx = __eax;
									__edx = __eax << 4;
									__ebx = __eax + (__eax << 4) - 0x1c9;
									__eax = 0x66666667;
									__edx = 0x66666667 * __ebx >> 0x20;
									0x66666667 * __ebx = __ebx;
									__eax = __ebx >> 0x1f;
									__edx = 0x66666667 * __ebx >> 0x20 >> 1;
									__edx = (0x66666667 * __ebx >> 0x20 >> 1) - (__ebx >> 0x1f);
									__eax = __ecx + __ecx * 8;
									__eax = __ecx + (__ecx + __ecx * 8) * 8;
									__ebx = __edx + __edi;
									__ebx =  &((__edx + __edi)[__eax]);
									__eflags = __ecx;
									 &(__ecx[3]) =  >=  ? __ecx :  &(__ecx[3]);
									__eax = ( >=  ? __ecx :  &(__ecx[3])) >> 2;
									__ebx =  &(__ebx[( >=  ? __ecx :  &(__ecx[3])) >> 2]);
									__eax = 0x51eb851f;
									__edx = 0x51eb851f * __ecx >> 0x20;
									__eax = 0x51eb851f * __ecx;
									__ecx = __ecx >> 0x1f;
									__edi = __ecx;
									__eax = __edx;
									__eax = __edx >> 5;
									__edx = __edx >> 7;
									__edi = __ecx - __eax;
									__edi =  &(__ebx[__ecx - __eax]);
									__ebx = __esp[0x12];
									__eax = __edi + __edx - 0xafa6d;
									__edx = 0x15180;
									__edi = __esp[0x13] * 0xe10;
									__edx = __eax * 0x15180 >> 0x20;
									__eax = __eax * 0x15180;
									__ecx = (__ebx << 4) - __ebx;
									__ecx = __esp[0x13] * 0xe10 + ((__ebx << 4) - __ebx) * 4;
									__edi = __esp[0x11];
									__ecx =  &((__esp[0x13] * 0xe10 + ((__ebx << 4) - __ebx) * 4)[__esp[0x11]]);
									__ebx = __ecx;
									__ebx = __ecx >> 0x1f;
									__ecx =  &(__ecx[__eax]);
									asm("adc ebx, edx");
									__ecx =  &(__ecx[__esp[6]]);
									asm("adc ebx, [esp+0x1c]");
									__esp[6] = __ecx;
									__esp[7] = __ebx;
									goto L29;
								} else {
									L28:
									 *__esp = __ebx;
									__ecx = 0xffffffff;
									__esp[0x19] = 0xffffffff;
									__imp___mktime64();
									__esp[6] = __eax;
									__esp[7] = __edx;
									L29:
									__eax =  *__esi & 0x000000ff;
									L30:
									_t239 = 0x842fa50a;
									_t220 = 0x7bd05af6;
									_t226 = 0xf4240;
									L31:
									if(_t204 != 0) {
										goto L63;
									} else {
										asm("sbb edx, eax");
										if(_t220 <  *(_t250 + 0x18)) {
											L76:
											_t205 = 0xffffffde;
										} else {
											_t210 =  *(_t250 + 0x18);
											_t232 =  *(_t250 + 0x1c);
											asm("sbb edi, esi");
											if(_t210 < _t239) {
												goto L76;
											} else {
												_t245 = _t248;
												_t242 = _t248 >> 0x1f;
												 *(_t250 + 0x1c) = _t210 * _t226 >> 0x20;
												 *(_t250 + 0x1c) =  *(_t250 + 0x1c) + _t232 * _t226;
												 *(_t250 + 0x18) = _t210 * _t226;
												asm("sbb edx, edi");
												asm("sbb eax, ebx");
												if(0xffffffff - _t248 <  *(_t250 + 0x18)) {
													goto L76;
												} else {
													L35:
													_t246 = _t245 +  *(_t250 + 0x18);
													asm("adc edi, [esp+0x1c]");
													if((_t246 | _t242 + 0x80000000) != 0 ||  *((char*)(_t250 + 0x2b)) == 0) {
														if( *((intOrPtr*)(_t250 + 0x24)) != 0) {
															_t246 =  ~_t246;
															asm("adc edi, 0x0");
															_t242 =  ~_t242;
														}
														goto L39;
													} else {
														goto L76;
													}
												}
											}
										}
									}
								}
								goto L40;
							}
						}
					} else {
						__esp[2] = __ebx;
						__ecx = "%H%M%S";
						__esp[1] = "%H%M%S";
						 *__esp = __ebp;
						__eax = E10031790();
						__eflags = __eax;
						__edx = __eax;
						if(__eax == 0) {
							L63:
							_t205 = 0xffffffea;
							L40:
							return _t205;
						} else {
							goto L14;
						}
					}
				}
			}

0x10031d28
0x10031d2d
0x10031d31
0x10031d33
0x10031d38
0x10031d3c
0x10031d3e
0x10031d40
0x10031d44
0x10031d47
0x10031d4c
0x10031d4f
0x10031d53
0x10031d58
0x10031d5c
0x10031d60
0x10031d65
0x10031d67
0x10032004
0x10032004
0x1003200b
0x1003200d
0x10032010
0x00000000
0x10031d6d
0x10031d6d
0x10031d71
0x10031d76
0x10031d7a
0x10031d7d
0x10031d82
0x10031d84
0x100323dd
0x100323df
0x100323e1
0x10031d8a
0x10031d8a
0x10031d8d
0x10031d92
0x10031d96
0x10031d9a
0x10031d9f
0x10031da2
0x10031da4
0x10031da7
0x10031da9
0x10031dad
0x10031dad
0x10031db0
0x10031db9
0x10031dbc
0x100321e8
0x00000000
0x10031dd0
0x10031dd5
0x10031dd8
0x00000000
0x00000000
0x10031dde
0x10031de0
0x00000000
0x00000000
0x00000000
0x10032020
0x10032020
0x10032021
0x10032021
0x10031dd0
0x10031de6
0x10031de6
0x10031dea
0x10031def
0x10031df3
0x10031df6
0x10031dfb
0x10031dfd
0x10031dff
0x10031e20
0x10031e20
0x10031e23
0x10031e25
0x10031e29
0x10031e2b
0x100323f1
0x100323f6
0x10031e46
0x10031e4a
0x10031e4c
0x10031e4f
0x10031e52
0x100323aa
0x100323aa
0x100323ad
0x10031e58
0x10031e58
0x10031e5e
0x10031e62
0x10031e64
0x10031e67
0x10031e6a
0x100323b4
0x100323b4
0x10031e70
0x10031e76
0x10031e78
0x10031e7c
0x10031e7e
0x10031e81
0x10031e84
0x100323bc
0x100323bc
0x10031e8a
0x10031e90
0x10031e92
0x10031e96
0x10031e98
0x10031e9b
0x10031e9e
0x100323c4
0x100323c4
0x10031ea4
0x10031ea4
0x10031ea7
0x10031eae
0x10031eb2
0x10031eb4
0x10031eb7
0x10031eba
0x100323cc
0x100323cc
0x10031ec0
0x10031ec0
0x10031ec3
0x10031ec7
0x10031ecb
0x10031ecd
0x10031ed0
0x10031ed3
0x100323d5
0x100323d5
0x10031ed9
0x10031ed9
0x10031edb
0x10031edb
0x10031ede
0x10031ee2
0x10031ee4
0x10031ee7
0x10031eea
0x10031ef0
0x10031ef4
0x10031ef5
0x10031ef7
0x10031efa
0x10031efa
0x10031eea
0x10031ed3
0x10031eba
0x10031e9e
0x10031e84
0x10031e6a
0x10031eff
0x10031f06
0x10031f08
0x100323ea
0x10031ced
0x10032210
0x10032214
0x00000000
0x10032216
0x1003221b
0x10032227
0x1003222b
0x10032230
0x10032238
0x00000000
0x1003223a
0x10031cf3
0x10031cf5
0x100321f0
0x100321f4
0x10032388
0x1003238c
0x00000000
0x10032392
0x10032392
0x10032394
0x00000000
0x10032394
0x00000000
0x00000000
0x00000000
0x10031cfb
0x10031d00
0x10031d06
0x10031d06
0x00000000
0x10031d00
0x10031cf5
0x00000000
0x00000000
0x00000000
0x00000000
0x10031e31
0x10031e31
0x10031e36
0x10031f0e
0x10031f0e
0x10031f10
0x10031f12
0x10031f15
0x10031f18
0x10031f1c
0x10031f1f
0x10031f1f
0x10031f21
0x10032030
0x10032034
0x10032036
0x100320b0
0x100320b0
0x100320b2
0x100320b6
0x100320b6
0x100320b8
0x00000000
0x10032038
0x10032038
0x1003203a
0x1003203e
0x10032042
0x10032046
0x10032049
0x100322e8
0x100322ee
0x100322f0
0x00000000
0x100322f6
0x100322f6
0x100322f6
0x100322f8
0x100322f8
0x100322fc
0x10032303
0x10032306
0x10032306
0x1003230b
0x1003230f
0x10032316
0x1003231a
0x10032321
0x10032325
0x1003232c
0x1003232c
0x1003232e
0x1003232e
0x10032335
0x10032339
0x1003233c
0x1003233c
0x00000000
0x10032341
0x1003204f
0x1003204f
0x10032055
0x10032057
0x100323fd
0x100323fd
0x100323ff
0x10032404
0x1003240b
0x1003240b
0x1003240b
0x1003240b
0x1003240d
0x10032410
0x10032411
0x10032412
0x10032413
0x10032414
0x1003241a
0x10032421
0x10032428
0x1003242b
0x1003242d
0x1003242f
0x10032433
0x10032433
0x10032433
0x10032434
0x1003243b
0x1003243f
0x10032440
0x10032442
0x10032446
0x1003244d
0x100324c0
0x100324c0
0x100324c2
0x100324c4
0x100324c7
0x100324c9
0x100324cb
0x00000000
0x00000000
0x10032450
0x10032450
0x10032450
0x10032452
0x10032454
0x00000000
0x10032460
0x10032460
0x10032460
0x10032462
0x00000000
0x00000000
0x00000000
0x00000000
0x10032468
0x10032468
0x1003246a
0x1003246c
0x1003246f
0x00000000
0x00000000
0x10032530
0x10032534
0x10032535
0x10032537
0x10032489
0x10032489
0x1003248c
0x1003248e
0x10032490
0x10032492
0x100324d0
0x100324d0
0x100324d3
0x100324d7
0x100324d9
0x100325ad
0x100325ad
0x100325af
0x100324df
0x100324df
0x100324e2
0x00000000
0x100324e8
0x100324e8
0x100324ef
0x100324ef
0x100324f5
0x100324f7
0x100324f9
0x00000000
0x00000000
0x10032560
0x10032563
0x10032565
0x10032565
0x10032567
0x10032569
0x1003256c
0x1003256d
0x10032570
0x10032572
0x1003259d
0x1003259d
0x1003259f
0x100325a6
0x10032574
0x10032574
0x10032577
0x00000000
0x10032579
0x10032579
0x00000000
0x10032579
0x10032577
0x00000000
0x10032572
0x100324fb
0x100324fe
0x10032502
0x10032509
0x1003250b
0x1003250d
0x1003250f
0x10032520
0x10032520
0x10032524
0x10032525
0x10032527
0x00000000
0x00000000
0x10032518
0x1003251a
0x00000000
0x00000000
0x00000000
0x1003251a
0x00000000
0x10032511
0x1003250f
0x1003250b
0x100324e2
0x100324d9
0x1003253d
0x1003253d
0x10032540
0x00000000
0x10032546
0x10032546
0x10032548
0x00000000
0x00000000
0x00000000
0x00000000
0x10032548
0x10032540
0x00000000
0x10032537
0x10032475
0x10032477
0x1003247b
0x1003247c
0x1003247f
0x10032481
0x10032483
0x00000000
0x10032485
0x10032485
0x10032487
0x00000000
0x00000000
0x00000000
0x00000000
0x10032487
0x00000000
0x10032483
0x1003254e
0x1003254e
0x10032551
0x10032553
0x10032553
0x10032454
0x10032494
0x10032494
0x1003249e
0x100324a3
0x100324a5
0x10032580
0x10032586
0x1003258b
0x1003258c
0x1003258d
0x1003258e
0x1003258f
0x100324ab
0x100324ab
0x100324af
0x10032590
0x10032596
0x10032596
0x10032598
0x10032599
0x1003259a
0x1003259b
0x1003259c
0x100324b5
0x100324b5
0x100324b9
0x100324bc
0x100324be
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100324be
0x100324af
0x1003205d
0x1003205d
0x1003205d
0x1003205f
0x1003205f
0x10032063
0x1003206a
0x1003206d
0x1003206d
0x10032072
0x10032076
0x1003207d
0x10032081
0x10032088
0x1003208c
0x10032093
0x10032093
0x10032095
0x10032095
0x1003209c
0x100320a0
0x100320a3
0x100320a3
0x00000000
0x10032095
0x10032057
0x10032049
0x10031f27
0x10031f27
0x10031f2a
0x10031f2c
0x10031f2e
0x10032180
0x10032187
0x10032189
0x10032189
0x1003218b
0x1003218b
0x10032192
0x10032199
0x1003219c
0x1003219c
0x100321a1
0x100321a8
0x100321aa
0x100321af
0x100321b2
0x100321b5
0x100321b5
0x100321ba
0x100321be
0x100321be
0x100321c2
0x100321c6
0x100321c9
0x100321ce
0x100321d0
0x00000000
0x00000000
0x100321d6
0x100321d7
0x100321da
0x00000000
0x100321dc
0x100321dc
0x00000000
0x100321dc
0x00000000
0x100321da
0x10032346
0x1003234d
0x1003234f
0x10032358
0x1003235a
0x10032361
0x10032364
0x10032369
0x1003236c
0x1003236e
0x10032371
0x10032378
0x100320bc
0x100320bc
0x100320c0
0x100320c2
0x100320c6
0x100320ca
0x100320ce
0x100320d1
0x100320d4
0x10032248
0x1003224b
0x100320da
0x100320da
0x100320da
0x100320da
0x100320e0
0x100320e3
0x100320e5
0x100320e8
0x100320ef
0x100320f4
0x100320f6
0x100320f8
0x100320fb
0x100320fd
0x100320ff
0x10032102
0x10032105
0x1003210b
0x1003210d
0x10032112
0x10032115
0x10032118
0x1003211a
0x1003211f
0x1003211f
0x10032121
0x10032124
0x10032126
0x10032128
0x1003212b
0x1003212e
0x10032130
0x10032132
0x10032138
0x1003213f
0x10032144
0x1003214c
0x1003214c
0x10032153
0x10032155
0x10032158
0x1003215c
0x1003215e
0x10032160
0x10032163
0x10032165
0x10032167
0x1003216b
0x1003216f
0x10032173
0x00000000
0x10031f34
0x10031f34
0x10031f34
0x10031f37
0x10031f3c
0x10031f40
0x10031f46
0x10031f4a
0x10031f4e
0x10031f4e
0x10031f51
0x10031f51
0x10031f5b
0x10031f65
0x10031f6a
0x10031f6c
0x00000000
0x10031f72
0x10031f7c
0x10031f7e
0x100323a0
0x100323a0
0x10031f84
0x10031f84
0x10031f88
0x10031f90
0x10031f92
0x00000000
0x10031f98
0x10031f9e
0x10031fa3
0x10031fa6
0x10031faf
0x10031fb3
0x10031fc6
0x10031fcc
0x10031fce
0x00000000
0x10031fd4
0x10031fd4
0x10031fd4
0x10031fd8
0x10031fe8
0x10031ffb
0x10031ffd
0x10031fff
0x10032002
0x10032002
0x00000000
0x00000000
0x00000000
0x00000000
0x10031fe8
0x10031fce
0x10031f92
0x10031f7e
0x10031f6c
0x00000000
0x10031f2e
0x10031f21
0x10031e01
0x10031e01
0x10031e05
0x10031e0a
0x10031e0e
0x10031e11
0x10031e16
0x10031e18
0x10031e1a
0x10032200
0x10032200
0x10032012
0x1003201c
0x00000000
0x00000000
0x00000000
0x10031e1a
0x10031dff

APIs

mv_gettime.LICKING ref: 10031D28
mv_strcasecmp.LICKING ref: 10031D60
mv_small_strptime.LICKING ref: 10031D7D
mv_small_strptime.LICKING ref: 10031D9A
mv_small_strptime.LICKING ref: 10031DF6
mv_small_strptime.LICKING ref: 10031E11
_mktime64.MSVCRT ref: 10031F40

Strings

%H%M%S, xrefs: 10031E05
%Y%m%d, xrefs: 10031D8D
now, xrefs: 10031D53
%H:%M:%S, xrefs: 10031DEA
%Y - %m - %d, xrefs: 10031D71

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_small_strptime$_mktime64mv_gettimemv_strcasecmp
String ID: %H%M%S$%H:%M:%S$%Y - %m - %d$%Y%m%d$now
API String ID: 3102546153-2275413634
Opcode ID: 4bf48ac0d7b20a7a536318e99917dc060e85f39b1dd693b5c177bf7607698aa2
Instruction ID: 393ac7e939c8bc40fb2518d18f59a15e32832519eb81408492e7220f9a1aacc8
Opcode Fuzzy Hash: 4bf48ac0d7b20a7a536318e99917dc060e85f39b1dd693b5c177bf7607698aa2
Instruction Fuzzy Hash: A4518071A083468FC345DF29848035ABBE2EBC8755F55892EE9D8CB391EA34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10034473 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 87stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 10034497
strcmp.MSVCRT ref: 100344AC
strcmp.MSVCRT ref: 100344FC

Strings

rgba, xrefs: 100344B3
rgb32, xrefs: 10034483
bgra, xrefs: 10034510
yuv420p, xrefs: 100344C0, 10034544
%s%s, xrefs: 1003451C
bgr32, xrefs: 100344A3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp
String ID: %s%s$bgr32$bgra$rgb32$rgba$yuv420p
API String ID: 1004003707-3566121812
Opcode ID: 9550c25b13b3c51ea765e66f3a5b83d88c901e3b85b8e96a12ffededae0969d6
Instruction ID: 807c7c8d8e474d4a4436a7f9c776c039c9797f57d3ea9103522d9848d4e2685b
Opcode Fuzzy Hash: 9550c25b13b3c51ea765e66f3a5b83d88c901e3b85b8e96a12ffededae0969d6
Instruction Fuzzy Hash: EA314179E087559BC701DF69848435EB6D4FF84785F43882EE989DF301EA78EC009B81

Uniqueness

Uniqueness Score: -1.00%

Function 1004F819 Relevance: 19.8, APIs: 13, Instructions: 297COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F3EF
mv_tree_find.LICKING ref: 1004F40E
mv_tree_find.LICKING ref: 1004F478
mv_tree_find.LICKING ref: 1004F493
mv_tree_find.LICKING ref: 1004F58F
mv_tree_find.LICKING ref: 1004F5AE
mv_tree_find.LICKING ref: 1004F618
mv_tree_find.LICKING ref: 1004F633

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: a4cfb47e0e14e20cdd003f70e4cf5779280a1b1b1a9cf85861452e91f4ec990a
Instruction ID: c7f190c874f57329fc2fe3ad2be13bc28488bbd5c1e1fb4dabc0d28fea6bd479
Opcode Fuzzy Hash: a4cfb47e0e14e20cdd003f70e4cf5779280a1b1b1a9cf85861452e91f4ec990a
Instruction Fuzzy Hash: DBD19DB490974A9FC300DF6AC18441AFBE5FFC8A54F61892EE898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1004F34C Relevance: 19.8, APIs: 13, Instructions: 294COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F3EF
mv_tree_find.LICKING ref: 1004F40E
mv_tree_find.LICKING ref: 1004F478
mv_tree_find.LICKING ref: 1004F493
mv_tree_find.LICKING ref: 1004F58F
mv_tree_find.LICKING ref: 1004F5AE
mv_tree_find.LICKING ref: 1004F618
mv_tree_find.LICKING ref: 1004F633

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: 95cf165c7df1e3b14e8353417eaf65eff3f766b1f1fabdb0d3657f97e4e1532e
Instruction ID: 2a62cc5924bba10f92a7aef7dac0e5bedf0f6485aee9e4d766e4602ad48d7f01
Opcode Fuzzy Hash: 95cf165c7df1e3b14e8353417eaf65eff3f766b1f1fabdb0d3657f97e4e1532e
Instruction Fuzzy Hash: 87C1ADB490974A9FC300DF6AC18441AFBE5FFC8A54F61892EE898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1004F397 Relevance: 19.8, APIs: 13, Instructions: 279COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F3EF
mv_tree_find.LICKING ref: 1004F40E
mv_tree_find.LICKING ref: 1004F478
mv_tree_find.LICKING ref: 1004F493
mv_tree_find.LICKING ref: 1004F58F
mv_tree_find.LICKING ref: 1004F5AE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: 5ba1de0a2128bb80714fc7f87f514a6120d16dbb4c6ec235376ab0e5548afddf
Instruction ID: 0f8417ddc71165b3cfebcbbcf800086c18ccf89af56e5d4dc9f03a298295fbcd
Opcode Fuzzy Hash: 5ba1de0a2128bb80714fc7f87f514a6120d16dbb4c6ec235376ab0e5548afddf
Instruction Fuzzy Hash: 50C1ADB490974A9FC300DF6AC18441AFBE5FF88A54F61892EF898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1001C870 Relevance: 19.7, APIs: 13, Instructions: 169COMMON

Download Yara Rule

APIs

mv_ripemd_init.LICKING ref: 1001C8DE
mv_ripemd_init.LICKING ref: 1001C8F6
mv_ripemd_init.LICKING ref: 1001C90E
mv_ripemd_init.LICKING ref: 1001C926
mv_sha_init.LICKING ref: 1001C93E
mv_sha_init.LICKING ref: 1001C95E
mv_sha_init.LICKING ref: 1001C97E
mv_sha512_init.LICKING ref: 1001C99E
mv_sha512_init.LICKING ref: 1001C9BE
mv_sha512_init.LICKING ref: 1001C9DE
mv_sha512_init.LICKING ref: 1001C9FE
mv_adler32_update.LICKING ref: 1001CA46
mv_crc.LICKING ref: 1001CAD5

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_ripemd_initmv_sha512_init$mv_sha_init$mv_adler32_updatemv_crc
String ID:
API String ID: 2533704273-0
Opcode ID: f61674c7a4464bd4039b9986a072808c349c40d6a8a4e5e275c5e8f2d66ba94a
Instruction ID: f0649640c2f65e3f5a84f6ba711108ae16dcb6379b5757981ac4c9ce1476ae06
Opcode Fuzzy Hash: f61674c7a4464bd4039b9986a072808c349c40d6a8a4e5e275c5e8f2d66ba94a
Instruction Fuzzy Hash: 71717EB4909700DFC754DF68C18491ABBE0FF8D358F1489AEE9898B321D734D980EB56

Uniqueness

Uniqueness Score: -1.00%

Function 100A1770 Relevance: 19.6, APIs: 13, Instructions: 147
threadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E100A1770(void* __ebx, void* __edi, void* __esi, void* __ebp) {
				void* _v16;
				long _v20;
				char* _v24;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				long _t37;
				void* _t39;
				long _t40;
				void* _t44;
				void* _t45;
				long _t46;
				void* _t49;
				void* _t50;
				void* _t53;
				long* _t54;

				_t49 = __esi;
				_t45 = __ebx;
				if( *0x101d9248 == 1) {
					return _t37;
				} else {
					_push(__edi);
					__eax = 0x101d9248;
					_push(__esi);
					__esp = __esp - 0x10;
					__eax = E100A10F0(0x101d9248, __eflags);
					_t9 = __eax + 4; // 0x4
					__esi = _t9;
					__ebx = __eax;
					 *__esp = __esi;
					__eax = E100A4070(__ebx);
					__edi =  *0x101d9248;
					__eflags = __edi;
					if(__edi != 0) {
						__eflags = __edi - 1;
						if(__edi == 1) {
							goto L18;
						} else {
							 *__esp = 2;
							__eax =  *0x100ad0cc();
							_v16 = __edi;
							_v20 = 0x101d9248;
							__eax = fprintf(__eax, " once %p is %d\n");
							__eax = E100A43B0(__esi);
							__eflags = __ebx;
							if(__ebx != 0) {
								goto L19;
							} else {
								goto L22;
							}
						}
					} else {
						__eax = TlsAlloc();
						 *0x100ad0f0 = __eax;
						__eflags = __eax - 0xffffffff;
						if(__eflags == 0) {
							abort();
							while(1) {
								_push(__ebp);
								_push(__edi);
								_push(__esi);
								_push(__ebx);
								__esp = __esp - 0x2c;
								__eax = E100A14F0(__eflags);
								__eflags =  *0x101e1020;
								if( *0x101e1020 == 0) {
									break;
								}
								__ebx = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									break;
								} else {
									 *(__eax + 0x24) = 1;
									 *((intOrPtr*)(__ebx + 0x3c)) = GetCurrentThreadId();
									__eax = CreateEventA(0, 1, 0, 0);
									 *((intOrPtr*)(__ebx + 0x1c)) = 0xffffffff;
									 *(__ebx + 0x18) = __eax;
									__esp = __esp - 0x10;
									_t20 = __ebx + 0x38; // 0x38
									__eax = _t20;
									 *__esp = _t20;
									__eax = E100A53B0();
									__eflags = __eax - 1;
									if(__eax == 1) {
										E100A1310();
										goto L33;
									} else {
										__ebp = GetCurrentProcess;
										 *(__ebx + 0x38) = 0xffffffff;
										 *(__ebx + 0x64) = 0;
										 *(__ebx + 0x14) = 0;
										__edi = GetCurrentProcess();
										__esi = GetCurrentThread();
										__eax = GetCurrentProcess();
										_t24 = __ebx + 0x14; // 0x14
										__eax = DuplicateHandle(__eax, __esi, __edi, _t24, 0, 0, 2);
										__esp = __esp - 0x1c;
										__eflags = __eax;
										if(__eax == 0) {
											L33:
											abort();
											__esp = __esp - 0x1c;
											__eax = E100A1770(__ebx, __edi, __esi, __ebp);
											__eax =  *0x100ad0f0; // 0xffffffff
											__eax = TlsGetValue(__eax);
											__esp = __esp - 4;
											__eflags = __eax;
											if(__eflags == 0) {
												__esp =  &(__esp[7]);
												continue;
											} else {
												__esp =  &(__esp[7]);
												return __eax;
											}
										} else {
											__eax =  *(__ebx + 0x14);
											__eax = GetThreadPriority( *(__ebx + 0x14));
											 *(__ebx + 0x68) = 0;
											 *(__ebx + 0x6c) = __eax;
											__eax =  *(__ebx + 0x20) & 0x000000ff;
											__esp = __esp - 4;
											 *(__ebx + 0x20) & 0xcf =  *(__ebx + 0x20) & 0xcf | 0x00000010;
											 *(__ebx + 0x20) = __al;
											__eax =  *0x100ad0f0; // 0xffffffff
											__eax = TlsSetValue(__eax, __ebx);
											__esp = __esp - 8;
											__eflags = __eax;
											if(__eax == 0) {
												goto L33;
											} else {
												__esp =  &(__esp[0xb]);
												__eax = __ebx;
												_pop(__ebx);
												_pop(__esi);
												_pop(__edi);
												_pop(__ebp);
												return __ebx;
											}
										}
									}
								}
								goto L37;
							}
							__esp =  &(__esp[0xb]);
							__ebx = 0;
							__eflags = 0;
							__eax = 0;
							_pop(__ebx);
							_pop(__esi);
							_pop(__edi);
							_pop(__ebp);
							return 0;
						} else {
							 *0x101d9248 = 1;
							L18:
							__eax = E100A43B0(__esi);
							__eflags = __ebx;
							if(__ebx == 0) {
								L22:
								__esp =  &(__esp[4]);
								_pop(__ebx);
								_pop(__esi);
								_pop(__edi);
								return __eax;
							} else {
								L19:
								__esp =  &(__esp[4]);
								__eax = __ebx;
								_pop(__ebx);
								_pop(__esi);
								_pop(__edi);
								_push(_t49);
								_t46 = _t37;
								_t54 = _t53 - 0x14;
								 *_t54 = 0x100ad0e4;
								E100A53C0(_t45);
								_t39 =  *0x101d921c;
								if(_t39 == 0 || _t39 == _t46) {
									_t50 = 0;
									goto L6;
								} else {
									while(1) {
										_t50 = _t39;
										_t39 =  *(_t39 + 0xc);
										if(_t39 == 0) {
											break;
										}
										if(_t39 != _t46) {
											continue;
										} else {
											L6:
											if(_t39 == 0) {
												break;
											} else {
												_t2 = _t46 + 8;
												 *_t2 =  *((intOrPtr*)(_t46 + 8)) - 1;
												if( *_t2 == 0) {
													 *_t54 = _t46 + 4;
													E100A4530();
													_t44 =  *(_t46 + 0xc);
													__eflags = _t50;
													if(_t50 == 0) {
														 *0x101d921c = _t44;
													} else {
														 *(_t50 + 0xc) = _t44;
													}
													 *_t54 = _t46;
													L100A0710();
												}
											}
										}
										goto L8;
									}
									 *_t54 = 2;
									_t40 =  *0x100ad0cc();
									_v20 = _t46;
									_v24 = "%p not found?!?!\n";
									 *_t54 = _t40;
									L100A6AA8();
								}
								L8:
								 *_t54 = 0x100ad0e4;
								return E100A5410();
							}
						}
					}
				}
				L37:
			}

0x100a1770
0x100a1770
0x100a1777
0x100a1828
0x100a177d
0x100a177d
0x100a177e
0x100a1783
0x100a1785
0x100a1788
0x100a178d
0x100a178d
0x100a1790
0x100a1792
0x100a1795
0x100a179a
0x100a17a0
0x100a17a2
0x100a17e0
0x100a17e3
0x00000000
0x100a17e5
0x100a17e5
0x100a17ec
0x100a17f2
0x100a17f6
0x100a1809
0x100a1811
0x100a1816
0x100a1818
0x00000000
0x00000000
0x00000000
0x00000000
0x100a1818
0x100a17a4
0x100a17a4
0x100a17aa
0x100a17af
0x100a17b2
0x100a1829
0x100a1830
0x100a1830
0x100a1831
0x100a1832
0x100a1833
0x100a1834
0x100a1837
0x100a1842
0x100a1844
0x00000000
0x00000000
0x100a184a
0x100a184c
0x100a184e
0x00000000
0x100a1854
0x100a1854
0x100a1861
0x100a1883
0x100a1889
0x100a1890
0x100a1893
0x100a1896
0x100a1896
0x100a1899
0x100a189c
0x100a18a1
0x100a18a4
0x100a1964
0x00000000
0x100a18aa
0x100a18aa
0x100a18b0
0x100a18b7
0x100a18be
0x100a18c7
0x100a18cf
0x100a18d1
0x100a18d3
0x100a18fd
0x100a1903
0x100a1906
0x100a1908
0x100a1969
0x100a1969
0x100a1970
0x100a1973
0x100a1978
0x100a1980
0x100a1986
0x100a1989
0x100a198b
0x100a1998
0x00000000
0x100a198d
0x100a198d
0x100a1990
0x100a1990
0x100a190a
0x100a190a
0x100a1910
0x100a1916
0x100a191d
0x100a1920
0x100a1924
0x100a192a
0x100a192d
0x100a1930
0x100a193c
0x100a1942
0x100a1945
0x100a1947
0x00000000
0x100a1949
0x100a1949
0x100a194c
0x100a194e
0x100a194f
0x100a1950
0x100a1951
0x100a1952
0x100a1952
0x100a1947
0x100a1908
0x100a18a4
0x00000000
0x100a184e
0x100a1958
0x100a195b
0x100a195b
0x100a195d
0x100a195f
0x100a1960
0x100a1961
0x100a1962
0x100a1963
0x100a17b4
0x100a17b4
0x100a17be
0x100a17c1
0x100a17c6
0x100a17c8
0x100a181a
0x100a181a
0x100a181d
0x100a181e
0x100a181f
0x100a1820
0x100a17ca
0x100a17ca
0x100a17ca
0x100a17cd
0x100a17cf
0x100a17d0
0x100a17d1
0x100a1400
0x100a1402
0x100a1404
0x100a1407
0x100a140e
0x100a1413
0x100a141a
0x100a14b8
0x00000000
0x100a1430
0x100a1430
0x100a1430
0x100a1432
0x100a1437
0x00000000
0x00000000
0x100a143b
0x00000000
0x100a143d
0x100a143d
0x100a143f
0x00000000
0x100a1441
0x100a1441
0x100a1441
0x100a1445
0x100a1463
0x100a1466
0x100a146b
0x100a146e
0x100a1470
0x100a147f
0x100a1472
0x100a1472
0x100a1472
0x100a1475
0x100a1478
0x100a1478
0x100a1445
0x100a143f
0x00000000
0x100a143b
0x100a1490
0x100a1497
0x100a149d
0x100a14a1
0x100a14a9
0x100a14ac
0x100a14ac
0x100a1447
0x100a1447
0x100a1458
0x100a1458
0x100a17c8
0x100a17b2
0x100a17a2
0x00000000

APIs

Part of subcall function 100A10F0: calloc.MSVCRT ref: 100A117E

TlsAlloc.KERNEL32(000003E8,?,?,100A2C7E,?,?,000003E8,000003E8,100A0F79), ref: 100A17A4
fprintf.MSVCRT ref: 100A1809
abort.MSVCRT(?,100A2C7E,?,?,000003E8,000003E8,100A0F79), ref: 100A1829
GetCurrentThreadId.KERNEL32 ref: 100A185B
CreateEventA.KERNEL32 ref: 100A1883
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000004,?,00000000), ref: 100A18C5
GetCurrentThread.KERNEL32 ref: 100A18C9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000004,?,00000000), ref: 100A18D1
DuplicateHandle.KERNEL32 ref: 100A18FD
GetThreadPriority.KERNEL32 ref: 100A1910
TlsSetValue.KERNEL32 ref: 100A193C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Current$Thread$Process$AllocCreateDuplicateEventHandlePriorityValueabortcallocfprintf
String ID:
API String ID: 3428539040-0
Opcode ID: f969a53c872a21cf028a7f4cafe3be6fed375392b9d917c574dc3f66504f5397
Instruction ID: 1581781306a54a8ce9359a3ff668a76d71cbcd9d47f296fef9c4cb60d7b15c79
Opcode Fuzzy Hash: f969a53c872a21cf028a7f4cafe3be6fed375392b9d917c574dc3f66504f5397
Instruction Fuzzy Hash: 675189B5905310DFDB00EFB9D88939ABBE4FB84390F418A2DE89487356E778D544CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001A460 Relevance: 19.6, APIs: 13, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1001A460(signed char __eax) {
				void* __ebx;
				void* __esi;
				void* _t68;
				intOrPtr _t74;
				signed char _t79;
				signed char _t82;
				char* _t83;
				intOrPtr _t85;
				signed int _t86;
				signed int _t89;
				intOrPtr _t90;
				signed int _t92;
				signed int _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t99;
				intOrPtr* _t100;

				_t79 = __eax;
				_t100 = _t99 - 0x1c;
				if( *((intOrPtr*)(__eax + 0xe4)) > 0) {
					_t89 = 0;
					do {
						_t98 =  *((intOrPtr*)(__eax + 0xe0)) + _t89 * 4;
						_t89 = _t89 + 1;
						_t95 =  *_t98;
						_t96 = _t95 + 0xc;
						 *_t100 = _t95 + 0x10;
						E1000A000(__eax, _t96);
						 *_t100 = _t96;
						E10011CC0();
						 *_t100 = _t98;
						E100290E0();
					} while (_t89 <  *((intOrPtr*)(_t79 + 0xe4)));
				}
				_t90 = _t79 + 0xb8;
				 *((intOrPtr*)(_t79 + 0xe4)) = 0;
				 *_t100 = _t79 + 0xe0;
				_t85 = _t79 + 0xd8;
				E100290E0();
				do {
					 *_t100 = _t90;
					_t90 = _t90 + 4;
					E1000A000(_t79, _t90);
				} while (_t85 != _t90);
				if( *((intOrPtr*)(_t79 + 0xdc)) > 0) {
					_t94 = 0;
					do {
						_t74 =  *((intOrPtr*)(_t79 + 0xd8)) + _t94 * 4;
						_t94 = _t94 + 1;
						 *_t100 = _t74;
						E1000A000(_t79, _t94);
					} while (_t94 <  *((intOrPtr*)(_t79 + 0xdc)));
				}
				 *_t100 = _t85;
				E100290E0();
				 *_t100 = _t79 + 0x118;
				E10011CC0();
				 *_t100 = _t79 + 0x128;
				E1000A000(_t79, _t90);
				 *_t100 = _t79 + 0x12c;
				E1000A000(_t79, _t90);
				 *_t100 = _t79 + 0x140;
				E1000A000(_t79, _t90);
				if( *(_t79 + 0x40) != _t79) {
					 *_t100 = _t79 + 0x40;
					E100290E0();
				}
				_t86 = 0x168;
				 *_t100 = _t79 + 0x148;
				E1000D270();
				_t82 = _t79;
				if((_t79 & 0x00000001) != 0) {
					 *_t79 = 0;
					_t82 = _t79 + 1;
					_t86 = 0x167;
					if((_t82 & 0x00000002) == 0) {
						goto L12;
					} else {
						goto L20;
					}
					L14:
					_t83 = _t82 + _t68;
					if((_t86 & 0x00000004) != 0) {
						 *_t83 = 0;
						_t83 = _t83 + 4;
					}
					if((_t86 & 0x00000002) != 0) {
						 *_t83 = 0;
						_t83 = _t83 + 2;
					}
					if((_t86 & 0x00000001) != 0) {
						 *_t83 = 0;
					}
					 *((intOrPtr*)(_t79 + 0x100)) = 0;
					 *((intOrPtr*)(_t79 + 0xf4)) = 2;
					 *((intOrPtr*)(_t79 + 0x70)) = 0;
					 *((intOrPtr*)(_t79 + 0x74)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x68)) = 0;
					 *((intOrPtr*)(_t79 + 0x6c)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x104)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x108)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x10c)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x124)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x7c)) = 1;
					 *((intOrPtr*)(_t79 + 0x54)) = 1;
					 *((intOrPtr*)(_t79 + 0x60)) = 1;
					 *((intOrPtr*)(_t79 + 0x50)) = 0xffffffff;
					 *(_t79 + 0x40) = _t79;
					 *((intOrPtr*)(_t79 + 0xf0)) = 2;
					 *((intOrPtr*)(_t79 + 0xf8)) = 2;
					return 2;
				} else {
					if((_t82 & 0x00000002) != 0) {
						L20:
						 *_t82 = 0;
						_t86 = _t86 - 2;
						_t82 = _t82 + 2;
					}
				}
				L12:
				_t68 = 0;
				_t92 = _t86 & 0xfffffff8;
				do {
					 *((intOrPtr*)(_t82 + _t68)) = 0;
					 *((intOrPtr*)(_t82 + _t68 + 4)) = 0;
					_t68 = _t68 + 8;
				} while (_t68 < _t92);
				goto L14;
			}

0x1001a464
0x1001a466
0x1001a471
0x1001a473
0x1001a480
0x1001a486
0x1001a489
0x1001a48a
0x1001a490
0x1001a493
0x1001a496
0x1001a49b
0x1001a49e
0x1001a4a3
0x1001a4a6
0x1001a4ab
0x1001a480
0x1001a4b3
0x1001a4bb
0x1001a4c7
0x1001a4ca
0x1001a4d0
0x1001a4e0
0x1001a4e0
0x1001a4e3
0x1001a4e6
0x1001a4eb
0x1001a4f7
0x1001a4f9
0x1001a500
0x1001a506
0x1001a509
0x1001a50a
0x1001a50d
0x1001a512
0x1001a500
0x1001a51a
0x1001a51d
0x1001a528
0x1001a52b
0x1001a536
0x1001a539
0x1001a544
0x1001a547
0x1001a552
0x1001a555
0x1001a55d
0x1001a562
0x1001a565
0x1001a565
0x1001a570
0x1001a575
0x1001a578
0x1001a582
0x1001a584
0x1001a668
0x1001a66b
0x1001a66e
0x1001a676
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a5a8
0x1001a5a8
0x1001a5b0
0x1001a6a5
0x1001a6ab
0x1001a6ab
0x1001a5bc
0x1001a698
0x1001a69d
0x1001a69d
0x1001a5c5
0x1001a690
0x1001a690
0x1001a5d2
0x1001a5e2
0x1001a5f2
0x1001a603
0x1001a60a
0x1001a611
0x1001a618
0x1001a61e
0x1001a624
0x1001a62a
0x1001a630
0x1001a637
0x1001a63e
0x1001a645
0x1001a64c
0x1001a64f
0x1001a655
0x1001a662
0x1001a58a
0x1001a58d
0x1001a680
0x1001a680
0x1001a685
0x1001a688
0x1001a688
0x1001a58d
0x1001a593
0x1001a595
0x1001a597
0x1001a59a
0x1001a59a
0x1001a59d
0x1001a5a1
0x1001a5a4
0x00000000

APIs

mv_dict_free.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A49E
mv_freep.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A4A6
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A496

Part of subcall function 1000A000: mv_freep.LICKING ref: 1000A01E

mv_freep.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A4D0
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A4E6
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A50D
mv_freep.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A51D
mv_dict_free.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A52B
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A539
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A547
mv_buffer_unref.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A555
mv_freep.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A565
mv_channel_layout_uninit.LICKING(?,?,?,?,?,?,1001ADCA), ref: 1001A578

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_unref$mv_freep$mv_dict_free$mv_channel_layout_uninit
String ID:
API String ID: 1735483532-0
Opcode ID: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
Instruction ID: e5137f4a5bc7018b3bf66a3982d40490682209c4fe07239027ca6129b2817d8d
Opcode Fuzzy Hash: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
Instruction Fuzzy Hash: 66516BB19046068BDB10DF28C48178A77E5FF45364F0A46BADC989F38AD774E8C5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C640 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C650
memcmp.MSVCRT ref: 1000C6F4

Strings

mono, xrefs: 1000C6B0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: memcmpstrlen
String ID: mono
API String ID: 3108337309-2381334079
Opcode ID: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
Instruction ID: 18b6b574f71558c9a9b0b92199a84ecc10b2be927aad7e864a8dbdfaab720d03
Opcode Fuzzy Hash: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
Instruction Fuzzy Hash: 62713A74A083598FD354DF25C48491EBBE2FFC8384F51892DE88997319DB34E9458F86

Uniqueness

Uniqueness Score: -1.00%

Function 1001E7F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.LICKING ref: 1001E9EE
mv_log.LICKING ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_pix_fmt_namemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 3418758923-379977042
Opcode ID: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
Instruction ID: a270e7ec8c0c912217b56fd727a34e093eb2c836343d1efa160e437917b73519
Opcode Fuzzy Hash: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
Instruction Fuzzy Hash: 9F61B3746087858FD750DF69C480A0EF7E5FF88354F568A6DE998DB311E670EC818B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1D0 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

mv_realloc.LICKING ref: 1000A231
mv_mallocz.LICKING ref: 1000A24B
mv_mallocz.LICKING ref: 1000A284
mv_freep.LICKING ref: 1000A2DA
mv_realloc.LICKING ref: 1000A344
mv_realloc.LICKING ref: 1000A36B
mv_mallocz.LICKING ref: 1000A385
mv_mallocz.LICKING ref: 1000A3BC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_realloc$mv_freep
String ID:
API String ID: 3944475926-0
Opcode ID: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
Instruction ID: 0671ab7339bb216cd2d01b0f004d479de4b058bf66c6df6044412f8339b3df2e
Opcode Fuzzy Hash: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
Instruction Fuzzy Hash: 937104B48087018FE714DF25C18471AFBE0FF86380F568A6DE9898B365D775E980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1002BD60 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 225stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002BDE3
mv_log.LICKING ref: 1002BE0D

Strings

%c%c%c%c%c%c%c%c%c%c%c, xrefs: 1002C09E
%-15s , xrefs: 1002BDF4
%s%-17s , xrefs: 1002BF20
%-12s , xrefs: 1002BF60

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmp
String ID: %-15s $ %s%-17s $%-12s $%c%c%c%c%c%c%c%c%c%c%c
API String ID: 3828882664-2158144587
Opcode ID: cd315c485f21a5d92caec50ebdf3783483848b95e2873c555e898fd340466650
Instruction ID: 81ce71257c6f568c107695be669e8e9b550c4ba999c531598f557fc534171d91
Opcode Fuzzy Hash: cd315c485f21a5d92caec50ebdf3783483848b95e2873c555e898fd340466650
Instruction Fuzzy Hash: F89139B1A19B458BC714CF29D88065EBBE2FFC8750F55CA2EF89887755D338D8448B82

Uniqueness

Uniqueness Score: -1.00%

Function 1004EC71 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1004EDC7
mv_log.LICKING ref: 1004EE40
mv_log.LICKING ref: 1004EF01
mv_log.LICKING ref: 1004EF33

Strings

%d:%d:%d%c%d, xrefs: 1004ECBB
Unable to parse timecode, syntax: hh:mm:ss[:;.]ff, xrefs: 1004EEEA
Valid timecode frame rate must be specified. Minimum value is 1, xrefs: 1004EF1E
Drop frame is only allowed with multiples of 30000/1001 FPS, xrefs: 1004EE2B
Using non-standard frame rate %d/%d, xrefs: 1004EDA7
gfff, xrefs: 1004EE62

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: %d:%d:%d%c%d$Drop frame is only allowed with multiples of 30000/1001 FPS$Unable to parse timecode, syntax: hh:mm:ss[:;.]ff$Using non-standard frame rate %d/%d$Valid timecode frame rate must be specified. Minimum value is 1$gfff
API String ID: 2418673259-2042051344
Opcode ID: 667b1855407bd178daa68827b0fc8dc4cac5444d40c4ce1888b1831c71f7e425
Instruction ID: ad6f89b5d716708f39f7d1c1240442daf23e2e802f1dd0c33ed5984729e4a587
Opcode Fuzzy Hash: 667b1855407bd178daa68827b0fc8dc4cac5444d40c4ce1888b1831c71f7e425
Instruction Fuzzy Hash: 17617B75D083988BC720CF29C58065EBBE1FB88350F658A3EE898DB355D735ED448B86

Uniqueness

Uniqueness Score: -1.00%

Function 1001E690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E1001E690(intOrPtr _a4, char _a8) {
				char _v16;
				intOrPtr _v32;
				intOrPtr _v48;
				char* _v52;
				char _v56;
				void* __ebx;
				void* __esi;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				char _t46;
				intOrPtr _t49;
				char _t58;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr* _t73;

				_t73 = _t72 - 0x34;
				_t37 = _a4;
				_t58 = _a8;
				_t71 =  *((intOrPtr*)(_t37 + 4));
				_t63 =  *((intOrPtr*)(_t71 + 4));
				_t61 =  *((intOrPtr*)(_t63 + 0xc));
				if( *((intOrPtr*)(_t63 + 0xc)) == 0) {
					_t64 =  *_t63;
					_t62 =  *((intOrPtr*)(_t64 + 0x3c));
					if( *((intOrPtr*)(_t64 + 0x3c)) == 0) {
						_t38 = 0xffffffd8;
						goto L7;
					} else {
						if( *((intOrPtr*)(_t71 + 0x1c)) == 0) {
							_t38 = 0xffffffea;
							goto L7;
						} else {
							 *_t73 = _t37;
							_t39 = E10009FC0(_t58, _t62);
							 *((intOrPtr*)(_t58 + 0x128)) = _t39;
							if(_t39 == 0) {
								goto L6;
							} else {
								_v56 = _t58;
								 *_t73 = _t71;
								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)))) + 0x3c))();
								if(_t42 < 0) {
									_v32 = _t42;
									 *_t73 = _t58 + 0x128;
									E1000A000(_t58 + 0x128, _t71);
									_t38 = _v32;
									goto L7;
								} else {
									 *((intOrPtr*)(_t58 + 0x40)) = _t58;
									return 0;
								}
							}
						}
					}
				} else {
					 *((intOrPtr*)(_t58 + 0x50)) =  *((intOrPtr*)(_t71 + 0x24));
					 *_t73 = _t37;
					_t45 = E10009FC0(_t58, _t61);
					 *((intOrPtr*)(_t58 + 0x128)) = _t45;
					if(_t45 == 0) {
						L6:
						_t38 = 0xfffffff4;
						goto L7;
					} else {
						_t46 = E1001AC40(_t58, _t70, _t71);
						_v16 = _t46;
						if(_t46 == 0) {
							goto L6;
						} else {
							_v56 = _t46;
							_v52 = 0;
							 *_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0xc));
							_t49 = E1001E690();
							if(_t49 < 0) {
								L13:
								_v32 = _t49;
								 *_t73 =  &_v16;
								E1001ADB0(_t58);
								return _v32;
							} else {
								 *_t73 = _t58;
								_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0x10));
								_v56 = _v16;
								_t49 = E1001E450(_t58, _t70, _t71);
								if(_t49 == 0) {
									goto L13;
								} else {
									_v48 = _t49;
									_v32 = _t49;
									_v56 = 0x10;
									_v52 = "Failed to map frame into derived frame context: %d.\n";
									 *_t73 = _t71;
									E10026560();
									 *_t73 =  &_v16;
									E1001ADB0("Failed to map frame into derived frame context: %d.\n");
									_t38 = _v32;
									L7:
									return _t38;
								}
							}
						}
					}
				}
			}

0x1001e692
0x1001e695
0x1001e699
0x1001e69d
0x1001e6a0
0x1001e6a3
0x1001e6a8
0x1001e760
0x1001e762
0x1001e767
0x1001e7e5
0x00000000
0x1001e769
0x1001e76e
0x1001e7db
0x00000000
0x1001e770
0x1001e770
0x1001e773
0x1001e778
0x1001e780
0x00000000
0x1001e782
0x1001e787
0x1001e78b
0x1001e78e
0x1001e793
0x1001e7c0
0x1001e7ca
0x1001e7cd
0x1001e7d2
0x00000000
0x1001e795
0x1001e795
0x1001e79f
0x1001e79f
0x1001e793
0x1001e780
0x1001e76e
0x1001e6ae
0x1001e6b1
0x1001e6b4
0x1001e6b7
0x1001e6bc
0x1001e6c4
0x1001e750
0x1001e750
0x00000000
0x1001e6ca
0x1001e6ca
0x1001e6cf
0x1001e6d5
0x00000000
0x1001e6d7
0x1001e6d7
0x1001e6dd
0x1001e6e7
0x1001e6ea
0x1001e6f1
0x1001e7a0
0x1001e7a0
0x1001e7a8
0x1001e7ab
0x1001e7b9
0x1001e6f7
0x1001e6fd
0x1001e700
0x1001e708
0x1001e70c
0x1001e713
0x00000000
0x1001e719
0x1001e719
0x1001e722
0x1001e72b
0x1001e72f
0x1001e733
0x1001e736
0x1001e73f
0x1001e742
0x1001e747
0x1001e755
0x1001e75a
0x1001e75a
0x1001e713
0x1001e6f1
0x1001e6d5
0x1001e6c4

APIs

mv_frame_alloc.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA

Part of subcall function 1001AC40: mv_malloc.LICKING ref: 1001AC56

mv_hwframe_get_buffer.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6EA

Part of subcall function 1001E690: mv_hwframe_map.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
Part of subcall function 1001E690: mv_log.LICKING ref: 1001E736
Part of subcall function 1001E690: mv_frame_free.LICKING ref: 1001E742

mv_buffer_ref.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7

Part of subcall function 10009FC0: mv_mallocz.LICKING ref: 10009FD2

mv_buffer_ref.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E773

Strings

Failed to map frame into derived frame context: %d., xrefs: 1001E71D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_ref$mv_frame_allocmv_frame_freemv_hwframe_get_buffermv_hwframe_mapmv_logmv_mallocmv_mallocz
String ID: Failed to map frame into derived frame context: %d.
API String ID: 2770197599-2491951210
Opcode ID: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
Instruction ID: c8a7df340d6dcafb776f8cd3ae8b96b8e9686aa7a819e798d3a2729e9b2e2ff4
Opcode Fuzzy Hash: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
Instruction Fuzzy Hash: 6541E5786097418FE740DF29D58095FBBE0FF88350F05896DE8998B355E734E8818B82

Uniqueness

Uniqueness Score: -1.00%

Function 100A57B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 100A57E2
CreateSemaphoreA.KERNEL32 ref: 100A5838
CreateSemaphoreA.KERNEL32 ref: 100A585F
InitializeCriticalSection.KERNEL32 ref: 100A587E
InitializeCriticalSection.KERNEL32 ref: 100A5889
InitializeCriticalSection.KERNEL32 ref: 100A5894

Strings

l, xrefs: 100A57D3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID: l
API String ID: 2075313795-2517025534
Opcode ID: 20a18e4a0112209b4da9639d5e215e0c02dd3b6026310d411648e9f3e78ec2d4
Instruction ID: 16d2d4a35bbbb24a739a770089c434b6184fef880a3ad5311f983c9af6efc7f3
Opcode Fuzzy Hash: 20a18e4a0112209b4da9639d5e215e0c02dd3b6026310d411648e9f3e78ec2d4
Instruction Fuzzy Hash: 2E3128B1505300CFEB50BF68D58831ABBE4FF40354F128A6DE8948B299E77AD844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 100312C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 100312D8
strcmp.MSVCRT ref: 100312F0
strcmp.MSVCRT ref: 10031308
strcmp.MSVCRT ref: 10031320
strcmp.MSVCRT ref: 10031338
strcmp.MSVCRT ref: 10031350
strcmp.MSVCRT ref: 10031368
strcmp.MSVCRT ref: 10031380
mv_parse_ratio.LICKING(?,?,?,?,?,?,?,?,1002E89B), ref: 100313AC

Part of subcall function 100310F0: mv_expr_parse_and_eval.LICKING ref: 10031179
Part of subcall function 100310F0: mv_d2q.LICKING ref: 10031195

Strings

ntsc, xrefs: 100312C5

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_d2qmv_expr_parse_and_evalmv_parse_ratio
String ID: ntsc
API String ID: 2874497773-2045543799
Opcode ID: ec32bec2af6a2ecb4ce6168838176d8fdb98f1596f88ccec490d531f44d5e481
Instruction ID: a2e0eae1ca3038ae62bde4675692c4f594c3c7e77de8ac1c76987ebdc5f5f10b
Opcode Fuzzy Hash: ec32bec2af6a2ecb4ce6168838176d8fdb98f1596f88ccec490d531f44d5e481
Instruction Fuzzy Hash: 9A317E74A09341DFD351DF6AC54029FB6F4EF48781F41882EB989CB650E7B8EA80DB52

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002FA64
mv_match_name.LICKING ref: 1002FBE4

Strings

auto, xrefs: 1002FA5B
false,n,no,disable,disabled,off, xrefs: 1002FC95
true,y,yes,enable,enabled,on, xrefs: 1002FBDB
Unable to parse option value "%s" as boolean, xrefs: 1002FD2D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_match_namestrcmp
String ID: Unable to parse option value "%s" as boolean$auto$false,n,no,disable,disabled,off$true,y,yes,enable,enabled,on
API String ID: 524417830-3796170252
Opcode ID: 34fa3148977e7d767d1677c5d2720953b1690ee46a8e45433c697dfd4324e7d8
Instruction ID: 876f5722f56374415ad02e8831a214edd1e446c1e1a60714b8d0a63fd524c722
Opcode Fuzzy Hash: 34fa3148977e7d767d1677c5d2720953b1690ee46a8e45433c697dfd4324e7d8
Instruction Fuzzy Hash: 9C21EA75908749CBC751DF78D18152EF7E0FF85790F918A2DE88997211E734D880DB42

Uniqueness

Uniqueness Score: -1.00%

Function 100099E1 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100099E1(void* __eax, void* __ebx, void* __edx, void* __esi, signed int _a4, char* _a8) {
				void* _t23;

				_t23 = __eax;
				__eflags = __edx;
				if(__edx == 0) {
					do {
						__eflags = __al - 0x3c;
						if(__eflags == 0) {
							 *__esp = __esi;
							__eax = 0x100af50e;
							__edx = 0x100af500;
							_a8 = 0x100af50e;
							_a4 = 0x100af500;
							__eax = E100089C0();
						} else {
							if(__eflags <= 0) {
								__eflags = __al - 0x26;
								if(__al == 0x26) {
									 *__esp = __esi;
									__eax = 0x100af508;
									_a8 = 0x100af508;
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
								} else {
									__eflags = __al - 0x27;
									if(__al != 0x27) {
										goto L22;
									} else {
										 *__esp = __esi;
										__eax = 0x100af500;
										_a8 = "&apos;";
										_a4 = 0x100af500;
										__eax = E100089C0();
									}
								}
							} else {
								__eflags = __al - 0x3e;
								if(__al != 0x3e) {
									L22:
									__edx = __al;
									__esi = E100086F0(__esi, __al);
								} else {
									 *__esp = __esi;
									_a8 = 0x100af513;
									_a4 = 0x100af500;
									__eax = E100089C0();
								}
							}
						}
						__eax =  *(__ebx + 1) & 0x000000ff;
						__ebx = __ebx + 1;
						__eflags = __al;
					} while (__al != 0);
				} else {
					do {
						__dl = __al;
						__dl = __al - 0x22;
						__eflags = __dl - 0x1c;
						if(__dl > 0x1c) {
							L14:
							__edx = __al;
							__esi = E100086F0(__esi, __al);
						} else {
							__edx = __dl & 0x000000ff;
							switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AF530))) {
								case 0:
									 *__esp = __esi;
									__eax = "&quot;";
									_a8 = "&quot;";
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 1:
									goto L14;
								case 2:
									 *__esp = __esi;
									__eax = 0x100af508;
									_a8 = 0x100af508;
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 3:
									 *__esp = __esi;
									__eax = "&apos;";
									_a8 = "&apos;";
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 4:
									 *__esp = __esi;
									_a8 = 0x100af50e;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 5:
									 *__esp = __esi;
									__edx = 0x100af513;
									_a8 = 0x100af513;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
							}
						}
						L15:
						__eax =  *(__ebx + 1) & 0x000000ff;
						__ebx = __ebx + 1;
						__eflags = __al;
					} while (__al != 0);
				}
				return _t23;
			}

0x100099e1
0x100099e8
0x100099ea
0x10009a4d
0x10009a4d
0x10009a4f
0x10009c10
0x10009c13
0x10009c18
0x10009c1d
0x10009c21
0x10009c25
0x10009a55
0x10009a55
0x10009a10
0x10009a12
0x10009c30
0x10009c33
0x10009c38
0x10009c3c
0x10009c41
0x10009c45
0x10009a18
0x10009a18
0x10009a1a
0x00000000
0x10009a20
0x10009a20
0x10009a28
0x10009a2d
0x10009a31
0x10009a35
0x10009a35
0x10009a1a
0x10009a57
0x10009a57
0x10009a60
0x10009b90
0x10009b90
0x10009b95
0x10009a66
0x10009a66
0x10009a73
0x10009a77
0x10009a7b
0x10009a7b
0x10009a60
0x10009a55
0x10009a40
0x10009a44
0x10009a45
0x10009a45
0x100099f0
0x100099f0
0x100099f0
0x100099f2
0x100099f5
0x100099f8
0x10009a88
0x10009a88
0x10009a8d
0x100099fe
0x100099fe
0x10009a01
0x00000000
0x10009b17
0x10009b1a
0x10009b1f
0x10009b23
0x10009b28
0x10009b2c
0x00000000
0x00000000
0x00000000
0x00000000
0x10009aa4
0x10009aa7
0x10009aac
0x10009ab0
0x10009ab5
0x10009ab9
0x00000000
0x00000000
0x10009af8
0x10009afb
0x10009b00
0x10009b04
0x10009b09
0x10009b0d
0x00000000
0x00000000
0x10009adc
0x10009ae9
0x10009aed
0x10009af1
0x00000000
0x00000000
0x10009ac0
0x10009ac3
0x10009acd
0x10009ad1
0x10009ad5
0x00000000
0x00000000
0x10009a01
0x10009a92
0x10009a92
0x10009a96
0x10009a97
0x10009a97
0x10009a9f
0x10009869

APIs

mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A7B
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AB9
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AD5
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AF1
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009B0D
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009B2C

Strings

<, xrefs: 10009ADF
&, xrefs: 10009AA7
', xrefs: 10009AFB
", xrefs: 10009B1A
>, xrefs: 10009AC3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: &$'$>$<$"
API String ID: 3083893021-87953025
Opcode ID: b6ed54fa2430d4727933e5420d63455ec3df606a843a78192178217f34b32b16
Instruction ID: 8e5b0ad7770d728874d8b890f391dfc0befd8e9e6221b6722be08452d9dad11f
Opcode Fuzzy Hash: b6ed54fa2430d4727933e5420d63455ec3df606a843a78192178217f34b32b16
Instruction Fuzzy Hash: 02111270908B51DFD710DFA9904026EBBD1FB81780F54C81EE6D587285EA39D940D783

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC40 Relevance: 16.8, APIs: 11, Instructions: 283
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E1001BC40() {
				void* __ebx;
				signed int _t113;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t123;
				void* _t124;
				void* _t125;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed char _t133;
				signed int _t134;
				signed int _t135;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t154;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed short* _t161;
				signed short* _t162;
				int _t166;
				signed char _t174;
				short* _t175;
				signed char _t176;
				short* _t177;
				signed int _t178;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t186;
				void* _t187;
				void* _t190;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed short* _t200;
				signed short* _t201;
				signed int _t202;
				void* _t203;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				void* _t209;
				signed int* _t210;

				_t210 = _t209 - 0x1c;
				_t154 = _t210[0xd];
				_t207 = _t210[0xc];
				_t181 = _t154 + 0x148;
				 *((intOrPtr*)(_t207 + 0x50)) =  *((intOrPtr*)(_t154 + 0x50));
				 *((intOrPtr*)(_t207 + 0x44)) =  *((intOrPtr*)(_t154 + 0x44));
				 *((intOrPtr*)(_t207 + 0x48)) =  *((intOrPtr*)(_t154 + 0x48));
				 *((intOrPtr*)(_t207 + 0x4c)) =  *((intOrPtr*)(_t154 + 0x4c));
				 *(_t207 + 0x120) =  *(_t154 + 0x120);
				 *(_t207 + 0xb4) =  *(_t154 + 0xb4);
				 *(_t207 + 0xb0) =  *(_t154 + 0xb0);
				 *_t210 = _t181;
				if(E1000EC10() == 0) {
					_t149 =  *(_t154 + 0xb4);
					_t180 =  *(_t154 + 0xb0);
					if((_t149 | _t180) != 0) {
						_t210[2] = _t149;
						_t210[1] = _t180;
						 *_t210 = _t207 + 0x148;
						E1000D1B0();
					} else {
						 *(_t207 + 0x14c) =  *(_t154 + 0x120);
						 *(_t207 + 0x148) = 0;
					}
				}
				_t160 = 0;
				_t113 = E1001A6C0(_t207, 0, _t154, 0);
				_t195 = _t113;
				if(_t113 < 0) {
					L19:
					E1001A460(_t207);
					return _t195;
				} else {
					 *_t210 = _t181;
					if(E1000EC10() != 0) {
						_t210[1] = _t181;
						 *_t210 = _t207 + 0x148;
						_t119 = E1000D340();
						__eflags = _t119;
						_t195 = _t119;
						if(_t119 < 0) {
							goto L19;
						} else {
							_t120 =  *(_t154 + 0xb8);
							__eflags = _t120;
							if(_t120 != 0) {
								goto L6;
							} else {
								goto L32;
							}
						}
					} else {
						_t120 =  *(_t154 + 0xb8);
						if(_t120 == 0) {
							L32:
							 *_t210 = _t207;
							_t210[1] = 0;
							_t147 = E1001ADF0();
							__eflags = _t147;
							_t195 = _t147;
							if(_t147 < 0) {
								goto L19;
							} else {
								_t210[1] = _t154;
								 *_t210 = _t207;
								_t148 = E1001B8D0();
								__eflags = _t148;
								_t195 = _t148;
								if(_t148 < 0) {
									goto L19;
								} else {
									goto L34;
								}
							}
						} else {
							L6:
							_t196 = 0;
							L8:
							while(1) {
								if(_t120 == 0) {
									L10:
									_t196 = _t196 + 1;
									if(_t196 != 8) {
										_t120 =  *(_t154 + 0xb8 + _t196 * 4);
										continue;
									} else {
										if( *((intOrPtr*)(_t154 + 0xd8)) == 0) {
											L21:
											_t121 =  *(_t154 + 0x128);
											__eflags = _t121;
											if(_t121 == 0) {
												L23:
												__eflags =  *(_t154 + 0x40) - _t154;
												if( *(_t154 + 0x40) == _t154) {
													 *(_t207 + 0x40) = _t207;
													goto L37;
												} else {
													_t186 =  *(_t207 + 0x14c);
													_t195 = 0xffffffea;
													__eflags = _t186;
													if(_t186 == 0) {
														goto L19;
													} else {
														_t210[1] = _t186;
														 *_t210 = 4;
														_t133 = E10028EC0();
														 *(_t207 + 0x40) = _t133;
														__eflags = _t133;
														if(_t133 == 0) {
															goto L18;
														} else {
															_t166 = _t186 * 4;
															_t203 =  *(_t154 + 0x40);
															_t187 = _t133;
															__eflags = _t166 - 8;
															if(_t166 >= 8) {
																__eflags = _t133 & 0x00000001;
																if((_t133 & 0x00000001) != 0) {
																	_t134 =  *_t203 & 0x000000ff;
																	_t187 = _t187 + 1;
																	_t203 = _t203 + 1;
																	_t166 = _t166 - 1;
																	 *(_t187 - 1) = _t134;
																}
																__eflags = _t187 & 0x00000002;
																if((_t187 & 0x00000002) != 0) {
																	_t135 =  *_t203 & 0x0000ffff;
																	_t187 = _t187 + 2;
																	_t203 = _t203 + 2;
																	_t166 = _t166 - 2;
																	 *(_t187 - 2) = _t135;
																}
																__eflags = _t187 & 0x00000004;
																if((_t187 & 0x00000004) == 0) {
																	goto L27;
																} else {
																	_t190 = _t187 + 4;
																	 *(_t190 - 4) =  *_t203;
																	memcpy(_t190, _t203 + 4, _t166 - 4);
																	_t210 =  &(_t210[3]);
																	goto L37;
																}
																L49:
																_t177 = _t176 + _t128;
																_t201 = _t200 + _t128;
																_t129 = 0;
																__eflags = _t184 & 0x00000002;
																if((_t184 & 0x00000002) != 0) {
																	 *_t177 =  *_t201 & 0x0000ffff;
																	_t129 = 2;
																}
																__eflags = _t184 & 0x00000001;
																if((_t184 & 0x00000001) == 0) {
																	L34:
																	_t202 = 0;
																	__eflags = 0;
																} else {
																	_t202 = 0;
																	 *((char*)(_t177 + _t129)) =  *(_t201 + _t129) & 0x000000ff;
																}
																return _t202;
																goto L63;
															} else {
																L27:
																memcpy(_t187, _t203, _t166);
																_t210 =  &(_t210[3]);
															}
															L37:
															__eflags = _t207 & 0x00000001;
															_t174 = _t207;
															_t161 = _t154;
															_t182 = 0x20;
															if((_t207 & 0x00000001) != 0) {
																_t174 = _t207 + 1;
																_t182 = 0x1f;
																_t161 = _t154 + 1;
																 *_t207 =  *_t154 & 0x000000ff;
															}
															__eflags = _t174 & 0x00000002;
															if((_t174 & 0x00000002) != 0) {
																_t123 =  *_t161 & 0x0000ffff;
																_t174 = _t174 + 2;
																_t161 =  &(_t161[1]);
																_t182 = _t182 - 2;
																 *(_t174 - 2) = _t123;
															}
															_t210[0xd] = _t154;
															_t124 = 0;
															_t199 = _t182 & 0xfffffffc;
															__eflags = _t199;
															do {
																 *(_t174 + _t124) =  *(_t161 + _t124);
																_t124 = _t124 + 4;
																__eflags = _t124 - _t199;
															} while (_t124 < _t199);
															_t175 = _t174 + _t124;
															_t162 = _t161 + _t124;
															_t156 = _t210[0xd];
															_t125 = 0;
															__eflags = _t182 & 0x00000002;
															if((_t182 & 0x00000002) != 0) {
																 *_t175 =  *_t162 & 0x0000ffff;
																_t125 = 2;
															}
															__eflags = _t182 & 0x00000001;
															if((_t182 & 0x00000001) != 0) {
																 *((char*)(_t175 + _t125)) =  *(_t162 + _t125) & 0x000000ff;
															}
															__eflags = _t207 & 0x00000001;
															_t184 = 0x20;
															_t176 = _t207 + 0x20;
															_t200 = _t156 + 0x20;
															if((_t207 & 0x00000001) != 0) {
																_t176 = _t207 + 0x21;
																_t184 = 0x1f;
																_t200 = _t156 + 0x21;
																 *(_t207 + 0x20) =  *(_t156 + 0x20) & 0x000000ff;
															}
															__eflags = _t176 & 0x00000002;
															if((_t176 & 0x00000002) != 0) {
																_t127 =  *_t200 & 0x0000ffff;
																_t176 = _t176 + 2;
																_t200 =  &(_t200[1]);
																_t184 = _t184 - 2;
																 *(_t176 - 2) = _t127;
															}
															_t128 = 0;
															_t158 = _t184 & 0xfffffffc;
															__eflags = _t158;
															do {
																 *(_t176 + _t128) =  *(_t200 + _t128);
																_t128 = _t128 + 4;
																__eflags = _t128 - _t158;
															} while (_t128 < _t158);
															goto L49;
														}
													}
												}
											} else {
												 *_t210 = _t121;
												_t139 = E10009FC0(_t154, _t160);
												 *(_t207 + 0x128) = _t139;
												__eflags = _t139;
												if(_t139 == 0) {
													goto L18;
												} else {
													goto L23;
												}
											}
										} else {
											_t160 = 4;
											_t210[1] = 4;
											 *_t210 =  *(_t154 + 0xdc);
											_t141 = E100291F0();
											 *((intOrPtr*)(_t207 + 0xd8)) = _t141;
											if(_t141 == 0) {
												goto L18;
											} else {
												_t178 =  *(_t154 + 0xdc);
												 *(_t207 + 0xdc) = _t178;
												if(_t178 <= 0) {
													goto L21;
												} else {
													_t210[0xc] = _t207;
													_t208 = _t154;
													_t159 = 0;
													while(1) {
														_t206 = _t159 * 4;
														 *_t210 =  *( *((intOrPtr*)(_t208 + 0xd8)) + _t206);
														 *((intOrPtr*)(_t141 + _t206)) = E10009FC0(_t159, _t160);
														_t141 =  *((intOrPtr*)(_t210[0xc] + 0xd8));
														if( *((intOrPtr*)(_t141 + _t206)) == 0) {
															break;
														}
														_t159 = _t159 + 1;
														__eflags =  *((intOrPtr*)(_t208 + 0xdc)) - _t159;
														if( *((intOrPtr*)(_t208 + 0xdc)) <= _t159) {
															_t154 = _t208;
															_t207 = _t210[0xc];
															goto L21;
														} else {
															continue;
														}
														goto L63;
													}
													_t207 = _t210[0xc];
													goto L18;
												}
											}
										}
									}
								} else {
									 *_t210 = _t120;
									_t146 = E10009FC0(_t154, _t160);
									 *((intOrPtr*)(_t207 + 0xb8 + _t196 * 4)) = _t146;
									if(_t146 == 0) {
										L18:
										_t195 = 0xfffffff4;
										goto L19;
									} else {
										goto L10;
									}
								}
								goto L63;
							}
						}
					}
				}
				L63:
			}

0x1001bc44
0x1001bc47
0x1001bc4b
0x1001bc52
0x1001bc5e
0x1001bc64
0x1001bc6a
0x1001bc70
0x1001bc79
0x1001bc85
0x1001bc8b
0x1001bc91
0x1001bc9b
0x1001bc9d
0x1001bca3
0x1001bcad
0x1001be70
0x1001be7a
0x1001be7e
0x1001be81
0x1001bcb3
0x1001bcb9
0x1001bcc1
0x1001bcc1
0x1001bcad
0x1001bcc7
0x1001bccd
0x1001bcd4
0x1001bcd6
0x1001bdb8
0x1001bdba
0x1001bdc8
0x1001bcdc
0x1001bcdc
0x1001bce6
0x1001be40
0x1001be4a
0x1001be4d
0x1001be52
0x1001be54
0x1001be56
0x00000000
0x1001be5c
0x1001be5c
0x1001be62
0x1001be64
0x00000000
0x1001be6a
0x00000000
0x1001be6a
0x1001be64
0x1001bcec
0x1001bcec
0x1001bcf4
0x1001be90
0x1001be90
0x1001be95
0x1001be99
0x1001be9e
0x1001bea0
0x1001bea2
0x00000000
0x1001bea8
0x1001bea8
0x1001beac
0x1001beaf
0x1001beb4
0x1001beb6
0x1001beb8
0x00000000
0x00000000
0x00000000
0x00000000
0x1001beb8
0x1001bcfa
0x1001bcfa
0x1001bcfa
0x00000000
0x1001bd07
0x1001bd09
0x1001bd22
0x1001bd22
0x1001bd26
0x1001bd00
0x00000000
0x1001bd28
0x1001bd30
0x1001bdd6
0x1001bdd6
0x1001bddc
0x1001bdde
0x1001bdf2
0x1001bdf2
0x1001bdf5
0x1001bed0
0x00000000
0x1001bdfb
0x1001bdfb
0x1001be01
0x1001be06
0x1001be08
0x00000000
0x1001be0a
0x1001be0a
0x1001be0e
0x1001be15
0x1001be1a
0x1001be1d
0x1001be1f
0x00000000
0x1001be21
0x1001be21
0x1001be28
0x1001be2b
0x1001be2d
0x1001be30
0x1001bf96
0x1001bf98
0x1001c033
0x1001c036
0x1001c037
0x1001c038
0x1001c039
0x1001c039
0x1001bf9e
0x1001bfa4
0x1001c01e
0x1001c021
0x1001c024
0x1001c027
0x1001c02a
0x1001c02a
0x1001bfa6
0x1001bfac
0x00000000
0x1001bfb2
0x1001bfb4
0x1001bfbd
0x1001bfc0
0x1001bfc0
0x00000000
0x1001bfc0
0x1001bf66
0x1001bf66
0x1001bf68
0x1001bf6a
0x1001bf6c
0x1001bf72
0x1001bf77
0x1001bf7a
0x1001bf7a
0x1001bf7f
0x1001bf82
0x1001bebe
0x1001bebe
0x1001bebe
0x1001bf88
0x1001bf8c
0x1001bf8e
0x1001bf8e
0x1001bec9
0x00000000
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001bed3
0x1001bed3
0x1001bed9
0x1001bedb
0x1001bedd
0x1001bee2
0x1001bfdf
0x1001bfe2
0x1001bfe7
0x1001bfea
0x1001bfea
0x1001bee8
0x1001beeb
0x1001bfc7
0x1001bfca
0x1001bfcd
0x1001bfd0
0x1001bfd3
0x1001bfd3
0x1001bef1
0x1001bef7
0x1001bef9
0x1001bef9
0x1001befc
0x1001beff
0x1001bf02
0x1001bf05
0x1001bf05
0x1001bf09
0x1001bf0b
0x1001bf0d
0x1001bf11
0x1001bf13
0x1001bf19
0x1001bf1e
0x1001bf21
0x1001bf21
0x1001bf26
0x1001bf29
0x1001bf2f
0x1001bf2f
0x1001bf32
0x1001bf38
0x1001bf3d
0x1001bf40
0x1001bf43
0x1001c00b
0x1001c00e
0x1001c013
0x1001c016
0x1001c016
0x1001bf49
0x1001bf4c
0x1001bff2
0x1001bff5
0x1001bff8
0x1001bffb
0x1001bffe
0x1001bffe
0x1001bf54
0x1001bf56
0x1001bf56
0x1001bf59
0x1001bf5c
0x1001bf5f
0x1001bf62
0x1001bf62
0x00000000
0x1001bf59
0x1001be1f
0x1001be08
0x1001bde0
0x1001bde0
0x1001bde3
0x1001bde8
0x1001bdee
0x1001bdf0
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bdf0
0x1001bd36
0x1001bd36
0x1001bd3b
0x1001bd45
0x1001bd48
0x1001bd4d
0x1001bd55
0x00000000
0x1001bd57
0x1001bd57
0x1001bd5d
0x1001bd65
0x00000000
0x1001bd67
0x1001bd67
0x1001bd6d
0x1001bd6f
0x1001bd81
0x1001bd81
0x1001bd94
0x1001bd9c
0x1001bda2
0x1001bdad
0x00000000
0x00000000
0x1001bd78
0x1001bd79
0x1001bd7f
0x1001bdd0
0x1001bdd2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd7f
0x1001bdaf
0x00000000
0x1001bdaf
0x1001bd65
0x1001bd55
0x1001bd30
0x1001bd0b
0x1001bd0b
0x1001bd0e
0x1001bd13
0x1001bd1c
0x1001bdb3
0x1001bdb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd1c
0x00000000
0x1001bd09
0x1001bd07
0x1001bcf4
0x1001bce6
0x00000000

APIs

mv_channel_layout_check.LICKING ref: 1001BC94
mv_channel_layout_check.LICKING ref: 1001BCDF
mv_buffer_ref.LICKING ref: 1001BD0E
mv_calloc.LICKING ref: 1001BD48
mv_buffer_ref.LICKING ref: 1001BD97
mv_channel_layout_from_mask.LICKING ref: 1001BE81

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_refmv_channel_layout_check$mv_callocmv_channel_layout_from_mask
String ID:
API String ID: 217990561-0
Opcode ID: 1e1b2be178534d09f3809dd0d7333aeb9c5539d81d1e8131270f189a167b3022
Instruction ID: a7629d8e8dda3d5a431b7117ebde44a71cccd742558e4ac7197543dafc7bd42b
Opcode Fuzzy Hash: 1e1b2be178534d09f3809dd0d7333aeb9c5539d81d1e8131270f189a167b3022
Instruction Fuzzy Hash: 23B17875A04B968BCB60CF29C8817AA7BE1EF49350F164579ED88CF346E734D881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1004F42C Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F478
mv_tree_find.LICKING ref: 1004F493
mv_tree_find.LICKING ref: 1004F58F
mv_tree_find.LICKING ref: 1004F5AE
mv_tree_find.LICKING ref: 1004F618
mv_tree_find.LICKING ref: 1004F633

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: a695cc76ce69234c581bf4b4b735b6e1a38d1706809023f07848c68a58c7e2d7
Instruction ID: 96bf0b44498b00c8afc9adc28f18f4118ac37f17b7c9e697edf206a9a7f98cbb
Opcode Fuzzy Hash: a695cc76ce69234c581bf4b4b735b6e1a38d1706809023f07848c68a58c7e2d7
Instruction Fuzzy Hash: 5DA1CDB490974A9FC300DF6AC08441AFBE5FF88A54F618D2EE898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 1000A720 Relevance: 16.7, APIs: 11, Instructions: 173COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1000A72E
mv_mallocz.LICKING ref: 1000A7D5
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A808
mv_mallocz.LICKING ref: 1000A890
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A8C4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$Releasemv_mallocz$Acquire
String ID:
API String ID: 2881747546-0
Opcode ID: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
Instruction ID: d1cc2579b1c102c58a024c2dc6685eb9d016c090d03debdddd743aed40a40bb7
Opcode Fuzzy Hash: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
Instruction Fuzzy Hash: 0C6126B49087058FE714DF25C48171BBBE1EF85380F12866DE8998B35ADB74E981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001CBC0 Relevance: 16.7, APIs: 11, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001CBC0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, intOrPtr* _a4, void* _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v91;
				signed int _v92;
				void* _v104;
				signed int _t61;
				signed int _t64;
				void* _t66;
				void _t68;
				intOrPtr _t72;
				signed char _t73;
				int _t76;
				signed int _t79;
				intOrPtr* _t81;
				void* _t83;
				void* _t86;
				void* _t89;
				intOrPtr _t92;

				_v16 = __ebx;
				_t81 = _a4;
				_v4 = __ebp;
				_t72 = _a12;
				_v12 = __esi;
				_v8 = __edi;
				_t61 =  *(_t81 + 4);
				_t92 =  *((intOrPtr*)(0x100b6004 + _t61 * 8));
				if(_t61 > 0xe) {
					L15:
					_t89 =  &_v92;
					L3:
					_t83 = _a8;
					_t76 =  <=  ? _t72 : _t92;
					if(_t76 >= 8) {
						L8:
						if((_t83 & 0x00000001) != 0) {
							_t89 =  &_v91;
							_t76 = _t76 - 1;
							 *_t83 = _v92 & 0x000000ff;
							_t83 = _a8 + 1;
						}
						if((_t83 & 0x00000002) != 0) {
							_t64 =  *_t89 & 0x0000ffff;
							_t83 = _t83 + 2;
							_t89 = _t89 + 2;
							_t76 = _t76 - 2;
							 *(_t83 - 2) = _t64;
						}
						if((_t83 & 0x00000004) != 0) {
							_t68 =  *_t89;
							_t83 = _t83 + 4;
							_t89 = _t89 + 4;
							_t76 = _t76 - 4;
							 *(_t83 - 4) = _t68;
						}
					}
					L4:
					memcpy(_t83, _t89, _t76);
					if(_t92 < _t72) {
						_t66 = _a8;
						_t73 = _t72 - _t92;
						_t86 = _t66 + _t92;
						if(_t73 >= 8) {
							if((_t86 & 0x00000001) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 1;
								_t86 = _t86 + 1;
							}
							if((_t86 & 0x00000002) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 2;
								_t86 = _t86 + 2;
							}
							if((_t86 & 0x00000004) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 4;
								_t86 = _t86 + 4;
							}
							_t79 = _t73 >> 2;
							_t73 = _t73 & 0x00000003;
							_t66 = memset(_t86, 0, _t79 << 2);
							_t86 = _t86 + _t79;
						}
						if((_t73 & 0x00000004) != 0) {
							 *_t86 = 0;
							_t86 = _t86 + 4;
						}
						if((_t73 & 0x00000002) != 0) {
							 *_t86 = 0;
							_t86 = _t86 + 2;
						}
						if((_t73 & 0x00000001) != 0) {
							 *_t86 = 0;
						}
					}
					return _t66;
				}
				switch( *((intOrPtr*)(_t61 * 4 +  &M100B5EF8))) {
					case 0:
						__esi =  &_v92;
						E100289F0( *__edx,  &_v92);
						goto L3;
					case 1:
						__esi =  &_v92;
						E1002A800( *__edx,  &_v92);
						goto L3;
					case 2:
						__esi =  &_v92;
						E1003C6E0( *__edx,  &_v92);
						__ecx =  <=  ? __ebx : __ebp;
						__edi = _a8;
						__eflags = ( <=  ? __ebx : __ebp) - 8;
						if(( <=  ? __ebx : __ebp) < 8) {
							goto L4;
						} else {
							goto L8;
						}
					case 3:
						__esi =  &_v92;
						E10041410( *__edx,  &_v92);
						goto L3;
					case 4:
						_t89 =  &_v92;
						_v104 = _t89;
						 *_t94 =  *_t81;
						E1004C4C0();
						goto L3;
					case 5:
						__esi =  &_v92;
						asm("bswap eax");
						_v92 =  !( *(__edx + 0xc));
						goto L3;
					case 6:
						asm("bswap eax");
						_v92 =  *(__edx + 0xc);
						goto L15;
				}
			}

0x1001cbc3
0x1001cbc7
0x1001cbcb
0x1001cbcf
0x1001cbd3
0x1001cbd7
0x1001cbdb
0x1001cbe1
0x1001cbe8
0x1001cce1
0x1001cce1
0x1001cc10
0x1001cc14
0x1001cc18
0x1001cc1e
0x1001cc70
0x1001cc76
0x1001cdbd
0x1001cdc1
0x1001cdc2
0x1001cdc8
0x1001cdc8
0x1001cc82
0x1001cda0
0x1001cda3
0x1001cda6
0x1001cda9
0x1001cdac
0x1001cdac
0x1001cc8e
0x1001cc90
0x1001cc92
0x1001cc95
0x1001cc98
0x1001cc9b
0x1001cc9b
0x1001cc8e
0x1001cc20
0x1001cc20
0x1001cc24
0x1001cd30
0x1001cd34
0x1001cd39
0x1001cd3c
0x1001cd76
0x1001cdf0
0x1001cdf3
0x1001cdf4
0x1001cdf4
0x1001cd7e
0x1001cde0
0x1001cde5
0x1001cde8
0x1001cde8
0x1001cd86
0x1001cdd0
0x1001cdd6
0x1001cdd9
0x1001cdd9
0x1001cd8c
0x1001cd8f
0x1001cd92
0x1001cd92
0x1001cd92
0x1001cd41
0x1001cd43
0x1001cd49
0x1001cd49
0x1001cd4f
0x1001cd51
0x1001cd56
0x1001cd56
0x1001cd5c
0x1001cd62
0x1001cd62
0x1001cd5c
0x1001cc3d
0x1001cc3d
0x1001cbee
0x00000000
0x1001ccf0
0x1001ccfd
0x00000000
0x00000000
0x1001cd10
0x1001cd1d
0x00000000
0x00000000
0x1001cc40
0x1001cc4d
0x1001cc56
0x1001cc59
0x1001cc5d
0x1001cc60
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001cca0
0x1001ccad
0x00000000
0x00000000
0x1001cbf8
0x1001cbfc
0x1001cc02
0x1001cc05
0x00000000
0x00000000
0x1001ccc3
0x1001ccc9
0x1001cccb
0x00000000
0x00000000
0x1001ccdb
0x1001ccdd
0x00000000
0x00000000

APIs

mv_sha512_final.LICKING ref: 1001CC05
mv_ripemd_final.LICKING ref: 1001CC4D
mv_sha_final.LICKING ref: 1001CCAD
mv_md5_final.LICKING ref: 1001CCFD
mv_murmur3_final.LICKING ref: 1001CD1D
mv_sha512_final.LICKING ref: 1001CEE5
mv_base64_encode.LICKING ref: 1001CF08
mv_ripemd_final.LICKING ref: 1001CF6D
mv_sha_final.LICKING ref: 1001CF8D
mv_md5_final.LICKING ref: 1001CFAD
mv_murmur3_final.LICKING ref: 1001CFCD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final$mv_base64_encode
String ID:
API String ID: 2245914800-0
Opcode ID: 62bff0bfa5fda6f057751ef9358ee1ed2e520e05b5b39d291601a4f433c69b85
Instruction ID: eab164d01422db32363519a412dd3cb370dfb3174abfeab388949418a0586d85
Opcode Fuzzy Hash: 62bff0bfa5fda6f057751ef9358ee1ed2e520e05b5b39d291601a4f433c69b85
Instruction Fuzzy Hash: D961F4B9909755CFD710EF24C48065EB7E1FF88700F52882EEA999B311D374E989CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10092440 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10092440() {
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t84;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				void* _t90;
				signed int _t91;
				void* _t97;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t125;
				signed int _t126;
				signed int _t128;
				char* _t129;
				void* _t131;
				signed int* _t132;

				_t132 = _t131 - 0x3c;
				_t125 = _t132[0x14];
				if(_t132[0x15] != 0) {
					_t63 = _t132[0x15];
					 *_t63 = _t125;
				}
				if(_t132[0x16] == 1) {
					L29:
					L100A0678();
					 *_t63 = 0x21;
					goto L30;
				} else {
					if(_t132[0x16] <= 0x24) {
						while(1) {
							_t65 =  *_t125;
							 *_t132 = _t65;
							_t87 = _t65;
							L100A0738();
							if(_t65 == 0) {
								break;
							}
							_t125 = _t125 + 1;
						}
						_t120 = _t87;
						_t88 = _t65;
						_t6 = _t120 - 0x2b; // -43
						_t66 = _t120;
						if((_t6 & 0x000000fd) == 0) {
							_t66 =  *(_t125 + 1) & 0x000000ff;
							_t125 = _t125 + 1;
						}
						if(_t132[0x16] != 0) {
							if(_t132[0x16] != 0x10 || _t66 != 0x30) {
								goto L11;
							} else {
								if(( *(_t125 + 1) & 0xdf) == 0x58) {
									goto L34;
								} else {
									_t132[9] = 0x10;
									_t129 = _t125 + 1;
									_t68 = 0;
									goto L16;
								}
							}
						} else {
							_t132[0x16] = 0xa;
							if(_t66 == 0x30) {
								if(( *(_t125 + 1) & 0xdf) != 0x58) {
									_t132[9] = 8;
									_t132[0x16] = 8;
									goto L45;
								} else {
									L34:
									_t66 =  *(_t125 + 2) & 0x000000ff;
									_t132[0x16] = 0x10;
									_t125 = _t125 + 2;
									goto L11;
								}
							} else {
								L11:
								_t128 = _t66;
								if(_t128 - 0x30 <= 9) {
									_t132[9] = _t132[0x16];
									L45:
									_t68 = _t66 - 0x30;
									goto L15;
								} else {
									 *_t132 = _t128;
									L100A0740();
									if(_t66 != 0) {
										_t68 = _t128 - 0x37;
										_t132[9] = _t132[0x16];
										goto L15;
									} else {
										 *_t132 = _t128;
										L100A0730();
										if(_t66 == 0) {
											L30:
											_t64 = 0;
											goto L31;
										} else {
											_t68 = _t128 - 0x57;
											_t132[9] = _t132[0x16];
											L15:
											_t129 = _t125 + 1;
											if(_t68 >= _t132[9]) {
												goto L30;
											} else {
												L16:
												_t69 = _t132[0x16];
												_t132[0xa] = _t88;
												_t126 = _t68;
												_t132[6] = _t69;
												_t132[7] = _t69 >> 0x1f;
												_t71 = _t120;
												_t121 = _t68 >> 0x1f;
												_t132[0xb] = _t71;
												while(1) {
													_t89 =  *_t129;
													_t35 = _t89 - 0x30; // -96
													_t97 = _t35;
													if(_t97 <= 9) {
														goto L17;
													}
													 *_t132 = _t89;
													L100A0740();
													if(_t71 == 0) {
														 *_t132 = _t89;
														L100A0730();
														if(_t71 != 0) {
															_t90 = _t89 - 0x57;
															goto L18;
														}
													} else {
														_t90 = _t89 - 0x37;
														L18:
														if(_t90 < _t132[9]) {
															 *_t132 = 0xffffffff;
															_t132[1] = 0x7fffffff;
															_t132[2] = _t132[6];
															_t132[3] = _t132[7];
															_t71 = E10091900() + 2;
															asm("adc edx, 0x0");
															asm("sbb edx, edi");
															if(_t71 < _t126) {
																_t132[0xa] = 1;
															} else {
																_t84 = _t126;
																_t71 = _t84 * _t132[0x16];
																_t121 = (_t84 * _t132[0x16] >> 0x20) + _t132[7] * _t126 + _t132[0x16] * _t121;
																_t126 = _t71 + _t90;
																asm("adc edi, ebx");
															}
															_t129 = _t129 + 1;
															continue;
														}
													}
													_t91 = _t132[0xa];
													_t132[7] = _t121;
													_t132[6] = _t126;
													_t122 = _t132[0xb] & 0x000000ff;
													if(_t132[0x15] != 0) {
														 *(_t132[0x15]) = _t129;
													}
													if(_t122 == 0x2d) {
														asm("sbb eax, ebp");
														if(0 < _t132[6] || _t91 != 0) {
															L100A0678();
															 *0x80000000 = 0x22;
															_t64 = 0;
														} else {
															_t64 =  ~(_t132[6]);
															asm("adc edx, 0x0");
														}
														goto L31;
													} else {
														_t64 = _t132[6];
														if(_t132[7] < 0 || _t91 != 0) {
															L100A0678();
															 *_t64 = 0x22;
															return 0xffffffff;
														} else {
															L31:
															return _t64;
														}
													}
													goto L51;
													L17:
													_t90 = _t97;
													goto L18;
												}
											}
										}
									}
								}
							}
						}
					} else {
						goto L29;
					}
				}
				L51:
			}

0x10092444
0x1009244b
0x10092451
0x10092453
0x10092457
0x10092457
0x1009245e
0x100925f0
0x100925f0
0x100925f5
0x00000000
0x10092464
0x10092469
0x10092473
0x10092473
0x10092476
0x10092479
0x1009247b
0x10092482
0x00000000
0x00000000
0x10092470
0x10092470
0x10092484
0x10092486
0x10092488
0x1009248b
0x10092493
0x10092495
0x10092499
0x10092499
0x100924a2
0x100925c5
0x00000000
0x100925d3
0x100925dc
0x00000000
0x100925de
0x100925de
0x100925e6
0x100925e9
0x00000000
0x100925e9
0x100925dc
0x100924a8
0x100924a8
0x100924b2
0x1009262a
0x10092718
0x10092720
0x00000000
0x10092630
0x10092630
0x10092630
0x10092634
0x1009263c
0x00000000
0x1009263c
0x100924b8
0x100924b8
0x100924b8
0x100924c1
0x100926d4
0x100926d8
0x100926db
0x00000000
0x100924c7
0x100924c7
0x100924ca
0x100924d1
0x10092614
0x10092617
0x00000000
0x100924d7
0x100924d7
0x100924da
0x100924e1
0x100925fb
0x100925fb
0x00000000
0x100924e7
0x100924eb
0x100924ee
0x100924f8
0x100924fc
0x10092501
0x00000000
0x10092507
0x10092507
0x1009250b
0x1009250f
0x10092516
0x10092518
0x1009251f
0x10092523
0x10092525
0x10092527
0x1009259a
0x1009259a
0x1009259e
0x1009259e
0x100925a4
0x00000000
0x00000000
0x100925a6
0x100925a9
0x100925b0
0x10092658
0x1009265b
0x10092662
0x100926c0
0x00000000
0x100926c0
0x100925b6
0x100925b6
0x10092532
0x10092538
0x10092546
0x1009254d
0x10092555
0x10092559
0x10092562
0x10092565
0x1009256a
0x1009256c
0x10092648
0x10092572
0x10092582
0x10092584
0x1009258c
0x10092593
0x10092595
0x10092595
0x10092597
0x00000000
0x10092597
0x10092538
0x10092668
0x1009266c
0x10092670
0x10092674
0x1009267b
0x10092681
0x10092681
0x10092687
0x100926f9
0x100926fb
0x10092701
0x1009270b
0x10092711
0x1009272a
0x10092732
0x10092734
0x10092737
0x00000000
0x10092689
0x1009268d
0x10092693
0x1009269d
0x100926a7
0x100926b9
0x100925ff
0x100925ff
0x10092606
0x10092606
0x10092693
0x00000000
0x10092530
0x10092530
0x00000000
0x10092530
0x1009259a
0x10092501
0x100924e1
0x100924d1
0x100924c1
0x100924b2
0x1009246b
0x00000000
0x1009246b
0x10092469
0x00000000

APIs

isspace.MSVCRT ref: 1009247B
isupper.MSVCRT ref: 100924CA
islower.MSVCRT ref: 100924DA
isupper.MSVCRT ref: 100925A9
_errno.MSVCRT ref: 100925F0

Strings

$, xrefs: 10092464

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: isupper$_errnoislowerisspace
String ID: $
API String ID: 4095548146-3993045852
Opcode ID: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
Instruction ID: bf1127f437a700fe79d2786272533d695bbcf864f17e232e7603132a75f37682
Opcode Fuzzy Hash: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
Instruction Fuzzy Hash: A171A0746087868FC300CF68C88065EFBE2EFC9394F15492DF8998B791E674D845AB82

Uniqueness

Uniqueness Score: -1.00%

Function 10026169 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 178
stringCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E10026169(void* __edi, signed char* __ebp, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, intOrPtr _a40, intOrPtr _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed int _a5204, char* _a5208, char* _a5212) {
				signed int _t63;
				signed int _t67;
				signed int _t70;
				signed int _t73;
				signed int _t76;
				signed int _t81;
				void* _t84;
				signed char* _t85;
				signed char* _t89;
				intOrPtr _t93;
				signed char* _t94;
				char* _t103;
				signed char* _t104;
				signed char* _t105;
				signed char* _t106;
				signed char* _t107;
				char* _t108;
				char* _t123;
				signed int _t124;
				char* _t126;
				signed char* _t131;
				signed char** _t133;

				_t131 = __ebp;
				if(( *0x100d76ac & 0x00000002) != 0) {
					_t51 = _a5204 + 8; // 0x101
					__edx = _t51;
					__eax = 0x100b6d3b;
					if(__edx <= 0x40) {
						__eax =  *((intOrPtr*)(0x100b6f40 + __edx * 4));
					}
					_a8 = __eax;
					__eax = "[%s] ";
					_a4 = "[%s] ";
					 *__esp = __edi;
					__eax = E100089C0();
				}
				 *_t133 = _t131;
				_a8 = _a5212;
				_a4 = _a5208;
				E10008B70();
				_t108 = _a1072;
				_t103 = _a2096;
				_t123 = _a3120;
				_t126 = _a4144;
				if( *_t108 != 0 ||  *_t103 != 0 ||  *_t123 != 0 ||  *_t126 != 0) {
					_t93 = _a4148;
					_t63 = 0;
					if(_t93 != 0 && _a4152 >= _t93) {
						_t63 = (0 | ( *(_t126 + _t93 - 1) & 0x000000ff) == 0x0000000a |  *(_t126 + _t93 - 1) & 0 | ( *(_t126 + _t93 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
					}
					 *0x100ad00c = _t63;
				}
				_a24 = _t126;
				_t94 =  &_a48;
				_a8 = "%s%s%s%s";
				_a20 = _t123;
				_a16 = _t103;
				_a12 = _t108;
				_a4 = 0x400;
				 *_t133 = _t94;
				E10025AE0();
				_t67 =  *0x100d76a0;
				if(_t67 == 0) {
					 *_t133 = 2;
					L100A0860();
					asm("sbb eax, eax");
					 *0x100d76a0 = _t67 | 0x00000001;
				}
				_t124 =  *0x100ad00c; // 0x1
				_t127 =  *0x100d7280;
				if(_t124 == 0 || ( *0x100d76ac & 0x00000001) == 0) {
					L12:
					if(_t127 > 0) {
						 *_t133 = 2;
						_t124 = 0;
						_t85 =  *0x100ad0cc();
						_a8 = _t127;
						_t127 = "    Last message repeated %d times\n";
						_a4 = "    Last message repeated %d times\n";
						 *_t133 = _t85;
						E10025610();
						 *0x100d7280 = 0;
					}
					_a4 = _t94;
					 *_t133 = 0x100d72a0;
					strcpy(??, ??);
					_t104 = _a1072;
					_t70 =  *_t104 & 0x000000ff;
					if(_t70 == 0) {
						L20:
						L100257B0(_a40, _t94, _t104, 0, _t124, _t127);
						_t105 = _a2096;
						_t73 =  *_t105 & 0x000000ff;
						if(_t73 == 0) {
							L26:
							L100257B0(_a44, _t94, _t105, 0, _t124, _t127);
							_t106 = _a3120;
							_t76 =  *_t106 & 0x000000ff;
							if(_t76 == 0) {
								L32:
								_t129 = _a36 >> 8;
								_t97 =  >  ? 7 : _a5204 >> 3;
								_t98 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
								L100257B0( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t106, _a36 >> 8, _t124, _a36 >> 8);
								_t107 = _a4144;
								_t81 =  *_t107 & 0x000000ff;
								if(_t81 == 0) {
									L38:
									L100257B0(_t98, _t98, _t107, _t129, _t124, _t129);
									goto L39;
								}
								L34:
								while(_t81 - 0xe > 0x11 && _t81 > 7) {
									_t81 = _t107[1] & 0x000000ff;
									_t107 =  &(_t107[1]);
									if(_t81 != 0) {
										continue;
									}
									L37:
									_t107 = _a4144;
									goto L38;
								}
								 *_t107 = 0x3f;
								_t107 =  &(_t107[1]);
								_t81 =  *_t107 & 0x000000ff;
								if(_t81 != 0) {
									goto L34;
								}
								goto L37;
							}
							L28:
							while(_t76 - 0xe > 0x11 && _t76 > 7) {
								_t76 = _t106[1] & 0x000000ff;
								_t106 =  &(_t106[1]);
								if(_t76 != 0) {
									continue;
								}
								L31:
								_t106 = _a3120;
								goto L32;
							}
							 *_t106 = 0x3f;
							_t106 =  &(_t106[1]);
							_t76 =  *_t106 & 0x000000ff;
							if(_t76 != 0) {
								goto L28;
							}
							goto L31;
						}
						L22:
						while(_t73 - 0xe > 0x11 && _t73 > 7) {
							_t73 = _t105[1] & 0x000000ff;
							_t105 =  &(_t105[1]);
							if(_t73 != 0) {
								continue;
							}
							L25:
							_t105 = _a2096;
							goto L26;
						}
						 *_t105 = 0x3f;
						_t105 =  &(_t105[1]);
						_t73 =  *_t105 & 0x000000ff;
						if(_t73 != 0) {
							goto L22;
						}
						goto L25;
					} else {
						L16:
						while(_t70 - 0xe > 0x11 && _t70 > 7) {
							_t70 = _t104[1] & 0x000000ff;
							_t104 =  &(_t104[1]);
							if(_t70 != 0) {
								continue;
							}
							L19:
							_t104 = _a1072;
							goto L20;
						}
						 *_t104 = 0x3f;
						_t104 =  &(_t104[1]);
						_t70 =  *_t104 & 0x000000ff;
						if(_t70 != 0) {
							goto L16;
						}
						goto L19;
					}
				} else {
					 *_t133 = _t94;
					_t107 = 0x100d72a0;
					_a4 = 0x100d72a0;
					if(strcmp(??, ??) != 0) {
						goto L12;
					}
					if(_a48 != 0) {
						 *_t133 = _t94;
						if( *((char*)(_t133 + strlen(??) + 0x2f)) == 0xd) {
							goto L12;
						}
						_t129 =  &(_t127[1]);
						 *0x100d7280 = _t129;
						if( *0x100d76a0 == 1) {
							 *_t133 = 2;
							_t89 =  *0x100ad0cc();
							_a8 = _t129;
							_a4 = "    Last message repeated %d times\r";
							 *_t133 = _t89;
							E10025610();
						}
						L39:
						 *_t133 = _t131;
						_a4 = 0;
						_t84 = E10009690(0, _t107, _t124, _t129);
						 *_t133 = 0x100d76b0;
						L100A0978();
						return _t84;
					}
					goto L12;
				}
			}

0x10026169
0x10026177
0x10026184
0x10026184
0x10026187
0x1002618f
0x100261be
0x100261be
0x10026191
0x10026195
0x1002619a
0x1002619e
0x100261a1
0x100261a1
0x10025d94
0x10025d9e
0x10025da9
0x10025dad
0x10025db2
0x10025db9
0x10025dc0
0x10025dc7
0x10025dd1
0x10026010
0x10026017
0x1002601b
0x10026039
0x10026039
0x1002603c
0x1002603c
0x10025e00
0x10025e04
0x10025e0d
0x10025e16
0x10025e1a
0x10025e1e
0x10025e22
0x10025e26
0x10025e29
0x10025e2e
0x10025e35
0x100260b0
0x100260b7
0x100260bf
0x100260c4
0x100260c4
0x10025e3b
0x10025e41
0x10025e49
0x10025e80
0x10025e82
0x10025e84
0x10025e8b
0x10025e8d
0x10025e93
0x10025e97
0x10025e9c
0x10025ea0
0x10025ea3
0x10025ea8
0x10025ea8
0x10025eae
0x10025eb2
0x10025eb9
0x10025ebe
0x10025ec5
0x10025eca
0x10025ef6
0x10025efc
0x10025f01
0x10025f08
0x10025f0d
0x10025f36
0x10025f3c
0x10025f41
0x10025f48
0x10025f4d
0x10025f76
0x10025f89
0x10025f8e
0x10025f97
0x10025f9c
0x10025fa1
0x10025fa8
0x10025fad
0x10025fd6
0x10025fda
0x00000000
0x10025fda
0x00000000
0x10025fb0
0x10025fc6
0x10025fca
0x10025fcd
0x00000000
0x00000000
0x10025fcf
0x10025fcf
0x00000000
0x10025fcf
0x10026068
0x1002606b
0x1002606c
0x10026071
0x00000000
0x00000000
0x00000000
0x10026077
0x00000000
0x10025f50
0x10025f66
0x10025f6a
0x10025f6d
0x00000000
0x00000000
0x10025f6f
0x10025f6f
0x00000000
0x10025f6f
0x10026050
0x10026053
0x10026054
0x10026059
0x00000000
0x00000000
0x00000000
0x1002605f
0x00000000
0x10025f10
0x10025f26
0x10025f2a
0x10025f2d
0x00000000
0x00000000
0x10025f2f
0x10025f2f
0x00000000
0x10025f2f
0x10026080
0x10026083
0x10026084
0x10026089
0x00000000
0x00000000
0x00000000
0x10025ed0
0x00000000
0x10025ed0
0x10025ee6
0x10025eea
0x10025eed
0x00000000
0x00000000
0x10025eef
0x10025eef
0x00000000
0x10025eef
0x10026098
0x1002609b
0x1002609c
0x100260a1
0x00000000
0x00000000
0x00000000
0x100260a7
0x10025e54
0x10025e54
0x10025e57
0x10025e5c
0x10025e67
0x00000000
0x00000000
0x10025e6e
0x100261c7
0x100261d4
0x00000000
0x00000000
0x100261da
0x100261e2
0x100261e8
0x100261ee
0x100261f5
0x10026200
0x10026204
0x10026208
0x1002620b
0x1002620b
0x10025fdf
0x10025fdf
0x10025fe4
0x10025fe8
0x10025fed
0x10025ff4
0x10026006
0x10026006
0x00000000
0x10025e6e

APIs

mv_vbprintf.LICKING ref: 10025DAD
strcmp.MSVCRT ref: 10025E60
strcpy.MSVCRT ref: 10025EB9
mv_bprintf.LICKING ref: 100261A1

Strings

Last message repeated %d times, xrefs: 10025E97
%s%s%s%s, xrefs: 10025E08
[%s] , xrefs: 10026195

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintfmv_vbprintfstrcmpstrcpy
String ID: Last message repeated %d times$%s%s%s%s$[%s]
API String ID: 3163274402-1378087399
Opcode ID: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
Instruction ID: d1eb8843b360d500b767063b44c9564666ae391a763e2864b4dfe10f501dd800
Opcode Fuzzy Hash: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
Instruction Fuzzy Hash: B661C0749093C18FD720CF24D8807AABBE2FF85344F85885EE8CA57342D736A945DB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001EDD3 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1001EDD3(intOrPtr _a4) {
				intOrPtr _v40;
				signed char _v48;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr* _v128;
				intOrPtr _v132;
				intOrPtr* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				char* _v152;
				char _v156;
				intOrPtr _v160;
				char* _v164;
				intOrPtr _v168;
				void* __ebx;
				intOrPtr _t80;
				signed int _t81;
				intOrPtr _t84;
				void* _t85;
				intOrPtr* _t92;
				intOrPtr _t93;
				intOrPtr _t107;
				signed char _t108;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr* _t126;
				void* _t132;
				intOrPtr* _t133;

				_t133 = _t132 - 0x8c;
				_t107 = _a4;
				_t126 =  *((intOrPtr*)(_t107 + 0x10));
				_v128 =  *((intOrPtr*)( *((intOrPtr*)(_t107 + 0xc)) + 0xc));
				_v136 =  *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 4));
				_t80 =  *((intOrPtr*)(_t107 + 0x28));
				if(_t80 == 0x17) {
					_t81 = 0;
					goto L10;
				} else {
					if(_t80 == 0x9f) {
						_t81 = 1;
						goto L10;
					} else {
						if(_t80 == 0x1c) {
							_t81 = 2;
							goto L10;
						} else {
							if(_t80 == 0xc4) {
								_t81 = 3;
								goto L10;
							} else {
								if(_t80 == 0xd0) {
									_t81 = 4;
									goto L10;
								} else {
									if(_t80 == 0) {
										_t81 = 5;
										L10:
										_t113 =  *((intOrPtr*)(0x100b6660 + _t81 * 8));
										_t108 =  *(_t126 + 4);
										_v132 =  *((intOrPtr*)(_t126 + 8));
										 *((intOrPtr*)(_v136 + 8)) = _t113;
										_t83 =  *((intOrPtr*)(_t107 + 0x20));
										_v92 = 0;
										_v80 = 0;
										_v100 = _t113;
										_v88 = 0;
										_v96 = 1;
										_t115 =  *_t126;
										_v116 =  *((intOrPtr*)(_t107 + 0x2c));
										_v104 = _t83;
										_v112 =  *((intOrPtr*)(_t107 + 0x30));
										_v108 = 1;
										_v84 = _t108;
										_v76 = _v132;
										if(_t115 == 0) {
											if((_t108 & 0x00000020) != 0 || _t83 == 0) {
												goto L15;
											} else {
												_t92 =  *_v128;
												_v144 = _t126;
												_v148 = 0;
												_v152 =  &_v116;
												_v156 = _t92;
												_t93 =  *((intOrPtr*)( *_t92 + 0x14))();
												_t133 = _t133 - 0x10;
												if(_t93 < 0) {
													_v160 = _t93;
													_v164 = "Could not create the texture (%lx)\n";
													_v168 = 0x10;
													 *_t133 = _t107;
													E10026560();
													_t85 = 0xb1b4b1ab;
													goto L8;
												} else {
													_t83 =  *((intOrPtr*)(_t107 + 0x20));
													goto L15;
												}
											}
										} else {
											_v152 =  &_v72;
											_v156 = _t115;
											 *((intOrPtr*)( *_t115 + 0x28))();
											_t133 = _t133 - 8;
											if(_v124 != _v80 || _v120 != _v76 || _v108 != _v64) {
												E10026560(_t107, 0x10, "User-provided texture has mismatching parameters\n");
												goto L7;
											} else {
												_t83 = _v68;
												 *((intOrPtr*)(_t107 + 0x20)) = _v68;
												 *(_t126 + 4) = _v48;
												 *((intOrPtr*)(_t126 + 8)) = _v40;
												L15:
												_t84 = E10028DE0(0, _t83, 8);
												 *((intOrPtr*)(_t126 + 0xc)) = _t84;
												if(_t84 == 0) {
													L28:
													_t85 = 0xfffffff4;
													goto L8;
												} else {
													 *_v136 =  *((intOrPtr*)(_t107 + 0x20));
													_v144 = 0;
													 *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 8)) = E1000A590(_t107, 8, _t107, 0x1001f3c0);
													if( *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 8)) == 0) {
														goto L28;
													} else {
														return 0;
													}
												}
											}
										}
									} else {
										E10026560(_t107, 0x10, "Unsupported pixel format: %s\n", E10034450(_t80));
										L7:
										_t85 = 0xffffffea;
										L8:
										return _t85;
									}
								}
							}
						}
					}
				}
			}

0x1001ede4
0x1001edea
0x1001edf4
0x1001edfa
0x1001ee04
0x1001ee08
0x1001ee0e
0x1001ee80
0x00000000
0x1001ee10
0x1001ee15
0x1001eff8
0x00000000
0x1001ee1b
0x1001ee1e
0x1001f002
0x00000000
0x1001ee24
0x1001ee29
0x1001f00c
0x00000000
0x1001ee2f
0x1001ee34
0x1001f016
0x00000000
0x1001ee3a
0x1001ee3c
0x1001f020
0x1001ee90
0x1001ee95
0x1001eea0
0x1001eea3
0x1001eea9
0x1001eeac
0x1001eeaf
0x1001eeb5
0x1001eebc
0x1001eec5
0x1001eecc
0x1001eed0
0x1001eed2
0x1001eeda
0x1001eede
0x1001eee7
0x1001eeed
0x1001eef1
0x1001eef5
0x1001efc3
0x00000000
0x1001efc9
0x1001efd3
0x1001efd7
0x1001efdb
0x1001efdf
0x1001efe3
0x1001efe6
0x1001efe9
0x1001efee
0x1001f053
0x1001f057
0x1001f05f
0x1001f067
0x1001f06a
0x1001f06f
0x00000000
0x1001eff0
0x1001eff0
0x00000000
0x1001eff0
0x1001efee
0x1001eefb
0x1001ef01
0x1001ef05
0x1001ef08
0x1001ef0b
0x1001ef16
0x1001f03f
0x00000000
0x1001ef38
0x1001ef38
0x1001ef40
0x1001ef43
0x1001ef4a
0x1001ef4d
0x1001ef61
0x1001ef66
0x1001ef6b
0x1001f049
0x1001f049
0x00000000
0x1001ef71
0x1001ef80
0x1001ef84
0x1001ef9c
0x1001efa7
0x00000000
0x1001efad
0x1001efb9
0x1001efb9
0x1001efa7
0x1001ef6b
0x1001ef16
0x1001ee42
0x1001ee63
0x1001ee68
0x1001ee68
0x1001ee6d
0x1001ee77
0x1001ee77
0x1001ee3c
0x1001ee34
0x1001ee29
0x1001ee1e
0x1001ee15

APIs

mv_get_pix_fmt_name.LICKING ref: 1001EE45
mv_log.LICKING ref: 1001EE63
mv_realloc_f.LICKING ref: 1001EF61
mv_buffer_pool_init2.LICKING ref: 1001EF97

Strings

User-provided texture has mismatching parameters, xrefs: 1001F02D
Could not create the texture (%lx), xrefs: 1001F057
Unsupported pixel format: %s, xrefs: 1001EE51

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_pool_init2mv_get_pix_fmt_namemv_logmv_realloc_f
String ID: Could not create the texture (%lx)$Unsupported pixel format: %s$User-provided texture has mismatching parameters
API String ID: 2711572445-2713259832
Opcode ID: 61522124965e7a70bcebdc6bea7493d2fd4525d62fe2246ab6ae2aa39c44ee0d
Instruction ID: 6e4f5ef8983291c51a841fcbf1f78f5fcdc40949d936ea548a3686936fced655
Opcode Fuzzy Hash: 61522124965e7a70bcebdc6bea7493d2fd4525d62fe2246ab6ae2aa39c44ee0d
Instruction Fuzzy Hash: 2D71D1B4A087418FD750CF29D58061ABBE1FF88754F51892EE899CB351E735EC81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1002F6A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E1002F6A0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, void* __fp0, int _a4, int _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v32;
				int _v36;
				char _v40;
				int _v60;
				char _v88;
				intOrPtr _v92;
				int _v96;
				char* _v100;
				int* _v104;
				void* _t134;
				signed int _t136;
				signed char _t146;
				void* _t149;
				signed char _t151;
				int _t162;
				intOrPtr _t167;
				intOrPtr* _t169;

				 *_t169 =  &_v40;
				_v4 = __ebp;
				_v16 = __ebx;
				_t167 = _a12;
				_v12 = __esi;
				_v8 = __edi;
				_t134 = E1002B8B0(_a4, _a16, _a8);
				if(_t134 == 0 || _v40 == 0) {
					_t162 = 0xabafb008;
					goto L14;
				} else {
					_t149 = _t134;
					if(_t167 == 0) {
						_t151 =  *(_t134 + 0xc);
						if(_t151 == 5) {
							goto L3;
						}
						if(_t151 == 0xc) {
							goto L3;
						}
						if(_t151 > 0x12) {
							L52:
							_t162 = 0xffffffea;
							L14:
							return _t162;
						}
						_t146 = 0x7a800 >> _t151;
						if((_t146 & 0x00000001) != 0) {
							goto L3;
						} else {
							goto L52;
						}
					}
					L3:
					_t136 =  *(_t149 + 0x28);
					if((_t136 & 0x00000080) != 0) {
						goto L52;
					} else {
						if((_t136 & 0x00020000) != 0) {
							_v100 = "The \"%s\" option is deprecated: %s\n";
							_v104 = 0x18;
							_v92 =  *((intOrPtr*)(_t149 + 4));
							_v96 = _a8;
							 *_t169 = _a4;
							E10026560();
						}
						if( *(_t149 + 0xc) > 0x13) {
							L51:
							_v100 = "Invalid option type.\n";
							_v104 = 0x10;
							 *_t169 = _a4;
							E10026560();
							goto L52;
						}
						switch( *((intOrPtr*)( *(_t149 + 0xc) * 4 +  &M100B7E1C))) {
							case 0:
								_v104 = __edi;
								__eax = _a4;
								__ecx = __ebx;
								 *__esp = __ebp;
								__esi = E1002EEB0(_a4, __ebx, __edx, __fp0);
								goto L14;
							case 1:
								E100290E0(__edi);
								__eax = E100292E0(__ebx, __edi, __esi, __ebp, __ebp);
								 *__edi = __eax;
								__eflags = __eax;
								__eax = 0xfffffff4;
								__esi =  ==  ? 0xfffffff4 : __esi;
								goto L14;
							case 2:
								__edx = __edi;
								__eax = __ebp;
								__esi = E1002B710(__ebp, __edi);
								goto L14;
							case 3:
								__eax = 0;
								__eflags = __ebp;
								_v36 = 0;
								if(__ebp == 0) {
									L53:
									E10011CC0(__edi);
									__eax = _v36;
									 *__edi = _v36;
									goto L14;
								}
								_v104 = __ebp;
								__ecx = 0;
								__eax = 0x100b7c27;
								_v92 = 0;
								__ebp =  &_v36;
								__ebx = L":=";
								_v96 = L":=";
								_v100 = 0x100b7c27;
								 *__esp = __ebp;
								__eax = E100118C0();
								__eflags = __eax;
								if(__eax >= 0) {
									goto L53;
								}
								 *__esp = __ebp;
								_v60 = __eax;
								E10011CC0();
								__esi = _v60;
								goto L14;
							case 4:
								goto L51;
							case 5:
								__eflags = __ebp;
								if(__ebp == 0) {
									L21:
									 *(__edi + 4) = 0;
									 *__edi = 0;
									goto L14;
								}
								 *__esp = __ebp;
								__ecx = 0x100b729c;
								_v104 = 0x100b729c;
								__eax = strcmp(??, ??);
								__eflags = __eax;
								if(__eax != 0) {
									_v100 = __ebp;
									__eax = __edi + 4;
									_v104 = __edi + 4;
									 *__esp = __edi;
									__eax = E10031200();
									__eflags = __eax;
									__esi = __eax;
									if(__eax < 0) {
										_v96 = __ebp;
										__eax = "Unable to parse option value \"%s\" as image size\n";
										__edx = 0x10;
										_v100 = "Unable to parse option value \"%s\" as image size\n";
										__eax = _a4;
										_v104 = 0x10;
										 *__esp = _a4;
										__eax = E10026560();
									}
									goto L14;
								}
								goto L21;
							case 6:
								__eax = 0x10034480;
								__esi = "pixel format";
								_v100 = 0x10034480;
								__eax = 0xde;
								_v96 = __esi;
								_v104 = 0xde;
								goto L24;
							case 7:
								__eax = "sample format";
								__edx = 0x1003c860;
								_v96 = "sample format";
								__ecx = 0xc;
								_v100 = 0x1003c860;
								_v104 = 0xc;
								L24:
								__eax = _a4;
								__ecx = __ebp;
								__edx = __ebx;
								 *__esp = __edi;
								__esi = E1002AB90(_a4, __ebx, __ebp, __ebx, __edi, __esi, __ebp);
								goto L14;
							case 8:
								_v104 = __ebp;
								__eax =  &_v36;
								 *__esp =  &_v36;
								__eax = E100312C0();
								__eflags = __eax;
								__esi = __eax;
								if(__eax < 0) {
									_v96 = __ebp;
									__eax = "Unable to parse option value \"%s\" as video rate\n";
									_v100 = "Unable to parse option value \"%s\" as video rate\n";
									__eax = 0x10;
									_v104 = 0x10;
									__eax = _a4;
									 *__esp = _a4;
									__eax = E10026560();
								} else {
									__eax = _v36;
									__ecx = __edi;
									__edx = __ebx;
									asm("movsd xmm0, [0x100b80b8]");
									_v104 = __eax;
									_v100 = __eax;
									__eax = _v32;
									 *__esp = _v32;
									__eax = _a4;
									__esi = E1002ACF0(__ebx, __edi, __ebx, __edi, __esi, __fp0);
								}
								goto L14;
							case 9:
								__eax = 0;
								_v36 = 0;
								__eax = 0;
								__eflags = __ebp;
								_v32 = 0;
								if(__eflags == 0) {
									__eax = 0;
									__edx = 0;
									asm("pxor xmm0, xmm0");
									L31:
									asm("movsd xmm1, [ebx+0x18]");
									asm("movsd xmm2, [ebx+0x20]");
									asm("comisd xmm1, xmm0");
									if(__eflags > 0) {
										L60:
										asm("movsd xmm3, [0x100b80d8]");
										asm("divsd xmm2, xmm3");
										asm("divsd xmm1, xmm3");
										asm("movsd [esp+0x20], xmm2");
										asm("movsd [esp+0x18], xmm1");
										__eax =  *__ebx;
										__esi = "Value %f for parameter \'%s\' out of range [%g - %g]\n";
										__edi = 0x10;
										asm("divsd xmm0, xmm3");
										_v100 = "Value %f for parameter \'%s\' out of range [%g - %g]\n";
										asm("movsd [esp+0xc], xmm0");
										__esi = 0xffffffde;
										_v104 = 0x10;
										_v88 =  *__ebx;
										__eax = _a4;
										 *__esp = _a4;
										__eax = E10026560();
										goto L14;
									}
									asm("comisd xmm0, xmm2");
									if(__eflags > 0) {
										goto L60;
									}
									 *__edi = __eax;
									 *(__edi + 4) = __edx;
									goto L14;
								}
								_v104 = __ebp;
								__eax = 1;
								_v100 = 1;
								__eax =  &_v36;
								 *__esp =  &_v36;
								__eax = E10031C30();
								__eflags = __eax;
								if(__eflags < 0) {
									_v60 = __eax;
									__eax = 0x10;
									_v104 = 0x10;
									__eax = _a4;
									_v96 = __ebp;
									__ebp = "Unable to parse option value \"%s\" as duration\n";
									_v100 = "Unable to parse option value \"%s\" as duration\n";
									 *__esp = _a4;
									__eax = E10026560();
									__esi = _v60;
									goto L14;
								}
								__eax = _v36;
								__edx = _v32;
								asm("movd xmm0, eax");
								asm("movd xmm4, edx");
								asm("punpckldq xmm0, xmm4");
								asm("movq [esp+0x38], xmm0");
								asm("fild qword [esp+0x38]");
								_v60 = __fp0;
								asm("movsd xmm0, [esp+0x30]");
								goto L31;
							case 0xa:
								__eflags = __ebp;
								if(__ebp != 0) {
									_v104 = __ebp;
									__eax = _a4;
									__ebx = 0xffffffff;
									_v100 = 0xffffffff;
									 *__esp = __edi;
									_v96 = _a4;
									__eax = E10031420(__fp0);
									__eflags = __eax;
									__esi = __eax;
									if(__eax < 0) {
										__eax = _a4;
										__edx = "Unable to parse option value \"%s\" as color\n";
										__ecx = 0x10;
										__eax = E10026560(_a4, 0x10, "Unable to parse option value \"%s\" as color\n", __ebp);
									}
								}
								goto L14;
							case 0xb:
								__eflags = __ebp;
								if(__ebp == 0) {
									L50:
									 *__edi = 0;
									 *(__edi + 4) = 0;
									goto L51;
								}
								 *__esp = __ebp;
								__eax = 0x100b729c;
								_v104 = 0x100b729c;
								__eax = strcmp(??, ??);
								__eflags = __eax;
								if(__eax == 0) {
									goto L50;
								}
								__eax = E1000C640(__ebp);
								__ecx = __edx;
								__ebx = __edx;
								__ecx = __edx | __eax;
								__eflags = __edx | __eax;
								if((__edx | __eax) == 0) {
									_v60 = __eax;
									__eax = "Unable to parse option value \"%s\" as channel layout\n";
									__esi = 0xffffffea;
									_v100 = "Unable to parse option value \"%s\" as channel layout\n";
									__eax = 0x10;
									_v104 = 0x10;
									__eax = _a4;
									_v96 = __ebp;
									 *__esp = _a4;
									__eax = E10026560();
									__eax = _v60;
								}
								 *__edi = __eax;
								 *(__edi + 4) = __ebx;
								goto L14;
							case 0xc:
								__eflags = __ebp;
								if(__ebp == 0) {
									goto L14;
								}
								 *__esp = __ebp;
								__eax = 0x100b74ed;
								_v104 = 0x100b74ed;
								__eflags = strcmp(??, ??);
								if(__eflags != 0) {
									 *__esp = __ebp;
									__eax = "true,y,yes,enable,enabled,on";
									_v104 = "true,y,yes,enable,enabled,on";
									__eax = E10007100();
									__eflags = __eax;
									if(__eflags == 0) {
										_v60 = __eax;
										__eax = "false,n,no,disable,disabled,off";
										__eax = E10007100(__ebp, "false,n,no,disable,disabled,off");
										__edx = _v60;
										asm("pxor xmm0, xmm0");
										__eflags = __eax;
										if(__eflags != 0) {
											L44:
											asm("movsd xmm1, [ebx+0x18]");
											asm("comisd xmm1, xmm0");
											if(__eflags > 0) {
												L67:
												__eax = _a4;
												__ebx = "Unable to parse option value \"%s\" as boolean\n";
												__esi = 0x10;
												__eax = E10026560(_a4, 0x10, "Unable to parse option value \"%s\" as boolean\n", __ebp);
												goto L52;
											}
											asm("comisd xmm0, [ebx+0x20]");
											if(__eflags > 0) {
												goto L67;
											}
											 *__edi = __edx;
											goto L14;
										}
										 *__esp = __ebp;
										__eax = 0;
										_v36 = 0;
										__eax = 0xa;
										_v100 = 0xa;
										__eax =  &_v36;
										_v104 =  &_v36;
										__eax = strtol(??, ??, ??);
										 *__esp = __ebp;
										_v60 = __eax;
										__eax = strlen(??);
										__eflags = _v36 - __eax;
										if(__eflags != 0) {
											goto L67;
										}
										__edx = _v60;
										asm("pxor xmm0, xmm0");
										asm("cvtsi2sd xmm0, edx");
										goto L44;
									}
									__edx = 1;
									asm("movsd xmm0, [0x100b80b8]");
									goto L44;
								}
								__edx = 0xffffffff;
								asm("movsd xmm0, [0x100b8018]");
								goto L44;
							case 0xd:
								__eax = E1000D270(__edi);
								__eflags = __ebp;
								if(__ebp == 0) {
									goto L14;
								}
								_v104 = __ebp;
								 *__esp = __edi;
								__eax = E1000DD40(__fp0);
								__eflags = __eax;
								__esi = __eax;
								if(__eax >= 0) {
									goto L14;
								}
								_v96 = __ebp;
								__eax = _a4;
								_v100 = "Unable to parse option value \"%s\" as channel layout\n";
								_v104 = 0x10;
								 *__esp = _a4;
								__eax = E10026560();
								goto L52;
						}
					}
				}
			}

0x1002f6ab
0x1002f6b2
0x1002f6ba
0x1002f6be
0x1002f6c2
0x1002f6c6
0x1002f6ca
0x1002f6d1
0x1002fc87
0x00000000
0x1002f6e3
0x1002f6e5
0x1002f6e7
0x1002f758
0x1002f75e
0x00000000
0x00000000
0x1002f763
0x00000000
0x00000000
0x1002f768
0x1002fb1e
0x1002fb1e
0x1002f79c
0x1002f7b1
0x1002f7b1
0x1002f773
0x1002f777
0x00000000
0x1002f77d
0x00000000
0x1002f77d
0x1002f777
0x1002f6e9
0x1002f6e9
0x1002f6f4
0x00000000
0x1002f6fa
0x1002f6ff
0x1002f72d
0x1002f731
0x1002f735
0x1002f73d
0x1002f745
0x1002f748
0x1002f74d
0x1002f70a
0x1002fb00
0x1002fb0a
0x1002fb12
0x1002fb16
0x1002fb19
0x00000000
0x1002fb19
0x1002f713
0x00000000
0x1002f788
0x1002f78c
0x1002f790
0x1002f792
0x1002f79a
0x00000000
0x00000000
0x1002f7bb
0x1002f7c3
0x1002f7c8
0x1002f7ca
0x1002f7cc
0x1002f7d1
0x00000000
0x00000000
0x1002f870
0x1002f872
0x1002f879
0x00000000
0x00000000
0x1002f7e0
0x1002f7e2
0x1002f7e4
0x1002f7e8
0x1002fb30
0x1002fb33
0x1002fb38
0x1002fb3c
0x00000000
0x1002fb3c
0x1002f7ee
0x1002f7f2
0x1002f7f4
0x1002f7f9
0x1002f7fd
0x1002f801
0x1002f806
0x1002f80a
0x1002f80e
0x1002f811
0x1002f816
0x1002f818
0x00000000
0x00000000
0x1002f81e
0x1002f821
0x1002f825
0x1002f82a
0x00000000
0x00000000
0x00000000
0x00000000
0x1002f838
0x1002f83a
0x1002f855
0x1002f855
0x1002f85c
0x00000000
0x1002f85c
0x1002f83c
0x1002f83f
0x1002f844
0x1002f848
0x1002f84d
0x1002f84f
0x1002fb58
0x1002fb5c
0x1002fb5f
0x1002fb63
0x1002fb66
0x1002fb6b
0x1002fb6d
0x1002fb6f
0x1002fb75
0x1002fb79
0x1002fb7e
0x1002fb83
0x1002fb87
0x1002fb8b
0x1002fb8f
0x1002fb92
0x1002fb92
0x00000000
0x1002fb6f
0x00000000
0x00000000
0x1002f880
0x1002f885
0x1002f88a
0x1002f88e
0x1002f893
0x1002f897
0x00000000
0x00000000
0x1002f8b8
0x1002f8bd
0x1002f8c2
0x1002f8c6
0x1002f8cb
0x1002f8cf
0x1002f89b
0x1002f89b
0x1002f89f
0x1002f8a1
0x1002f8a3
0x1002f8ab
0x00000000
0x00000000
0x1002f8d8
0x1002f8dc
0x1002f8e0
0x1002f8e3
0x1002f8e8
0x1002f8ea
0x1002f8ec
0x1002fc60
0x1002fc64
0x1002fc69
0x1002fc6d
0x1002fc72
0x1002fc76
0x1002fc7a
0x1002fc7d
0x1002f8f2
0x1002f8f2
0x1002f8f6
0x1002f8f8
0x1002f8fa
0x1002f902
0x1002f909
0x1002f90d
0x1002f911
0x1002f914
0x1002f91d
0x1002f91d
0x00000000
0x00000000
0x1002f928
0x1002f92a
0x1002f92e
0x1002f930
0x1002f932
0x1002f936
0x1002fb48
0x1002fb4a
0x1002fb4c
0x1002f985
0x1002f985
0x1002f98a
0x1002f98f
0x1002f993
0x1002fc08
0x1002fc08
0x1002fc10
0x1002fc14
0x1002fc18
0x1002fc1e
0x1002fc24
0x1002fc26
0x1002fc2b
0x1002fc30
0x1002fc34
0x1002fc38
0x1002fc3e
0x1002fc43
0x1002fc47
0x1002fc4b
0x1002fc4f
0x1002fc52
0x00000000
0x1002fc52
0x1002f999
0x1002f99d
0x00000000
0x00000000
0x1002f9a3
0x1002f9a5
0x00000000
0x1002f9a5
0x1002f93c
0x1002f940
0x1002f945
0x1002f949
0x1002f94d
0x1002f950
0x1002f955
0x1002f957
0x1002fcfa
0x1002fcfe
0x1002fd03
0x1002fd07
0x1002fd0b
0x1002fd0f
0x1002fd14
0x1002fd18
0x1002fd1b
0x1002fd20
0x00000000
0x1002fd20
0x1002f95d
0x1002f961
0x1002f965
0x1002f969
0x1002f96d
0x1002f971
0x1002f977
0x1002f97b
0x1002f97f
0x00000000
0x00000000
0x1002f9b0
0x1002f9b2
0x1002f9b8
0x1002f9bc
0x1002f9c0
0x1002f9c5
0x1002f9c9
0x1002f9cc
0x1002f9d0
0x1002f9d5
0x1002f9d7
0x1002f9d9
0x1002f9df
0x1002f9e3
0x1002f9e8
0x1002f9fc
0x1002f9fc
0x1002f9d9
0x00000000
0x00000000
0x1002fa10
0x1002fa12
0x1002faf0
0x1002faf0
0x1002faf6
0x00000000
0x1002faf6
0x1002fa18
0x1002fa1b
0x1002fa20
0x1002fa24
0x1002fa29
0x1002fa2b
0x00000000
0x00000000
0x1002fa34
0x1002fa39
0x1002fa3b
0x1002fa3d
0x1002fa3d
0x1002fa3f
0x1002fba0
0x1002fba4
0x1002fba9
0x1002fbae
0x1002fbb2
0x1002fbb7
0x1002fbbb
0x1002fbbf
0x1002fbc3
0x1002fbc6
0x1002fbcb
0x1002fbcb
0x1002fa45
0x1002fa47
0x00000000
0x00000000
0x1002fa50
0x1002fa52
0x00000000
0x00000000
0x1002fa58
0x1002fa5b
0x1002fa60
0x1002fa69
0x1002fa6b
0x1002fbd8
0x1002fbdb
0x1002fbe0
0x1002fbe4
0x1002fbe9
0x1002fbeb
0x1002fc91
0x1002fc95
0x1002fca1
0x1002fca6
0x1002fcaa
0x1002fcae
0x1002fcb0
0x1002fa7e
0x1002fa7e
0x1002fa83
0x1002fa87
0x1002fd29
0x1002fd29
0x1002fd2d
0x1002fd32
0x1002fd46
0x00000000
0x1002fd46
0x1002fa8d
0x1002fa92
0x00000000
0x00000000
0x1002fa98
0x00000000
0x1002fa98
0x1002fcb6
0x1002fcb9
0x1002fcbb
0x1002fcbf
0x1002fcc4
0x1002fcc8
0x1002fccc
0x1002fcd0
0x1002fcd5
0x1002fcd8
0x1002fcdc
0x1002fce3
0x1002fce7
0x00000000
0x00000000
0x1002fce9
0x1002fced
0x1002fcf1
0x00000000
0x1002fcf1
0x1002fbf1
0x1002fbf6
0x00000000
0x1002fbf6
0x1002fa71
0x1002fa76
0x00000000
0x00000000
0x1002faa3
0x1002faa8
0x1002faaa
0x00000000
0x00000000
0x1002fab0
0x1002fab4
0x1002fab7
0x1002fabc
0x1002fabe
0x1002fac0
0x00000000
0x00000000
0x1002fac6
0x1002faca
0x1002face
0x1002fad6
0x1002fade
0x1002fae1
0x00000000
0x00000000
0x1002f713
0x1002f6f4

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002F748

Strings

Invalid option type., xrefs: 1002FB00
The "%s" option is deprecated: %s, xrefs: 1002F723

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: Invalid option type.$The "%s" option is deprecated: %s
API String ID: 2835281190-3987454512
Opcode ID: 1251028a06dcf36df38469dc9952cab2b709b63e669b2a5d8aca6b524a8916df
Instruction ID: 2de908c8c1d71828913b9723d74f38bd313dfd0906bf375f7056dfa61f3f0e82
Opcode Fuzzy Hash: 1251028a06dcf36df38469dc9952cab2b709b63e669b2a5d8aca6b524a8916df
Instruction Fuzzy Hash: CE41F678A08745CBC750DF29D09062EB7E0FF88790FA5892DE99987311DB74EC40CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10019970 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 72stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 100199A3
mv_malloc.LICKING ref: 100199AE
mv_log.LICKING ref: 10019A78

Part of subcall function 10092340: strlen.MSVCRT ref: 10092352
Part of subcall function 10092340: _errno.MSVCRT ref: 10092370

_errno.MSVCRT ref: 10019A21
mv_log.LICKING ref: 10019A4E
mv_freep.LICKING ref: 10019A56

Strings

./%sXXXXXX, xrefs: 100199FC
/tmp/%sXXXXXX, xrefs: 100199C1
ff_tempfile: Cannot open temporary file %s, xrefs: 10019A45

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errnomv_logstrlen$mv_freepmv_malloc
String ID: ./%sXXXXXX$/tmp/%sXXXXXX$ff_tempfile: Cannot open temporary file %s
API String ID: 3823847272-2791948529
Opcode ID: 4f2497ded8adec0e9d5fea2e2573f871dbcc4ea91690c32ed3ee9b970b504f84
Instruction ID: e907c6c80474d85e76648f2ad2e6aff2cb60787b767fd6f6b4bcfa06b808b4c8
Opcode Fuzzy Hash: 4f2497ded8adec0e9d5fea2e2573f871dbcc4ea91690c32ed3ee9b970b504f84
Instruction Fuzzy Hash: 9A3189B89097419FC340DF29C18151AFBE0FF88650F91896EF9D99B320E735E9808F82

Uniqueness

Uniqueness Score: -1.00%

Function 10009130 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 272
stringCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E10009130() {
				int _t86;
				void* _t91;
				void* _t93;
				signed char _t99;
				void* _t111;
				signed char _t113;
				void* _t114;
				void* _t118;
				signed char _t119;
				void* _t121;
				int _t122;
				void* _t123;
				unsigned int _t124;
				unsigned int _t125;
				signed int _t126;
				void* _t130;
				void* _t131;
				int _t132;
				void* _t136;
				signed char _t139;
				signed char _t141;
				void* _t142;
				void* _t143;
				signed int _t144;
				int _t145;
				void* _t147;
				signed int _t148;
				signed int _t151;
				int _t153;
				signed int _t154;
				void _t158;
				void* _t159;
				char* _t161;
				void** _t162;
				void* _t165;
				void* _t166;
				void** _t167;
				void*** _t168;

				_t86 = _t168[0x111];
				_t167 = _t168[0x110];
				if( *_t86 == 0) {
					L40:
					return _t86;
				} else {
					_t118 = _t167[2];
					while(1) {
						_t145 = _t167[1];
						_t88 =  <=  ? _t145 : _t118;
						_t121 = _t118 - ( <=  ? _t145 : _t118);
						if(_t121 != 0) {
							goto L15;
						}
						 *_t168 = _t168[0x111];
						_t9 = strlen(??) + 1; // 0x1
						_t159 = _t9;
						L11:
						_t124 = _t167[3];
						if(_t124 == _t118 || _t145 >= _t118) {
							L22:
							_t95 =  <=  ? _t118 : _t145;
							_t119 = _t118 - ( <=  ? _t118 : _t145);
							if(_t119 > 0x3ff) {
								L26:
								_t139 = _t119;
								_t147 =  *_t167 + _t145;
								if(_t119 >= 8) {
									if((_t147 & 0x00000001) != 0) {
										 *_t147 = 0x21;
										_t139 = _t119 - 1;
										_t147 = _t147 + 1;
									}
									if((_t147 & 0x00000002) != 0) {
										 *_t147 = 0x2121;
										_t139 = _t139 - 2;
										_t147 = _t147 + 2;
									}
									if((_t147 & 0x00000004) != 0) {
										 *_t147 = 0x21212121;
										_t139 = _t139 - 4;
										_t147 = _t147 + 4;
									}
									_t125 = _t139;
									_t139 = _t139 & 0x00000003;
									_t126 = _t125 >> 2;
									memset(_t147, 0x21212121, _t126 << 2);
									_t168 =  &(_t168[3]);
									_t147 = _t147 + _t126;
									if((_t139 & 0x00000004) == 0) {
										goto L29;
									} else {
										goto L28;
									}
									goto L40;
								} else {
									if((_t139 & 0x00000004) != 0) {
										L28:
										 *_t147 = 0x21212121;
										_t147 = _t147 + 4;
									}
								}
								L29:
								if((_t139 & 0x00000002) != 0) {
									 *_t147 = 0x2121;
									_t147 = _t147 + 2;
								}
								if((_t139 & 0x00000001) != 0) {
									 *_t147 = 0x21;
								}
								_t161 = "[truncated strftime output]";
								_t99 =  <=  ? _t119 : 0x1b;
								_t141 =  *_t167 + _t167[1];
								if(0x1b >= 4) {
									if((_t141 & 0x00000001) != 0) {
										_t141 = _t141 + 1;
										_t161 = "truncated strftime output]";
										_t99 = _t99 - 1;
										 *((char*)(_t141 - 1)) = "[truncated strftime output]" & 0x000000ff;
									}
									if((_t141 & 0x00000002) != 0) {
										_t148 =  *_t161 & 0x0000ffff;
										_t141 = _t141 + 2;
										_t161 =  &(_t161[2]);
										_t99 = _t99 - 2;
										 *(_t141 - 2) = _t148;
									}
									if(_t99 >= 4) {
										_t168[7] = _t99;
										_t131 = 0;
										_t151 = _t99 & 0xfffffffc;
										do {
											 *(_t141 + _t131) = _t161[_t131];
											_t131 = _t131 + 4;
										} while (_t131 < _t151);
										_t99 = _t168[7];
										_t141 = _t141 + _t131;
										_t161 =  &(_t161[_t131]);
									}
								}
								_t130 = 0;
								if((_t99 & 0x00000002) != 0) {
									_t130 = 2;
									 *_t141 =  *_t161 & 0x0000ffff;
								}
								if((_t99 & 0x00000001) != 0) {
									 *((char*)(_t141 + _t130)) = _t161[_t130] & 0x000000ff;
								}
								_t142 = _t167[1];
								_t102 =  >  ? _t119 : 0xfffffffa - _t142;
								_t86 = ( >  ? _t119 : 0xfffffffa - _t142) + _t142;
								_t136 = _t167[2];
								_t167[1] = 0xfffffffa;
								if(_t136 != 0) {
									L39:
									_t138 =  >  ? _t86 : _t136 - 1;
									_t93 =  *_t167;
									 *((char*)(_t93 + ( >  ? _t86 : _t136 - 1))) = 0;
									return _t93;
								}
								goto L40;
							} else {
								_t162 =  &(_t168[8]);
								 *_t168 = _t162;
								_t168[3] = _t168[0x112];
								_t168[2] = _t168[0x111];
								_t86 = 0x400;
								_t168[1] = 0x400;
								L100A07D0();
								if(0x400 != 0) {
									_t168[2] = _t162;
									_t168[1] = 0x100af500;
									 *_t168 = _t167;
									return E100089C0();
								} else {
									if(_t119 != 0) {
										_t145 = _t167[1];
										goto L26;
									}
									goto L40;
								}
							}
						} else {
							_t110 =  >  ? _t159 : 0xfffffffe - _t145;
							_t111 = _t145 + ( >  ? _t159 : 0xfffffffe - _t145) + 1;
							if(_t124 >> 1 >= _t118) {
								_t118 = _t118 + _t118;
							} else {
								_t118 = _t124;
							}
							if(_t118 < _t111) {
								_t115 =  <=  ? _t124 : _t111;
								_t118 =  <=  ? _t124 : _t111;
							}
							_t165 =  *_t167;
							_t168[1] = _t118;
							if(_t165 ==  &(_t167[4])) {
								 *_t168 = 0;
								_t113 = E10028DA0();
								if(_t113 == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								 *_t168 = _t165;
								_t113 = E10028DA0();
								if(_t113 == 0) {
									L21:
									_t118 = _t167[2];
									_t145 = _t167[1];
									goto L22;
								} else {
									if(_t165 == 0) {
										L19:
										_t153 = _t167[1];
										_t143 = _t113;
										_t166 =  *_t167;
										_t132 = _t153 + 1;
										_t168[7] = _t166;
										if(_t132 >= 8) {
											if((_t113 & 0x00000001) != 0) {
												_t144 =  *_t166 & 0x000000ff;
												_t132 = _t153;
												_t166 = _t166 + 1;
												 *_t113 = _t144;
												_t82 = _t113 + 1; // 0x1
												_t143 = _t82;
											}
											if((_t143 & 0x00000002) != 0) {
												_t154 =  *_t166 & 0x0000ffff;
												_t143 = _t143 + 2;
												_t166 = _t166 + 2;
												_t132 = _t132 - 2;
												 *(_t143 - 2) = _t154;
											}
											if((_t143 & 0x00000004) != 0) {
												_t158 =  *_t166;
												_t143 = _t143 + 4;
												_t166 = _t166 + 4;
												_t132 = _t132 - 4;
												 *(_t143 - 4) = _t158;
											}
										}
										_t114 = memcpy(_t143, _t166, _t132);
										_t168 =  &(_t168[3]);
									}
									 *_t167 = _t114;
									_t167[2] = _t118;
									continue;
								}
							}
						}
						goto L66;
						L15:
						_t168[1] = _t121;
						_t168[7] = _t121;
						_t168[3] = _t168[0x112];
						_t168[2] = _t168[0x111];
						_t91 =  *_t167;
						 *_t168 = _t91 + _t145;
						L100A07D0();
						if(_t91 != 0) {
							_t122 = _t167[1];
							_t92 =  <=  ? 0xfffffffa - _t122 : _t91;
							_t136 = _t167[2];
							_t86 = ( <=  ? 0xfffffffa - _t122 : _t91) + _t122;
							_t167[1] = _t86;
							if(_t136 != 0) {
								goto L39;
							}
							goto L40;
						} else {
							_t123 = _t168[7];
							_t159 = 0x7fffffff;
							_t145 = _t167[1];
							_t118 = _t167[2];
							if(_t123 <= 0x3fffffff) {
								_t159 = _t123 + _t123;
							}
							goto L11;
						}
						goto L66;
					}
				}
				L66:
			}

0x1000913a
0x10009141
0x1000914b
0x10009377
0x10009377
0x10009151
0x10009151
0x1000919d
0x1000919d
0x100091a6
0x100091a9
0x100091ab
0x00000000
0x00000000
0x100091b4
0x100091bc
0x100091bc
0x100091bf
0x100091bf
0x100091c4
0x10009287
0x1000928b
0x1000928e
0x10009296
0x100092d6
0x100092d9
0x100092db
0x100092e0
0x100093f6
0x100094c6
0x100094c9
0x100094cc
0x100094cc
0x10009402
0x100094b6
0x100094bb
0x100094be
0x100094be
0x1000940e
0x100094a5
0x100094ab
0x100094ae
0x100094ae
0x10009414
0x10009416
0x10009419
0x10009421
0x10009421
0x10009421
0x10009426
0x00000000
0x1000942c
0x00000000
0x1000942c
0x00000000
0x100092e6
0x100092e9
0x100092eb
0x100092eb
0x100092f1
0x100092f1
0x100092e9
0x100092f4
0x100092f7
0x100092f9
0x100092fe
0x100092fe
0x10009304
0x10009306
0x10009306
0x10009311
0x1000931b
0x1000931e
0x10009323
0x100093b3
0x100094ee
0x100094ef
0x100094f4
0x100094f5
0x100094f5
0x100093bc
0x100094d2
0x100094d5
0x100094d8
0x100094db
0x100094de
0x100094de
0x100093c5
0x100093cb
0x100093d1
0x100093d3
0x100093d6
0x100093d9
0x100093dc
0x100093df
0x100093e3
0x100093e7
0x100093e9
0x100093e9
0x100093c5
0x10009329
0x1000932d
0x10009332
0x10009337
0x10009337
0x1000933c
0x10009342
0x10009342
0x10009345
0x10009351
0x10009354
0x10009356
0x10009359
0x1000935e
0x10009360
0x10009363
0x10009366
0x10009369
0x00000000
0x10009369
0x00000000
0x10009298
0x1000929f
0x100092a3
0x100092a6
0x100092b1
0x100092b5
0x100092ba
0x100092be
0x100092c5
0x10009460
0x10009469
0x1000946d
0x1000947f
0x100092cb
0x100092cd
0x100092d3
0x00000000
0x100092d3
0x00000000
0x100092cd
0x100092c5
0x100091d2
0x100091db
0x100091e2
0x100091e8
0x10009160
0x100091ee
0x100091ee
0x100091ee
0x10009164
0x10009168
0x1000916b
0x1000916b
0x1000916d
0x10009173
0x10009179
0x10009250
0x10009257
0x1000925e
0x00000000
0x00000000
0x00000000
0x00000000
0x1000917f
0x1000917f
0x10009182
0x10009189
0x10009281
0x10009281
0x10009284
0x00000000
0x1000918f
0x10009191
0x10009260
0x10009260
0x10009263
0x10009265
0x10009268
0x1000926b
0x10009272
0x10009382
0x10009495
0x10009498
0x1000949a
0x1000949b
0x1000949d
0x1000949d
0x1000949d
0x1000938b
0x10009480
0x10009483
0x10009486
0x10009489
0x1000948c
0x1000948c
0x10009394
0x1000939a
0x1000939c
0x1000939f
0x100093a2
0x100093a5
0x100093a5
0x10009394
0x1000927a
0x1000927a
0x1000927a
0x10009197
0x1000919a
0x00000000
0x1000919a
0x10009189
0x10009179
0x00000000
0x100091f8
0x100091f8
0x10009203
0x10009207
0x10009212
0x10009216
0x1000921b
0x1000921e
0x10009225
0x10009438
0x10009444
0x10009447
0x1000944a
0x1000944c
0x10009451
0x00000000
0x10009457
0x00000000
0x1000922b
0x1000922b
0x1000922f
0x10009234
0x10009237
0x10009240
0x10009246
0x10009246
0x00000000
0x10009240
0x00000000
0x10009225
0x1000919d
0x00000000

APIs

mv_realloc.LICKING ref: 10009182
strlen.MSVCRT ref: 100091B7
strftime.MSVCRT ref: 1000921E

Strings

[truncated strftime output], xrefs: 10009311
!!!!, xrefs: 1000941C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_reallocstrftimestrlen
String ID: !!!!$[truncated strftime output]
API String ID: 709960874-1743851734
Opcode ID: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
Instruction ID: 6237faa146818e252d6bc5810784fdb2c70fb651bac13d65fe422c41695cf2e5
Opcode Fuzzy Hash: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
Instruction Fuzzy Hash: 40A19071A042429FE715CF28C98539E77E2EF843D0F268528ED898B399E735DE45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10092740 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 1009277B
isupper.MSVCRT ref: 100927CA
islower.MSVCRT ref: 100927DA
isupper.MSVCRT ref: 100928B9
_errno.MSVCRT ref: 10092900

Strings

$, xrefs: 10092764

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: isupper$_errnoislowerisspace
String ID: $
API String ID: 4095548146-3993045852
Opcode ID: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
Instruction ID: e6fe0532defbc5c939969159b76f19bdcb6dcf227e53754754f51ab417db1434
Opcode Fuzzy Hash: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
Instruction Fuzzy Hash: 91619074A0C3858BC704CF68C48021EFBE6EFC9354F154A2DF8D99B391D674D945AB42

Uniqueness

Uniqueness Score: -1.00%

Function 1002F256 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 128stringCOMMON

Download Yara Rule

APIs

mv_expr_parse_and_eval.LICKING ref: 1002F115
strcmp.MSVCRT ref: 1002F1EE
mv_log.LICKING ref: 1002F4BD

Strings

all, xrefs: 1002F08F
none, xrefs: 1002F06A
max, xrefs: 1002F025
9, xrefs: 1002F260
default, xrefs: 1002EFF2
min, xrefs: 1002F03F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_parse_and_evalmv_logstrcmp
String ID: 9$all$default$max$min$none
API String ID: 638344568-340763830
Opcode ID: 3a43cda7731b7cc6d1eec2ee77c04c39d1a710ebf161850413e893610c0bccc0
Instruction ID: 7e14d16d44837c53f6e0618a54e32c20455491f957ac13e1facf48bed44ae4fc
Opcode Fuzzy Hash: 3a43cda7731b7cc6d1eec2ee77c04c39d1a710ebf161850413e893610c0bccc0
Instruction Fuzzy Hash: 1F5128759097468BC395DF28E04029BFBE5FFC9354F518A2EE9C9C7200EB70E8448B42

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.LICKING ref: 1000C308
mv_bprintf.LICKING ref: 1000C330

Strings

USR%d, xrefs: 1000C37C
AMBI%d, xrefs: 1000C394
NONE, xrefs: 1000C327

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: AMBI%d$NONE$USR%d
API String ID: 2490314137-3656852315
Opcode ID: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
Instruction ID: 0a946672120a056d3661d42bdbf04e5838db89b9617306f254fc419f9ddf239a
Opcode Fuzzy Hash: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
Instruction Fuzzy Hash: 41117FB4919745CBE314EF28C480A5EB7E0FF84380F51C92EF68897254C334AA419B93

Uniqueness

Uniqueness Score: -1.00%

Function 1000C470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.LICKING ref: 1000C4A8
mv_bprintf.LICKING ref: 1000C4D0

Strings

none, xrefs: 1000C4C7
user %d, xrefs: 1000C51C
ambisonic ACN %d, xrefs: 1000C534

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: ambisonic ACN %d$none$user %d
API String ID: 2490314137-4180635230
Opcode ID: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
Instruction ID: b6a1bd800e9813b9dae9be9b31ba14f11150b02b1f0a339f321a001e9bfab4f6
Opcode Fuzzy Hash: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
Instruction Fuzzy Hash: B71172B4909B558BE320DF24C48096EB7E0FF847C4F51881EF5D887289D334A981DB93

Uniqueness

Uniqueness Score: -1.00%

Function 1003C85B Relevance: 13.8, APIs: 11, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1003C885
strcmp.MSVCRT ref: 1003C89D
strcmp.MSVCRT ref: 1003C8B5
strcmp.MSVCRT ref: 1003C8CD
strcmp.MSVCRT ref: 1003C8E5
strcmp.MSVCRT ref: 1003C8FD
strcmp.MSVCRT ref: 1003C915
strcmp.MSVCRT ref: 1003C92D
strcmp.MSVCRT ref: 1003C945
strcmp.MSVCRT ref: 1003C95D
strcmp.MSVCRT ref: 1003C971

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 41fd4b49ce542991124675c48b72e31e59d2b4ac3fa1d8aa02b8dedcf140937c
Instruction ID: 6c32067e4f5e52842e9bfc71f8687002ce297f9c9ea8165e0ce826888fe17b14
Opcode Fuzzy Hash: 41fd4b49ce542991124675c48b72e31e59d2b4ac3fa1d8aa02b8dedcf140937c
Instruction Fuzzy Hash: 15314FB491D349CED701EF6A854572DBAE0EF46381F82842EB8C9CB241D779D880DB53

Uniqueness

Uniqueness Score: -1.00%

Function 1001B8D0 Relevance: 13.8, APIs: 9, Instructions: 250COMMON

Download Yara Rule

APIs

mv_channel_layout_check.LICKING ref: 1001B920
mv_sample_fmt_is_planar.LICKING ref: 1001B942
mv_channel_layout_check.LICKING ref: 1001B9B7
mv_hwframe_transfer_data.LICKING ref: 1001BAE3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_check$mv_hwframe_transfer_datamv_sample_fmt_is_planar
String ID:
API String ID: 1553998843-0
Opcode ID: f8e0577820c34def32d1422a324ff24156c3b988a6c372e5998705135d458380
Instruction ID: f6c570e5edcbfd583988d1bef83990bd6572ade0c752e77674d16c7ce7beac5b
Opcode Fuzzy Hash: f8e0577820c34def32d1422a324ff24156c3b988a6c372e5998705135d458380
Instruction Fuzzy Hash: 39A12174604B458BD758DF26C0C162BBBE2FFC4694F158A2DD9998F719E730E882CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1004F537 Relevance: 13.7, APIs: 9, Instructions: 185COMMON

Download Yara Rule

APIs

mv_tree_find.LICKING ref: 1004F58F
mv_tree_find.LICKING ref: 1004F5AE
mv_tree_find.LICKING ref: 1004F618
mv_tree_find.LICKING ref: 1004F633
mv_tree_find.LICKING ref: 1004F6D8
mv_tree_find.LICKING ref: 1004F6F3
mv_tree_find.LICKING ref: 1004F751

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find
String ID:
API String ID: 59044961-0
Opcode ID: c36327b2d25d5fe4884ec1989afda76d5058c06c978ad9fa8712f8f68075efe0
Instruction ID: cee68e4ba8061357f4dc433ceecc1098684687f5ba0f279731d159065c8eb459
Opcode Fuzzy Hash: c36327b2d25d5fe4884ec1989afda76d5058c06c978ad9fa8712f8f68075efe0
Instruction Fuzzy Hash: 1E81CDB490974A9FC300DF2AC08441AFBE5FF88A54F61892EF898D7311E774E9418F86

Uniqueness

Uniqueness Score: -1.00%

Function 10006BF0 Relevance: 13.6, APIs: 9, Instructions: 111
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E10006BF0(signed char* _a4, signed char* _a8, signed char* _a12) {
				intOrPtr _v1044;
				intOrPtr _v1048;
				char _v1052;
				char _v1056;
				int _v1072;
				int _v1076;
				signed char _v1077;
				int _v1092;
				signed char* _v1096;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t38;
				int _t39;
				int _t42;
				signed int _t63;
				signed char _t66;
				signed char _t70;
				signed char* _t72;
				signed char* _t73;
				signed char* _t74;
				void* _t75;
				signed char** _t76;

				_t64 = 1;
				_t76 = _t75 - 0x43c;
				_v1056 = 0;
				_t73 = _a8;
				_t74 = _a4;
				 *_t76 = _a12;
				_t38 = strlen(??);
				 *_t76 = _t73;
				_v1076 = _t38;
				_t39 = strlen(??);
				_v1092 = 0xffffffff;
				_v1096 = 1;
				_v1072 = _t39;
				 *_t76 =  &_v1052;
				E10008880(1, _t72, _t73, _t74);
				while(1) {
					L1:
					_t66 =  *_t73 & 0x000000ff;
					if(_t66 == 0) {
						goto L13;
					}
					_v1077 = _t66;
					_t72 = _t74;
					do {
						_t63 = _v1077 & 0x000000ff;
						_t64 = 0;
						L5:
						L5:
						if(_t63 - 0x61 <= 0x19) {
							_t63 = _t63 ^ 0x00000020;
						}
						_t70 = _t72[_t64];
						_t66 = _t70;
						if(_t70 - 0x61 <= 0x19) {
							_t66 = _t66 ^ 0x00000020;
						}
						if(_t63 == _t66) {
							goto L4;
						}
						goto L10;
						L4:
						_t64 = _t64 + 1;
						_t63 = _t73[_t64] & 0x000000ff;
						if(_t63 == 0) {
							L15:
							_v1096 = _t74;
							_v1092 = _t72 - _t74;
							 *_t76 =  &_v1052;
							E10008F30();
							_t74 =  &(_t72[_v1072]);
							_v1092 = _v1076;
							_v1096 = _a12;
							 *_t76 =  &_v1052;
							E10008F30();
							goto L1;
						}
						goto L5;
						L10:
						_t72 =  &(_t72[1]);
					} while ( *((char*)(_t72 - 1)) != 0);
					L11:
					 *_t76 = _t74;
					_t42 = strlen(??);
					_v1096 = _t74;
					_v1092 = _t42;
					 *_t76 =  &_v1052;
					E10008F30();
					if(_v1048 < _v1044) {
						_v1096 =  &_v1056;
						 *_t76 =  &_v1052;
						E10009690(_t64, _t66, _t72, _t73);
						return _v1056;
					} else {
						_v1096 = 0;
						 *_t76 =  &_v1052;
						E10009690(_t64, _t66, _t72, _t73);
						return _v1056;
					}
					L13:
					if(_t74 == 0) {
						goto L11;
					}
					_t72 = _t74;
					goto L15;
				}
			}

0x10006bf6
0x10006bfb
0x10006c01
0x10006c0c
0x10006c13
0x10006c1a
0x10006c1d
0x10006c22
0x10006c25
0x10006c29
0x10006c33
0x10006c37
0x10006c3b
0x10006c43
0x10006c46
0x10006c50
0x10006c50
0x10006c50
0x10006c55
0x00000000
0x00000000
0x10006c5b
0x10006c5f
0x10006c70
0x10006c70
0x10006c75
0x00000000
0x10006c89
0x10006c92
0x10006c94
0x10006c94
0x10006c96
0x10006c9a
0x10006ca2
0x10006ca4
0x10006ca4
0x10006ca9
0x00000000
0x00000000
0x00000000
0x10006c80
0x10006c80
0x10006c81
0x10006c87
0x10006d00
0x10006d00
0x10006d08
0x10006d10
0x10006d13
0x10006d1c
0x10006d23
0x10006d2e
0x10006d36
0x10006d39
0x00000000
0x10006d39
0x00000000
0x10006cab
0x10006cab
0x10006cac
0x10006cb2
0x10006cb2
0x10006cb5
0x10006cba
0x10006cbe
0x10006cc6
0x10006cc9
0x10006cd6
0x10006d47
0x10006d4f
0x10006d52
0x10006d65
0x10006cd8
0x10006cda
0x10006ce2
0x10006ce5
0x10006cf8
0x10006cf8
0x10006cf9
0x10006cfb
0x00000000
0x00000000
0x10006cfd
0x00000000
0x10006cfd

APIs

strlen.MSVCRT ref: 10006C1D
strlen.MSVCRT ref: 10006C29
mv_bprint_init.LICKING ref: 10006C46
strlen.MSVCRT ref: 10006CB5
mv_bprint_append_data.LICKING ref: 10006CC9
mv_bprint_finalize.LICKING ref: 10006CE5
mv_bprint_append_data.LICKING ref: 10006D13
mv_bprint_append_data.LICKING ref: 10006D39

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datastrlen$mv_bprint_finalizemv_bprint_init
String ID:
API String ID: 2033710158-0
Opcode ID: c75fb5924f894ba4483cb1fed9dd5a9c3a05b6220e4dd600efed29985aea0871
Instruction ID: 42836de37e77625fd418e7d33d9f749e16b1385b304d1157b5356f99b9815009
Opcode Fuzzy Hash: c75fb5924f894ba4483cb1fed9dd5a9c3a05b6220e4dd600efed29985aea0871
Instruction Fuzzy Hash: B44138B49087459FE750DF38C4806AFBBE5FF89384F50892EF5D897205DA30AA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D9D0 Relevance: 13.6, APIs: 9, Instructions: 92COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1001DA1D
mv_mallocz.LICKING ref: 1001DA33
mv_mallocz.LICKING ref: 1001DA5B
mv_buffer_create.LICKING ref: 1001DA96

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_create
String ID:
API String ID: 1175948233-0
Opcode ID: d851619b5f7eea9e4c7f38e4d848967f0bc9eccba3b8863a2e28b6ce47f8998c
Instruction ID: ba5700cc6a9490facce9c283f6800acb8d5c6ef816bcc329a859ca72a5dcc87e
Opcode Fuzzy Hash: d851619b5f7eea9e4c7f38e4d848967f0bc9eccba3b8863a2e28b6ce47f8998c
Instruction Fuzzy Hash: 7F4195746087458FD740EF29C48061AFBF4FF89384F85892EE9989B302E735E991CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10025D69 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

mv_vbprintf.LICKING ref: 10025DAD
strcmp.MSVCRT ref: 10025E60
strcpy.MSVCRT ref: 10025EB9
mv_bprint_finalize.LICKING ref: 10025FE8
ReleaseSRWLockExclusive.KERNEL32 ref: 10025FF4
mv_bprintf.LICKING ref: 100261A1

Part of subcall function 100257A5: SetConsoleTextAttribute.KERNEL32 ref: 1002581C
Part of subcall function 100257A5: SetConsoleTextAttribute.KERNEL32 ref: 1002583B

Strings

Last message repeated %d times, xrefs: 10025E97
%s%s%s%s, xrefs: 10025E08

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AttributeConsoleText$ExclusiveLockReleasemv_bprint_finalizemv_bprintfmv_vbprintfstrcmpstrcpy
String ID: Last message repeated %d times$%s%s%s%s
API String ID: 1903168057-2673086376
Opcode ID: 850e234dfb56a67441d8dc103a33b0ca084a90cf43fb09e2ee5e927d827b28b5
Instruction ID: 210a88e77fd48bbbbe5a3654acb8263e380b714993617aa496345555cad9206e
Opcode Fuzzy Hash: 850e234dfb56a67441d8dc103a33b0ca084a90cf43fb09e2ee5e927d827b28b5
Instruction Fuzzy Hash: 6D61C1749093D18BD724CF24D8803ABBBE2FF85344F85485EE8CA57342D776A945DB82

Uniqueness

Uniqueness Score: -1.00%

Function 1004EA44 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1004EB26
mv_log.LICKING ref: 1004EB9D
mv_log.LICKING ref: 1004EC67

Strings

Valid timecode frame rate must be specified. Minimum value is 1, xrefs: 1004EC52
Drop frame is only allowed with multiples of 30000/1001 FPS, xrefs: 1004EB84
gfff, xrefs: 1004EBC4
Using non-standard frame rate %d/%d, xrefs: 1004EB09

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: Drop frame is only allowed with multiples of 30000/1001 FPS$Using non-standard frame rate %d/%d$Valid timecode frame rate must be specified. Minimum value is 1$gfff
API String ID: 2418673259-764128974
Opcode ID: 6b1ca5c9f6ae6313a4d7ed9fe91980601464adae586f5b7724e2e4c497fa9e32
Instruction ID: 7f885e900c473fa8071ddf335e805219a8c512687d4484bfdde467aa28cb4176
Opcode Fuzzy Hash: 6b1ca5c9f6ae6313a4d7ed9fe91980601464adae586f5b7724e2e4c497fa9e32
Instruction Fuzzy Hash: 77518D319083948BD728CE19C58121FB7E5EB85350F658A3EEC96CB395D375EC418BC6

Uniqueness

Uniqueness Score: -1.00%

Function 1002EA50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strspn.MSVCRT ref: 1002EA6D
strspn.MSVCRT ref: 1002EAB7
strchr.MSVCRT ref: 1002EAD5
mv_malloc.LICKING(?,?,?,?,?,?,?,?,?,?,100B1ACF,100B1B86,00000000,?,1000DF13), ref: 1002EAED
mv_get_token.LICKING ref: 1002EB1F

Strings

, xrefs: 1002EA51, 1002EAAE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strspn$mv_get_tokenmv_mallocstrchr
String ID:
API String ID: 3092951656-596783616
Opcode ID: 1efd8e0203b858cb551177276c3cdd41e9dbd20d7b0ea5897e6cd4ad688bf225
Instruction ID: 7d3cccaf8280e9c67c13f7f37f4b658f555d9abbec639c74300896e523aabc58
Opcode Fuzzy Hash: 1efd8e0203b858cb551177276c3cdd41e9dbd20d7b0ea5897e6cd4ad688bf225
Instruction Fuzzy Hash: 8541BB759083858FCB11CF78958026BBBE5EF85344F81492EED9A87341E734ED06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1002AB90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002ABB9
strtol.MSVCRT ref: 1002AC63
mv_log.LICKING ref: 1002AC9E

Strings

none, xrefs: 1002ABAE
Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 1002ACD3
Unable to parse option value "%s" as %s, xrefs: 1002AC85

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmpstrtol
String ID: Unable to parse option value "%s" as %s$Value %d for parameter '%s' out of %s format range [%d - %d]$none
API String ID: 3237617949-2908652078
Opcode ID: 95ed1959dd970f54f5878909eb218b899bad9a76136a2a92315942e650fb7206
Instruction ID: dcd0279c104fd7925d55933f3ad58df0cde287d0c05e73025427fa88d91047e0
Opcode Fuzzy Hash: 95ed1959dd970f54f5878909eb218b899bad9a76136a2a92315942e650fb7206
Instruction Fuzzy Hash: EF31F7B0A087458FC305DF78958050AFBE1FF8A760F508A2EF5A9D7351EB74D8848B82

Uniqueness

Uniqueness Score: -1.00%

Function 10030180 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

mv_dict_get.LICKING ref: 100301CB
mv_opt_set.LICKING ref: 100301EF
mv_log.LICKING ref: 1003022E
mv_dict_free.LICKING ref: 1003023A
mv_dict_set.LICKING ref: 1003026F
mv_dict_free.LICKING ref: 10030283

Strings

Error setting option %s to value %s., xrefs: 10030217

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_free$mv_dict_getmv_dict_setmv_logmv_opt_set
String ID: Error setting option %s to value %s.
API String ID: 3258142065-3279051434
Opcode ID: 1a9d09993977aecac0336f7559c27a5d9f97f57d75cbac26b23ac616c45300c0
Instruction ID: dd90fc101553d41281afc15f61c3f85b5a8b12bd015060489efb1d4e53b39e8a
Opcode Fuzzy Hash: 1a9d09993977aecac0336f7559c27a5d9f97f57d75cbac26b23ac616c45300c0
Instruction Fuzzy Hash: 623192B9A097049FC740DF69D48065BBBE4FF88394F41882EF99CCB310E674E9409B82

Uniqueness

Uniqueness Score: -1.00%

Function 100506E6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1005064B
mv_bprintf.LICKING ref: 1005067A
mv_bprintf.LICKING ref: 100506B9
mv_bprintf.LICKING ref: 100506D9
mv_bprintf.LICKING ref: 10050745
mv_bprintf.LICKING ref: 10050772
mv_bprintf.LICKING ref: 100507A4
mv_bprintf.LICKING ref: 1005084D

Strings

%sinv_only, xrefs: 10050739
%spreshuf, xrefs: 10050763
%sasm_call, xrefs: 10050798

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %sasm_call$%sinv_only$%spreshuf
API String ID: 3083893021-3962727239
Opcode ID: 53563d6655126be7770e9271d84d081a887c666c1c0932d40d941c5281ba8002
Instruction ID: d7d2ba153962d99e6c9d8562a46da131943f6ac9cf38fecc930b9d03fe39ae7d
Opcode Fuzzy Hash: 53563d6655126be7770e9271d84d081a887c666c1c0932d40d941c5281ba8002
Instruction Fuzzy Hash: CC1127B1A09B448BE300EF18C58176EBBE0FB80754F558C6DF5C897250D638E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10020E29 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10020C18
GetModuleFileNameW.KERNEL32 ref: 10020E3F
mv_realloc_array.LICKING ref: 10020E84
wcsrchr.MSVCRT ref: 10020FFC
mv_realloc_array.LICKING ref: 10021034
wcscpy.MSVCRT ref: 1002104E

Strings

Failed to load DXVA2 library, xrefs: 10020BFC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_realloc_array$FileModuleNamemv_logwcscpywcsrchr
String ID: Failed to load DXVA2 library
API String ID: 3336537647-3958603366
Opcode ID: 6232e1b5e35bd46b5432fb069330a20666dd03cee3513b52b09f4f256d7c03d9
Instruction ID: 51577ab4d4543c89bcf45958d25ddcc1a73c0c49edaf80f3f1784978f1cc2000
Opcode Fuzzy Hash: 6232e1b5e35bd46b5432fb069330a20666dd03cee3513b52b09f4f256d7c03d9
Instruction Fuzzy Hash: ED11E8B5A097058FD350EF68E58071EBAE5FF88244F91883EF8CCC7251E67998859B42

Uniqueness

Uniqueness Score: -1.00%

Function 10050814 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1005064B
mv_bprintf.LICKING ref: 1005067A
mv_bprintf.LICKING ref: 100506B9
mv_bprintf.LICKING ref: 100506D9
mv_bprintf.LICKING ref: 1005084D

Strings

%simdct_full, xrefs: 100506AD
%sinplace, xrefs: 1005063F
%sfwd_only, xrefs: 1005066E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %sfwd_only$%simdct_full$%sinplace
API String ID: 3083893021-1795882851
Opcode ID: 5fcc0f0df352d316167408a90db45309047e85528654b8a77dae4f266a814aca
Instruction ID: 6f8e565984e69295a131a426ce092ed69d71ff8c30dc7ead12f7cc9deccac873
Opcode Fuzzy Hash: 5fcc0f0df352d316167408a90db45309047e85528654b8a77dae4f266a814aca
Instruction Fuzzy Hash: E81117B5A09B808FE300EF18D58136EBAE0FB84754F558C6DF8C8C7251C638D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10020D56 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10020B82
wcslen.MSVCRT ref: 10020D6C
GetModuleFileNameW.KERNEL32 ref: 10020D8F
mv_realloc_array.LICKING ref: 10020DD4

Strings

Failed to load D3D9 library, xrefs: 10020B66

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleNamemv_logmv_realloc_arraywcslen
String ID: Failed to load D3D9 library
API String ID: 1109209711-1791602735
Opcode ID: cefe114e5fa9ee3732a92ee88a9083760b229326b03410c2d41583192a2c5dd6
Instruction ID: ede25121fb53f583ffa3cd6bddd5d5abcd4f06a7718a8138fff089a389c97c26
Opcode Fuzzy Hash: cefe114e5fa9ee3732a92ee88a9083760b229326b03410c2d41583192a2c5dd6
Instruction Fuzzy Hash: 5611B0B59097548FD750DF68E48074EFAE0EF88354F91882EF9CC97201E779A941DB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA06 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002FA24
mv_get_channel_layout.LICKING ref: 1002FA34

Part of subcall function 1000C640: strlen.MSVCRT ref: 1000C650
Part of subcall function 1000C640: memcmp.MSVCRT ref: 1000C6F4

mv_log.LICKING ref: 1002FB19
mv_log.LICKING ref: 1002FBC6

Strings

Unable to parse option value "%s" as channel layout, xrefs: 1002FBA4
none, xrefs: 1002FA1B
Invalid option type., xrefs: 1002FB00

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$memcmpmv_get_channel_layoutstrcmpstrlen
String ID: Invalid option type.$Unable to parse option value "%s" as channel layout$none
API String ID: 2161276584-2042745188
Opcode ID: 40371e654bb8d570b224e455885585742a4164e792dbdbfc0650f75d814558f2
Instruction ID: b619ce99a3738563cdf42e9869c2844169589b912fd25cc50639b8a47658f2b6
Opcode Fuzzy Hash: 40371e654bb8d570b224e455885585742a4164e792dbdbfc0650f75d814558f2
Instruction Fuzzy Hash: 9711B7B4908B46DFC750DF28D45072ABBE0FF84750F91892DA9998B380E774E840CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10020E0B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10020C18
wcslen.MSVCRT ref: 10020E1E
GetModuleFileNameW.KERNEL32 ref: 10020E3F
mv_realloc_array.LICKING ref: 10020E84

Strings

Failed to load DXVA2 library, xrefs: 10020BFC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleNamemv_logmv_realloc_arraywcslen
String ID: Failed to load DXVA2 library
API String ID: 1109209711-3958603366
Opcode ID: caa220611896e099629ee825504d56322bd30883596ec03cce50ca05abdeeecc
Instruction ID: efe441553f36b2bfbc4a0af33d893d1b0b4f9b0516fcd8424c0e804ed1213d9b
Opcode Fuzzy Hash: caa220611896e099629ee825504d56322bd30883596ec03cce50ca05abdeeecc
Instruction Fuzzy Hash: 6B01C8B59087448FD710DF64E48175EFAE1EF88344F92892EF9CC97201D7799981DB42

Uniqueness

Uniqueness Score: -1.00%

Function 10050727 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 100506B9
mv_bprintf.LICKING ref: 100506D9
mv_bprintf.LICKING ref: 10050745
mv_bprintf.LICKING ref: 10050772
mv_bprintf.LICKING ref: 100507A4

Strings

%sinv_only, xrefs: 10050739
%spreshuf, xrefs: 10050763
%sasm_call, xrefs: 10050798

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %sasm_call$%sinv_only$%spreshuf
API String ID: 3083893021-3962727239
Opcode ID: 90c0d60d1a0617f7270b93afc4339e1985aa7d0add00b809bf154b8fce84a6d7
Instruction ID: 5f15cc7f2fd3d7a48505a056e3c9f676d562507c38ce6b0ec27f149503c426fc
Opcode Fuzzy Hash: 90c0d60d1a0617f7270b93afc4339e1985aa7d0add00b809bf154b8fce84a6d7
Instruction Fuzzy Hash: B00169B2A09B408FE300EF68D68131EBAD0FBC1754F558C6EF4C887221D638D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1004CB4B Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004CBAE
SleepConditionVariableSRW.KERNEL32 ref: 1004CBE6
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CBFC
AcquireSRWLockExclusive.KERNEL32 ref: 1004CC43
WakeConditionVariable.KERNEL32 ref: 1004CC55
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CC61
mv_log.LICKING ref: 1004CD07
abort.MSVCRT ref: 1004CD0C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariable$SleepWakeabortmv_log
String ID:
API String ID: 347658250-0
Opcode ID: 11be16d74d9815c027949d20d38890b29adf29a8ebb2262fad58e00ef5e099dd
Instruction ID: 281dcb2b4c0cc69d101dc971f30222bac4f82cc9c8229765b8d2a21a66344814
Opcode Fuzzy Hash: 11be16d74d9815c027949d20d38890b29adf29a8ebb2262fad58e00ef5e099dd
Instruction Fuzzy Hash: 615123B5604B098FD750EF29D58060BFBE1FF88354F118A2DE89A97601E730F949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10002670 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

mv_samples_get_buffer_size.LICKING ref: 1000269F
mv_mallocz.LICKING ref: 100026B3
mv_sample_fmt_is_planar.LICKING(?), ref: 100026DC
mv_calloc.LICKING(?), ref: 100026F5
mv_fifo_alloc2.LICKING(?), ref: 10002736
mv_fifo_freep2.LICKING(?), ref: 10002761
mv_freep.LICKING(?), ref: 1000276E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_fifo_alloc2mv_fifo_freep2mv_freepmv_malloczmv_sample_fmt_is_planarmv_samples_get_buffer_size
String ID:
API String ID: 3721653357-0
Opcode ID: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
Instruction ID: e2c14ad1b6a78883c2eba2dd48e6cbb770f894d0147dffab9e861290766f1c48
Opcode Fuzzy Hash: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
Instruction Fuzzy Hash: 34311AB86087068FD700DF6AD58061AFBE4FF88394F51892EE99CC7211E774E855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10025881 Relevance: 12.1, APIs: 8, Instructions: 85COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 1002588F
GetStdHandle.KERNEL32 ref: 1002589D
GetConsoleMode.KERNEL32 ref: 100258BB
GetConsoleScreenBufferInfo.KERNEL32 ref: 100258E1
getenv.MSVCRT ref: 10025907
getenv.MSVCRT ref: 10025924

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: getenv$Console$BufferHandleInfoModeScreen
String ID:
API String ID: 1699668291-0
Opcode ID: 7f282bc0ed2d4dcee7f0a81308f7e3c8600af1d931dc11b8f73a203ff028e786
Instruction ID: aadd0b3004c474cb265bda94bdb8e53be14d5ea9baf5614533476b9452e4797f
Opcode Fuzzy Hash: 7f282bc0ed2d4dcee7f0a81308f7e3c8600af1d931dc11b8f73a203ff028e786
Instruction Fuzzy Hash: BD314934909764CBD700EF28998412A7BE1FF44361F914A2EECA697394F735E844CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001D220 Relevance: 12.1, APIs: 8, Instructions: 71COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1001D230
mv_sha512_alloc.LICKING ref: 1001D273
mv_sha512_alloc.LICKING ref: 1001D2BB
mv_md5_alloc.LICKING ref: 1001D2EB
mv_sha_alloc.LICKING ref: 1001D31B
mv_sha_alloc.LICKING ref: 1001D34B
mv_sha_alloc.LICKING ref: 1001D37B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_sha_alloc$mv_sha512_alloc$mv_malloczmv_md5_alloc
String ID:
API String ID: 1780169607-0
Opcode ID: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
Instruction ID: c35801f6e3b9458600ddf5c5e3e107538d07f14f20f18202b00d36dbdc320db3
Opcode Fuzzy Hash: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
Instruction Fuzzy Hash: C731E5B4116350CED740EF50D548A86BAE0FF00354FA7C5A9D61A4F222C7BED584DBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1001E360 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1001E381
mv_frame_alloc.LICKING ref: 1001E390

Part of subcall function 1001AC40: mv_malloc.LICKING ref: 1001AC56

mv_frame_ref.LICKING ref: 1001E3A6

Part of subcall function 1001BC40: mv_channel_layout_check.LICKING ref: 1001BC94
Part of subcall function 1001BC40: mv_channel_layout_check.LICKING ref: 1001BCDF
Part of subcall function 1001BC40: mv_buffer_ref.LICKING ref: 1001BD0E
Part of subcall function 1001BC40: mv_calloc.LICKING ref: 1001BD48
Part of subcall function 1001BC40: mv_buffer_ref.LICKING ref: 1001BD97

mv_buffer_ref.LICKING ref: 1001E3B4

Part of subcall function 10009FC0: mv_mallocz.LICKING ref: 10009FD2

mv_buffer_create.LICKING ref: 1001E3ED

Part of subcall function 10009E60: mv_mallocz.LICKING ref: 10009E86
Part of subcall function 10009E60: mv_mallocz.LICKING ref: 10009EBF

mv_buffer_unref.LICKING ref: 1001E413
mv_frame_free.LICKING ref: 1001E41B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_ref$mv_channel_layout_check$mv_buffer_createmv_buffer_unrefmv_callocmv_frame_allocmv_frame_freemv_frame_refmv_malloc
String ID:
API String ID: 2471893243-0
Opcode ID: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
Instruction ID: e44850cc1d663ee6b079855d6d5ccf767aeb5a2a45f4db7414dc8b10b7331849
Opcode Fuzzy Hash: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
Instruction Fuzzy Hash: EA21B3745087458FD780EF29C58021EFBE0EF89350F51892DFA988B346EB74E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10022AF0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 355COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING ref: 10022B47
mv_image_get_linesize.LICKING ref: 10022D4C

Part of subcall function 1008E660: mv_get_cpu_flags.LICKING(?,?,?,?,?,?,?,?,100223D7), ref: 1008E66D

mv_log.LICKING ref: 10022FBB
abort.MSVCRT ref: 10022FC0

Strings

av_image_get_linesize failed, xrefs: 10022E52
Assertion %s failed at %s:%d, xrefs: 10022FAA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_get_cpu_flagsmv_image_get_linesizemv_logmv_pix_fmt_desc_get
String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
API String ID: 1727888755-2525362290
Opcode ID: ef639a213f2f83615e0c038dc97bc69f3bff1acf258700b68cad26bf3974dcae
Instruction ID: 6d036607613c62424ae81a283923c390e7ec525f1d66d728904b830f7b258f3c
Opcode Fuzzy Hash: ef639a213f2f83615e0c038dc97bc69f3bff1acf258700b68cad26bf3974dcae
Instruction Fuzzy Hash: 33E17775A08351AFC350CFA8D58061AFBF1FF88354F96896EE8899B311D375E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10022610 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING ref: 10022691
mv_image_get_linesize.LICKING ref: 1002282F
mv_log.LICKING ref: 10022AC0
abort.MSVCRT ref: 10022AC5

Strings

av_image_get_linesize failed, xrefs: 10022A16
Assertion %s failed at %s:%d, xrefs: 10022AB1

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_image_get_linesizemv_logmv_pix_fmt_desc_get
String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
API String ID: 1423692287-2525362290
Opcode ID: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
Instruction ID: a2789ba4896ffccc60d1fb11a9358e28422a5f1174f25c27da114458ab982159
Opcode Fuzzy Hash: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
Instruction Fuzzy Hash: 59D1AC75A093519FC354CF68D080A2AFBF1FF88354F96896DE8899B311E735E981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10031790 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

january, xrefs: 10031832
%H:%M:%S, xrefs: 10031A1B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %H:%M:%S$january
API String ID: 0-1137272109
Opcode ID: a0ef06027dd452262f59f1afacad39d413c0104e0bbceb28bfbc1ce2687d7861
Instruction ID: e4e1503b0d98e6e4a17a3abc0e555106d5c31c285ae3bcf65f3324f0311f7ad7
Opcode Fuzzy Hash: a0ef06027dd452262f59f1afacad39d413c0104e0bbceb28bfbc1ce2687d7861
Instruction Fuzzy Hash: 32A1A3305087578EC712CF18C4D01EABBF6FF8B282F69449AC4558F1A6EB31E946CB95

Uniqueness

Uniqueness Score: -1.00%

Function 100513C7 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

mv_gcd.LICKING ref: 1005141C
mv_malloc.LICKING(?), ref: 100514E1
mv_log.LICKING ref: 10051772
abort.MSVCRT ref: 10051777

Strings

libavutil/tx.c, xrefs: 10051753
Assertion %s failed at %s:%d, xrefs: 10051765

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_gcdmv_logmv_malloc
String ID: Assertion %s failed at %s:%d$libavutil/tx.c
API String ID: 4069727316-3214517670
Opcode ID: 0e09d3cc2b061c85a55b3185d35380bd036ffdae070ff85d43b61a142aff8038
Instruction ID: f0f01d31d4c0e84df56782d14635ef8fa563d79c66c70d9de09b96c6a7dbf9f0
Opcode Fuzzy Hash: 0e09d3cc2b061c85a55b3185d35380bd036ffdae070ff85d43b61a142aff8038
Instruction Fuzzy Hash: 38B1F275A083458FC764CF29C58069AF7E2FF88358F15892EE998D7311E770E949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10027A80 Relevance: 10.7, APIs: 7, Instructions: 224COMMON

Download Yara Rule

APIs

mv_rescale_rnd.LICKING(?,?), ref: 10027BE5
mv_rescale_rnd.LICKING(?,?), ref: 10027C29
mv_rescale_rnd.LICKING(?,?,?,?), ref: 10027CF0
mv_rescale_rnd.LICKING(?,?), ref: 10027D3D
mv_rescale_rnd.LICKING(?,?), ref: 10027D85
mv_log.LICKING ref: 10027DDF
abort.MSVCRT ref: 10027DE4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_rescale_rnd$abortmv_log
String ID:
API String ID: 1705930533-0
Opcode ID: 9f028200c4f7af1aa06e951d37aec827e06ee442b6e881ebc883ad2788316904
Instruction ID: db39f999ce5a05736daa428095f9c7e2df799ee4ccd4f2fe878e4aaae96237c5
Opcode Fuzzy Hash: 9f028200c4f7af1aa06e951d37aec827e06ee442b6e881ebc883ad2788316904
Instruction Fuzzy Hash: 3DB1AAB9A093409FC354CF29D48061AFBE2BFC8710F95892EF99897351D775E8458F82

Uniqueness

Uniqueness Score: -1.00%

Function 1001CA10 Relevance: 10.7, APIs: 7, Instructions: 222COMMON

Download Yara Rule

APIs

mv_adler32_update.LICKING ref: 1001CA46
mv_crc.LICKING ref: 1001CAD5
mv_sha512_final.LICKING ref: 1001CC05
mv_ripemd_final.LICKING ref: 1001CC4D
mv_sha_final.LICKING ref: 1001CCAD
mv_md5_final.LICKING ref: 1001CCFD
mv_murmur3_final.LICKING ref: 1001CD1D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_adler32_updatemv_crcmv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final
String ID:
API String ID: 1982440126-0
Opcode ID: 04687af5209a5a817b96f8f4c1425c028bc82570c951b1b25f53a8377e0956c8
Instruction ID: 891e8a77fc9a0f9a526ea0130d9988fe101dc48a86ac4b67dc945094c8dc0f10
Opcode Fuzzy Hash: 04687af5209a5a817b96f8f4c1425c028bc82570c951b1b25f53a8377e0956c8
Instruction Fuzzy Hash: 469119B5A09706CFC714CF28C18060ABBE0FF89344F65896DE98D9B321D334E985DB96

Uniqueness

Uniqueness Score: -1.00%

Function 1002D1D2 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002D38B
mv_log.LICKING ref: 1002D4D3

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002D4B3
The value set by option '%s' is not a video rate., xrefs: 1002D379
Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002D500

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmp
String ID: The value set by option '%s' is not a video rate.$Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 3828882664-184275398
Opcode ID: 9048f1d3171aae043673fb0fdbe3cfab101bd8445a56e714e4be4b6e8c8ac588
Instruction ID: d45a10e71e14beca1d3a191c2c2f45444891420c3d6d5d391c48b5bc7296f499
Opcode Fuzzy Hash: 9048f1d3171aae043673fb0fdbe3cfab101bd8445a56e714e4be4b6e8c8ac588
Instruction Fuzzy Hash: A281A135908B458FC341EF29E48011BFBE5FFD62E0FA0975AF89A6B260D7319881C742

Uniqueness

Uniqueness Score: -1.00%

Function 10030430 Relevance: 10.7, APIs: 7, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800b1406a6777d3b0a110f8a2bafff3ed093b576a6716a7b0ba2b2e8c81d1b2c
Instruction ID: 3912d89886b32ab3c0e056b5cdab389be67126b87d12ef53d502f4ae6e2b42f2
Opcode Fuzzy Hash: 800b1406a6777d3b0a110f8a2bafff3ed093b576a6716a7b0ba2b2e8c81d1b2c
Instruction Fuzzy Hash: 057157B560A7028FC756CF28C0A062BB7E1EF94681F21892DF8D58F255D731ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1004F5C8 Relevance: 10.7, APIs: 7, Instructions: 151COMMON

Download Yara Rule

APIs

mv_tree_insert.LICKING ref: 1004F09E
mv_tree_find.LICKING ref: 1004F618
mv_tree_find.LICKING ref: 1004F633
mv_tree_find.LICKING ref: 1004F6D8
mv_tree_find.LICKING ref: 1004F6F3
mv_tree_find.LICKING ref: 1004F751
mv_tree_find.LICKING ref: 1004F768

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find$mv_tree_insert
String ID:
API String ID: 3047205218-0
Opcode ID: 748b1c967ae3881e327b4b3e75e89f36747101333f41ba75464ed4008a113ba7
Instruction ID: 7e0d4755b41f8e2916782f1965c067a71010c75964bc54382cfcccd0c96f60c3
Opcode Fuzzy Hash: 748b1c967ae3881e327b4b3e75e89f36747101333f41ba75464ed4008a113ba7
Instruction Fuzzy Hash: D751AEB59097469FC300DF6AC08441AFBE5FF88A50F61892EE898D7311E774E9458F86

Uniqueness

Uniqueness Score: -1.00%

Function 100A2A90 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 100A1770: TlsAlloc.KERNEL32(000003E8,?,?,100A2C7E,?,?,000003E8,000003E8,100A0F79), ref: 100A17A4

TlsGetValue.KERNEL32(?,?,00000000,?,100A2CC5,?,?,?,000003E8,000003E8,100A0F79), ref: 100A2AA2

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocValue
String ID:
API String ID: 1189806713-0
Opcode ID: 25ac044b652095c229cfe2fa3ea3f5770be1c198b69049da9f34c8fa44119156
Instruction ID: 0c110bb8a1474054fc7518a827457970665ff0323ecc72bfc9f2e4db84b901ca
Opcode Fuzzy Hash: 25ac044b652095c229cfe2fa3ea3f5770be1c198b69049da9f34c8fa44119156
Instruction Fuzzy Hash: E14191B9604621CBD700FFFC988965E77E4EF54290F060679EC41CB256EB24E941C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10023180 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING ref: 1002319F
mv_image_get_linesize.LICKING ref: 100231D4

Part of subcall function 10021480: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_image_fill_linesizes.LICKING(?), ref: 10023268
mv_image_fill_plane_sizes.LICKING(?), ref: 100232CB

Strings

Picture size %ux%u is invalid, xrefs: 1002331F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_get_linesize
String ID: Picture size %ux%u is invalid
API String ID: 3680373976-1963597007
Opcode ID: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
Instruction ID: 42873512ec11e61a891db32c639e21bb7bc2094a7c171237446aa949f8b4b16f
Opcode Fuzzy Hash: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
Instruction Fuzzy Hash: 80513576A083418BC384CF69D88064EBBE2EFC8750F55CA3EE598C7350EA75DA448B42

Uniqueness

Uniqueness Score: -1.00%

Function 100121A0 Relevance: 10.6, APIs: 7, Instructions: 119COMMON

Download Yara Rule

APIs

mv_strdup.LICKING ref: 1001221F
mv_bprint_init.LICKING ref: 1001225D
mv_bprint_escape.LICKING ref: 100122B3
mv_bprint_append_data.LICKING ref: 100122CC
mv_bprint_escape.LICKING ref: 100122EE
mv_bprint_finalize.LICKING ref: 1001231B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_strdup
String ID:
API String ID: 806756221-0
Opcode ID: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
Instruction ID: 1123dba4393114ef0ad0658bdbc6ab6a3ceb4212d851131ba1441c628290b326
Opcode Fuzzy Hash: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
Instruction Fuzzy Hash: 8C4114B55093449BC360CF28C08025ABBE5FF85394F55892EE9988B341E636EA95CB46

Uniqueness

Uniqueness Score: -1.00%

Function 1000E950 Relevance: 10.6, APIs: 7, Instructions: 113stringCOMMON

Download Yara Rule

APIs

mv_channel_from_string.LICKING ref: 1000E993
strchr.MSVCRT ref: 1000E9C4
mv_strlcpy.LICKING ref: 1000E9EF
mv_channel_from_string.LICKING ref: 1000EA01
strcmp.MSVCRT ref: 1000EA3D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_from_string$mv_strlcpystrchrstrcmp
String ID:
API String ID: 1821482347-0
Opcode ID: 5ce235384a62128bb730ed29545a141e1c22fd50a2d3fedd0eec4bd7515d1792
Instruction ID: 91c5a6e0a1255d2b0d9764647b30d267e30255839a2f84cd078a58f26ad91a2a
Opcode Fuzzy Hash: 5ce235384a62128bb730ed29545a141e1c22fd50a2d3fedd0eec4bd7515d1792
Instruction Fuzzy Hash: E1418F75A087858BEB50DF28C48054EBBE4FF89794F114A2DF8D4A7296D370ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001A8BC Relevance: 10.6, APIs: 7, Instructions: 112COMMON

Download Yara Rule

APIs

mv_buffer_alloc.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A8CA

Part of subcall function 10009DC0: mv_malloc.LICKING ref: 10009DDC
Part of subcall function 10009DC0: mv_mallocz.LICKING ref: 10009DF2
Part of subcall function 10009DC0: mv_mallocz.LICKING ref: 10009E25

mv_realloc.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A902

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_mallocz.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001A91C
mv_dict_copy.LICKING ref: 1001A996
mv_buffer_ref.LICKING ref: 1001A9EC
mv_realloc.LICKING ref: 1001AA26
mv_mallocz.LICKING ref: 1001AA40
mv_buffer_unref.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AA87
mv_buffer_unref.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AAAD
mv_dict_free.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AAB5
mv_freep.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AABD
mv_freep.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1001AADB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_unrefmv_freepmv_realloc$_aligned_reallocmv_buffer_allocmv_buffer_refmv_dict_copymv_dict_freemv_malloc
String ID:
API String ID: 3654835198-0
Opcode ID: 0bf41d1fdf1a0d08d43b0fab588065db97ebe82ea24d02b71fa17c9d9ea0863f
Instruction ID: 2ff58008ff79fef770ec364c302c24b01e6a414989e191337692d11d052fa45a
Opcode Fuzzy Hash: 0bf41d1fdf1a0d08d43b0fab588065db97ebe82ea24d02b71fa17c9d9ea0863f
Instruction Fuzzy Hash: E651E674904342CFCB14CF19C58069ABBE1FF89390F46896EE98A9B351E770E981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10006940 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10006950
mv_malloc.LICKING ref: 10006959
strspn.MSVCRT ref: 10006980
strspn.MSVCRT ref: 100069C1

Strings

, xrefs: 10006973, 10006A73

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strspn$mv_mallocstrlen
String ID:
API String ID: 1916163187-596783616
Opcode ID: 6d443ae11f2d914a5227319bcfeb12270d11b8b479f6cc4a7ac6a66c55ffb6ff
Instruction ID: cedbecd3a87d8b5a4725ffb42990fb526c0b4fb3d9c1c657b53cfd1c5efe5fcf
Opcode Fuzzy Hash: 6d443ae11f2d914a5227319bcfeb12270d11b8b479f6cc4a7ac6a66c55ffb6ff
Instruction Fuzzy Hash: 6041623460C3958BDB11DF65888025ABBE6EF8B6C0F55845DF8C56B306C235AE48CF93

Uniqueness

Uniqueness Score: -1.00%

Function 1002F226 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

mv_expr_parse_and_eval.LICKING ref: 1002F115

Strings

all, xrefs: 1002F08F
none, xrefs: 1002F06A
max, xrefs: 1002F025
default, xrefs: 1002EFF2
min, xrefs: 1002F03F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_parse_and_eval
String ID: all$default$max$min$none
API String ID: 2217327432-3292705889
Opcode ID: 10902ce6959dcda57c3802d1404c17b7355792d975e56109f361b0065da62f55
Instruction ID: 98b80aec2e3a380831a781cac75c10b25bfbbdd989e4a5369e61f7fda47c1b04
Opcode Fuzzy Hash: 10902ce6959dcda57c3802d1404c17b7355792d975e56109f361b0065da62f55
Instruction Fuzzy Hash: CC41F3B5A097418BC391EF28E04039BBBE5FFC9354F618A2EE5C9C7200EB71D9459B42

Uniqueness

Uniqueness Score: -1.00%

Function 1004E921 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1004E9D4
mv_log.LICKING ref: 1004EA11
mv_log.LICKING ref: 1004EA3D

Strings

Valid timecode frame rate must be specified. Minimum value is 1, xrefs: 1004EA28
Drop frame is only allowed with multiples of 30000/1001 FPS, xrefs: 1004E9FC
Using non-standard frame rate %d/%d, xrefs: 1004E9B7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: Drop frame is only allowed with multiples of 30000/1001 FPS$Using non-standard frame rate %d/%d$Valid timecode frame rate must be specified. Minimum value is 1
API String ID: 2418673259-1533689702
Opcode ID: 5308b788b35eb2ba41f347ff00c63aea73f51a605b3ca88b212ef6a92ed3e4a8
Instruction ID: 30860fd35e86e6619b39004a3d0271e71dd1b8231c662d412ace0011f73d0d12
Opcode Fuzzy Hash: 5308b788b35eb2ba41f347ff00c63aea73f51a605b3ca88b212ef6a92ed3e4a8
Instruction Fuzzy Hash: A8317F709083919BCBA4DF18C98061EB7E1EB85750F609D3FF895C7394D274DC408B86

Uniqueness

Uniqueness Score: -1.00%

Function 1002BE3B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002BDE3
mv_log.LICKING ref: 1002BE0D
mv_log.LICKING ref: 1002BE75
mv_log.LICKING ref: 1002BE93
mv_log.LICKING ref: 1002BEB1

Strings

%-15s , xrefs: 1002BDF4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$strcmp
String ID: %-15s
API String ID: 1163046698-755444208
Opcode ID: c8950e813505deaba6e6c740a0b4a0732e9367fb689c9f1dfb58362b7529538a
Instruction ID: 563700deaef263fce159176b0dd492e00eb1d330f8125ad98d2bf1a7a26520e4
Opcode Fuzzy Hash: c8950e813505deaba6e6c740a0b4a0732e9367fb689c9f1dfb58362b7529538a
Instruction Fuzzy Hash: B9317474A09B459FCB50DF29D58069EBBE1FF88740F95882DF99887712E734E8409B42

Uniqueness

Uniqueness Score: -1.00%

Function 10092340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10092352
_errno.MSVCRT ref: 10092370
rand.MSVCRT ref: 100923D0
_sopen.MSVCRT ref: 10092416
_errno.MSVCRT ref: 10092424

Strings

XXXX, xrefs: 10092368

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$_sopenrandstrlen
String ID: XXXX
API String ID: 1081397658-1518373315
Opcode ID: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
Instruction ID: 5ba2c4e2c30cf57021d4c67dc99ab4cf3299af9f9df0caf2ec803c7fcbdd4207
Opcode Fuzzy Hash: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
Instruction Fuzzy Hash: A62137B190934A9FC704EF24889015E7BE4EF86394F11C92DF4998B291D6399A49DB81

Uniqueness

Uniqueness Score: -1.00%

Function 10034916 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10034945
mv_strlcpy.LICKING ref: 10034967

Part of subcall function 100066E0: strlen.MSVCRT ref: 10006726

strlen.MSVCRT ref: 1003496F
strcmp.MSVCRT ref: 100349B6
mv_match_name.LICKING ref: 100349C8

Part of subcall function 10007100: strlen.MSVCRT ref: 10007126
Part of subcall function 10007100: strchr.MSVCRT ref: 1000715B
Part of subcall function 10007100: strncmp.MSVCRT ref: 10007200

Strings

yuv420p, xrefs: 10034999

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$mv_match_namemv_strlcpystrchrstrcmpstrncmp
String ID: yuv420p
API String ID: 426946574-503634524
Opcode ID: 914257408c454b33cc12dbd9f650cd5a4579398391d3cd4c2bef35e482282d5e
Instruction ID: 8d81f2d43a194587669f2922de82af64566de1d3bc049b1fbb5779b2406c821a
Opcode Fuzzy Hash: 914257408c454b33cc12dbd9f650cd5a4579398391d3cd4c2bef35e482282d5e
Instruction Fuzzy Hash: DC219C789083918FD712DB28D48575BBBE0EF82391F07895FE4848F251DA74B884CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1004D8C2 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004D8E1
SleepConditionVariableSRW.KERNEL32 ref: 1004D926
mv_fifo_can_write.LICKING ref: 1004D937
mv_fifo_write.LICKING ref: 1004D965
WakeConditionVariable.KERNEL32 ref: 1004D96D
ReleaseSRWLockExclusive.KERNEL32 ref: 1004D981
mv_fifo_can_write.LICKING ref: 1004D99A

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConditionExclusiveLockVariablemv_fifo_can_write$AcquireReleaseSleepWakemv_fifo_write
String ID:
API String ID: 1714568982-0
Opcode ID: 45c406128746d57d056cd708442fb8be9560ff6dba704c5ed733ae9ae6dd79b1
Instruction ID: 58dfbd11946cbb2bc3b27651b3eb27094259b7c96db196a793ad7ed99f6a8d81
Opcode Fuzzy Hash: 45c406128746d57d056cd708442fb8be9560ff6dba704c5ed733ae9ae6dd79b1
Instruction Fuzzy Hash: 04213BB59087058FD704EF29C58461BBBF1FF84350F11896DE998CB259E730E846CB86

Uniqueness

Uniqueness Score: -1.00%

Function 100A2810 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 100A1770: TlsGetValue.KERNEL32 ref: 100A1980

longjmp.MSVCRT ref: 100A2846
TlsGetValue.KERNEL32(?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E,?,?,?,00000000,?), ref: 100A2854
CloseHandle.KERNEL32(?,?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E,?,?,?,00000000), ref: 100A287B
_endthreadex.MSVCRT(?,?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E,?,?,?,00000000), ref: 100A2890
CloseHandle.KERNEL32(?,?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E,?,?,?,00000000), ref: 100A28A2
TlsSetValue.KERNEL32(?,?,?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E), ref: 100A28C3
CloseHandle.KERNEL32(?,?,?,?,0000001C,100A29FF,?,?,?,?,00000000,100A2B3E,?,?,?,00000000), ref: 100A28DA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 321131890c9b128d99831a3ad50efb5b355209c35e37694f091b5e4f2916aa8c
Instruction ID: 2ddd366e07835171e7f8968bf9f36d94d719ae96dfead8c336bdbb42f04f28c0
Opcode Fuzzy Hash: 321131890c9b128d99831a3ad50efb5b355209c35e37694f091b5e4f2916aa8c
Instruction Fuzzy Hash: 4B21A7B4605221DFDB40EFB8C98861A7BE4FF08384F06486DED45CB256EB38D944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000F8F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1000F8F7
GetProcessAffinityMask.KERNEL32 ref: 1000F910
mv_log.LICKING ref: 1000F99A

Strings

overriding to %d logical cores, xrefs: 1000F981
detected %d logical cores, xrefs: 1000F9B4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Process$AffinityCurrentMaskmv_log
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 4261380130-3421371979
Opcode ID: 59ef6a107ec3cdb46dd4167b638c4726428b6cb03edb44507d23a229c6465c65
Instruction ID: 655d1004639110147f1915e1f3dd4d32bf395fc4964a2075afa2b445a2896311
Opcode Fuzzy Hash: 59ef6a107ec3cdb46dd4167b638c4726428b6cb03edb44507d23a229c6465c65
Instruction Fuzzy Hash: 0E2142B5B197019BD304DF29C88030ABBE2EBC8250F48C93DF888C7759E638D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D820 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

mv_buffer_pool_uninit.LICKING ref: 1001D83B

Part of subcall function 1000A650: AcquireSRWLockExclusive.KERNEL32 ref: 1000A66C
Part of subcall function 1000A650: mv_freep.LICKING ref: 1000A69C
Part of subcall function 1000A650: ReleaseSRWLockExclusive.KERNEL32 ref: 1000A6AB

mv_buffer_unref.LICKING ref: 1001D872
mv_buffer_unref.LICKING ref: 1001D881
mv_freep.LICKING ref: 1001D890
mv_freep.LICKING ref: 1001D8A2
mv_freep.LICKING ref: 1001D8B1
mv_freep.LICKING ref: 1001D8BD

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$ExclusiveLockmv_buffer_unref$AcquireReleasemv_buffer_pool_uninit
String ID:
API String ID: 3286761627-0
Opcode ID: ce86d33006e2883c2f07b557f8b7dc23eb80ab62c5c85b3ca20994ce710f1ba1
Instruction ID: c2c7fff8f9affbfaa43353b1796216bc37b5074c3dd7c6f1f2ea0825a5865995
Opcode Fuzzy Hash: ce86d33006e2883c2f07b557f8b7dc23eb80ab62c5c85b3ca20994ce710f1ba1
Instruction Fuzzy Hash: 081186B86086018FDB04EF69D5C5A1AF7F1EF84240F46CD5DE8948B306D635E885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000C220 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1000C27B
mv_bprintf.LICKING ref: 1000C298
mv_bprintf.LICKING ref: 1000C2B8

Strings

USR%d, xrefs: 1000C28C
AMBI%d, xrefs: 1000C2AC
NONE, xrefs: 1000C247

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: AMBI%d$NONE$USR%d
API String ID: 3083893021-3656852315
Opcode ID: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
Instruction ID: 215f8c01a0ebe083e3755320398acc4362dbfeb093f1504df316b337c640c054
Opcode Fuzzy Hash: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
Instruction Fuzzy Hash: 16012CB8909B418BD304EF28848052EBAE1FF84284FD48A6DE4CC87755E639DA409B83

Uniqueness

Uniqueness Score: -1.00%

Function 1000C3C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1000C41B
mv_bprintf.LICKING ref: 1000C438
mv_bprintf.LICKING ref: 1000C458

Strings

none, xrefs: 1000C3E7
user %d, xrefs: 1000C42C
ambisonic ACN %d, xrefs: 1000C44C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: ambisonic ACN %d$none$user %d
API String ID: 3083893021-4180635230
Opcode ID: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
Instruction ID: 324eb216ddd130d516033ba78e4077f7499b10045cf144ab3190435d7abd8d01
Opcode Fuzzy Hash: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
Instruction Fuzzy Hash: 77012CB8D09B418BD304EF28908152DBAE1FFC4288FD4CA6DE4CC87355E639DA408B53

Uniqueness

Uniqueness Score: -1.00%

Function 1003D010 Relevance: 9.2, APIs: 6, Instructions: 164COMMON

Download Yara Rule

APIs

mv_calloc.LICKING ref: 1003D04A
mv_samples_get_buffer_size.LICKING ref: 1003D07E
mv_malloc.LICKING ref: 1003D092
mv_samples_fill_arrays.LICKING ref: 1003D0C8

Part of subcall function 1003CCD0: mv_samples_get_buffer_size.LICKING ref: 1003CD21

mv_freep.LICKING ref: 1003D1B7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_samples_get_buffer_size$mv_callocmv_freepmv_mallocmv_samples_fill_arrays
String ID:
API String ID: 3785048109-0
Opcode ID: a837376923d31b8d51785eda9ee147ded60cc4d974556988644d2961f86c7bc0
Instruction ID: c7ae188871f9336af766a03ae5236d5e5e7d21bd421fb7eeebc3b094d4729f23
Opcode Fuzzy Hash: a837376923d31b8d51785eda9ee147ded60cc4d974556988644d2961f86c7bc0
Instruction Fuzzy Hash: 1C515B75A083459FC701EF69E48060BFBE4EF95391F11492FE9888B351D3B5E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001B039 Relevance: 9.2, APIs: 6, Instructions: 164COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.LICKING ref: 1001B043
mv_image_check_size.LICKING ref: 1001B069

Part of subcall function 100221C0: mv_image_get_linesize.LICKING ref: 10022203

mv_image_fill_linesizes.LICKING ref: 1001B0C8

Part of subcall function 100215D0: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

mv_image_fill_plane_sizes.LICKING ref: 1001B15D
mv_buffer_alloc.LICKING ref: 1001B1CD
mv_image_fill_pointers.LICKING ref: 1001B1FC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_buffer_allocmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_image_get_linesize
String ID:
API String ID: 566543421-0
Opcode ID: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
Instruction ID: 4992ce4e1065cc46e00ece35f003ee7f574db56b11f2f258b44564899a0fbe5b
Opcode Fuzzy Hash: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
Instruction Fuzzy Hash: 4561E7B5A08B018FCB44DF69D59065ABBE1FF88240F16897DE949CB315E735E844CF41

Uniqueness

Uniqueness Score: -1.00%

Function 1002EC60 Relevance: 9.1, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002ED21
strcmp.MSVCRT ref: 1002ED3F
strcmp.MSVCRT ref: 1002ED69
mv_opt_find2.LICKING ref: 1002EE43

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_opt_find2
String ID:
API String ID: 3181049271-0
Opcode ID: e0a30610a9e5f39601499a9484602b70a4d75e8127ea9340288bfb7d2c9b0116
Instruction ID: 2e9d4fc877a1d5e419652e043605975d8ac202c057ec651dfcbc480896da8628
Opcode Fuzzy Hash: e0a30610a9e5f39601499a9484602b70a4d75e8127ea9340288bfb7d2c9b0116
Instruction Fuzzy Hash: 7E41D6356483899BDB50DF65E98066BBBE4FF84780F818C2DED9887201E774EC41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C210 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

mv_buffer_is_writable.LICKING ref: 1001C24C
mv_buffer_is_writable.LICKING ref: 1001C27C
mv_channel_layout_copy.LICKING ref: 1001C30C
mv_hwframe_get_buffer.LICKING ref: 1001C336
mv_frame_copy.LICKING ref: 1001C348

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_is_writable$mv_channel_layout_copymv_frame_copymv_hwframe_get_buffer
String ID:
API String ID: 1431812533-0
Opcode ID: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
Instruction ID: 9aa00ebb7c7a901d7ff1af15f7d5cd17a7e62451d1a9c752bdbd2b923dfe8871
Opcode Fuzzy Hash: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
Instruction Fuzzy Hash: F0514A75A047169FD354CF79C880B9AF7E4FF88350F018A2AE999CB301E734E9948B91

Uniqueness

Uniqueness Score: -1.00%

Function 10090D70 Relevance: 9.1, APIs: 6, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 10090D9F
vfprintf.MSVCRT ref: 10090DBF
abort.MSVCRT ref: 10090DC4
VirtualQuery.KERNEL32 ref: 10090E5B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID:
API String ID: 2513968241-0
Opcode ID: e17759b3fb2837557a8b365765238414b278e3dec190b4c7fa76bc060ff69d89
Instruction ID: df2d4e1fd157290d0ee2fcec052a5d80a6cec2ab82355e25c391395788c49f3d
Opcode Fuzzy Hash: e17759b3fb2837557a8b365765238414b278e3dec190b4c7fa76bc060ff69d89
Instruction Fuzzy Hash: B95145B5909711CFC700DF69C88965ABBF0FF84354F55892CE98C8B229E738E845DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10001020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,10001281,?,?,?,?,?,?,100013AE), ref: 10001057
_amsg_exit.MSVCRT ref: 10001086

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
Instruction ID: 2785d9bf782298c98c7f05eb770d18c25c91c74859540191a5f4291f5604d36f
Opcode Fuzzy Hash: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
Instruction Fuzzy Hash: D031DE70609291CBF341DF69C9C838A77E0EB843D4F11842DED888B65CD7B9D980CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9E7 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1002BA0E
mv_mallocz.LICKING ref: 1002BA1C
mv_mallocz.LICKING ref: 1002BA2A

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$strcmp
String ID:
API String ID: 2834502591-0
Opcode ID: 91268935fb6a5324bd6a0c4bbc37de54e9932ad71abd3cf9a84d2fd258137503
Instruction ID: f9b15f886985c9bcac0ab4322a90cce24b04e6b91aee38886bf3c92c90122c6f
Opcode Fuzzy Hash: 91268935fb6a5324bd6a0c4bbc37de54e9932ad71abd3cf9a84d2fd258137503
Instruction Fuzzy Hash: 3E41CDB5404B048BDB10DF24C49535BBBE0FF49354F928A89ED984F29AC7B6D985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1004CD20 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004CD82
WakeConditionVariable.KERNEL32 ref: 1004CD94
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CDA0
WaitForSingleObjectEx.KERNEL32 ref: 1004CDE8
CloseHandle.KERNEL32 ref: 1004CDF8
mv_freep.LICKING ref: 1004CE13

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseConditionHandleObjectReleaseSingleVariableWaitWakemv_freep
String ID:
API String ID: 1841216690-0
Opcode ID: d04cd0e88430129ae94d593417afda897d5d74261d0e15a29793019cdd47cee2
Instruction ID: 87809e021e4ed86b95ec7d105ce6fdcb387fbfbde36d4bb7a1cbf7cbfa54c983
Opcode Fuzzy Hash: d04cd0e88430129ae94d593417afda897d5d74261d0e15a29793019cdd47cee2
Instruction Fuzzy Hash: 96316CB2A047098FD344EF69D88460BBBE1FF84290F21853DE99987215D730E959CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 1000E173 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1000DF70
mv_channel_layout_from_mask.LICKING ref: 1000E046
mv_freep.LICKING ref: 1000E17B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_from_maskmv_freepstrcmp
String ID:
API String ID: 3576703362-0
Opcode ID: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
Instruction ID: f14a3d27c2c21489c07e4dbc689c5fec37a1484687acd34e25a8149a501b133e
Opcode Fuzzy Hash: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
Instruction Fuzzy Hash: 45312535A083819FE340EF25D48062FBBE1EF84394F52992EF98997314D671EC40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1004CE2C Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004CD82
WakeConditionVariable.KERNEL32 ref: 1004CD94
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CDA0
WaitForSingleObjectEx.KERNEL32 ref: 1004CDE8
CloseHandle.KERNEL32 ref: 1004CDF8
mv_freep.LICKING ref: 1004CE13

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseConditionHandleObjectReleaseSingleVariableWaitWakemv_freep
String ID:
API String ID: 1841216690-0
Opcode ID: 63587515ec9b90ea21497cd5ccb01439822d9a24b8bb4638c80c749b9f17b1f2
Instruction ID: ccadba58c46f8248f3f0d35244fc53a0b1b289b5ddee3407f287dacd285830b0
Opcode Fuzzy Hash: 63587515ec9b90ea21497cd5ccb01439822d9a24b8bb4638c80c749b9f17b1f2
Instruction Fuzzy Hash: 46211BB19087198FD700EF69D88464BBBE0FF84390F61893DE99587215D730EA59CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 1004D700 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1004D72F
InitializeConditionVariable.KERNEL32 ref: 1004D740
InitializeConditionVariable.KERNEL32 ref: 1004D755
InitializeConditionVariable.KERNEL32 ref: 1004D760
mv_fifo_alloc2.LICKING ref: 1004D772

Part of subcall function 10017E40: mv_mallocz.LICKING(?,?,?,?,?,1000273B,?), ref: 10017E68

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConditionInitializeVariable$mv_mallocz$mv_fifo_alloc2
String ID:
API String ID: 4159095404-0
Opcode ID: e4d08d054348a10b5d62f2dc293bd84c386795ac7498b10b4fa93478bdeed630
Instruction ID: 8f3d9d181a4fabb45340e1a03e96ffd45e992578f1406e9f8df9df0cfa86b498
Opcode Fuzzy Hash: e4d08d054348a10b5d62f2dc293bd84c386795ac7498b10b4fa93478bdeed630
Instruction Fuzzy Hash: D011E2B49083048FCB40EF39848451ABBE4BF88254F564A6EE898D7355E734E984CB86

Uniqueness

Uniqueness Score: -1.00%

Function 1004D7CC Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004D7F3
mv_fifo_can_read.LICKING ref: 1004D800
mv_fifo_read_to_cb.LICKING ref: 1004D82A
WakeAllConditionVariable.KERNEL32 ref: 1004D835
ReleaseSRWLockExclusive.KERNEL32 ref: 1004D841
mv_fifo_freep2.LICKING ref: 1004D84E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariableWakemv_fifo_can_readmv_fifo_freep2mv_fifo_read_to_cb
String ID:
API String ID: 615083901-0
Opcode ID: a502c8e509520cf3cf71fa028d506e8428bdf8578b691e17736b3ae36d2e60bb
Instruction ID: df47cf619a1e5bf3bc6ba66eea37f09d6ce88ae29aaf1d55ad75ccacbec190b0
Opcode Fuzzy Hash: a502c8e509520cf3cf71fa028d506e8428bdf8578b691e17736b3ae36d2e60bb
Instruction Fuzzy Hash: 46117CB59083408FCB40EF69C08551ABBE0FF88354F55896EE8C8AB315D734EA85CB87

Uniqueness

Uniqueness Score: -1.00%

Function 10011B29 Relevance: 9.0, APIs: 6, Instructions: 27COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 10011AE6
mv_freep.LICKING ref: 10011AF2
mv_freep.LICKING ref: 10011B36
mv_freep.LICKING ref: 10011B42

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: 4dad41aface1bf4d8e8f6d457dcfae7240ecd57a1cb0b23708a07321ea9591c0
Instruction ID: d62fb898b935cc63bf9da65a74de6d4b5ecaebda1c704ba131891dd3b15b5cb6
Opcode Fuzzy Hash: 4dad41aface1bf4d8e8f6d457dcfae7240ecd57a1cb0b23708a07321ea9591c0
Instruction Fuzzy Hash: 28F05F795097089FCB40EFB4E0C5A9DB7F4EF44294F854D2AF8D487201E635E544CA52

Uniqueness

Uniqueness Score: -1.00%

Function 10033008 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

mv_strstart.LICKING ref: 100327D5
mv_strstart.LICKING ref: 100327FE

Strings

, xrefs: 10032B32
xyz, xrefs: 100327F5
yuvj, xrefs: 100327C4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strstart
String ID: $xyz$yuvj
API String ID: 2201124280-2071466796
Opcode ID: 39b5a30e90ac46c83331b72173aec11757fe19d2f3b47d718497b41df0643e4c
Instruction ID: a5d947d74d650894119c99c5be97153cec975f5daebd80d8028626f77209e2c2
Opcode Fuzzy Hash: 39b5a30e90ac46c83331b72173aec11757fe19d2f3b47d718497b41df0643e4c
Instruction Fuzzy Hash: 72C1BD355083958FD342CF29C8D079ABBE2EB86385F48496CE4D58B366D274EA58CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10032DAC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 275COMMON

Download Yara Rule

APIs

mv_strstart.LICKING ref: 100327D5
mv_strstart.LICKING ref: 100327FE

Strings

, xrefs: 10032B32
xyz, xrefs: 100327F5
yuvj, xrefs: 100327C4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strstart
String ID: $xyz$yuvj
API String ID: 2201124280-2071466796
Opcode ID: 03f605acba4452d00feb8d75fe28fa4e3e63605085a0c1b03da2bd43c9460d12
Instruction ID: c9f45acd98c498f54e1a22fb9fdb1e645dd1fed1b2e3f6060196e5eb3db7b0e6
Opcode Fuzzy Hash: 03f605acba4452d00feb8d75fe28fa4e3e63605085a0c1b03da2bd43c9460d12
Instruction Fuzzy Hash: EBC1CF355083958FD342CF29C4D079ABBE2EBC6385F44496CF4D18B366D274EA58CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1003277C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 274COMMON

Download Yara Rule

APIs

mv_strstart.LICKING ref: 100327D5
mv_strstart.LICKING ref: 100327FE

Strings

, xrefs: 10032B32
xyz, xrefs: 100327F5
yuvj, xrefs: 100327C4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strstart
String ID: $xyz$yuvj
API String ID: 2201124280-2071466796
Opcode ID: bf538c3d32dc164546b8d71b7ef143894ac079a28419cdf11871ed8b135c828a
Instruction ID: 7b85f3f284fba82e988c741fad1b5415d7ed07ecc4c5c93fba96830e7aa22b5e
Opcode Fuzzy Hash: bf538c3d32dc164546b8d71b7ef143894ac079a28419cdf11871ed8b135c828a
Instruction Fuzzy Hash: 41B1BE355083958FD342CF29C8D079ABBE2EBC6385F49496CF4D18B366D274EA58CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1002C7A3 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002C968

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002C993
Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002C955

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 2835281190-116802341
Opcode ID: 7a430b63537cfca4e52c8b34ddb6aeeaf0ef8f8de78e7bc3377def3a7c12f401
Instruction ID: f5ff938638eab8d41af19827bf25da70b1ccf5c84ca8afc5ac51977fc6dbc480
Opcode Fuzzy Hash: 7a430b63537cfca4e52c8b34ddb6aeeaf0ef8f8de78e7bc3377def3a7c12f401
Instruction Fuzzy Hash: E6914B7580CB898FC361DF24E48064AB7E0FF99794FA09B1EF8D997250E73188859B42

Uniqueness

Uniqueness Score: -1.00%

Function 10022070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

mv_image_get_linesize.LICKING ref: 100220C7

Part of subcall function 10021480: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_log.LICKING ref: 10022171
mv_log.LICKING(?), ref: 100221AE

Strings

Picture size %ux%u is invalid, xrefs: 10022154
Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it, xrefs: 1002219E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_image_get_linesizemv_pix_fmt_desc_get
String ID: Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it$Picture size %ux%u is invalid
API String ID: 1737039923-91635712
Opcode ID: be307f069a0f8f3830f1a6dc5593e53dc4cbf9be5c3141ac0c4df79d406c7717
Instruction ID: 3c8a99a71c8e326a98376f97ab33d5763ba7511a9ded89bfad592829aebd47ca
Opcode Fuzzy Hash: be307f069a0f8f3830f1a6dc5593e53dc4cbf9be5c3141ac0c4df79d406c7717
Instruction Fuzzy Hash: 8341EBB5A083449FC340CF69C48060AFBE1FBC8750F958A2EF9A8D3350E774E9448B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000C560 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 1000C582
strcmp.MSVCRT ref: 1000C5B0
strtol.MSVCRT ref: 1000C5DA

Strings

AMBI, xrefs: 1000C561

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmpstrncmpstrtol
String ID: AMBI
API String ID: 155133989-3084986980
Opcode ID: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
Instruction ID: 080b42f47ecb1617c9eeb941eeb6b1a796e462e2a98a72bb2a37a4396a6a9be9
Opcode Fuzzy Hash: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
Instruction Fuzzy Hash: 6A21BEB5A0C7858FF350CF2898C064FBAD0EB492D1F11893EF989C7355E235E8858B82

Uniqueness

Uniqueness Score: -1.00%

Function 1002D618 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002D6D0
mv_log.LICKING ref: 1002D719

Strings

Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 1002D6EC
The value set by option '%s' is not a %s format, xrefs: 1002D6AF
sample, xrefs: 1002D6AA, 1002D6E7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmp
String ID: The value set by option '%s' is not a %s format$Value %d for parameter '%s' out of %s format range [%d - %d]$sample
API String ID: 3828882664-398100351
Opcode ID: 3e07b54a8c5b9266100eb8df6fed5a03186d0a9d5f030d572b3c63d664d80861
Instruction ID: 0c7f2e03ba38d81d1e1e0c9b6d1db8cf13c67e72c17d494c92790103fe4f9750
Opcode Fuzzy Hash: 3e07b54a8c5b9266100eb8df6fed5a03186d0a9d5f030d572b3c63d664d80861
Instruction Fuzzy Hash: F23106B49087458FC310EF28E49450ABBE1FB89250F818A6EE898A7350E735DC85CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1002D510 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002D5C0
mv_log.LICKING ref: 1002D609

Strings

Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 1002D5DC
pixel, xrefs: 1002D59A, 1002D5D7
The value set by option '%s' is not a %s format, xrefs: 1002D59F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmp
String ID: The value set by option '%s' is not a %s format$Value %d for parameter '%s' out of %s format range [%d - %d]$pixel
API String ID: 3828882664-2904529261
Opcode ID: 6d67d68f37827fc2173720777fded49bdc184725d4fd87e091acf406c810f77d
Instruction ID: 234bf2112a1e99f4284ec0035f949f822d499b6bfe1808c76b51d9f3b31785bb
Opcode Fuzzy Hash: 6d67d68f37827fc2173720777fded49bdc184725d4fd87e091acf406c810f77d
Instruction Fuzzy Hash: 3B2127B4908B558FC300EF28E49050BB7F1FB89254F918A6FF89897350E671DC84CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002EB4C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

strspn.MSVCRT ref: 1002EAB7
strchr.MSVCRT ref: 1002EAD5
mv_malloc.LICKING(?,?,?,?,?,?,?,?,?,?,100B1ACF,100B1B86,00000000,?,1000DF13), ref: 1002EAED
mv_get_token.LICKING ref: 1002EB1F

Strings

, xrefs: 1002EAAE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_tokenmv_mallocstrchrstrspn
String ID:
API String ID: 476366593-596783616
Opcode ID: fa5b88f1b8814146142485dbcbba38f8d78eda3b92d7ab4a7f2b04ae58596800
Instruction ID: 7a59a5e34b6314a91c485c5e47f348f9c9076d95ab1665f67b4c4e8e31b595b1
Opcode Fuzzy Hash: fa5b88f1b8814146142485dbcbba38f8d78eda3b92d7ab4a7f2b04ae58596800
Instruction Fuzzy Hash: F12129745083458FCB41DF78918025BBBE5FB89344F80896EE999C7305E734E94ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 1002F924 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

mv_parse_time.LICKING ref: 1002F950

Part of subcall function 10031C30: mv_small_strptime.LICKING ref: 10031CA8

mv_log.LICKING ref: 1002FC52
mv_log.LICKING ref: 1002FD1B

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002FC26
Unable to parse option value "%s" as duration, xrefs: 1002FD0F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_parse_timemv_small_strptime
String ID: Unable to parse option value "%s" as duration$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 3872847692-4184771261
Opcode ID: 8555ac785c636bc177381b6b87435304910b003b646a65e1ffe0f62c40ca7f85
Instruction ID: 04723a61c92b88deaf7366cc6268804a0b7aa500f60a24147c865a406c97a370
Opcode Fuzzy Hash: 8555ac785c636bc177381b6b87435304910b003b646a65e1ffe0f62c40ca7f85
Instruction Fuzzy Hash: BB210675828B45DFC342DF39C44011BFBE4FF9A280F918A2EB899A7210EB30D4818B42

Uniqueness

Uniqueness Score: -1.00%

Function 10012370 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strftime.MSVCRT ref: 100123EF
mv_strlcatf.LICKING ref: 10012429
mv_dict_set.LICKING ref: 1001244D

Strings

.%06dZ, xrefs: 10012419
%Y-%m-%dT%H:%M:%S, xrefs: 100123D6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_setmv_strlcatfstrftime
String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
API String ID: 3046200060-930656424
Opcode ID: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
Instruction ID: 4200585820eefb0ad3589c066a71afa0f6c055d7c0249a28ce441d2d822c6705
Opcode Fuzzy Hash: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
Instruction Fuzzy Hash: 3F21B0B5A093419FD350DF29E58069BBBE0FB88354F51C92EF89CC7301E638D8849B82

Uniqueness

Uniqueness Score: -1.00%

Function 10051A70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 10051A9F
mv_log.LICKING ref: 10051B38
abort.MSVCRT ref: 10051B3D

Strings

libavutil/tx.c, xrefs: 10051B17, 10051B5E
Assertion %s failed at %s:%d, xrefs: 10051B27

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_logmv_mallocz
String ID: Assertion %s failed at %s:%d$libavutil/tx.c
API String ID: 3953837095-3214517670
Opcode ID: 68c0d996a981bbc66643e77ab61e3cc10474680d174601fa6036a37006479bce
Instruction ID: 84e93a3f7dc53c65b3d3cc6c5ae563c424299e873b1875bdf58d56f022d36c75
Opcode Fuzzy Hash: 68c0d996a981bbc66643e77ab61e3cc10474680d174601fa6036a37006479bce
Instruction Fuzzy Hash: 2121F5749097818BD700CF69C18064EFBE5FFC8610F558A1EF49997241E7B5DA45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000D5CB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1000D617
mv_bprintf.LICKING ref: 1000D64E
mv_bprintf.LICKING ref: 1000D678
mv_bprintf.LICKING ref: 1000D715
mv_bprintf.LICKING ref: 1000D7EB
mv_bprintf.LICKING ref: 1000D814
mv_bprintf.LICKING ref: 1000D84A
mv_bprintf.LICKING ref: 1000D86F
mv_bprintf.LICKING ref: 1000D8CE

Strings

@%s, xrefs: 1000D642
NONE, xrefs: 1000D60B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: @%s$NONE
API String ID: 3083893021-9228147
Opcode ID: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
Instruction ID: 7566f4ee250c6b1008f1cbc21f7ab5f057a1ffbd92fde749fdda637f05722331
Opcode Fuzzy Hash: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
Instruction Fuzzy Hash: 8C114C75909B1A8BE720EF18C58006EF7E1FB443D4F55891EE889A7219D731EC94CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 10050897 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1005067A
mv_bprintf.LICKING ref: 100506B9
mv_bprintf.LICKING ref: 100506D9
mv_bprintf.LICKING ref: 10050745
mv_bprintf.LICKING ref: 10050772
mv_bprintf.LICKING ref: 100507A4

Strings

%simdct_full, xrefs: 100506AD
%sfwd_only, xrefs: 1005066E

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %sfwd_only$%simdct_full
API String ID: 3083893021-2621051289
Opcode ID: 8cfdf5749831751b29b90732df4f257e3476b33c10225d6435e7a573b1318f3f
Instruction ID: e6189fd6b5ad5a1c94355349e056b77fc203a876163f68b7e5123befe54cfe40
Opcode Fuzzy Hash: 8cfdf5749831751b29b90732df4f257e3476b33c10225d6435e7a573b1318f3f
Instruction Fuzzy Hash: BCF049B6E48B848EE300EF68D98135EBAD0EB84754F55886DF4C8C7241C638E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002F833 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002F848
mv_parse_video_size.LICKING ref: 1002FB66
mv_log.LICKING ref: 1002FB92

Strings

Unable to parse option value "%s" as image size, xrefs: 1002FB79
none, xrefs: 1002F83F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logmv_parse_video_sizestrcmp
String ID: Unable to parse option value "%s" as image size$none
API String ID: 349907703-3024956746
Opcode ID: da510bc751a7cb91ebc68ebeeb6c0ed551647f857729677cd7f3a732f3b22d5e
Instruction ID: 742f442548f3738d924be194df5076bf47961da766425f110782a59c8e881436
Opcode Fuzzy Hash: da510bc751a7cb91ebc68ebeeb6c0ed551647f857729677cd7f3a732f3b22d5e
Instruction Fuzzy Hash: 5A0192B9908746DFD710DF69D54022EFBE0FF88780F95882DE99897700E778E8509B86

Uniqueness

Uniqueness Score: -1.00%

Function 100199F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 10092340: strlen.MSVCRT ref: 10092352
Part of subcall function 10092340: _errno.MSVCRT ref: 10092370

_errno.MSVCRT ref: 10019A21
mv_log.LICKING ref: 10019A4E
mv_freep.LICKING ref: 10019A56

Strings

./%sXXXXXX, xrefs: 100199FC
ff_tempfile: Cannot open temporary file %s, xrefs: 10019A45

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$mv_freepmv_logstrlen
String ID: ./%sXXXXXX$ff_tempfile: Cannot open temporary file %s
API String ID: 3408331932-3725816632
Opcode ID: 9ea466ec382f632922ab7edcfa4757c4d1ebebccac8452957cd71096d89945a6
Instruction ID: 32628fa2dfbfa7f9f07bbe3c009a9960c5743f995751c964622c37dae3a8a88e
Opcode Fuzzy Hash: 9ea466ec382f632922ab7edcfa4757c4d1ebebccac8452957cd71096d89945a6
Instruction Fuzzy Hash: 79017E789097519FC744DF29C18151ABBE1FF88740F91885EF9C99B310D739E9458F82

Uniqueness

Uniqueness Score: -1.00%

Function 100194D1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 100194D8
mv_strerror.LICKING ref: 100194FE

Part of subcall function 10013B30: mv_strlcpy.LICKING ref: 10013B71

mv_log.LICKING ref: 1001951B
_close.MSVCRT ref: 10019523

Strings

Error occurred in fstat(): %s, xrefs: 1001950B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _close_errnomv_logmv_strerrormv_strlcpy
String ID: Error occurred in fstat(): %s
API String ID: 1199337903-68092211
Opcode ID: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
Instruction ID: dfd730866d5ba72d1ec682aa82f713c85e766a8eb03f77e440fb808261e44811
Opcode Fuzzy Hash: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
Instruction Fuzzy Hash: A3F092B4819755DFC310DF14C48425EFBE4FF84700F51881EE5D997321DB78A9459B86

Uniqueness

Uniqueness Score: -1.00%

Function 10028D00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 18COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10028D34
abort.MSVCRT ref: 10028D39

Strings

Assertion %s failed at %s:%d, xrefs: 10028D0C
libavutil/mem.c, xrefs: 10028D11
val || !min_size, xrefs: 10028D1A

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d$libavutil/mem.c$val || !min_size
API String ID: 2075109169-2043513658
Opcode ID: ba4f1ec8494fc1b8e44c8788233aa30dd87118504021e5d3e1e6678e68cb107f
Instruction ID: 7ec5af041dbc8225b82333e00f0ef86f6a14fa33dad1e54fca37ac068eae9b10
Opcode Fuzzy Hash: ba4f1ec8494fc1b8e44c8788233aa30dd87118504021e5d3e1e6678e68cb107f
Instruction Fuzzy Hash: 4CE092B8A493449FC384DF69D54020ABAE0FB88300F84882EF49CC7344E738C8859B56

Uniqueness

Uniqueness Score: -1.00%

Function 10017E00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 15COMMON

Download Yara Rule

APIs

mv_log.LICKING(?,?,?,?,?,?,?,?,?,?,100186B9,?,?,00000000,?,?), ref: 10017E34
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,100186B9,?,?,00000000,?,?), ref: 10017E39

Strings

Assertion %s failed at %s:%d, xrefs: 10017E0C
cur_size >= size, xrefs: 10017E1A
libavutil/fifo.c, xrefs: 10017E11

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d$cur_size >= size$libavutil/fifo.c
API String ID: 2075109169-1865016996
Opcode ID: 329440a94f8c7a99fb07f7034f266a86e60b7f15998dd5fe1bc22234d625c871
Instruction ID: 9999096a437dec4bbf9d25340c9771322b9005185c0e92fffbd912ccd442c005
Opcode Fuzzy Hash: 329440a94f8c7a99fb07f7034f266a86e60b7f15998dd5fe1bc22234d625c871
Instruction Fuzzy Hash: 31E0E2B89093448FC384DF29D50030EBAE0EF88301F80882DF0C8D7304EB38C8408B42

Uniqueness

Uniqueness Score: -1.00%

Function 1004F64B Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

mv_tree_insert.LICKING ref: 1004F09E
mv_tree_find.LICKING ref: 1004F6D8
mv_tree_find.LICKING ref: 1004F6F3
mv_tree_find.LICKING ref: 1004F751
mv_tree_find.LICKING ref: 1004F768

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_tree_find$mv_tree_insert
String ID:
API String ID: 3047205218-0
Opcode ID: 43d8240786b9d873e81d273712abfc48f6f278bf5570dac8054a8e241964c1c2
Instruction ID: a692ddd4e42c548da2a451405af12052818be960dea61ee10821ac63c1916e90
Opcode Fuzzy Hash: 43d8240786b9d873e81d273712abfc48f6f278bf5570dac8054a8e241964c1c2
Instruction Fuzzy Hash: DB51E2B59087469FC300DF6AC08441AFBE1FF88A50F61892EE898D7311E735E9468F86

Uniqueness

Uniqueness Score: -1.00%

Function 10007100 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10007126
strchr.MSVCRT ref: 1000715B
strncmp.MSVCRT ref: 10007200
strlen.MSVCRT ref: 1000724B

Strings

-, xrefs: 10007232

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strchrstrncmp
String ID: -
API String ID: 2264528763-2547889144
Opcode ID: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
Instruction ID: 5f1f2dd0eab5bc6f8befd7c2bb33942bdc2d6399c7dfe7216c1ccb09edde324b
Opcode Fuzzy Hash: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
Instruction Fuzzy Hash: 6F318075A0C3558FEB50DA78949026EBBE1FF893C4F05492DF9C8D7245D278D9068B82

Uniqueness

Uniqueness Score: -1.00%

Function 1001CB30 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

mv_sha512_final.LICKING ref: 1001CC05
mv_ripemd_final.LICKING ref: 1001CC4D
mv_sha_final.LICKING ref: 1001CCAD
mv_md5_final.LICKING ref: 1001CCFD
mv_murmur3_final.LICKING ref: 1001CD1D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final
String ID:
API String ID: 4068971256-0
Opcode ID: 77e6d344d15cac12b7d953fd94e5dcde2c6b0ac2fb432a5f73cf57a004a6a2b4
Instruction ID: 872ec83ce80bc847426b976397e13f93fccfa770522cf0553384e680b1361ba3
Opcode Fuzzy Hash: 77e6d344d15cac12b7d953fd94e5dcde2c6b0ac2fb432a5f73cf57a004a6a2b4
Instruction Fuzzy Hash: 7C41E6B5A09706DFC700CF28C18491AB7E1FF89740F568C6DEA999B311C730ED849B92

Uniqueness

Uniqueness Score: -1.00%

Function 1004C9F9 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004CA24
SleepConditionVariableSRW.KERNEL32 ref: 1004CA86
AcquireSRWLockExclusive.KERNEL32 ref: 1004CB02
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CB22
ReleaseSRWLockExclusive.KERNEL32 ref: 1004CB35

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionSleepVariable
String ID:
API String ID: 836161756-0
Opcode ID: 5ec672dc05651b5230ae3768142335a056a4087186fcaa9918669e13402922d7
Instruction ID: bd8ede38fb3e5680420a17facc55270c64696567dc667577efa6ab035fe79c53
Opcode Fuzzy Hash: 5ec672dc05651b5230ae3768142335a056a4087186fcaa9918669e13402922d7
Instruction Fuzzy Hash: 3341F6B59046199FCB00DF69C48468AFBF5FF48314F118A2AE855A3300E735B959CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001E82C Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

mv_image_check_size.LICKING ref: 1001E85A
mv_calloc.LICKING ref: 1001E8B9
mv_frame_alloc.LICKING ref: 1001E924
mv_frame_free.LICKING ref: 1001E96B
mv_freep.LICKING ref: 1001E97C
mv_get_pix_fmt_name.LICKING ref: 1001E9EE
mv_log.LICKING ref: 1001EA15

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
String ID:
API String ID: 473889652-0
Opcode ID: f8cf93a28b677fe8d6aa97792fd6637bea7d0f1a55816fad0b8c7aac0eef2079
Instruction ID: 0916db3863c180832e99ce082f3c0ba9a657d34c2ea2780525ffec91a203d69c
Opcode Fuzzy Hash: f8cf93a28b677fe8d6aa97792fd6637bea7d0f1a55816fad0b8c7aac0eef2079
Instruction Fuzzy Hash: 6D410674A047468FD750DF69C480A0AF7E5FF88354F56896DE989DB321EB30EC818B81

Uniqueness

Uniqueness Score: -1.00%

Function 1001EA30 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

next.LICKING ref: 1001EA70
mv_buffer_ref.LICKING ref: 1001EAA3
mv_buffer_ref.LICKING ref: 1001EB1B
mv_buffer_unref.LICKING ref: 1001EB3C

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_ref$mv_buffer_unrefnext
String ID:
API String ID: 588746049-0
Opcode ID: fac146f1e373efe844ebac59fd5a49249283024f4d1aec8cf55168bb527a5e24
Instruction ID: 331b7485fb96ce059d0be5225e9f030113a6692caf64fc522d6fc928efd0b2e4
Opcode Fuzzy Hash: fac146f1e373efe844ebac59fd5a49249283024f4d1aec8cf55168bb527a5e24
Instruction Fuzzy Hash: A1419CB8A097518FC744DF29C18091AFBE1FF89350F568A6DE8999B355D730EC81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100A4070 Relevance: 7.6, APIs: 5, Instructions: 102threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 100A40B0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 7b64306a5401adec7b367a83e65c3704408f16f8ed2f441962072565bcb4360b
Instruction ID: 0fc20f633be1c6787968bece9e16816ce5d8cf7113110466bb8c7157672bbe5d
Opcode Fuzzy Hash: 7b64306a5401adec7b367a83e65c3704408f16f8ed2f441962072565bcb4360b
Instruction Fuzzy Hash: E9315E39700212DBDB11DFA8D984B0A77E5EBC03A4F168579DA488F24AEB76CC41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100A4950 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 100A4978
free.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,100A4AB7), ref: 100A4A07
free.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,100A4AB7), ref: 100A4A2F

Part of subcall function 100A57B0: calloc.MSVCRT ref: 100A57E2
Part of subcall function 100A57B0: CreateSemaphoreA.KERNEL32 ref: 100A5838
Part of subcall function 100A57B0: CreateSemaphoreA.KERNEL32 ref: 100A585F
Part of subcall function 100A57B0: InitializeCriticalSection.KERNEL32 ref: 100A587E
Part of subcall function 100A57B0: InitializeCriticalSection.KERNEL32 ref: 100A5889
Part of subcall function 100A57B0: InitializeCriticalSection.KERNEL32 ref: 100A5894

free.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,100A4AB7), ref: 100A4A77

Strings

, xrefs: 100A4969

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalInitializeSectionfree$CreateSemaphorecalloc
String ID:
API String ID: 3430360044-3916222277
Opcode ID: bffb8674e0e42efb878d66c42395e58906558d40bbb63cd6d895fa828ba300c4
Instruction ID: 6bad4951f8a1e239e54b52dc78c3ed3e9d1b02ab77d7939d8df67e7ecc61d28f
Opcode Fuzzy Hash: bffb8674e0e42efb878d66c42395e58906558d40bbb63cd6d895fa828ba300c4
Instruction Fuzzy Hash: 7A31F879608305CFD300DF65E48535BBBE5EBC4354F06882DE4888B242E775D859CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000A480 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1000A4BA
mv_freep.LICKING ref: 1000A4E8
mv_freep.LICKING ref: 1000A541

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz
String ID:
API String ID: 2455733640-0
Opcode ID: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
Instruction ID: 3b99154a913b274524c08becb6f728f5f8244ec0eeb4226c169e02ad570783d9
Opcode Fuzzy Hash: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
Instruction Fuzzy Hash: 1131B074908B01CFD760DF25C581A1AB7F0FF89391B568A5DEC999B319D730E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10012049 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1001205B
strlen.MSVCRT ref: 10012069
mv_realloc.LICKING ref: 1001207F

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_freep.LICKING ref: 100120D0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_aligned_reallocmv_freepmv_realloc
String ID:
API String ID: 895301365-0
Opcode ID: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
Instruction ID: 9bf475a18fd4cb1c0505352b53a299a598f586f68b75c8a149e966f8cd1839f1
Opcode Fuzzy Hash: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
Instruction Fuzzy Hash: 0031CDB99087058FC744CF29C18045AFBE1FF88718F558A6EE889AB310D731EA45CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000A650 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1000A66C
mv_freep.LICKING ref: 1000A69C
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A6AB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireReleasemv_freep
String ID:
API String ID: 2444013405-0
Opcode ID: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
Instruction ID: c3c698d3df7831113588d9bdc2aa75e8a835319d0c3e7d0db2d9c6c4417e318c
Opcode Fuzzy Hash: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
Instruction Fuzzy Hash: 7B21D6B5608701CFD700EF25D5C491ABBF4EF85280F06C969E8898B31AD731E885CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10012239 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

mv_bprint_init.LICKING ref: 1001225D
mv_bprint_escape.LICKING ref: 100122B3
mv_bprint_append_data.LICKING ref: 100122CC
mv_bprint_escape.LICKING ref: 100122EE
mv_bprint_finalize.LICKING ref: 1001231B
mv_bprint_append_data.LICKING ref: 1001234B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprint_init
String ID:
API String ID: 3283265872-0
Opcode ID: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
Instruction ID: 90910876c942d1fbafe524e13dc9732c176e9ecd8d18a9c8de127334b5e1fd1f
Opcode Fuzzy Hash: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
Instruction Fuzzy Hash: 6121DDB59197059FC350DF28C18025AFBE1FF88354F51892EE99D87351E736E982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10011483 Relevance: 7.6, APIs: 5, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10011491
strlen.MSVCRT ref: 1001149F
mv_realloc.LICKING ref: 100114B5

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_freep.LICKING ref: 100114E2

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_aligned_reallocmv_freepmv_realloc
String ID:
API String ID: 895301365-0
Opcode ID: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
Instruction ID: 4ab28d8c1afc1d5d21c0288313e81dd6decefd2b0a989d53a21eca3f7d4547be
Opcode Fuzzy Hash: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
Instruction Fuzzy Hash: 2F21AEB8908316CFCB54DF28C08095AB7E5FF89344F558A5DE999AB301D731EA46CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10030A68 Relevance: 7.6, APIs: 5, Instructions: 61stringCOMMON

Download Yara Rule

APIs

mv_d2q.LICKING ref: 100308A3
mv_dict_parse_string.LICKING ref: 10030A9E

Part of subcall function 100118C0: mv_get_token.LICKING ref: 10011913
Part of subcall function 100118C0: mv_freep.LICKING ref: 10011930
Part of subcall function 100118C0: mv_freep.LICKING ref: 1001193C

strcmp.MSVCRT ref: 10030AC5
mv_dict_get.LICKING ref: 10030AEB
mv_dict_get.LICKING ref: 10030B0B
strcmp.MSVCRT ref: 10030B25
mv_dict_free.LICKING ref: 10030B31
mv_dict_free.LICKING ref: 10030D57

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_freemv_dict_getmv_freepstrcmp$mv_d2qmv_dict_parse_stringmv_get_token
String ID:
API String ID: 103754174-0
Opcode ID: de0d3bc57564446325f2033dcf06c9d9551909bbcc549c151a5b2d90f1039568
Instruction ID: 3539affa3b8ab6ba154133fda8a9536f45b2963cbe5efb770b7414b6e0051b3c
Opcode Fuzzy Hash: de0d3bc57564446325f2033dcf06c9d9551909bbcc549c151a5b2d90f1039568
Instruction Fuzzy Hash: 7021A7B4A097459FC750DFA9918121ABBE0FF89380F558C2DB998DB311E774E840DB42

Uniqueness

Uniqueness Score: -1.00%

Function 100A01C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 100A01D9
_unlock.MSVCRT ref: 100A0201
calloc.MSVCRT ref: 100A024F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
Instruction ID: 8fe92059074c50cb47f0fafd9c3e369871995c2eed6e667d345993090a648f63
Opcode Fuzzy Hash: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
Instruction Fuzzy Hash: A81149B1604305CFDB80DFA8C48475ABBE0EF88340F15C6A9E888CF245EB74D840CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001232B Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

mv_bprint_escape.LICKING ref: 100122B3

Part of subcall function 10009730: mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB

mv_bprint_append_data.LICKING ref: 100122CC
mv_bprint_escape.LICKING ref: 100122EE
mv_bprint_finalize.LICKING ref: 1001231B
mv_bprint_append_data.LICKING ref: 1001234B

Part of subcall function 10008F30: mv_realloc.LICKING ref: 10008F73

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprintfmv_realloc
String ID:
API String ID: 1942445456-0
Opcode ID: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
Instruction ID: 403ebcfaa7f6bf6d2df9c5cc3f9910434a712b72dc8362acc2447b37bc06364c
Opcode Fuzzy Hash: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
Instruction Fuzzy Hash: 752199B59183019FD360DF29C08069AFBE1FB89348F50892EE58CC7301E736E981CB46

Uniqueness

Uniqueness Score: -1.00%

Function 10030AB1 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 10030AC5
mv_dict_get.LICKING ref: 10030AEB
mv_dict_get.LICKING ref: 10030B0B
strcmp.MSVCRT ref: 10030B25
mv_dict_free.LICKING ref: 10030B31

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_getstrcmp$mv_dict_free
String ID:
API String ID: 3431027116-0
Opcode ID: 6f7d12cd7a48bbb2e02fc94fab0f9ff0136c727aa36f6ec8b1882353e4c8ceae
Instruction ID: 9c4e01dd48fc40e78dac02036e5e7d1d335cd750f4083c30515aa7abe6bb0531
Opcode Fuzzy Hash: 6f7d12cd7a48bbb2e02fc94fab0f9ff0136c727aa36f6ec8b1882353e4c8ceae
Instruction Fuzzy Hash: CF1196B89097049FCB51DFA9C18121ABBE4FF88780F41882DF9988B311E674E840DB42

Uniqueness

Uniqueness Score: -1.00%

Function 10009DC0 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

mv_malloc.LICKING ref: 10009DDC
mv_mallocz.LICKING ref: 10009DF2
mv_mallocz.LICKING ref: 10009E25
mv_freep.LICKING ref: 10009E55

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_freepmv_malloc
String ID:
API String ID: 1213213188-0
Opcode ID: b3348c7cbf53dd59cb46d7918af22b3d6d5ec5eab1e580142c4b14d34cb90cf9
Instruction ID: 61e6e3019f6d22858814eed3066cc18376ee6b6952274d578c1963b104500367
Opcode Fuzzy Hash: b3348c7cbf53dd59cb46d7918af22b3d6d5ec5eab1e580142c4b14d34cb90cf9
Instruction Fuzzy Hash: 5011A5B45083418FD340DF26C18561AFBE4FF48784F46895EE8889B262D779D944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001D7A0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

mv_buffer_unref.LICKING ref: 1001D7D9
mv_freep.LICKING ref: 1001D7E8
mv_freep.LICKING ref: 1001D7FA
mv_freep.LICKING ref: 1001D809
mv_freep.LICKING ref: 1001D815

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_buffer_unref
String ID:
API String ID: 1375661620-0
Opcode ID: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
Instruction ID: d52695f6b373eec4d5e7979f8718589b80dc3da3b7455b83048969c7455da62b
Opcode Fuzzy Hash: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
Instruction Fuzzy Hash: 7B0172B86086058FDB00EF79C485A1AF7F1FF84244F46CD6DE8948B316E634E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10011A87 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 10011A5F
mv_freep.LICKING ref: 10011A6B
mv_mallocz.LICKING ref: 10011A97
mv_freep.LICKING ref: 10011AE6
mv_freep.LICKING ref: 10011AF2
mv_freep.LICKING ref: 10011B36
mv_freep.LICKING ref: 10011B42

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz
String ID:
API String ID: 2455733640-0
Opcode ID: 9def39ab8334334498dc92bc04231888fb56c78b9717c776b78c351b1b7e14d5
Instruction ID: 578f6a72ff247b37d94199203e366b17b36adcd36fb23e3b004727b24c0878f9
Opcode Fuzzy Hash: 9def39ab8334334498dc92bc04231888fb56c78b9717c776b78c351b1b7e14d5
Instruction Fuzzy Hash: 9201B6756097489FC740EFB9D481B5AB7E4FF44290F81582DF89897241E771E884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7D9 Relevance: 7.5, APIs: 5, Instructions: 36stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 1000C7E0
strtol.MSVCRT ref: 1000C804
_errno.MSVCRT ref: 1000C80B
_errno.MSVCRT ref: 1000C822
_errno.MSVCRT ref: 1000C848

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$strtol
String ID:
API String ID: 3596500743-0
Opcode ID: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
Instruction ID: 4b89768cd935a08b72e57307d992163ee312e19cf8de062bdca3011805c3dd3e
Opcode Fuzzy Hash: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
Instruction Fuzzy Hash: 6A01C47490931A8FD784DF65C48861BBBE1FF84754F15C82DE989C7324EB34E9048B45

Uniqueness

Uniqueness Score: -1.00%

Function 1004DB40 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1004DB4F
mv_fifo_can_read.LICKING ref: 1004DB5C
mv_fifo_read_to_cb.LICKING ref: 1004DB86
WakeAllConditionVariable.KERNEL32 ref: 1004DB91
ReleaseSRWLockExclusive.KERNEL32 ref: 1004DB9D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariableWakemv_fifo_can_readmv_fifo_read_to_cb
String ID:
API String ID: 93134951-0
Opcode ID: dd886a4344a692785b4ffd3e0a74c75ef4704fa589abd679fd4a22e4eee26e83
Instruction ID: 3d8064983a527e5009f29cac6cace0f6c6d759a234687b9855d84d779dfc47b8
Opcode Fuzzy Hash: dd886a4344a692785b4ffd3e0a74c75ef4704fa589abd679fd4a22e4eee26e83
Instruction Fuzzy Hash: 5DF0B2B59086108FDB40EF79D4C550BBBE0EF84200F01892EF8858B209E634E58ACB93

Uniqueness

Uniqueness Score: -1.00%

Function 1001DAB6 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1001DA5B
mv_buffer_create.LICKING ref: 1001DA96
mv_mallocz.LICKING ref: 1001DAC3
mv_freep.LICKING ref: 1001DAE3
mv_freep.LICKING ref: 1001DAF2
mv_freep.LICKING ref: 1001DB01
mv_freep.LICKING ref: 1001DB0D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz$mv_buffer_create
String ID:
API String ID: 4029081030-0
Opcode ID: f558445e92d8f344a2b19d652df6b51a7bb5d3f7c9784a62d422961d597e1fb7
Instruction ID: 4deaf3c84f864011dd216728e7cc8d893d65b08eedd0c3209068fda1f16a16bb
Opcode Fuzzy Hash: f558445e92d8f344a2b19d652df6b51a7bb5d3f7c9784a62d422961d597e1fb7
Instruction Fuzzy Hash: 820142795087048FCB00EF24D48565AB7F0EF88288F858D2DEDD8A7302E635F955CB42

Uniqueness

Uniqueness Score: -1.00%

Function 100317D4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

january, xrefs: 10031832
%H:%M:%S, xrefs: 10031A1B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %H:%M:%S$january
API String ID: 0-1137272109
Opcode ID: ac53c16304bcdc5b059f44a9d19bbcfe658715e93b0606a1a4038d9b5b639492
Instruction ID: 7aef8d5cf5a54e6e7fb32b0a8ee25519c4eb10dcc9c47c696554c918e0996b98
Opcode Fuzzy Hash: ac53c16304bcdc5b059f44a9d19bbcfe658715e93b0606a1a4038d9b5b639492
Instruction Fuzzy Hash: 7281A7305182574EC712CF18C0D01EEBBF6FF8B282F99449AC4558F1A6EB35E956CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10031823 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

mv_strncasecmp.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10031857
mv_small_strptime.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10031A28

Strings

january, xrefs: 10031832
%H:%M:%S, xrefs: 10031A1B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_small_strptimemv_strncasecmp
String ID: %H:%M:%S$january
API String ID: 2521375588-1137272109
Opcode ID: a8646abd77d08aff9898db6a2664a2eea01bd681b6ca7976d1eecaa21091bf01
Instruction ID: 4bfd4d0d8bbd4466a7a63170b2e8f4f16d152bebad9cbaaf1f209d7c828cf1f8
Opcode Fuzzy Hash: a8646abd77d08aff9898db6a2664a2eea01bd681b6ca7976d1eecaa21091bf01
Instruction Fuzzy Hash: A18167305186578EC712CF18C0D05EEFBF6FF8A282F99449AC4558F1A6EB31E956CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10031A3C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

january, xrefs: 10031832
%H:%M:%S, xrefs: 10031A1B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %H:%M:%S$january
API String ID: 0-1137272109
Opcode ID: 15973441fe21ffffde3870a92f014c3b0685d9e8348dba2cbdf6db2051165006
Instruction ID: d37e22ef1bcdae9a4f795e15b74cba10ea253061b612132f3ae6e9e2f399fc41
Opcode Fuzzy Hash: 15973441fe21ffffde3870a92f014c3b0685d9e8348dba2cbdf6db2051165006
Instruction Fuzzy Hash: 767176305186578EC711CF18C0D05EEFBF6FF8A282F99449AC4558F1A6EB31E956CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1002CCB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002CF91

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002CF6E
Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002CF3D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 2835281190-116802341
Opcode ID: 3fb3e7f482e66b3f4c9e64f16ffebbc278259e766f29453e77f1449d21fb91ac
Instruction ID: 76fcebbbf0fad3e27ef0cccf6e9e4ab070f5870348f72e2b41472ecc8993c3e4
Opcode Fuzzy Hash: 3fb3e7f482e66b3f4c9e64f16ffebbc278259e766f29453e77f1449d21fb91ac
Instruction Fuzzy Hash: B8718435918F498FC382CF34E59151AFBF5FF9A2E0F91972AF89A6A250D7309481C742

Uniqueness

Uniqueness Score: -1.00%

Function 1002C9C5 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002CCA1

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002CC7E
Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002CC3A

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 2835281190-116802341
Opcode ID: 6727eae7db4d5214923dbd5738105f96a5dfc86225ee62a07d3a454af13f0b6c
Instruction ID: 59cbec61f6a12ec3c5ec0a1f7780c8c0d636401c7f5da8be121bdbf6e0712297
Opcode Fuzzy Hash: 6727eae7db4d5214923dbd5738105f96a5dfc86225ee62a07d3a454af13f0b6c
Instruction Fuzzy Hash: 1051817590CB898FC391DF24E88150AB7E0FF8A6A4F904B5EF8DA57250D731C885D742

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1002B01D

Strings

Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002B001
Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002B048

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
API String ID: 2418673259-116802341
Opcode ID: 40831d28ed744a2545372a1b1dac5a884682418f856ac13a81d5e89c0acd445f
Instruction ID: f2e73f674ee25082a403f2744bc159f0d9bb9468df85830c1eede129a0fd3b7d
Opcode Fuzzy Hash: 40831d28ed744a2545372a1b1dac5a884682418f856ac13a81d5e89c0acd445f
Instruction Fuzzy Hash: A9416B31829F948BC382DF34909161BF7E8FFDA7C0F819B5EF88666651CB3094528742

Uniqueness

Uniqueness Score: -1.00%

Function 1001F3B7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1001F4EF

Part of subcall function 1001F080: mv_mallocz.LICKING ref: 1001F0A0
Part of subcall function 1001F080: mv_realloc_f.LICKING ref: 1001F0DD
Part of subcall function 1001F080: mv_buffer_create.LICKING ref: 1001F128

Strings

Static surface pool size exceeded., xrefs: 1001F4DB
Could not create the texture (%lx), xrefs: 1001F504

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_createmv_logmv_malloczmv_realloc_f
String ID: Could not create the texture (%lx)$Static surface pool size exceeded.
API String ID: 22886632-350389734
Opcode ID: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
Instruction ID: d0ee2a216646596517f8e2272bb6c8791eb02a2e11f7fe46a603028adb549b45
Opcode Fuzzy Hash: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
Instruction Fuzzy Hash: 5C4188B5A087419FC744DF29C58061ABBE1FF88700F51896EF8999B316E774E984CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000D684 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING ref: 1000D64E
mv_bprintf.LICKING ref: 1000D678
mv_bprintf.LICKING ref: 1000D715

Strings

@%s, xrefs: 1000D642

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: @%s
API String ID: 3083893021-2921637043
Opcode ID: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
Instruction ID: bde4f2789606c19ab050fa63e9045ae12eeb8ea4b86e9135c35405d0853ffa6a
Opcode Fuzzy Hash: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
Instruction Fuzzy Hash: 89215A759097068BE310EF19C48026EF7E1FF88394F12892EE88897315E731ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 100310F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

mv_expr_parse_and_eval.LICKING ref: 10031179

Part of subcall function 100177F0: mv_expr_parse.LICKING ref: 10017862
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 100178D7
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 100178E6
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 100178F5
Part of subcall function 100177F0: mv_freep.LICKING ref: 10017904
Part of subcall function 100177F0: mv_freep.LICKING ref: 1001790C
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 10017926
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 10017935
Part of subcall function 100177F0: mv_expr_free.LICKING ref: 10017944
Part of subcall function 100177F0: mv_freep.LICKING ref: 10017953
Part of subcall function 100177F0: mv_freep.LICKING ref: 1001795B

mv_d2q.LICKING ref: 10031195
mv_reduce.LICKING ref: 100311E9

Strings

%d:%d%c, xrefs: 1003110F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_d2qmv_expr_parsemv_expr_parse_and_evalmv_reduce
String ID: %d:%d%c
API String ID: 3833080124-2624059611
Opcode ID: 85f5d36575807e7fafa94c670191ceb92a74355afdc239334235b21a28f3aeeb
Instruction ID: a95d822099c94071c5e8dd7deebf43e7e110092c234b0a376a52b2c466eaaf16
Opcode Fuzzy Hash: 85f5d36575807e7fafa94c670191ceb92a74355afdc239334235b21a28f3aeeb
Instruction Fuzzy Hash: 7B3156B59193419F8741DF29C58014AFBF1BF89681F458D2EF989DB321E7B0E9448B82

Uniqueness

Uniqueness Score: -1.00%

Function 1002C2B4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002BDE3
mv_log.LICKING ref: 1002BE0D
mv_log.LICKING ref: 1002BEB1
mv_log.LICKING ref: 1002C29B

Strings

%-15s , xrefs: 1002BDF4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$strcmp
String ID: %-15s
API String ID: 1163046698-755444208
Opcode ID: 67f8d91f5481be5a8abc9581b63586c4f7dabccb4f422c1acad020251f47d285
Instruction ID: a65aa5bdc326f2953bb7a34f6a4e1eb88b94763fe27593f8274a1ef2d068a0ee
Opcode Fuzzy Hash: 67f8d91f5481be5a8abc9581b63586c4f7dabccb4f422c1acad020251f47d285
Instruction Fuzzy Hash: 8E21B774A09B899FCB50CF29D5806AEB7E1FF88740F96881DF99887712D734EC408B42

Uniqueness

Uniqueness Score: -1.00%

Function 100315DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

strtoul.MSVCRT ref: 10031526
strspn.MSVCRT ref: 100315F4
bsearch.MSVCRT ref: 1003162A
strtoul.MSVCRT ref: 10031694
mv_log.LICKING ref: 10031758

Strings

0123456789ABCDEFabcdef, xrefs: 100315EB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strtoul$bsearchmv_logstrspn
String ID: 0123456789ABCDEFabcdef
API String ID: 1580567553-1534423534
Opcode ID: c327318b04b43838116a0972af538bf9c9ae0042157bb8606ce20964d6a13b67
Instruction ID: 475c0a1212074f1c7d46960a65edae6006a24f871e4a86debb08d9146b8ed167
Opcode Fuzzy Hash: c327318b04b43838116a0972af538bf9c9ae0042157bb8606ce20964d6a13b67
Instruction Fuzzy Hash: 932180759087859FD752CFB4818139ABBF0EF892C1F45CA6EE4899F251D738C884CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10031200 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1003122F

Strings

ntsc, xrefs: 10031201

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp
String ID: ntsc
API String ID: 1004003707-2045543799
Opcode ID: c2f3f76b493e7ae363ef3bea34b35956eb32799f12b6245bb7e1ae69e1db444d
Instruction ID: 6cea7622dc21b0a8fdc9447b4567d31d915cfc657656d513b1a483a310e5b42b
Opcode Fuzzy Hash: c2f3f76b493e7ae363ef3bea34b35956eb32799f12b6245bb7e1ae69e1db444d
Instruction Fuzzy Hash: 5F112374A083029FD341CF69C4C069BBBE5EF89340F10896AF885CB361D774E996CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002D115 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002D191
mv_log.LICKING ref: 1002D1CB

Strings

The value set by option '%s' is not an image size., xrefs: 1002D174
Invalid negative size value %dx%d for size '%s', xrefs: 1002D1BB

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_logstrcmp
String ID: Invalid negative size value %dx%d for size '%s'$The value set by option '%s' is not an image size.
API String ID: 3828882664-2712872533
Opcode ID: b31177d7786b4a561955791bd2828fcace0b00fc2088e4f3536eec9f814de66f
Instruction ID: 02b988b28a835c7d36fa6f9bea235d2f97bb535cbcd3440d1fa17c5a1276ff59
Opcode Fuzzy Hash: b31177d7786b4a561955791bd2828fcace0b00fc2088e4f3536eec9f814de66f
Instruction Fuzzy Hash: 8E21D078A087419FC700DF28E49095ABBF5FF89750F85886EF99987760D635EC41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10026730 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10026792
mv_log.LICKING ref: 100267AC

Strings

If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
API String ID: 2418673259-452301706
Opcode ID: e6cf6ba8b22bf0788caeb5b2bc13ebdcd15b2fa09116b02164e182888be3a209
Instruction ID: cd8e871a35f16579d6f3ce221cb9c29d0fa83c6cca779b8fa567d44589e44066
Opcode Fuzzy Hash: e6cf6ba8b22bf0788caeb5b2bc13ebdcd15b2fa09116b02164e182888be3a209
Instruction Fuzzy Hash: 93110978A087458BD344DF19EA8021EBBE2FFCC744F91C92DE4888B355DA34D9449B82

Uniqueness

Uniqueness Score: -1.00%

Function 10032256 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

mv_small_strptime.LICKING ref: 10032270
_errno.MSVCRT ref: 1003228D

Part of subcall function 10092440: _errno.MSVCRT ref: 100925F0

_errno.MSVCRT ref: 100322C6

Strings

%M:%S, xrefs: 10032264

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$mv_small_strptime
String ID: %M:%S
API String ID: 1751681387-2500880230
Opcode ID: c3d908d13c1e039d41a5e226ac4ed468a27b5a4f753288add814200e358970ce
Instruction ID: 5da90234cc48fb51afaae1d0e0c7376ed52327f504ee9011e26ba8ee41a26718
Opcode Fuzzy Hash: c3d908d13c1e039d41a5e226ac4ed468a27b5a4f753288add814200e358970ce
Instruction Fuzzy Hash: 4D010871A09302CFD765DF29C84035FBBE0EB84341F11C82EE899CB220E7309945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1003024B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

mv_dict_get.LICKING ref: 100301CB
mv_opt_set.LICKING ref: 100301EF
mv_log.LICKING ref: 1003022E
mv_dict_free.LICKING ref: 1003023A
mv_dict_set.LICKING ref: 1003026F

Strings

Error setting option %s to value %s., xrefs: 10030217

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_freemv_dict_getmv_dict_setmv_logmv_opt_set
String ID: Error setting option %s to value %s.
API String ID: 1354616078-3279051434
Opcode ID: 1bc4169319db0e7c065ad1531228e2073ef3ecfc67cf9b47b9935cbba6993644
Instruction ID: 363f789e0d128d701feb49ee83ad72dbf536247a7b92236e9547f7cdcc278430
Opcode Fuzzy Hash: 1bc4169319db0e7c065ad1531228e2073ef3ecfc67cf9b47b9935cbba6993644
Instruction Fuzzy Hash: A1012CB9A097449FC744DF29D58059ABBE0FB88354F14892EF89CDB310E634E9449B86

Uniqueness

Uniqueness Score: -1.00%

Function 10009784 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C65

Strings

&, xrefs: 1000979B
>, xrefs: 100097E9

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: &$>
API String ID: 3083893021-624094588
Opcode ID: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
Instruction ID: 827a1dd9a6b26f0f52677796166c22f358f1b9d0e9bb7a9b4a6d704745ef5d9f
Opcode Fuzzy Hash: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
Instruction Fuzzy Hash: B6F03071C08B55CADB50EFA485503AAB7E5EB453D0F81480EE5DA9B249CB34FC86C782

Uniqueness

Uniqueness Score: -1.00%

Function 10009A08 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A35
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A7B
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C25
mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C45

Strings

', xrefs: 10009A23
>, xrefs: 10009A69

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: '$>
API String ID: 3083893021-1996891769
Opcode ID: 1aeedeae98a5987040bddea5af0af90760674b431017039b4982ef1ed2b4652a
Instruction ID: bc6627f18e32ee5202192b1056a4cb19888092f8efc788239e6f4bef1ea5dc2b
Opcode Fuzzy Hash: 1aeedeae98a5987040bddea5af0af90760674b431017039b4982ef1ed2b4652a
Instruction Fuzzy Hash: DCF05430C18B55CAD710EF64805037AB7D1EB463C0F818C0EE6D55B249C734A882C797

Uniqueness

Uniqueness Score: -1.00%

Function 100267C7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10026792
mv_log.LICKING ref: 100267AC

Strings

If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
API String ID: 2418673259-452301706
Opcode ID: 726f5603a65502359e655967f00b1600284beb5137becb6436dd4fcad8af556a
Instruction ID: 749b7b172e694e1bef6e0ea00623f78dc4c312dad7cdc32441d2dd052aa7ac3c
Opcode Fuzzy Hash: 726f5603a65502359e655967f00b1600284beb5137becb6436dd4fcad8af556a
Instruction Fuzzy Hash: D7F09DB8A087059BC744DF29D98026EBBE0EFCD744F90CD2DA49897355DA38E9449B82

Uniqueness

Uniqueness Score: -1.00%

Function 100267B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10026792
mv_log.LICKING ref: 100267AC

Strings

If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
API String ID: 2418673259-452301706
Opcode ID: 8c63f5b068e4a02c16e5e4e3d6ed8fca3382fd8153a0e1c5dc78481aba7fba1a
Instruction ID: 20e3eb0074f28b37b3f93e03534fea868915181d0f0dff0f0c45d1e812b63dfd
Opcode Fuzzy Hash: 8c63f5b068e4a02c16e5e4e3d6ed8fca3382fd8153a0e1c5dc78481aba7fba1a
Instruction Fuzzy Hash: 54F0AFB8A087049BC344DF29D98025EBBE0EFCC744F90CC2DA49897351DA38DA449B82

Uniqueness

Uniqueness Score: -1.00%

Function 1002FAA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

mv_channel_layout_uninit.LICKING ref: 1002FAA3
mv_channel_layout_from_string.LICKING ref: 1002FAB7

Part of subcall function 1000DD40: strcmp.MSVCRT ref: 1000DD7C

mv_log.LICKING ref: 1002FAE1

Strings

Unable to parse option value "%s" as channel layout, xrefs: 1002FACE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_from_stringmv_channel_layout_uninitmv_logstrcmp
String ID: Unable to parse option value "%s" as channel layout
API String ID: 2250963865-3079124760
Opcode ID: b413acc8c816bdb3f397be0ad531e83b4049b6b25b1440f5d3d24d509fddeecc
Instruction ID: a2b437ab3629f9466f9d03373ee9fa2b21f7023d6dee1340f51008e2d72f7420
Opcode Fuzzy Hash: b413acc8c816bdb3f397be0ad531e83b4049b6b25b1440f5d3d24d509fddeecc
Instruction Fuzzy Hash: 96F0D47950C759CBC710EF24D18012EB7E0FF84690F85886EE99487301E7B4A8409B87

Uniqueness

Uniqueness Score: -1.00%

Function 1000F9A9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 1000F99A
mv_log.LICKING ref: 1000F9D1

Strings

overriding to %d logical cores, xrefs: 1000F981
detected %d logical cores, xrefs: 1000F9B4

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 2418673259-3421371979
Opcode ID: 90275b86c17e776038138dcba82a00c85a429c764d9a65a8049d4f95b16cdb34
Instruction ID: 2ad4cfbc9a9c4dbb4345db51cabf0ecaf158a2bd4eab2b52301dfa895f4142c7
Opcode Fuzzy Hash: 90275b86c17e776038138dcba82a00c85a429c764d9a65a8049d4f95b16cdb34
Instruction Fuzzy Hash: C3F06CB4A08741AFD340DF1AC59071BBBE4EF88740F80882EE59887355D638E9459F86

Uniqueness

Uniqueness Score: -1.00%

Function 10051B04 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 10051B38
abort.MSVCRT ref: 10051B3D

Strings

libavutil/tx.c, xrefs: 10051B17
Assertion %s failed at %s:%d, xrefs: 10051B27

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d$libavutil/tx.c
API String ID: 2075109169-3214517670
Opcode ID: b061e549ea72886835fe496441a42dfb17fc1933edc9673e738038d55b334f9a
Instruction ID: 294e6e31d1c042bd29846c071a84322545ab081ff1ae1951d9c98100e2980593
Opcode Fuzzy Hash: b061e549ea72886835fe496441a42dfb17fc1933edc9673e738038d55b334f9a
Instruction Fuzzy Hash: A1F0F2B54097A5CBC701CF64C14024EBBE4FF89718F858A4DF89927241C3B9AA09CB83

Uniqueness

Uniqueness Score: -1.00%

Function 10027E03 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

mv_mul_q.LICKING ref: 10027E72

Part of subcall function 100358C0: mv_reduce.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,10027E77), ref: 10035901

mv_rescale_rnd.LICKING ref: 10027F13
mv_rescale_rnd.LICKING ref: 10027F40

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_rescale_rnd$mv_mul_qmv_reduce
String ID:
API String ID: 3269292098-0
Opcode ID: 08142fdf52f9e36070fde2b03474353fa0ab6ab72b34e27d04fd971d1c410cd1
Instruction ID: eaeecc91df01722ca597b3935dd37da2822abf5ab746aba34c86299e1984a441
Opcode Fuzzy Hash: 08142fdf52f9e36070fde2b03474353fa0ab6ab72b34e27d04fd971d1c410cd1
Instruction Fuzzy Hash: 3071AF74A097008FC354CF29D58061AFBE1BFC8764F548A2EF8A8933A0D734E9458F86

Uniqueness

Uniqueness Score: -1.00%

Function 1003CE40 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

mv_samples_get_buffer_size.LICKING ref: 1003CE6E
mv_malloc.LICKING ref: 1003CE80
mv_samples_fill_arrays.LICKING ref: 1003CEB6

Part of subcall function 1003CCD0: mv_samples_get_buffer_size.LICKING ref: 1003CD21

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_samples_get_buffer_size$mv_mallocmv_samples_fill_arrays
String ID:
API String ID: 3894167361-0
Opcode ID: 149e994705a3ac2a3cee3504dedff79b527292fc29c1040fba6c2bfee93eefa2
Instruction ID: ca4533343c6314b1d09f2bd67e63e8e9edfee6d142f4a496cf417362aa2bcc61
Opcode Fuzzy Hash: 149e994705a3ac2a3cee3504dedff79b527292fc29c1040fba6c2bfee93eefa2
Instruction Fuzzy Hash: 5841CE75A083098FC705CF2AC580A0AFBE6EFC5391F15893EE888CB354E771D8458B42

Uniqueness

Uniqueness Score: -1.00%

Function 1001B0A4 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

mv_image_fill_linesizes.LICKING ref: 1001B0C8

Part of subcall function 100215D0: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

mv_image_fill_plane_sizes.LICKING ref: 1001B15D
mv_buffer_alloc.LICKING ref: 1001B1CD
mv_image_fill_pointers.LICKING ref: 1001B1FC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_allocmv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_pix_fmt_desc_get
String ID:
API String ID: 2879504290-0
Opcode ID: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
Instruction ID: 7a3e12a9aca585330d458c3661a5f2850fdcc4197d16b6054e58506080106dfe
Opcode Fuzzy Hash: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
Instruction Fuzzy Hash: 1F51F8B5608B018FCB48DF69D59066ABBE1FF88240F1589BDE949CB319E731E844CB41

Uniqueness

Uniqueness Score: -1.00%

Function 1002B710 Relevance: 6.1, APIs: 4, Instructions: 106stringCOMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 1002B71E
strlen.MSVCRT ref: 1002B735
mv_malloc.LICKING ref: 1002B751

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freepmv_mallocstrlen
String ID:
API String ID: 2899962033-0
Opcode ID: a736d10584ce5874dd6bac7a0226d077e871490410e67f0bd01ac0c7618d90e2
Instruction ID: f4bbfc858db46916ec8d50edbb8d047ad4d9460b315178fc85c3996dfb55f9f0
Opcode Fuzzy Hash: a736d10584ce5874dd6bac7a0226d077e871490410e67f0bd01ac0c7618d90e2
Instruction Fuzzy Hash: 4B318978A08F454EE310EE79A4D13AA7BC9DF813A4FD1452FDE9887383D5369888C741

Uniqueness

Uniqueness Score: -1.00%

Function 1002BBF0 Relevance: 6.1, APIs: 4, Instructions: 102stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1002BC75
mv_strlcatf.LICKING ref: 1002BCBC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strlcatfstrcmp
String ID:
API String ID: 3138383634-0
Opcode ID: 701ca0cda81cfe13e71ec4a3dadb7f8a3e2805c3a2d7818681dedb533bf3d730
Instruction ID: b75bef4056b051760c21a1d0f5e35318dff82620cbdab855973cb261dc883fd1
Opcode Fuzzy Hash: 701ca0cda81cfe13e71ec4a3dadb7f8a3e2805c3a2d7818681dedb533bf3d730
Instruction Fuzzy Hash: 37316B75A087898FD750DF69E48075BBBE4FF84354F95486DEC889B201E734E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001ABCC Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

mv_dict_copy.LICKING ref: 1001A996
mv_buffer_ref.LICKING ref: 1001A9EC
mv_realloc.LICKING ref: 1001AA26
mv_mallocz.LICKING ref: 1001AA40

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_refmv_dict_copymv_malloczmv_realloc
String ID:
API String ID: 2487838726-0
Opcode ID: 341fc402060be86a2fcd2e9fc1e8ffea4b64613a0575fdde9eba9ad236ef5339
Instruction ID: 752c63dab16079834bcce617f1b516c7b3c7acad474eb666f68a373bd45cded8
Opcode Fuzzy Hash: 341fc402060be86a2fcd2e9fc1e8ffea4b64613a0575fdde9eba9ad236ef5339
Instruction Fuzzy Hash: 7741F675908382CFC718CF25C18065AB7E1FF89354F46896DE99AAB351E730E985CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100A02F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 100A0342
MultiByteToWideChar.KERNEL32 ref: 100A0385

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
Instruction ID: 7d595e0308f4db80fc988514bbf5ff759a63fd2ee38edf780f56cffaa40d1ea8
Opcode Fuzzy Hash: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
Instruction Fuzzy Hash: 3D31F4B1509351CFDB40DF69D48420ABBE0FF8A354F05896DF9D48B290E3B6DA48CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10035254 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

clock.MSVCRT ref: 10035293
mv_sha_init.LICKING ref: 1003532D
mv_sha_update.LICKING ref: 10035347
mv_sha_final.LICKING ref: 10035357

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: clockmv_sha_finalmv_sha_initmv_sha_update
String ID:
API String ID: 679641161-0
Opcode ID: e23dd5efd1bf3d0f9353d7ec12f2411e5e10918d39fbe7231d3abc0c1350133f
Instruction ID: 408675c28d2283c62ae71b4a23e78d15769cea63b3a73d0841c587d7b5b59e14
Opcode Fuzzy Hash: e23dd5efd1bf3d0f9353d7ec12f2411e5e10918d39fbe7231d3abc0c1350133f
Instruction Fuzzy Hash: 4621C176A043108FE308DF68CAC0249BBE2FBC9315F55C97DD9888B365E671DD058B95

Uniqueness

Uniqueness Score: -1.00%

Function 100504B0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 1005050A
mv_freep.LICKING ref: 10050515
mv_freep.LICKING ref: 10050520
mv_freep.LICKING ref: 1005052B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: 51b46fa0c3e647798770ac4f0ef9ba58e3f2782e95ebad3d141340941b153ad4
Instruction ID: eb948135ab71b72e24107c6ecdab83edb7219b6b973595483056ca6219957605
Opcode Fuzzy Hash: 51b46fa0c3e647798770ac4f0ef9ba58e3f2782e95ebad3d141340941b153ad4
Instruction Fuzzy Hash: B6219DB5904B118ADB51DF28D9C1B5B37E5EF40280F4A8968EC858B25AF638D944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001F080 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

mv_mallocz.LICKING ref: 1001F0A0
mv_realloc_f.LICKING ref: 1001F0DD

Part of subcall function 10028DE0: _aligned_realloc.MSVCRT ref: 10028E11

mv_buffer_create.LICKING ref: 1001F128

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _aligned_reallocmv_buffer_createmv_malloczmv_realloc_f
String ID:
API String ID: 2794559729-0
Opcode ID: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
Instruction ID: c869ac9f6eaa7e77a9466fdee6e8f712de869673a1390132f44f2bab79372784
Opcode Fuzzy Hash: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
Instruction Fuzzy Hash: 8031ACB4A08701DFC300DF29C58051AFBF1FF98250F568A6EE9889B321D771E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001E8EB Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

mv_hwframe_get_buffer.LICKING ref: 1001E901

Part of subcall function 1001E690: mv_buffer_ref.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7
Part of subcall function 1001E690: mv_frame_alloc.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA
Part of subcall function 1001E690: mv_hwframe_map.LICKING(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
Part of subcall function 1001E690: mv_log.LICKING ref: 1001E736
Part of subcall function 1001E690: mv_frame_free.LICKING ref: 1001E742

mv_frame_alloc.LICKING ref: 1001E924

Part of subcall function 1001AC40: mv_malloc.LICKING ref: 1001AC56

mv_frame_free.LICKING ref: 1001E96B
mv_freep.LICKING ref: 1001E97C
mv_freep.LICKING ref: 1001E9BB
mv_freep.LICKING ref: 1001E9DA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_frame_allocmv_frame_free$mv_buffer_refmv_hwframe_get_buffermv_hwframe_mapmv_logmv_malloc
String ID:
API String ID: 2206481229-0
Opcode ID: 79c8d88cebc22737386eaed7f45d38e3b8102e0589b1ed1e7bc540e175b26d4a
Instruction ID: 29f5c0114d75d8e24f10f0d659d02582b2a633f1d5fed070b3d3b165e5742c48
Opcode Fuzzy Hash: 79c8d88cebc22737386eaed7f45d38e3b8102e0589b1ed1e7bc540e175b26d4a
Instruction Fuzzy Hash: EB21E4756087558FD780DF29C880A4EF7E4FF88354F468969F988EB221EB70ED858B41

Uniqueness

Uniqueness Score: -1.00%

Function 100027B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

mv_fifo_can_read.LICKING ref: 100027C7
mv_fifo_can_write.LICKING ref: 100027D6
mv_samples_get_buffer_size.LICKING ref: 100027FF
mv_fifo_grow2.LICKING ref: 10002833

Part of subcall function 10017F70: mv_realloc_array.LICKING(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10002838), ref: 10017FAE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_fifo_can_readmv_fifo_can_writemv_fifo_grow2mv_realloc_arraymv_samples_get_buffer_size
String ID:
API String ID: 78108474-0
Opcode ID: 16ee73bcc62b132f1e54a42e7e71ebc810354682a887e12c02217443e12b8a1b
Instruction ID: ce1007827096595f26e8808010e9ccaaa56d4b232a4da4f197e7c45d59299025
Opcode Fuzzy Hash: 16ee73bcc62b132f1e54a42e7e71ebc810354682a887e12c02217443e12b8a1b
Instruction Fuzzy Hash: 7811E378A093559FD700DF69D58094ABBE4FF88394F01892DFD88CB314E774E9458B92

Uniqueness

Uniqueness Score: -1.00%

Function 10009D20 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 10009D2F
ReleaseSRWLockExclusive.KERNEL32 ref: 10009D43
mv_freep.LICKING ref: 10009D8C
mv_freep.LICKING ref: 10009DB2

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLockmv_freep$AcquireRelease
String ID:
API String ID: 3724862848-0
Opcode ID: ac4210530bb79ecd5549b874ce9c7899e433265b2d2bca190b16abdc6e9280a1
Instruction ID: 89e4f59d669a14a487a12db1f0054bb5833f42878af0183c7ab0729c06348047
Opcode Fuzzy Hash: ac4210530bb79ecd5549b874ce9c7899e433265b2d2bca190b16abdc6e9280a1
Instruction Fuzzy Hash: 8E11C6B55087008FD750EF25D4C595ABBF4EF88280B05C96AE8898B31AD330E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100504E8 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 1005050A
mv_freep.LICKING ref: 10050515
mv_freep.LICKING ref: 10050520
mv_freep.LICKING ref: 1005052B

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: 91a9fe6894f8249f030ea4ab2fddbd406b54ae13d9189eaddf484fc70f6e33f5
Instruction ID: 71427ac98d9546297571b377f8f0db424f0a15a4a19817769b42c9de4595c363
Opcode Fuzzy Hash: 91a9fe6894f8249f030ea4ab2fddbd406b54ae13d9189eaddf484fc70f6e33f5
Instruction Fuzzy Hash: A31187B5D04B108BDB41DF24E8C179A77E0EF01390F4A8869EC858B396E738D884CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1001B7E0 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

mv_buffer_alloc.LICKING(?,?,?,?,?,?,?,?,1001284A), ref: 1001B7F0

Part of subcall function 10009DC0: mv_malloc.LICKING ref: 10009DDC
Part of subcall function 10009DC0: mv_mallocz.LICKING ref: 10009DF2
Part of subcall function 10009DC0: mv_mallocz.LICKING ref: 10009E25

mv_realloc.LICKING(?,?,?,?,?,?,?,?,1001284A), ref: 1001B820

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_mallocz.LICKING(?,?,?,?,?,?,?,?,1001284A), ref: 1001B836
mv_buffer_unref.LICKING(?,?,?,?,?,?,?,?,1001284A), ref: 1001B87F

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$_aligned_reallocmv_buffer_allocmv_buffer_unrefmv_mallocmv_realloc
String ID:
API String ID: 547404713-0
Opcode ID: b90091ae49065f10d06a1fd9b8fc383fcac2e01a729e366898664da81a12ee34
Instruction ID: e7377a26eb348f0c440ff820f9fbcfd740b0c451e73ef676c70969cbd66757a6
Opcode Fuzzy Hash: b90091ae49065f10d06a1fd9b8fc383fcac2e01a729e366898664da81a12ee34
Instruction Fuzzy Hash: 9F1128B49087418FD750DF25D48068AFBE4FF48290F55896EE99A8B311EB30E881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000E9B1 Relevance: 6.0, APIs: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

mv_channel_from_string.LICKING ref: 1000E993
strchr.MSVCRT ref: 1000E9C4
mv_strlcpy.LICKING ref: 1000E9EF

Part of subcall function 100066E0: strlen.MSVCRT ref: 10006726

mv_channel_from_string.LICKING ref: 1000EA01

Part of subcall function 1000C560: strncmp.MSVCRT ref: 1000C582
Part of subcall function 1000C560: strcmp.MSVCRT ref: 1000C5B0

strcmp.MSVCRT ref: 1000EA3D
mv_channel_from_string.LICKING ref: 1000EA58
strcmp.MSVCRT ref: 1000EAA6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_from_stringstrcmp$mv_strlcpystrchrstrlenstrncmp
String ID:
API String ID: 886603963-0
Opcode ID: 0fde597ea2d2a868a062513256da9a0e3adcd654dbaa0f8bd4eedef3508a2cf5
Instruction ID: ab047ed8c5c67f14b30489f267a71008d769542088324d4ae8bf220018853c7c
Opcode Fuzzy Hash: 0fde597ea2d2a868a062513256da9a0e3adcd654dbaa0f8bd4eedef3508a2cf5
Instruction Fuzzy Hash: 7E113AB46087458FDB40DF28C58025ABBE5FF88780F118D2DE5C8EB255E274ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10007050 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

mv_bprint_init.LICKING ref: 10007076
mv_bprint_escape.LICKING ref: 100070AA

Part of subcall function 10009730: mv_bprintf.LICKING(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB

mv_bprint_finalize.LICKING ref: 100070C7

Part of subcall function 10009690: mv_realloc.LICKING(?,?,?,?,?,?,10006D57), ref: 100096C9

mv_bprint_finalize.LICKING ref: 100070F1

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_finalize$mv_bprint_escapemv_bprint_initmv_bprintfmv_realloc
String ID:
API String ID: 2707718180-0
Opcode ID: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
Instruction ID: 7786e306f37471b19b8e033861bf3e046f7241f8be26b7eb16500715b45264db
Opcode Fuzzy Hash: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
Instruction Fuzzy Hash: 9F116DB4A093408BD360DF28C18065EBBE0BF88254F908E2DBA9C87345E635A944CB06

Uniqueness

Uniqueness Score: -1.00%

Function 1004D9E6 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

SleepConditionVariableSRW.KERNEL32 ref: 1004DA06
mv_fifo_can_read.LICKING ref: 1004DA17
mv_fifo_can_read.LICKING ref: 1004DA25
ReleaseSRWLockExclusive.KERNEL32 ref: 1004DA34

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_fifo_can_read$ConditionExclusiveLockReleaseSleepVariable
String ID:
API String ID: 489524987-0
Opcode ID: aa8ee4985797e6fdfa4f35d8eec90a1d251d38471c10e4764636f0b739cff707
Instruction ID: b7e0b716ceab8fc11584da483238c59570206a01fd36a290c42ed47bded4be3b
Opcode Fuzzy Hash: aa8ee4985797e6fdfa4f35d8eec90a1d251d38471c10e4764636f0b739cff707
Instruction Fuzzy Hash: CCF04975A04A019BDB04FF39958021BBBE0FF80350F02896DEA98CB355E630E851CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001140B Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

mv_freep.LICKING ref: 10011416
mv_freep.LICKING ref: 10011422

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
Instruction ID: 289599a6c336a5d98a65091fe60646c07369103d16afa4f254b85444868d10c6
Opcode Fuzzy Hash: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
Instruction Fuzzy Hash: 86E079795087188FC600EB68948191AB7F0EB89284F854C1DE9C4A7302D675E940CA82

Uniqueness

Uniqueness Score: -1.00%

Function 10012B04 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5aa71881a64f70d77756a4d906f696ddf0c26aa6188da43a8be3433a807ac1
Instruction ID: 6e8554d19d49bcaf2218d741f46d42886b2146b860ccc89e8a21172d2929ddf4
Opcode Fuzzy Hash: 9a5aa71881a64f70d77756a4d906f696ddf0c26aa6188da43a8be3433a807ac1
Instruction Fuzzy Hash: 98E0AEB85087088FC700EFA494C151AB7E0FF88244F86086CA98867302C678E955CB62

Uniqueness

Uniqueness Score: -1.00%

Function 100997D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 10099851

Strings

NaN, xrefs: 100997D1

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 398facde90d3158e8c562ce5a90c2f8271193d3b0513a851222c672f3db81691
Instruction ID: efb825897de6c10b198cf50540e6450b8c187f7e27a86bc41c00ac793e9681bb
Opcode Fuzzy Hash: 398facde90d3158e8c562ce5a90c2f8271193d3b0513a851222c672f3db81691
Instruction Fuzzy Hash: B6410771A052168BDB14CF1DC484796B7E1EF86754B2AC2A9DC8C8F24AD732EC42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10022390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

Assertion %s failed at %s:%d, xrefs: 100224BA

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_cpu_flags
String ID: Assertion %s failed at %s:%d
API String ID: 185405932-2766368343
Opcode ID: ae38f2bd3777c43dd98a86799c3fbb04b858685c9bc6fc0daeb3b72dea18069a
Instruction ID: 9000e0a9215e96f19705fc5f92f59cb8436bb03ac98e3bf4af9b514e39ffaf03
Opcode Fuzzy Hash: ae38f2bd3777c43dd98a86799c3fbb04b858685c9bc6fc0daeb3b72dea18069a
Instruction Fuzzy Hash: 454112B5A08381AFC740DF94D58051EFBF1FF88740F91891DE99997300D7BAEA858B42

Uniqueness

Uniqueness Score: -1.00%

Function 100224F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

mv_log.LICKING ref: 100225E1
abort.MSVCRT ref: 100225E6

Strings

Assertion %s failed at %s:%d, xrefs: 100225D0

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d
API String ID: 2075109169-2766368343
Opcode ID: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
Instruction ID: 11814923a7bf7540ef128da13c98316d9c3b81b6007f7c64051ac5900c87ea26
Opcode Fuzzy Hash: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
Instruction Fuzzy Hash: 5C318D75A08B219BC708CF90E5A452EFBF1EFC1750FD1841CE98957200D77A9984CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100221C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

mv_image_get_linesize.LICKING ref: 10022203

Part of subcall function 10021480: mv_pix_fmt_desc_get.LICKING(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

Strings

Picture size %ux%u is invalid, xrefs: 1002228D

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_get_linesizemv_pix_fmt_desc_get
String ID: Picture size %ux%u is invalid
API String ID: 645864070-1963597007
Opcode ID: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
Instruction ID: c32bc821c07fb99167277532678e70ae68b76ab36c526d85f24e74df5a32105a
Opcode Fuzzy Hash: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
Instruction Fuzzy Hash: C7215E75A083559FC704CF69C48020EFBE1FBC8710F958A2EF9A897350D7B5E9048B46

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

mv_malloc_array.LICKING ref: 1001EC62
mv_malloc_array.LICKING ref: 1001ECF1

Strings

, xrefs: 1001ECAE

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloc_array
String ID:
API String ID: 721214216-3916222277
Opcode ID: 870dbfee76fb6ea410a07dd43b2f43c5e043816628ad292f733b3740436d6b15
Instruction ID: 32942169306f562450531b280b43a1f2aea99f4b2aad1f75c52e4dfc89a656a7
Opcode Fuzzy Hash: 870dbfee76fb6ea410a07dd43b2f43c5e043816628ad292f733b3740436d6b15
Instruction Fuzzy Hash: E6213DB5508341DFD700DF29D940A4EBBE5EF89314F128A2DE8988B3A0D735E946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1002E43C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002E4A9

Strings

sample, xrefs: 1002E499
The value for option '%s' is not a %s format., xrefs: 1002E483

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: The value for option '%s' is not a %s format.$sample
API String ID: 2835281190-3983800382
Opcode ID: f5f5e1db834bc02c8d1f8d4e6b274bacd7e5ca34d8842da282809734814b002e
Instruction ID: 24d4803273969bdf5ac517b635905fb994549115ec294322d3153323df2d4d09
Opcode Fuzzy Hash: f5f5e1db834bc02c8d1f8d4e6b274bacd7e5ca34d8842da282809734814b002e
Instruction Fuzzy Hash: C001A2786487818FC700DF29D08091AB7F2FB89350F95892DE99887360D739EC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 1002E542 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_channel_layout_copy.LICKING ref: 1002E58D
mv_log.LICKING ref: 1002E5C1

Strings

The value for option '%s' is not a channel layout., xrefs: 1002E5A8

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_channel_layout_copymv_log
String ID: The value for option '%s' is not a channel layout.
API String ID: 3662905369-3477801521
Opcode ID: a0beb69c1654b65415c70491f5d146282333a6159417d5f317bf65ca5f97ae25
Instruction ID: 8c388eaf2947d92ae89fe11a4375cf88f0abf7b9dee68859406d060f25dfbf9e
Opcode Fuzzy Hash: a0beb69c1654b65415c70491f5d146282333a6159417d5f317bf65ca5f97ae25
Instruction Fuzzy Hash: 6201DC78A19B419FC784DF28D080A1AB7E1FF88354F81882EF89983311E634EC408B82

Uniqueness

Uniqueness Score: -1.00%

Function 10030C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 10030C93
mv_parse_video_size.LICKING ref: 10030D23

Strings

none, xrefs: 10030C8A

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_parse_video_sizestrcmp
String ID: none
API String ID: 3218284479-2140143823
Opcode ID: fac9273d81601116ff5175ee56cabf5bdf72d5b563d456dbb201f89313973eef
Instruction ID: 5345abbb0223d8ddb96b0bd5b772d7a62542202dc2ee95d90114edf69365d23a
Opcode Fuzzy Hash: fac9273d81601116ff5175ee56cabf5bdf72d5b563d456dbb201f89313973eef
Instruction Fuzzy Hash: 8C01E435A0A3459FC781CF74C18015ABBE0FF88781F915C2DB9C5CB211E634E9408B42

Uniqueness

Uniqueness Score: -1.00%

Function 1002E3C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908

mv_log.LICKING ref: 1002E429

Strings

pixel, xrefs: 1002E419
The value for option '%s' is not a %s format., xrefs: 1002E403

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_log
String ID: The value for option '%s' is not a %s format.$pixel
API String ID: 2835281190-1801304947
Opcode ID: 74d3c326208ced39a7e621591af8db260eb8e46ed0a12fe7f96116a714d8054d
Instruction ID: 2db19661b65d9fea08d7a077c7d71974f084c1656edb1fac65c3c7ca3a026336
Opcode Fuzzy Hash: 74d3c326208ced39a7e621591af8db260eb8e46ed0a12fe7f96116a714d8054d
Instruction Fuzzy Hash: F501AE78A487818FC300DF29D094A1ABBF1FB89350F95896EE99887320E735DD418B42

Uniqueness

Uniqueness Score: -1.00%

Function 1000C461 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.LICKING ref: 1000C4A8
mv_bprintf.LICKING ref: 1000C4D0

Strings

none, xrefs: 1000C4C7

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: none
API String ID: 2490314137-2140143823
Opcode ID: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
Instruction ID: a25a21bf0bbbab6eb8dd7b885bea08568b6db38ddaeda7311d16c5a577b3c9a6
Opcode Fuzzy Hash: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
Instruction Fuzzy Hash: 910186B4904B568BD720DF24D880B9BB3E4FFC4384F52492DEA9853245D330BD858B93

Uniqueness

Uniqueness Score: -1.00%

Function 1002DBB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

mv_strdup.LICKING ref: 1002D97C

Part of subcall function 100292E0: strlen.MSVCRT ref: 100292FE
Part of subcall function 100292E0: _aligned_realloc.MSVCRT ref: 10029325

mv_get_pix_fmt_name.LICKING ref: 1002DBC5

Strings

none, xrefs: 1002DBAC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _aligned_reallocmv_get_pix_fmt_namemv_strdupstrlen
String ID: none
API String ID: 2695740210-2140143823
Opcode ID: d07f9affcd5207e2b9b77b40efdd4fc18c132213cdfdf0ad294b23932510ce81
Instruction ID: 7075718332a531a363de9a6ea0c22ee4fc3f7d9f9fde518584d82f2634770e4e
Opcode Fuzzy Hash: d07f9affcd5207e2b9b77b40efdd4fc18c132213cdfdf0ad294b23932510ce81
Instruction Fuzzy Hash: F0F0C4785087518FD761EF24D48075EB7E0FF84300FA5882AE98CE7301E734A9459B92

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mv_strdup.LICKING ref: 1002D97C

Part of subcall function 100292E0: strlen.MSVCRT ref: 100292FE
Part of subcall function 100292E0: _aligned_realloc.MSVCRT ref: 10029325

mv_get_sample_fmt_name.LICKING ref: 1002DBA5

Strings

none, xrefs: 1002DBAC

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _aligned_reallocmv_get_sample_fmt_namemv_strdupstrlen
String ID: none
API String ID: 2802023675-2140143823
Opcode ID: 2cc39675e1d81e5633586d9047803899adb734e0ef1e131c0c5d9436a7980b13
Instruction ID: f3fc13e9c3754046f817c11af4257de78816c0f54ea0bb529d557b979c944406
Opcode Fuzzy Hash: 2cc39675e1d81e5633586d9047803899adb734e0ef1e131c0c5d9436a7980b13
Instruction Fuzzy Hash: BCF0C4785087418FD760EF24D48075EB7E0FB84300FA5882AE98CE7301E734A945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1002F8D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

mv_parse_video_rate.LICKING ref: 1002F8E3

Part of subcall function 100312C0: strcmp.MSVCRT ref: 100312D8
Part of subcall function 100312C0: strcmp.MSVCRT ref: 100312F0
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031308
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031320
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031338
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031350
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031368
Part of subcall function 100312C0: strcmp.MSVCRT ref: 10031380
Part of subcall function 100312C0: mv_parse_ratio.LICKING(?,?,?,?,?,?,?,?,1002E89B), ref: 100313AC

mv_log.LICKING ref: 1002FC7D

Strings

Unable to parse option value "%s" as video rate, xrefs: 1002FC64

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp$mv_logmv_parse_ratiomv_parse_video_rate
String ID: Unable to parse option value "%s" as video rate
API String ID: 3172953258-258641133
Opcode ID: d77837d657713abd1c40b776775dbcbc05bff67a52ae03b6890b995962ced66a
Instruction ID: de9f7d53366db16d7f6149449a3e3ff1b3ef935def1e8edc4cf16d1a2f5d2f7d
Opcode Fuzzy Hash: d77837d657713abd1c40b776775dbcbc05bff67a52ae03b6890b995962ced66a
Instruction Fuzzy Hash: 9BF09278A087459FC750DF38D58051EBBE5EF88690F518D2EF988C7320E630D8809B42

Uniqueness

Uniqueness Score: -1.00%

Function 1002F9B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

mv_parse_color.LICKING ref: 1002F9D0

Part of subcall function 10031420: strlen.MSVCRT ref: 10031468
Part of subcall function 10031420: mv_strlcpy.LICKING ref: 1003148B
Part of subcall function 10031420: strchr.MSVCRT ref: 1003149C
Part of subcall function 10031420: strlen.MSVCRT ref: 100314B6
Part of subcall function 10031420: mv_strcasecmp.LICKING ref: 100314CF
Part of subcall function 10031420: mv_strcasecmp.LICKING ref: 100314E4
Part of subcall function 10031420: mv_get_random_seed.LICKING ref: 100314F1
Part of subcall function 10031420: strtoul.MSVCRT ref: 10031526

mv_log.LICKING ref: 1002F9FC

Strings

Unable to parse option value "%s" as color, xrefs: 1002F9E3

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strcasecmpstrlen$mv_get_random_seedmv_logmv_parse_colormv_strlcpystrchrstrtoul
String ID: Unable to parse option value "%s" as color
API String ID: 304971360-2072409010
Opcode ID: 15f9d6bb257ff31a797ee3b859d36c080b54e160f790c81ac8a509bbb201651f
Instruction ID: 5e6ee10e6d100ae667fbf2217dcab3102a91a37ceea72cb40c7b72cf7b28a920
Opcode Fuzzy Hash: 15f9d6bb257ff31a797ee3b859d36c080b54e160f790c81ac8a509bbb201651f
Instruction Fuzzy Hash: 6BF09D789087459BC710DF29D08011AFBE0FF887A0F918D2EBAA887351E674E8418F46

Uniqueness

Uniqueness Score: -1.00%

Function 10012408 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

mv_strlcatf.LICKING ref: 10012429

Part of subcall function 100067F0: strlen.MSVCRT ref: 1000680A

mv_dict_set.LICKING ref: 1001244D

Strings

.%06dZ, xrefs: 10012419

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_setmv_strlcatfstrlen
String ID: .%06dZ
API String ID: 1014950348-3752268379
Opcode ID: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
Instruction ID: 95eb8ff42823485582616919598dcae06947ee25e4005e9b3a20f874dc0564a5
Opcode Fuzzy Hash: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
Instruction Fuzzy Hash: DAE04EB5908740AFD714DF29E48175ABBE0FB88354F51C82EB49C97306D63898418B46

Uniqueness

Uniqueness Score: -1.00%

Function 1001E814 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

mv_image_check_size.LICKING ref: 1001E85A
mv_calloc.LICKING ref: 1001E8B9
mv_frame_alloc.LICKING ref: 1001E924
mv_frame_free.LICKING ref: 1001E96B
mv_freep.LICKING ref: 1001E97C
mv_get_pix_fmt_name.LICKING ref: 1001E9EE
mv_log.LICKING ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 473889652-379977042
Opcode ID: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
Instruction ID: 4d1730ca70439439150dc69e2c3e69577fa63277b803d74fdee23c8a3be9cec6
Opcode Fuzzy Hash: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
Instruction Fuzzy Hash: 56F01978608B418FC710DF28C58051EBBE0EB49720F518A59EAA99B395DB34EC80DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.LICKING ref: 1001E9EE
mv_log.LICKING ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_pix_fmt_namemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 3418758923-379977042
Opcode ID: 9acddc70278920a8564941c31df27ba7a0e7fc59086f033b698efc274c7c1271
Instruction ID: 98625666b53d28444c75af3f67f2f98a31866d598749bf3d445dd6f07a753de0
Opcode Fuzzy Hash: 9acddc70278920a8564941c31df27ba7a0e7fc59086f033b698efc274c7c1271
Instruction Fuzzy Hash: F5E042B8908B549FC710DF28C58021EBBE0FF49310F418D6EB5E89B345DB78E8809B82

Uniqueness

Uniqueness Score: -1.00%

Function 100A5E20 Relevance: 5.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,100A504B), ref: 100A5E66
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,?,100A504B), ref: 100A5EF6

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ad559f8458f607639cae4380abab9d477070a627e125345d8999fcdf52da20ba
Instruction ID: 49f11447a0f7e01ab6fa7064b0f67ba914ab8169252582f2faf27053260112fd
Opcode Fuzzy Hash: ad559f8458f607639cae4380abab9d477070a627e125345d8999fcdf52da20ba
Instruction Fuzzy Hash: 77316FB1508210CFDB44EF68E8C469A77E1FF44355F158669EC058F349E336DA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100A5BD0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A5EA1), ref: 100A5BF0
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A5EA1), ref: 100A5C0C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A5EA1), ref: 100A5C49
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000014,-0000001C,00000018,100A5EA1), ref: 100A5C55

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9de5ac96138d83862175a2cb51557724b3de2b7a7dded66327e3fb6c5c55dc4d
Instruction ID: 76cc22a7bdc6aba2b3994854d1142472eefda1568d3fd5a722e62c3c7b863795
Opcode Fuzzy Hash: 9de5ac96138d83862175a2cb51557724b3de2b7a7dded66327e3fb6c5c55dc4d
Instruction Fuzzy Hash: 7D11DDB5A093119FC300EF79D98550EBBF0FF89661F06492DE98897315D231E954CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1009E930 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,1009EA51), ref: 1009E957
InitializeCriticalSection.KERNEL32(?,?,?,?,1009EA51), ref: 1009E994
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1009EA51), ref: 1009E9A0
EnterCriticalSection.KERNEL32(?,?,?,?,1009EA51), ref: 1009E9C8

Memory Dump Source

Source File: 00000003.00000002.383199320.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.383179268.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383296458.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383304356.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383336475.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383349101.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383356104.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.383383763.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 6d7cb76a33c7ff52e3c20d3557546a483749ef247c9b03b5c1a43ee48ccd6991
Instruction ID: 2827083f6f63268f309b51e4ebd767515f6521e82171fb4f92c076014813b677
Opcode Fuzzy Hash: 6d7cb76a33c7ff52e3c20d3557546a483749ef247c9b03b5c1a43ee48ccd6991
Instruction Fuzzy Hash: 7811A5B08051928EE740FB28D8CD15A77E6EB00390F450869DC4AC3659E679DD84D793

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report licking.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_13bb9ae6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_14339b25\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_3b59b89922c4cddf77f72f6dd2d986ddcfc674cb_82810a17_1cc7a70c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8fe1ff6253b685daeb750e0d8c1ede8ec9d8783_82810a17_1bab9b83\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8fe1ff6253b685daeb750e0d8c1ede8ec9d8783_82810a17_1cb3a815\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A9D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BA6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D0F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D2E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D6D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D8D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9086.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91C0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91EF.tmp.xml

Windows Analysis Report
licking.dll