Edit tour

Windows Analysis Report
A649.dll

Overview

General Information

Sample Name:	A649.dll
Analysis ID:	878700
MD5:	644bff6674870c37b8bfd2f6b97616f4
SHA1:	6fdb6e4d113c4cfb43888e439c9328b2a396f947
SHA256:	15337bc14077fec44f6f4fe7f27279afad78efef637f86a384d3992b176c4694
Tags:	dllqbot
Infos:

Detection

Qbot

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Antivirus / Scanner detection for submitted sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Potentially malicious time measurement code found

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Connects to several IPs in different countries

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7028 cmdline: loaddll32.exe "C:\Users\user\Desktop\A649.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3220 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 2756 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3828 cmdline: rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 1196 cmdline: rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3980 cmdline: rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2252 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7224 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3628 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6000 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5088 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 7340 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 2704 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7180 cmdline: rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.rundll32.exe.720000.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.720000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
18.2.rundll32.exe.770a48.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xdf71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9b97:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.770a48.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
18.2.rundll32.exe.770a48.1.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xeb71:$params: 8B 7D 08 8B F1 57 89 55 FC E8 A0 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa797:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
18.2.rundll32.exe.770a48.1.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685433861", "Version": "404.1320", "C2 list": ["12.172.173.82:50001", "178.175.187.254:443", "65.95.141.84:2222", "205.237.67.69:995", "83.110.223.61:443", "193.253.100.236:2222", "27.0.48.233:443", "102.159.188.125:443", "71.38.155.217:443", "58.186.75.42:443", "76.178.148.107:2222", "70.28.50.223:2087", "114.143.176.236:443", "51.14.29.227:2222", "59.28.84.65:443", "173.88.135.179:443", "103.144.201.56:2078", "96.87.28.170:2222", "105.186.128.181:995", "176.142.207.63:443", "151.62.238.176:443", "12.172.173.82:32101", "122.186.210.254:443", "82.125.44.236:2222", "84.108.200.161:443", "76.16.49.134:443", "70.28.50.223:32100", "12.172.173.82:465", "76.170.252.153:995", "184.182.66.109:443", "78.92.133.215:443", "50.68.204.71:993", "186.75.95.6:443", "113.11.92.30:443", "70.28.50.223:3389", "98.145.23.67:443", "85.57.212.13:3389", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "69.242.31.249:443", "81.101.185.146:443", "79.168.224.165:2222", "75.143.236.149:443", "14.192.241.76:995", "86.195.14.72:2222", "81.229.117.95:2222", "220.240.164.182:443", "73.29.92.128:443", "12.172.173.82:21", "96.56.197.26:2222", "75.109.111.89:443", "76.86.31.59:443", "201.244.108.183:995", "68.203.69.96:443", "124.122.47.148:443", "122.184.143.86:443", "92.186.69.229:2222", "70.28.50.223:2083", "89.129.109.27:2222", "147.147.30.126:2222", "125.99.76.102:443", "88.126.94.4:50000", "151.65.167.77:443", "86.132.236.117:443", "92.154.17.149:2222", "223.166.13.95:995", "89.36.206.69:995", "96.56.197.26:2083", "78.18.105.11:443", "82.127.153.75:2222", "90.78.147.141:2222", "82.131.141.209:443", "183.87.163.165:443", "92.9.45.20:2222", "80.6.50.34:443", "80.12.88.148:2222", "69.133.162.35:443", "172.115.17.50:443", "95.45.50.93:2222", "12.172.173.82:2087", "103.140.174.20:2222", "24.198.114.130:995", "50.68.204.71:443", "69.119.123.159:2222", "64.121.161.102:443", "2.82.8.80:443", "184.181.75.148:443", "70.112.206.5:443", "198.2.51.242:993", "2.36.64.159:2078", "79.77.142.22:2222", "84.215.202.8:443", "147.219.4.194:443", "116.74.164.81:443", "70.28.50.223:2078", "12.172.173.82:995", "77.86.98.236:443", "104.35.24.154:443", "213.64.33.61:2222", "47.149.134.231:443", "72.134.124.16:443", "47.34.30.133:443", "103.42.86.42:995", "174.4.89.3:443", "161.142.103.187:995", "78.160.146.127:443", "84.35.26.14:995", "12.172.173.82:20", "70.28.50.223:2078", "124.149.143.189:2222", "70.160.67.203:443", "186.64.67.30:443", "103.123.223.133:443", "188.28.19.84:443", "174.58.146.57:443", "94.207.104.225:443", "86.97.55.89:2222", "69.123.4.221:2222"]}

Antivirus / Scanner detection for submitted sample

Source: A649.dll

Avira: detected

Sample uses string decryption to hide its real strings

Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: netstat -nao
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: runas
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: net localgroup
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELF_TEST_1
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: p%08x
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Self test FAILED!!!
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Self test OK.
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: /t5
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: whoami /all
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cmd
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: route print
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .lnk
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: arp -a
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: net share
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cmd.exe /c set
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Self check
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %u;%u;%u;
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ProfileImagePath
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ProgramData
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Self check ok!
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: powershell.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: qwinsta
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: net view
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Component_08
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Start screenshot
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: appidapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: c:\ProgramData
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Component_07
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: powershell.exe -encodedCommand
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: netstat -nao
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: runas
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ipconfig /all
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SystemRoot
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cscript.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/jpeg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LocalLow
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: displayName
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CommandLine
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: 1234567890
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wbj.go
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: System32
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Name
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: c:\\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: FALSE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Packages
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Winsta0
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: userenv.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: from
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: user32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %S.%06d
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: shell32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: TRUE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: /
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: https
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %s\system32\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Process
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cmd.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: APPDATA
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: select
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .cfg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Product
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WQL
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wininet.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Create
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Initializing database...
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: winsta0\default
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .dat
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: next
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: fmon.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: vbs
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SysWOW64
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: mpr.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/gif
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: open
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SystemRoot
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cscript.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: C:\INTERNAL\__empty
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_PhysicalMemory
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/jpeg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LocalLow
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: displayName
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: shlwapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CommandLine
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: kernel32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SubmitSamplesConsent
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: 1234567890
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wbj.go
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_DiskDrive
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: System32
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Name
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WRSA.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: c:\\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SpyNetReporting
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: FALSE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aswhookx.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Packages
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: application/x-shockwave-flash
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: RepUx.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Winsta0
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: avp.exe;kavtray.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: root\SecurityCenter2
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: MsMpEng.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: userenv.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: csc_ui.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: \\.\pipe\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: pstorec.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: NTUSER.DAT
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: from
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: netapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: gdi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: setupapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: iphlpapi.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CrAmTray.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_ComputerSystem
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: user32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: \sf2.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: egui.exe;ekrn.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Software\Microsoft
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %S.%06d
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: bcrypt.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wtsapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: shell32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: TRUE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Bios
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: c:\hiberfil.sysss
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: /
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ByteFence.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: type=0x%04X
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: snxhk_border_mywnd
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ROOT\CIMV2
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: https
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: fshoster32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: kernelbase.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: regsvr32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %s\system32\
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Process
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: rundll32.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LOCALAPPDATA
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: cmd.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: APPDATA
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: select
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: mcshield.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: advapi32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ws2_32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .cfg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_Product
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WQL
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wininet.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: LastBootUpTime
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: urlmon.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Create
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Win32_PnPEntity
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Initializing database...
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: winsta0\default
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: .dat
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: WBJ_IGNORE
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: next
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: wpcap.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/pjpeg
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: fmon.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: vbs
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: aswhooka.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: SysWOW64
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: mpr.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: image/gif
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: crypt32.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: ntdll.dll
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: open
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 18.2.rundll32.exe.720000.0.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035030 mv_get_random_seed,BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,mvpriv_open,_read,_close,mvpriv_open,_read,_close,clock,clock,mv_sha_init,mv_sha_update,mv_sha_final,mv_log,abort,	3_2_10035030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013860 mv_encryption_init_info_add_side_data,mv_malloc,mv_malloc,	3_2_10013860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C0B0 mv_cast5_crypt2,	3_2_1000C0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0 mv_camellia_crypt,	3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013100 mv_encryption_init_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_mallocz,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_calloc,	3_2_10013100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C1B0 mv_cast5_crypt,	3_2_1000C1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012A70 mv_encryption_info_alloc,mv_mallocz,mv_mallocz,mv_mallocz,mv_calloc,mv_free,mv_free,mv_free,mv_free,	3_2_10012A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100132D0 mv_encryption_init_info_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,mv_free,	3_2_100132D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012B40 mv_encryption_info_clone,mv_encryption_info_alloc,	3_2_10012B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001BF0 mv_aes_crypt,	3_2_10001BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002480 mv_aes_ctr_crypt,mv_aes_crypt,	3_2_10002480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480 mv_encryption_init_info_get_side_data,mv_encryption_init_info_alloc,mv_free,mv_free,mv_free,mv_free,mv_free,	3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100084B0 mv_blowfish_crypt,mv_blowfish_crypt_ecb,mv_blowfish_crypt_ecb,	3_2_100084B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012CF0 mv_encryption_info_free,mv_free,mv_free,mv_free,	3_2_10012CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002523 mv_aes_crypt,	3_2_10002523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012D40 mv_encryption_info_get_side_data,mv_encryption_info_alloc,	3_2_10012D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0 mv_blowfish_crypt_ecb,	3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001363B mv_encryption_init_info_alloc,	3_2_1001363B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010E40 mv_des_crypt,	3_2_10010E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000867B mv_blowfish_crypt_ecb,	3_2_1000867B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100136FB mv_encryption_init_info_alloc,	3_2_100136FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10012F30 mv_encryption_info_add_side_data,mv_malloc,	3_2_10012F30

Source: A649.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: unknown	HTTPS traffic detected: 54.68.22.26:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.7:49719 version: TLS 1.2

Source: A649.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 178.175.187.254:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 205.237.67.69:995
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 193.253.100.236:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 102.159.188.125:443
Source: Malware configuration extractor	IPs: 71.38.155.217:443
Source: Malware configuration extractor	IPs: 58.186.75.42:443
Source: Malware configuration extractor	IPs: 76.178.148.107:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 51.14.29.227:2222
Source: Malware configuration extractor	IPs: 59.28.84.65:443
Source: Malware configuration extractor	IPs: 173.88.135.179:443
Source: Malware configuration extractor	IPs: 103.144.201.56:2078
Source: Malware configuration extractor	IPs: 96.87.28.170:2222
Source: Malware configuration extractor	IPs: 105.186.128.181:995
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 151.62.238.176:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 122.186.210.254:443
Source: Malware configuration extractor	IPs: 82.125.44.236:2222
Source: Malware configuration extractor	IPs: 84.108.200.161:443
Source: Malware configuration extractor	IPs: 76.16.49.134:443
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 76.170.252.153:995
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 78.92.133.215:443
Source: Malware configuration extractor	IPs: 50.68.204.71:993
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 98.145.23.67:443
Source: Malware configuration extractor	IPs: 85.57.212.13:3389
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 69.242.31.249:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 75.143.236.149:443
Source: Malware configuration extractor	IPs: 14.192.241.76:995
Source: Malware configuration extractor	IPs: 86.195.14.72:2222
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 220.240.164.182:443
Source: Malware configuration extractor	IPs: 73.29.92.128:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 76.86.31.59:443
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 68.203.69.96:443
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 122.184.143.86:443
Source: Malware configuration extractor	IPs: 92.186.69.229:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 89.129.109.27:2222
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 151.65.167.77:443
Source: Malware configuration extractor	IPs: 86.132.236.117:443
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 89.36.206.69:995
Source: Malware configuration extractor	IPs: 96.56.197.26:2083
Source: Malware configuration extractor	IPs: 78.18.105.11:443
Source: Malware configuration extractor	IPs: 82.127.153.75:2222
Source: Malware configuration extractor	IPs: 90.78.147.141:2222
Source: Malware configuration extractor	IPs: 82.131.141.209:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 80.12.88.148:2222
Source: Malware configuration extractor	IPs: 69.133.162.35:443
Source: Malware configuration extractor	IPs: 172.115.17.50:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 24.198.114.130:995
Source: Malware configuration extractor	IPs: 50.68.204.71:443
Source: Malware configuration extractor	IPs: 69.119.123.159:2222
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 70.112.206.5:443
Source: Malware configuration extractor	IPs: 198.2.51.242:993
Source: Malware configuration extractor	IPs: 2.36.64.159:2078
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 147.219.4.194:443
Source: Malware configuration extractor	IPs: 116.74.164.81:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 12.172.173.82:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 104.35.24.154:443
Source: Malware configuration extractor	IPs: 213.64.33.61:2222
Source: Malware configuration extractor	IPs: 47.149.134.231:443
Source: Malware configuration extractor	IPs: 72.134.124.16:443
Source: Malware configuration extractor	IPs: 47.34.30.133:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 78.160.146.127:443
Source: Malware configuration extractor	IPs: 84.35.26.14:995
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 124.149.143.189:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 186.64.67.30:443
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443
Source: Malware configuration extractor	IPs: 94.207.104.225:443
Source: Malware configuration extractor	IPs: 86.97.55.89:2222
Source: Malware configuration extractor	IPs: 69.123.4.221:2222

Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT
Source: Joe Sandbox View	ASN Name: ASN-CXA-ALL-CCI-22773-RDCUS ASN-CXA-ALL-CCI-22773-RDCUS

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: broadcom.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 78Cache-Control: no-cache

Source: unknown

Network traffic detected: IP country count 30

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 188.28.19.84
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 151.65.167.77
Source: unknown	TCP traffic detected without corresponding DNS query: 102.159.188.125

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://jp.broadcom.com
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://static.broadcom.com
Source: rundll32.exe, 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.361922166.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.361922492.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.362839772.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.355387583.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.366635490.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A649.dll	String found in binary or memory: https://streams.videolan.org/upload/
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://www.broadcom.cn
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://www.broadcom.com
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://www.broadcom.com/media/blt4ac44e0e6c6d8341/blt476a993c2707b028/62e16f3bd3b8a5700456394e/wwwB
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: V262JUIP.htm.24.dr	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-KF7XWD

Source: unknown

HTTP traffic detected: POST /t5 HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 188.28.19.84Content-Length: 78Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: broadcom.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: broadcom.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 54.68.22.26:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.28.19.84:443 -> 192.168.2.7:49719 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.355017026.000000000153B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: A649.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002A800	3_2_1002A800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B830	3_2_1000B830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D060	3_2_1000D060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10028070	3_2_10028070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B0D0	3_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001900	3_2_10001900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091900	3_2_10091900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D910	3_2_1000D910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F91B	3_2_1001F91B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10008144	3_2_10008144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010980	3_2_10010980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001099C	3_2_1001099C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100101D0	3_2_100101D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000C9F0	3_2_1000C9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FA00	3_2_1000FA00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AA10	3_2_1000AA10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001021B	3_2_1001021B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027220	3_2_10027220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10091A40	3_2_10091A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007A50	3_2_10007A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007270	3_2_10007270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10024280	3_2_10024280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EAC0	3_2_1000EAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAE0	3_2_1000FAE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FAF7	3_2_1000FAF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AB30	3_2_1000AB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002334C	3_2_1002334C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003BA5	3_2_10003BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100353B0	3_2_100353B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000FBC0	3_2_1000FBC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100243C0	3_2_100243C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001C10	3_2_10001C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DC10	3_2_1000DC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EC10	3_2_1000EC10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000BC40	3_2_1000BC40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10013480	3_2_10013480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004C96	3_2_10004C96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004C4C0	3_2_1004C4C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000ECC9	3_2_1000ECC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000D4D0	3_2_1000D4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1001F523	3_2_1001F523
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000DD40	3_2_1000DD40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CD50	3_2_1000CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000EDB0	3_2_1000EDB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10007DC0	3_2_10007DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100105C0	3_2_100105C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100215D0	3_2_100215D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000164B	3_2_1000164B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023E60	3_2_10023E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10004E92	3_2_10004E92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CEA0	3_2_1000CEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100206A7	3_2_100206A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010750	3_2_10010750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000E760	3_2_1000E760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010778	3_2_10010778
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10002F80	3_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000CF80	3_2_1000CF80

Source: A649.dll

Binary or memory string: OriginalFilenameavutil-lav-57.dll. vs A649.dll

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: A649.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A649.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",next	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Shuetpioi

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2ACD.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winDLL@30/22@2/100

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4CC3B386-6951-446B-A2C7-1BDDD9E57705}
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{85E7EFE6-30C6-426C-A3AF-83E4C788615A}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2756
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4CC3B386-6951-446B-A2C7-1BDDD9E57705}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3828
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3980
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2252

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: A649.dll

Static PE information: More than 582 > 100 exports found

Source: A649.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: A649.dll

Static PE information: real checksum: 0xf1b7b should be: 0xf06c9

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7340 base: E43C50 value: E9 63 D7 03 02

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 3224	Thread sleep count: 204 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7356	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 Start: 10035315 End: 1003515E

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001F523 mv_dict_get,LoadLibraryA,LoadLibraryA,InitOnceBeginInitialize,InitOnceComplete,LoadLibraryA,GetProcAddress,mv_log,atoi,mv_log,mv_log,GetProcAddress,

3_2_1001F523

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10035030 rdtsc

3_2_10035030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1001E0D9 mov eax, dword ptr fs:[00000030h]

3_2_1001E0D9

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A649.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1008DB50 cpuid

3_2_1008DB50

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10092180 GetTimeZoneInformation,GetModuleHandleA,GetProcAddress,

3_2_10092180

Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 00000012.00000003.354766471.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 18.2.rundll32.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.770a48.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.770a48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 Input Capture	31 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
A649.dll	3%	ReversingLabs	Win32.Malware.Generic
A649.dll	6%	Virustotal		Browse
A649.dll	100%	Avira	HEUR/AGEN.1363694

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://188.28.19.84/t5	0%	Virustotal		Browse
https://188.28.19.84/t5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
broadcom.com	54.68.22.26	true	false		high
www.broadcom.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://broadcom.com/	false		high
https://188.28.19.84/t5	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	high
https://www.broadcom.cn	V262JUIP.htm.24.dr	false	high
https://www.broadcom.com/media/blt4ac44e0e6c6d8341/blt476a993c2707b028/62e16f3bd3b8a5700456394e/wwwB	V262JUIP.htm.24.dr	false	high
https://streams.videolan.org/upload/	rundll32.exe, 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.361922166.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.361922492.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.362839772.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.355387583.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.366635490.00000000100AE000.00000002.00000001.01000000.00000003.sdmp, A649.dll	false	high
https://www.broadcom.com	V262JUIP.htm.24.dr	false	high
https://static.broadcom.com	V262JUIP.htm.24.dr	false	high
https://cdn.cookielaw.org/scripttemplates/otSDKStub.js	V262JUIP.htm.24.dr	false	high
https://jp.broadcom.com	V262JUIP.htm.24.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
75.143.236.149	unknown	United States	20115	CHARTER-20115US	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
86.195.14.72	unknown	France	3215	FranceTelecom-OrangeFR	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
92.186.69.229	unknown	France	12479	UNI2-ASES	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
14.192.241.76	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
173.88.135.179	unknown	United States	10796	TWC-10796-MIDWESTUS	true
84.108.200.161	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
47.34.30.133	unknown	United States	20115	CHARTER-20115US	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
124.149.143.189	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
84.35.26.14	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	true
73.29.92.128	unknown	United States	7922	COMCAST-7922US	true
54.68.22.26	broadcom.com	United States	16509	AMAZON-02US	false
68.203.69.96	unknown	United States	11427	TWC-11427-TEXASUS	true
82.131.141.209	unknown	Hungary	20845	DIGICABLEHU	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
178.175.187.254	unknown	Moldova Republic of	43289	TRABIAMD	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
186.64.67.30	unknown	Argentina	27953	NODOSUDSAAR	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
59.28.84.65	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
105.186.128.181	unknown	South Africa	37457	Telkom-InternetZA	true
76.86.31.59	unknown	United States	20001	TWC-20001-PACWESTUS	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
96.87.28.170	unknown	United States	7922	COMCAST-7922US	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
78.92.133.215	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
88.126.94.4	unknown	France	12322	PROXADFR	true
51.14.29.227	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
85.57.212.13	unknown	Spain	12479	UNI2-ASES	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
80.12.88.148	unknown	France	3215	FranceTelecom-OrangeFR	true
69.133.162.35	unknown	United States	11426	TWC-11426-CAROLINASUS	true
86.132.236.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
151.62.238.176	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
70.112.206.5	unknown	United States	11427	TWC-11427-TEXASUS	true
102.159.188.125	unknown	Tunisia	37705	TOPNETTN	true
205.237.67.69	unknown	Canada	11290	CC-3272CA	true
151.65.167.77	unknown	Italy	1267	ASN-WINDTREIUNETEU	true
76.178.148.107	unknown	United States	10838	OCEANIC-INTERNET-RRUS	true
89.36.206.69	unknown	Italy	48544	TECNOADSL-ASIT	true
69.242.31.249	unknown	United States	7922	COMCAST-7922US	true
193.253.100.236	unknown	France	3215	FranceTelecom-OrangeFR	true
76.16.49.134	unknown	United States	7922	COMCAST-7922US	true
94.207.104.225	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
78.18.105.11	unknown	Ireland	2110	AS-BTIREBTIrelandwaspreviouslyknownasEsatNetEUnet	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
103.144.201.56	unknown	unknown	139762	MSSOLUTION-AS-APSolutionBD	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
98.145.23.67	unknown	United States	20001	TWC-20001-PACWESTUS	true
47.149.134.231	unknown	United States	5650	FRONTIER-FRTRUS	true
82.125.44.236	unknown	France	3215	FranceTelecom-OrangeFR	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
89.129.109.27	unknown	Spain	12479	UNI2-ASES	true
122.186.210.254	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
90.78.147.141	unknown	France	3215	FranceTelecom-OrangeFR	true
122.184.143.86	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
213.64.33.61	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
86.97.55.89	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
78.160.146.127	unknown	Turkey	9121	TTNETTR	true
58.186.75.42	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
50.68.204.71	unknown	Canada	6327	SHAWCA	true
71.38.155.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
104.35.24.154	unknown	United States	20001	TWC-20001-PACWESTUS	true
220.240.164.182	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
24.198.114.130	unknown	United States	11351	TWC-11351-NORTHEASTUS	true
2.36.64.159	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
198.2.51.242	unknown	United States	20001	TWC-20001-PACWESTUS	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
69.119.123.159	unknown	United States	6128	CABLE-NET-1US	true
69.123.4.221	unknown	United States	6128	CABLE-NET-1US	true
172.115.17.50	unknown	United States	20001	TWC-20001-PACWESTUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878700
Start date and time:	2023-05-31 01:58:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	A649.dll
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@30/22@2/100
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.6% (good quality ratio 2.3%) Quality average: 24.4% Quality standard deviation: 30.9%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.189.173.20, 52.168.117.173, 172.64.155.106, 104.18.32.150
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, www.broadcom.com.cdn.cloudflare.net
Execution Graph export aborted for target rundll32.exe, PID 3828 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
01:59:18	API Interceptor	1x Sleep call for process: loaddll32.exe modified
01:59:21	API Interceptor	4x Sleep call for process: WerFault.exe modified
01:59:28	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
2.82.8.80	5q4psw.msi	Get hash	malicious	Qbot	Browse
	15dasx.msi	Get hash	malicious	Qbot	Browse
	5q4psw.msi	Get hash	malicious	Qbot	Browse
	15dasx.msi	Get hash	malicious	Qbot	Browse
	licking.dll	Get hash	malicious	Qbot	Browse
	licking.dll	Get hash	malicious	Qbot	Browse
	main2.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	r3zg12.msi	Get hash	malicious	Qbot	Browse
	main.dll	Get hash	malicious	Qbot	Browse
	graphically.dat.dll	Get hash	malicious	Qbot	Browse
	kxyj5.dat.dll	Get hash	malicious	Qbot	Browse
	PXNuYAPR.dat.dll	Get hash	malicious	Qbot	Browse
	TB9mkKe4Qzu.dat.dll	Get hash	malicious	Qbot	Browse
	leiotrichy.js	Get hash	malicious	Qbot	Browse
	a0UFMZnC6ltxphw.dat.dll	Get hash	malicious	Qbot	Browse
	msfilter.dll	Get hash	malicious	Qbot	Browse
	QPAWJ8VnpO.dll	Get hash	malicious	Qbot	Browse
	Cjpxxx.js	Get hash	malicious	Qbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEO-RESIDENCIALPT	5q4psw.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	15dasx.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	5q4psw.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	15dasx.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	licking.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	licking.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	main2.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	r3zg12.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	main.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	r3zg12.msi	Get hash	malicious	Qbot	Browse	2.82.8.80
	main.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	graphically.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	LEo7jDCX96.elf	Get hash	malicious	Mirai	Browse	2.81.219.243
	yvweY4vsVq.elf	Get hash	malicious	Mirai	Browse	188.81.116.228
	8C3RpG9eka.elf	Get hash	malicious	Mirai	Browse	85.244.28.246
	Pc8ewtsPRR.elf	Get hash	malicious	Mirai	Browse	85.240.179.8
	33cWz2DNq2.elf	Get hash	malicious	Mirai	Browse	2.83.183.198
	pu3jOk0Q9u.elf	Get hash	malicious	Mirai	Browse	82.155.117.104
	6mu5y2WWPK.elf	Get hash	malicious	Mirai	Browse	85.246.119.61
	A6BM2Ru5xc.elf	Get hash	malicious	Mirai	Browse	37.189.107.20
ASN-CXA-ALL-CCI-22773-RDCUS	5q4psw.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	15dasx.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	5q4psw.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	15dasx.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	licking.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	licking.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	main2.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	r3zg12.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	main.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	r3zg12.msi	Get hash	malicious	Qbot	Browse	184.181.75.148
	main.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	graphically.dat.dll	Get hash	malicious	Qbot	Browse	184.181.75.148
	UMyY7qXi7b.elf	Get hash	malicious	Mirai	Browse	68.6.72.41
	udxyqUncDs.elf	Get hash	malicious	Gafgyt, Mirai	Browse	184.188.248.242
	KipHfbWc5u.elf	Get hash	malicious	Mirai	Browse	174.74.5.188
	CT1zp877iP.elf	Get hash	malicious	Mirai	Browse	68.108.254.249
	65cBS6uCoV.elf	Get hash	malicious	Mirai	Browse	70.187.92.80
	gLeiWqaVuD.elf	Get hash	malicious	Mirai	Browse	24.249.120.101
	RW3fkwplaC.elf	Get hash	malicious	Mirai	Browse	70.171.100.214
	i12DwPGkzd.elf	Get hash	malicious	Mirai	Browse	68.101.71.203

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	graphically.dat.dll	Get hash	malicious	Qbot	Browse	188.28.19.84
	M7R36259.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	3VJL50UK8M.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	3VJL50UK8M.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	ss3.dll	Get hash	malicious	Qbot	Browse	188.28.19.84
	fYV9RX7dVuLH.dll	Get hash	malicious	Qbot	Browse	188.28.19.84
	aQ2nHl74yJrc6dw8N.dat.dll	Get hash	malicious	Qbot	Browse	188.28.19.84
	beacon.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	dropThaTGhettoBlasterBoris.dll	Get hash	malicious	Qbot	Browse	188.28.19.84
	JnxE98jm3a.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	cdSiKWbwdg.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	cdSiKWbwdg.exe	Get hash	malicious	Unknown	Browse	188.28.19.84
	130.dll	Get hash	malicious	Unknown	Browse	188.28.19.84
	130.dll	Get hash	malicious	Unknown	Browse	188.28.19.84
	mN42rsDx8f.dll	Get hash	malicious	Emotet	Browse	188.28.19.84
	z6ZFELBFhG.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	A618.wsf	Get hash	malicious	Qbot	Browse	188.28.19.84
	m8H1ghYYqg.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	m8H1ghYYqg.exe	Get hash	malicious	CobaltStrike	Browse	188.28.19.84
	evUj1hg3KW.exe	Get hash	malicious	CobaltStrike, ReflectiveLoader	Browse	188.28.19.84
37f463bf4616ecd445d4a1937da06e19	Gardenizes.exe	Get hash	malicious	FormBook, GuLoader	Browse	54.68.22.26
	FACTURA_ONLINE.jse	Get hash	malicious	Unknown	Browse	54.68.22.26
	FACTURA_ONLINE.jse	Get hash	malicious	Unknown	Browse	54.68.22.26
	Quote_Request_xlsx_PDF_PDF.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	54.68.22.26
	DHL_AWB_50_No3354087.docx.doc	Get hash	malicious	Unknown	Browse	54.68.22.26
	rechnm696417531.js	Get hash	malicious	Unknown	Browse	54.68.22.26
	rechnm696417531.js	Get hash	malicious	Unknown	Browse	54.68.22.26
	ORDER-232903AF.js	Get hash	malicious	WSHRat	Browse	54.68.22.26
	main.dll	Get hash	malicious	Qbot	Browse	54.68.22.26
	008s06523610054680b6011375030062022.exe	Get hash	malicious	GuLoader	Browse	54.68.22.26
	file.exe	Get hash	malicious	PrivateLoader	Browse	54.68.22.26
	rechnm128132812.js	Get hash	malicious	Unknown	Browse	54.68.22.26
	rechnm128132812.js	Get hash	malicious	Unknown	Browse	54.68.22.26
	ARMSTRONG5262023.xlsx	Get hash	malicious	Unknown	Browse	54.68.22.26
	setup.exe	Get hash	malicious	PrivateLoader	Browse	54.68.22.26
	ufuldkommenhederne.exe	Get hash	malicious	FormBook, GuLoader	Browse	54.68.22.26
	08194399.exe	Get hash	malicious	Djvu	Browse	54.68.22.26
	09498299.exe	Get hash	malicious	Babuk, Djvu	Browse	54.68.22.26
	03543999.exe	Get hash	malicious	Djvu	Browse	54.68.22.26
	56#U044f.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	54.68.22.26

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_0fc75884\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9054076690821683
Encrypted:	false
SSDEEP:	192:TQxtiD0oXAHBUZMX4jed+p/u7sES274ItWc:AidXoBUZMX4jec/u7sEX4ItWc
MD5:	A7BC19994244A00E67D6A5DBCF3A3128
SHA1:	07DE5E30512F9A516A77DE57BDE998232B9CF117
SHA-256:	6480B68CEA43D10E273466FB470F12A372C8B6BCCDF8C6C0629ECE231FE17C00
SHA-512:	0D2CFC4C687044BFFC32A4D56CA75E70CEE0865D4B5785B18A219CC585CF7E150E66807B9AE1A875882B285F6009E6E4EE6F76ACB8A3E9A068CD8421D20E15A5
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.0.0.8.8.8.6.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.1.2.4.5.0.9.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.6.5.0.3.a.2.-.5.6.6.c.-.4.4.f.c.-.b.9.b.a.-.f.7.1.b.b.7.b.6.5.2.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.d.f.c.5.d.7.-.e.b.0.d.-.4.0.9.c.-.9.1.6.c.-.a.9.d.2.b.b.d.7.0.f.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.f.4.-.0.0.0.1.-.0.0.1.a.-.0.f.3.f.-.0.8.2.9.9.e.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_160b5807\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9051386680992131
Encrypted:	false
SSDEEP:	192:UGXmi+0oXIHBUZMX4jed+p/u7sES274ItWc:UgmiIXwBUZMX4jec/u7sEX4ItWc
MD5:	45349502B9101F8B9679CDA554D32122
SHA1:	04B765CFB299F02C689AFD214A781F7AC506942A
SHA-256:	75B98C36A371D6FEF9A6CE2AD12CC0578BDACC6F851EF0F693277091AAB52E93
SHA-512:	0C1C5689DF8CFB1AD3133F901343CD06AE1087A5DFE535130E426C414E8F3ACED35B671DF1FA74290D116CA1C22E1021A05C87EEE9CE43AE7A4FED491754F458
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.9.7.1.4.9.9.5.4.4.3.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.1.3.1.3.8.0.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.6.f.e.7.c.5.-.d.b.c.5.-.4.a.7.2.-.9.6.5.0.-.c.4.6.0.b.7.d.2.3.7.1.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.1.9.d.e.d.e.-.2.0.9.9.-.4.8.9.a.-.9.d.5.b.-.6.0.4.3.6.5.8.3.9.2.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.c.4.-.0.0.0.1.-.0.0.1.a.-.f.0.e.2.-.1.7.2.9.9.e.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_1c57599d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9055463839584366
Encrypted:	false
SSDEEP:	192:dvEiK0oXZHBUZMX4jed+p/u7sES274ItWc:CicXJBUZMX4jec/u7sEX4ItWc
MD5:	BA491BA7486891F1815558933FED13F4
SHA1:	F9A65E28D64E0AEFB195D6CE70236D259B15ADBE
SHA-256:	9D3A40C9F0D089B744907CE2F3132FF65198B2BB630E07F85C03C17B8FEFB5EB
SHA-512:	ECBCEFB747199A45B0DB88B355565B002AFEDBD6A16D78065A06F0E9880F0DEA26431341C12BC9152F797C3039CDCA96AC750B6EFE5E311957C57CEBF470110B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.8.9.5.7.3.9.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.9.7.1.6.0.0.6.6.7.6.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.e.c.e.4.c.0.-.9.6.8.1.-.4.2.9.c.-.b.b.7.0.-.6.0.9.e.1.c.e.4.f.9.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.3.c.c.4.d.e.-.1.6.a.2.-.4.4.9.a.-.b.0.9.2.-.7.2.5.5.d.e.2.6.6.4.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.c.-.0.0.0.1.-.0.0.1.a.-.e.e.8.1.-.9.1.2.e.9.e.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f0f3252944ac8494bc49a1f9f213cb75e7a9fcf9_82810a17_174f57b9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9057450281060402
Encrypted:	false
SSDEEP:	192:9Eq9i60oXjHBUZMX4jed+p/u7sES274ItWc:P9isXjBUZMX4jec/u7sEX4ItWc
MD5:	4A3D5BC64CB92406C9BE698D4474BB82
SHA1:	939B0FDE884B364EF1C99B2E19067897DEEBD534
SHA-256:	F72A3B121854B6B39751642DCB94C11F9A785120AEC1D50880323EDA6EB55D50
SHA-512:	E4AC316BC296A018B551262D9D14BA6DDB2A55D2CC9DEEE6CC6F2774A4C7B6CCA0D78BFFAA94F3ED0760C02F2AA0A2FA0B59A0A3A231EED00C8C46F918900B4B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.5.3.9.1.2.4.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.9.9.7.1.5.6.2.9.7.4.9.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.7.2.8.c.e.1.-.6.3.5.0.-.4.2.e.f.-.a.4.a.9.-.4.b.f.1.c.b.b.7.c.c.7.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.3.2.a.6.d.2.-.a.9.d.3.-.4.2.d.f.-.a.b.a.6.-.4.4.9.d.5.5.8.9.f.a.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.8.c.-.0.0.0.1.-.0.0.1.a.-.6.c.4.7.-.b.f.2.c.9.e.9.3.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A40.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 08:59:10 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	38518
Entropy (8bit):	2.2134857089006386
Encrypted:	false
SSDEEP:	192:kCMckZIfCVy/jO5SkblFbWnrAKj6mb95wnI:Gtfl5LblFbWrHBbA
MD5:	69F5A85F77D5FD4077DC5D31BD3CB0B0
SHA1:	F0BDFF942A2CBF5AB2288CF2A767F89EEED2739B
SHA-256:	6F14086A82079272E241886DBFA8362ECCBC2972F8C27D89C7E857CA5CEE335F
SHA-512:	BEB4D2623F9A432A231173CADA4603276042A9C58F46ED15D09F740917CD32C0C0038B3040889FECACF61EA3E7314B445BEBF2EF7476987535F06E43799EABDA
Malicious:	false
Preview:	MDMP....... .......^.wd............d...............l............)..........T.......8...........T...........P...&\|...........................................................................................U...........B..............GenuineIntelW...........T...........\.wd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2ACD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	45190
Entropy (8bit):	2.0543395485570004
Encrypted:	false
SSDEEP:	192:kHWGjFw4OO5SkblNlcqi450t9nJfCyEfjC4:Ybt5Lblrcqk9Jsj
MD5:	654EE2AD9D82AE1DF7669A7946EEC690
SHA1:	7E0AB398FCEA16B256C9DB54BAB1898108630919
SHA-256:	2170639580F2D0683CAB07A8592D9290FE343392333359A1C2854CA41DF612F7
SHA-512:	CF4C5D4B008E52E8663E7E653F92DD06D04384DDE8A48C4FD00B1E14478E13B9AB8AB67EBEE897F3A118FE05CF4D14B071D2156BAD0EBABDDF4D3B8DD74E3473
Malicious:	false
Preview:	MDMP....... .......^.wd.........................................,..........T.......8...........T...........................0................................................................................U...........B..............GenuineIntelW...........T...........\.wd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C74.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8240
Entropy (8bit):	3.68820459028921
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiDe67z26Ygo6WgmfTASbCpr789brdsfdZm:RrlsNi66e6Yf6WgmfTAS3rWfK
MD5:	DCB0DDDA1709D7CC432E9681246F3715
SHA1:	84598CCD9224637F72E30695EC816A0F05C769F8
SHA-256:	3EF405969170BFE7398DDE2D37B97B55C6E0468CDA4F510DC77F03E99A0BDF07
SHA-512:	3BBD72D28E81FDD6462DACA4782243EDF383FCE25A74364E5C1DBD7D397937470ABB8805B6AF648CD4E1E346D3A4D7AD7E2C4A627E2539B850F03EAC6FCF5FEF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C93.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.689768241052418
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNicP6N6Y/T64agmfTASbCpr089br0sfOZm:RrlsNiU6N6Yb6FgmfTASarnfx
MD5:	F7D941A964871D5C99EF9A0C3AA87436
SHA1:	D478A0C30657D4ACEF34282B0DE632164998635F
SHA-256:	E4B1D3FF681D097FC91C3204FD787866C8B494024B5A965C45A8C1143424D9A3
SHA-512:	43B9800F694EC9A90C7E0C5625D7714CEE5EFDBD03C5A1E2F6BE30D8804F386D307A383242E49F1AAC3E2D0A7239438D49ED2B32EBDA4DE20F07E2C0AB87783F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CD2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.449016783090063
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6KJgtWI9jhhWgc8sqYjk8fm8M4JCdsQZFd+q8/vKJ4SrSgd:uITf6YU6grsqYtJaRcCDWgd
MD5:	BF88BAA3F510167E3361CC0F4319315D
SHA1:	75A3425BFDE9ED45F46BEFBCAE90AA0666BC3EE3
SHA-256:	4E2BACAAC682C4A4BA2779A2B6F493F705DBB5F01AFB998FEB5B227AAB0A77BF
SHA-512:	E77AC0683701A7922332DC999EBAED7E56964A8DB0C0CFB6CFF1C4515103A8440C6BE36E1EF3AA62EA565733F4F90633266C823AE0210D107F5C50A04CD0D2EF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CF2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.449393827302852
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6KJgtWI9jhhWgc8sqYjz8fm8M4JCdsQZFb+q8/vKe4SrSEd:uITf6YU6grsqYsJanc5DWEd
MD5:	33CE569324F8EF594C32CDC07383EFEC
SHA1:	807130DE6AF284514C4FB408977810ECB8B7A627
SHA-256:	E581D91FFAD0A55F821C0F71F14FDD2E973291ACA846BA0B72B9370497F55D29
SHA-512:	CC9292AEC3D51B017646FB476B4EA4EF7980D7E1E4EA5DE65B728D84ADA0FCD789671E02C17D1D12FB16EC241E8D5BD2082E67697159A3A7FDF3544262069CFC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F7E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 08:59:15 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	36578
Entropy (8bit):	2.3108262726531277
Encrypted:	false
SSDEEP:	192:NvYckZIfCVBP8O5SkblT+cKWvr+G5EdOP8:Gtfhz5LblTjXr+EEo
MD5:	B292D1B41261C16C255755E0001FF863
SHA1:	B4DD84440C145F269EBB8C2E2D572232CB082490
SHA-256:	4CA5457AEE7CEF12E45BDC5D48B1FFEAEEBC09C82CB803CFBB8C39B263E54CF4
SHA-512:	769AB17A0D66079416FDA27C306CEDA7E2E7D6C922BFF2441D0672214EF3829F4F2E2C6091B2F9AFA5441BC182759C893B61D8CB4181310961EEE3A9D57F2722
Malicious:	false
Preview:	MDMP....... .......c.wd............d...............l............)..........T.......8...........T................t...........................................................................................U...........B..............GenuineIntelW...........T...........b.wd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40E6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8244
Entropy (8bit):	3.6888245956988985
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3o67zp6Y/p6AYgmfTgSbCprO89bG4sfNlim:RrlsNiY6R6YB6AYgmfTgSMGrfNB
MD5:	7E5D87841BE9A5BB8BB8E27AE659DE24
SHA1:	A16949C1BB51141ABAA606DCFFA01A36EEAA48BB
SHA-256:	ED58B9AA29C7855183B2BF8550C8AD51F567877134BE33D6A280BF2D35576515
SHA-512:	87C9F925AF37784A94EBBE228132216A61A286A9A501596285CDC3C74105A01E747F2C52B27ABFA3DF98944649C5E21D5B8AF7CC580ADF808C9377137709C21C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4145.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.450867559879706
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6KJgtWI9jhhWgc8sqYjkG8fm8M4JCdsQ9FAY+q8/v8/4SrS9d:uITf6YU6grsqYKJaIYcyDW9d
MD5:	850D507EFD9F04D05785CB38BB649D52
SHA1:	3CC3F8980B460DE5F06B35FD6BDBFA1CBDCC3F73
SHA-256:	481382BF2B1BC4C527AFF929E920E376A06D169DFD80184C700B8C70E367E890
SHA-512:	E1097643DCFD645E0EFA03BFFBBF5F3A0C68B99BBD711602631B57BD99F0929AE45967190BE44BEE5B3231A9474FA3BB303086694E23B4BF0977C14073D18922
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D78.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 31 08:59:19 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37654
Entropy (8bit):	2.256675980134249
Encrypted:	false
SSDEEP:	192:asODckZIfCVVpCqO5SkblnRnQTHYz8z1e/2:aptfLE5LblnRnQ7Yzb2
MD5:	1938F98A3C828AA06AD872DCE2FE7697
SHA1:	2E34887D73B2FEC0D0F2F26CC87EF3D19120A9CB
SHA-256:	9A3646BA452CBD908F14DA71B14C4CF35B44078AFFFA064D6E1C213DCCF2F712
SHA-512:	EB89693C0539BDA5848464AB4C2EEB0F68A489C66374B75C9679C4286AF2644AD9D3ECEDF8CB51415DF3E8347BD6AB600962631613D86BB8682815C04FF64AC8
Malicious:	false
Preview:	MDMP....... .......g.wd............d...............l............)..........T.......8...........T................y...........................................................................................U...........B..............GenuineIntelW...........T...........e.wd.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F6D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8240
Entropy (8bit):	3.6889398948006464
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiKF67z/6Yng65gmfTASbCpr+89baJsfN+m:RrlsNiI6X6Yg65gmfTAScaifN
MD5:	C5AF42526A778E81E6D562018E0912CD
SHA1:	A4DC3324E447DD79904A1CC931AF555CD77053CE
SHA-256:	9841A3180D7674593AAD733096736A16C7F38C0E191A43A4A435F851DB1DA3B3
SHA-512:	7B53374362D12A695593AAC9937C5FC59D42002042BFAAE8AD0CE60B228FC834A545B2F9A1E942C32A2BB42561CD1BD282C1DB05986055A302E00DA7896826A5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER500A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4626
Entropy (8bit):	4.449149817871028
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6KJgtWI9jhhWgc8sqYjk8fm8M4JCdsQZFR9+q8/vKI+4SrSZd:uITf6YU6grsqYtJaDcqDWZd
MD5:	A3728E33DDD4CF3EC84165E2607937C0
SHA1:	750786E33CB2D0878174802A9650DF5A3F04CDB2
SHA-256:	9161E9B233C84465A83CF8A61A8FAB0F29114AB9647F5E42567449C4DC88717A
SHA-512:	C05C753E4309E29FA7CF460DA056A9D7374C34B159E04990CED58AEC0B5043B59B0DD7CFB21434B64496D07698238340FA103BB0906D849E1C5BBB8AEF5DD6B9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2064609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\V262JUIP.htm

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	HTML document, ASCII text, with very long lines (15300)
Category:	dropped
Size (bytes):	20956
Entropy (8bit):	5.2126603877115265
Encrypted:	false
SSDEEP:	384:3xj44IEOf9UdGeMR9LYWseMTWeSRnKMegIMnqWOhr/St:Bj44IEOf9Udg9iWeSRnKMegJOhTSt
MD5:	B01633CBBE0EB0F15CE5003EC9ED8D5E
SHA1:	9196B986F2FDFFA52EE959E1C17F78B75A28F3BC
SHA-256:	18462AC3E016049BF72BAA8258AC7040FAC9EB2FDDBC13756F38654241C21667
SHA-512:	6750E7417755833BDC0F49BCE4EA1C44D23B96677AA6A93194959FD98B62BDBA4EDC1D2F2B2864CC3B747C43DB8D26E26759241F55AE80A9C0D800804A603048
Malicious:	false
Preview:	<!doctype html><html lang="en"><head> <title>Broadcom Inc. \| Connecting Everything</title>.<link rel="icon" type="image/png" href="/favicon.png">.<link rel="icon" type="image/png" href="/favicon.png" sizes="32x32">.<link rel="icon" type="image/png" href="/favicon-48x48.png" sizes="48x48">.<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">.<meta charset="utf-8">.<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.<meta http-equiv="x-ua-compatible" content="ie=edge">.<meta http-equiv="Last-Modified" content="Sat, 27 May 2023 01:20:27 GMT">.<meta property="og:title" content="Broadcom Inc. \| Connecting Everything" />.<meta name="description" content="Broadcom Inc. is a global technology leader that designs, develops and supplies semiconductor and infrastructure software solutions.">.<meta property="og:description" content="Broadcom Inc. is a global technology leader that designs, develops and supplies semiconductor and infrastructu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\t5[1]

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.373051322261979
Encrypted:	false
SSDEEP:	3:bzVHaYIUnZjVnHn:bzbjZjVH
MD5:	95727490AF2055AA9EBB186AF4529945
SHA1:	6AB0F01813F295F82F220771AEF26E46C2C43545
SHA-256:	730788681D9BDB7D912F709A3D6FF52B116B1BAC246F18CD002E855707946A46
SHA-512:	3DE1DC718DAC2644E781C53B63EB11F14C9EAA90D74EDC14C7AF7E36723C24D5D60AC3AEB547BFEB59365EDD4D9355131505E3DC5DB4FE056A37C18161CCDD4B
Malicious:	false
Preview:	ParseHTTPResponse() failed pCurlResp=NULL

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.286926589244877
Encrypted:	false
SSDEEP:	12288:esatbIqQi0ch/cxt7sVn2bmkfCdXlJ6/OWgO/mf8efiWHm4WgzIu:F4bIqQi0ch/cxtk2Mduxu
MD5:	4138644792FA830FE536BC08E7C6395D
SHA1:	F5AC2050DF85A18EE233393B45C69EDB3674A769
SHA-256:	7835EB077B91B11C6BB2EF4C4CD48BBE960E1701ED17251729445909BE7932B3
SHA-512:	627C2D20AF11185F58B77C6E76670CA328CCDF98158C74C964BE3A7A3EB1407EF6043352614BCDDA0DB379ACC2A3C843F52E7474640FC7D39AAF7B9B703786A0
Malicious:	false
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.h)..................................................................................................................................................................................................................................................................................................................................................bt........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.89029306750664
Encrypted:	false
SSDEEP:	192:uI9vZ1iBKHLEjYPg5FSE05nDw3na96iS3KPJKFptQtXgkvWsadfgQYZNZK/q:xZy5nnk9SaPJSptQtQ6Xad4QYzZK/q
MD5:	96B03F9227FEDF356FA9B178A0824917
SHA1:	20963B21C5BC091881A9DAAECB5D653C78D27C18
SHA-256:	FE8EB42A980A1BC87920418C5CF8718DAACD3F3066B10171720792712A522421
SHA-512:	3298471D244098EF45D44F9DAC94412DDB818C86F7B11075B76F89493A78655D548A1556D9D47A69414FEF865C42434D1CEFC2ADB4DF16FE047E13DFC4692D86
Malicious:	false
Preview:	regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.h)..................................................................................................................................................................................................................................................................................................................................................btHvLE.>......]...............5..Y...^.~.........0..............hbin................p.\..,..........nk,.4!k).................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .4!k)........ ...........8~.............. .......Z.......................Root........lf......Root....nk .4!k)................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

C:\Windows\appcompat\Programs\Amcache.hve.tmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.887291025785295
Encrypted:	false
SSDEEP:	48:8HV8pYdAxmmA3SS3eX5/cwlApldplCPjD04zISwnh:8ypvCC0QALdLq/zIDh
MD5:	4BF13EB222F1598B09B6E2F40B90A557
SHA1:	A17DF9EE74DEB18195D4E85AEE9BB2714C1D3A5D
SHA-256:	D0B364D14FFE91A91AD135E8BD21FE803789869F3BE84C55ED49A9A8E46DE983
SHA-512:	FF50A0DCD5914582EB2B1946C6C8E0C1DF9B182FA3E70904440959ECDAC4A39D56DABEB88729B9E0B95A9AFCF8BC51DF252E3B4DB4CFC82D1C1784CD1C8101C3
Malicious:	false
Preview:	regf........4!k).................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p....................................................rmtm..m)................................................................................................................................................................................................................................................................................................................................................+9..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.9218248695013394
Encrypted:	false
SSDEEP:	48:qHVGIpYdAxmmA3SS3eX5/cwlApldplCPjD04zISwnh:qoIpvCC0QALdLq/zIDh
MD5:	B0F35589AAE48859AFE467FDDB58C756
SHA1:	D67AB3D3E0F1F90061F1D8363519070C16376562
SHA-256:	A2BEFD4B06DBA5D32867559824DC5985764EF9B6CDC707BA7BE72F6EAF4402E0
SHA-512:	0C05D1072BE955244022780EAB281790EED2C7F4818BE00EA645EA6AD7449A8C02C34F2BE485DC45479BF34E0D36A5E4CBAC4F8C3B5AE0079268F0F1CB63318B
Malicious:	false
Preview:	regf........4!k).................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p....................................................rmtm..m)................................................................................................................................................................................................................................................................................................................................................-9..HvLE....................{...`..Ki.....g........hbin................4!k)............nk,...m)....................0...........................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......sk..............(.................................................................................8......................1.?l.cL<.P...b....~z...........8......................1.?l.cL<.P...b....~z.............?...................?...................?........... ... ........... ...

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.663401858515362
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	A649.dll
File size:	983776
MD5:	644bff6674870c37b8bfd2f6b97616f4
SHA1:	6fdb6e4d113c4cfb43888e439c9328b2a396f947
SHA256:	15337bc14077fec44f6f4fe7f27279afad78efef637f86a384d3992b176c4694
SHA512:	17479dddd29bd79f0cc8b1911e9cf2f16912640ace9df78c4574da54c9cd704244e4c74a0ce0640ec4d6e2865786bb5d885aeec5edd47977495d3fa96cc36a09
SSDEEP:	24576:D7AkdHt+UnNtqbVotX4Dw/9JGCZdBK/+NYouXFPn/yd4I:DZ8RDwlJGoY7XI
TLSH:	A5258EC0FBD744FAE46718B1B09AB7AFAB3112050138CE76DFA58E09E976B401DDB245
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0d...........#...'.....................................................0 .....{.....@... .........................hC.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6430AE80 [Sat Apr 8 00:00:00 2023 UTC]
TLS Callbacks:	0x10090cc0, 0x10090c70, 0x100a1c60
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac404a1028e7ce450416867d9b3974cc

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [101D86FCh], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007F4EA8C46557h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 100C9000h
mov dword ptr [esp+04h], eax
call 00007F4EA8CE54EEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 10001400h
call 00007F4EA8C466D3h
leave
ret
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
mov edx, dword ptr [esp+14h]
mov esi, dword ptr [esp+1Ch]
mov edi, dword ptr [esp+18h]
movzx ebx, dx
shr edx, 10h
test esi, esi
je 00007F4EA8C46788h
nop
cmp esi, 04h
jbe 00007F4EA8C46742h
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
movzx eax, byte ptr [edi]
add edi, 04h
sub esi, 04h
movzx ebp, byte ptr [edi-03h]
movzx ecx, byte ptr [edi-02h]
add eax, ebx
movzx ebx, byte ptr [edi-01h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da000	0x4368	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df000	0x1388	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e3000	0x378	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e4000	0x4128	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc61e4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1df328	0x2c4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab124	0xab200	False	0.4480831126734843	data	6.432110661692397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xad000	0x100	0x200	False	0.28125	Matlab v4 mat-file (little endian) \377\377\377\377 , text, rows 4294967295, columns 4294967295, imaginary	2.102897197014083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xae000	0x1a624	0x1a800	False	0.3911224941037736	data	5.329684115990636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xc9000	0x110264	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x1da000	0x4368	0x4400	False	0.4040670955882353	data	5.488698281853443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1df000	0x1388	0x1400	False	0.3810546875	data	5.386273709762828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1e1000	0x30	0x200	False	0.060546875	data	0.25451054171027127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1e2000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e3000	0x1a64e	0x1b000	False	0.9544451678240741	data	7.904994179392512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1fe000	0x4128	0x4200	False	0.7178030303030303	data	6.590473987933104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1e3058	0x31c	data	English	United States

Imports

DLL	Import
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenRandom, BCryptOpenAlgorithmProvider
KERNEL32.dll	AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFullPathNameW, GetHandleInformation, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount64, GetTimeZoneInformation, InitOnceBeginInitialize, InitOnceComplete, InitializeConditionVariable, InitializeCriticalSection, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleTextAttribute, SetEvent, SetLastError, SetProcessAffinityMask, SetSystemTime, SetThreadContext, SetThreadPriority, Sleep, SleepConditionVariableSRW, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW
msvcrt.dll	__mb_cur_max, __setusermatherr, _aligned_free, _aligned_malloc, _aligned_realloc, _amsg_exit, _beginthreadex, _endthreadex, _errno, _fstat64, _get_osfhandle, _gmtime64, _hypot, _initterm, _iob, _localtime64, _lock, _mktime64, _setjmp3, _sopen, _ultoa, _unlock, _wsopen, abort, acos, asin, atan, atoi, bsearch, calloc, clock, cosh, exit, fprintf, fputc, fputs, free, fwrite, getc, getenv, islower, isspace, isupper, isxdigit, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, printf, rand, realloc, setlocale, sinh, strchr, strcmp, strcpy, strcspn, strerror, strftime, strlen, strncmp, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, ungetc, vfprintf, wcscat, wcscpy, wcslen, wcsrchr, longjmp, _strdup, _read, _isatty, _fdopen, _close
USER32.dll	GetDesktopWindow

Exports

Name	Ordinal	Address
mv_add_i	1	0x10023c30
mv_add_q	2	0x10035990
mv_add_stable	3	0x10027e10
mv_adler32_update	4	0x10001410
mv_aes_alloc	5	0x10001bd0
mv_aes_crypt	6	0x10001bf0
mv_aes_ctr_alloc	7	0x100022f0
mv_aes_ctr_crypt	8	0x10002480
mv_aes_ctr_free	9	0x10002420
mv_aes_ctr_get_iv	10	0x10002370
mv_aes_ctr_increment_iv	11	0x10002430
mv_aes_ctr_init	12	0x100023c0
mv_aes_ctr_set_full_iv	13	0x10002340
mv_aes_ctr_set_iv	14	0x10002310
mv_aes_ctr_set_random_iv	15	0x10002380
mv_aes_init	16	0x10001c10
mv_aes_size	17	0x100ae00c
mv_append_path_component	18	0x10006eb0
mv_asprintf	19	0x10006850
mv_assert0_fpu	20	0x1008cfa0
mv_audio_fifo_alloc	21	0x10002670
mv_audio_fifo_drain	22	0x10002af0
mv_audio_fifo_free	23	0x10002610
mv_audio_fifo_peek	24	0x10002900
mv_audio_fifo_peek_at	25	0x10002990
mv_audio_fifo_read	26	0x10002a40
mv_audio_fifo_realloc	27	0x100027b0
mv_audio_fifo_reset	28	0x10002b70
mv_audio_fifo_size	29	0x10002bb0
mv_audio_fifo_space	30	0x10002bc0
mv_audio_fifo_write	31	0x10002850
mv_base64_decode	32	0x100076c0
mv_base64_encode	33	0x100078d0
mv_basename	34	0x10006d70
mv_blowfish_alloc	35	0x10007da0
mv_blowfish_crypt	36	0x100084b0
mv_blowfish_crypt_ecb	37	0x10007dc0
mv_blowfish_init	38	0x100a6ac0
mv_bmg_get	39	0x10024fe0
mv_bprint_append_data	40	0x10008f30
mv_bprint_channel_layout	41	0x1000c9f0
mv_bprint_chars	42	0x10008d20
mv_bprint_clear	43	0x10009670
mv_bprint_escape	44	0x10009730
mv_bprint_finalize	45	0x10009690
mv_bprint_get_buffer	46	0x10009500
mv_bprint_init	47	0x10008880
mv_bprint_init_for_buffer	48	0x100089a0
mv_bprint_strftime	49	0x10009130
mv_bprintf	50	0x100089c0
mv_buffer_alloc	51	0x10009dc0
mv_buffer_allocz	52	0x10009ef0
mv_buffer_create	53	0x10009e60
mv_buffer_default_free	54	0x10009d10
mv_buffer_get_opaque	55	0x1000a090
mv_buffer_get_ref_count	56	0x1000a0a0
mv_buffer_is_writable	57	0x1000a070
mv_buffer_make_writable	58	0x1000a0b0
mv_buffer_pool_buffer_get_opaque	59	0x1000a9b0
mv_buffer_pool_get	60	0x1000a720
mv_buffer_pool_init	61	0x1000a5f0
mv_buffer_pool_init2	62	0x1000a590
mv_buffer_pool_uninit	63	0x1000a650
mv_buffer_realloc	64	0x1000a1d0
mv_buffer_ref	65	0x10009fc0
mv_buffer_replace	66	0x1000a480
mv_buffer_unref	67	0x1000a000
mv_calloc	68	0x100291f0
mv_camellia_alloc	69	0x1000b0b0
mv_camellia_crypt	70	0x1000b0d0
mv_camellia_init	71	0x100a6c8e
mv_camellia_size	72	0x100af650
mv_cast5_alloc	73	0x1000c090
mv_cast5_crypt	74	0x1000c1b0
mv_cast5_crypt2	75	0x1000c0b0
mv_cast5_init	76	0x100a7a6e
mv_cast5_size	77	0x100b1a60
mv_channel_description	78	0x1000c470
mv_channel_description_bprint	79	0x1000c3c0
mv_channel_from_string	80	0x1000c560
mv_channel_layout_channel_from_index	81	0x1000dc10
mv_channel_layout_channel_from_string	82	0x1000eac0
mv_channel_layout_check	83	0x1000ec10
mv_channel_layout_compare	84	0x1000edb0
mv_channel_layout_copy	85	0x1000d340
mv_channel_layout_default	86	0x1000eff0
mv_channel_layout_describe	87	0x1000dba0
mv_channel_layout_describe_bprint	88	0x1000d4d0
mv_channel_layout_extract_channel	89	0x1000d060
mv_channel_layout_from_mask	90	0x1000d1b0
mv_channel_layout_from_string	91	0x1000dd40
mv_channel_layout_index_from_channel	92	0x1000e760
mv_channel_layout_index_from_string	93	0x1000e950
mv_channel_layout_standard	94	0x1000f050
mv_channel_layout_subset	95	0x1000f080
mv_channel_layout_uninit	96	0x1000d270
mv_channel_name	97	0x1000c2d0
mv_channel_name_bprint	98	0x1000c220
mv_chroma_location_enum_to_pos	99	0x10034f30
mv_chroma_location_from_name	100	0x10034ee0
mv_chroma_location_name	101	0x10034ec0
mv_chroma_location_pos_to_enum	102	0x10034f70
mv_cmp_i	103	0x10024200
mv_color_primaries_from_name	104	0x10034d90
mv_color_primaries_name	105	0x10034d70
mv_color_range_from_name	106	0x10034d20
mv_color_range_name	107	0x10034d00
mv_color_space_from_name	108	0x10034e70
mv_color_space_name	109	0x10034e50
mv_color_transfer_from_name	110	0x10034e00
mv_color_transfer_name	111	0x10034de0
mv_compare_mod	112	0x100279f0
mv_compare_ts	113	0x10027830
mv_content_light_metadata_alloc	114	0x10027020
mv_content_light_metadata_create_side_data	115	0x10027050
mv_cpu_count	116	0x1000f8f0
mv_cpu_force_count	117	0x1000f9e0
mv_cpu_max_align	118	0x1000f9f0
mv_crc	119	0x100101d0
mv_crc_get_table	120	0x1000fdb0
mv_crc_init	121	0x1000fbc0
mv_csp_luma_coeffs_from_avcsp	122	0x100102b0
mv_csp_primaries_desc_from_id	123	0x100102f0
mv_csp_primaries_id_from_desc	124	0x10010320
mv_d2q	125	0x10035aa0
mv_d2str	126	0x100068e0
mv_default_get_category	127	0x10026240
mv_default_item_name	128	0x10026230
mv_des_alloc	129	0x10010d80
mv_des_crypt	130	0x10010e40
mv_des_init	131	0x10010da0
mv_des_mac	132	0x10010e90
mv_detection_bbox_alloc	133	0x10010ee0
mv_detection_bbox_create_side_data	134	0x10010f70
mv_dict_copy	135	0x10011d20
mv_dict_count	136	0x10011070
mv_dict_free	137	0x10011cc0
mv_dict_get	138	0x100110d0
mv_dict_get_string	139	0x100121a0
mv_dict_iterate	140	0x10011090
mv_dict_parse_string	141	0x100118c0
mv_dict_set	142	0x10011210
mv_dict_set_int	143	0x10011560
mv_dirname	144	0x10006e10
mv_display_matrix_flip	145	0x100126f0
mv_display_rotation_get	146	0x10012470
mv_display_rotation_set	147	0x100125c0
mv_div_i	148	0x10024ef0
mv_div_q	149	0x10035920
mv_dovi_alloc	150	0x10012780
mv_dovi_metadata_alloc	151	0x100127b0
mv_downmix_info_update_side_data	152	0x10012800
mv_dynamic_hdr_plus_alloc	153	0x1001d0a0
mv_dynamic_hdr_plus_create_side_data	154	0x1001d0d0
mv_dynamic_hdr_vivid_alloc	155	0x1001d130
mv_dynamic_hdr_vivid_create_side_data	156	0x1001d160
mv_dynarray2_add	157	0x100296f0
mv_dynarray_add	158	0x10029620
mv_dynarray_add_nofree	159	0x10029560
mv_encryption_info_add_side_data	160	0x10012f30
mv_encryption_info_alloc	161	0x10012a70
mv_encryption_info_clone	162	0x10012b40
mv_encryption_info_free	163	0x10012cf0
mv_encryption_info_get_side_data	164	0x10012d40
mv_encryption_init_info_add_side_data	165	0x10013860
mv_encryption_init_info_alloc	166	0x10013100
mv_encryption_init_info_free	167	0x100132d0
mv_encryption_init_info_get_side_data	168	0x10013480
mv_escape	169	0x10007050
mv_expr_count_func	170	0x100176e0
mv_expr_count_vars	171	0x10017650
mv_expr_eval	172	0x100177a0
mv_expr_free	173	0x10015280
mv_expr_parse	174	0x10017110
mv_expr_parse_and_eval	175	0x100177f0
mv_fast_malloc	176	0x10029d10
mv_fast_mallocz	177	0x10029df0
mv_fast_realloc	178	0x10029c60
mv_fifo_alloc	179	0x10018a20
mv_fifo_alloc2	180	0x10017e40
mv_fifo_alloc_array	181	0x10018990
mv_fifo_auto_grow_limit	182	0x10017ef0
mv_fifo_can_read	183	0x10017f10
mv_fifo_can_write	184	0x10017f40
mv_fifo_drain	185	0x100192b0
mv_fifo_drain2	186	0x100188c0
mv_fifo_elem_size	187	0x10017f00
mv_fifo_free	188	0x10018aa0
mv_fifo_freep	189	0x10018ae0
mv_fifo_freep2	190	0x10018950
mv_fifo_generic_peek	191	0x10019120
mv_fifo_generic_peek_at	192	0x10018fc0
mv_fifo_generic_read	193	0x10019160
mv_fifo_generic_write	194	0x10018e70
mv_fifo_grow	195	0x10018ce0
mv_fifo_grow2	196	0x10017f70
mv_fifo_peek	197	0x10018760
mv_fifo_peek_to_cb	198	0x100188a0
mv_fifo_read	199	0x10018500
mv_fifo_read_to_cb	200	0x100186c0
mv_fifo_realloc2	201	0x10018b70
mv_fifo_reset	202	0x10018b20
mv_fifo_reset2	203	0x10018930
mv_fifo_size	204	0x10018b40
mv_fifo_space	205	0x10018b50
mv_fifo_write	206	0x100180f0
mv_fifo_write_from_cb	207	0x100182a0
mv_file_map	208	0x100192e0
mv_file_unmap	209	0x10019570
mv_film_grain_params_alloc	210	0x10019b60
mv_film_grain_params_create_side_data	211	0x10019b90
mv_find_best_pix_fmt_of_2	212	0x10034a40
mv_find_info_tag	213	0x10032410
mv_find_nearest_q_idx	214	0x10035e60
mv_fopen_utf8	215	0x10019b50
mv_force_cpu_flags	216	0x1000f820
mv_fourcc_make_string	217	0x1008ced0
mv_frame_alloc	218	0x1001ac40
mv_frame_apply_cropping	219	0x1001c490
mv_frame_clone	220	0x1001c050
mv_frame_copy	221	0x1001b8d0
mv_frame_copy_props	222	0x1001b550
mv_frame_free	223	0x1001adb0
mv_frame_get_buffer	224	0x1001adf0
mv_frame_get_plane_buffer	225	0x1001b570
mv_frame_get_side_data	226	0x1001b890
mv_frame_is_writable	227	0x1001b4b0
mv_frame_make_writable	228	0x1001c210
mv_frame_move_ref	229	0x1001b320
mv_frame_new_side_data	230	0x1001b7e0
mv_frame_new_side_data_from_buf	231	0x1001b750
mv_frame_ref	232	0x1001bc40
mv_frame_remove_side_data	233	0x1001c3e0
mv_frame_side_data_name	234	0x1001c470
mv_frame_unref	235	0x1001b300
mv_free	236	0x100290d0
mv_freep	237	0x100290e0
mv_gcd	238	0x10027090
mv_gcd_q	239	0x100362f0
mv_get_alt_sample_fmt	240	0x1003c9f0
mv_get_bits_per_pixel	241	0x100345a0
mv_get_bytes_per_sample	242	0x1003cb50
mv_get_channel_description	243	0x1000cf80
mv_get_channel_layout	244	0x1000c640
mv_get_channel_layout_channel_index	245	0x1000cd50
mv_get_channel_layout_nb_channels	246	0x1000cc80
mv_get_channel_layout_string	247	0x1000cbf0
mv_get_channel_name	248	0x1000cea0
mv_get_colorspace_name	249	0x1001ac20
mv_get_cpu_flags	250	0x1000f880
mv_get_default_channel_layout	251	0x1000cd10
mv_get_extended_channel_layout	252	0x1000c8f0
mv_get_known_color_name	253	0x10031760
mv_get_media_type_string	254	0x1008cd60
mv_get_packed_sample_fmt	255	0x1003ca30
mv_get_padded_bits_per_pixel	256	0x100345f0
mv_get_picture_type_char	257	0x1008cd80
mv_get_pix_fmt	258	0x10034480
mv_get_pix_fmt_loss	259	0x10034a10
mv_get_pix_fmt_name	260	0x10034450
mv_get_pix_fmt_string	261	0x100346a0
mv_get_planar_sample_fmt	262	0x1003ca70
mv_get_random_seed	263	0x10035030
mv_get_sample_fmt	264	0x1003c860
mv_get_sample_fmt_name	265	0x1003c840
mv_get_sample_fmt_string	266	0x1003caa0
mv_get_standard_channel_layout	267	0x1000d150
mv_get_time_base_q	268	0x1008cf90
mv_get_token	269	0x10006940
mv_gettime	270	0x1004dbb0
mv_gettime_relative	271	0x1004dbf0
mv_gettime_relative_is_monotonic	272	0x1004dc60
mv_hash_alloc	273	0x1001c790
mv_hash_final	274	0x1001cb30
mv_hash_final_b64	275	0x1001ce80
mv_hash_final_bin	276	0x1001cbc0
mv_hash_final_hex	277	0x1001ce00
mv_hash_freep	278	0x1001d070
mv_hash_get_name	279	0x1001c770
mv_hash_get_size	280	0x1001c780
mv_hash_init	281	0x1001c870
mv_hash_names	282	0x1001c750
mv_hash_update	283	0x1001ca10
mv_hmac_alloc	284	0x1001d220
mv_hmac_calc	285	0x1001d720
mv_hmac_final	286	0x1001d5a0
mv_hmac_free	287	0x1001d3a0
mv_hmac_init	288	0x1001d3e0
mv_hmac_update	289	0x1001d590
mv_hwdevice_ctx_alloc	290	0x1001d9d0
mv_hwdevice_ctx_create	291	0x1001e0b0
mv_hwdevice_ctx_create_derived	292	0x1001e320
mv_hwdevice_ctx_create_derived_opts	293	0x1001e190
mv_hwdevice_ctx_init	294	0x1001db30
mv_hwdevice_find_type_by_name	295	0x1001d920
mv_hwdevice_get_hwframe_constraints	296	0x1001dfd0
mv_hwdevice_get_type_name	297	0x1001d970
mv_hwdevice_hwconfig_alloc	298	0x1001dfa0
mv_hwdevice_iterate_types	299	0x1001d990
mv_hwframe_constraints_free	300	0x1001e070
mv_hwframe_ctx_alloc	301	0x1008d450
mv_hwframe_ctx_create_derived	302	0x1001ea30
mv_hwframe_ctx_init	303	0x1001e7f0
mv_hwframe_get_buffer	304	0x1001e690
mv_hwframe_map	305	0x1001e450
mv_hwframe_transfer_data	306	0x1001dd70
mv_hwframe_transfer_get_formats	307	0x1001dd40
mv_i2int	308	0x10024fb0
mv_image_alloc	309	0x10021d20
mv_image_check_sar	310	0x100222b0
mv_image_check_size	311	0x100221c0
mv_image_check_size2	312	0x10022070
mv_image_copy	313	0x10022610
mv_image_copy_plane	314	0x100224f0
mv_image_copy_plane_uc_from	315	0x10022390
mv_image_copy_to_buffer	316	0x10023350
mv_image_copy_uc_from	317	0x10022af0
mv_image_fill_arrays	318	0x10022fe0
mv_image_fill_black	319	0x10023620
mv_image_fill_linesizes	320	0x100215d0
mv_image_fill_max_pixsteps	321	0x10021380
mv_image_fill_plane_sizes	322	0x100219b0
mv_image_fill_pointers	323	0x10021af0
mv_image_get_buffer_size	324	0x10023180
mv_image_get_linesize	325	0x10021480
mv_int2i	326	0x10024f80
mv_int_list_length_for_size	327	0x1008cda0
mv_lfg_init	328	0x100a7ee0
mv_lfg_init_from_data	329	0x10025100
mv_log	330	0x10026560
mv_log2	331	0x10024fc0
mv_log2_16bit	332	0x10024fd0
mv_log2_i	333	0x10023dd0
mv_log_default_callback	334	0x10025b10
mv_log_format_line	335	0x10026550
mv_log_format_line2	336	0x10026250
mv_log_get_flags	337	0x10026710
mv_log_get_level	338	0x100266e0
mv_log_once	339	0x100265d0
mv_log_set_callback	340	0x10026720
mv_log_set_flags	341	0x10026700
mv_log_set_level	342	0x100266f0
mv_lzo1x_decode	343	0x10026870
mv_malloc	344	0x10028d50
mv_malloc_array	345	0x10028ec0
mv_mallocz	346	0x10029100
mv_mallocz_array	347	0x10028f20
mv_mastering_display_metadata_alloc	348	0x10026f40
mv_mastering_display_metadata_create_side_data	349	0x10026f60
mv_match_list	350	0x100075a0
mv_match_name	351	0x10007100
mv_max_alloc	352	0x10028d40
mv_md5_alloc	353	0x10028790
mv_md5_final	354	0x100289f0
mv_md5_init	355	0x100287b0
mv_md5_size	356	0x100b7208
mv_md5_sum	357	0x10028b00
mv_md5_update	358	0x100287e0
mv_memcpy_backptr	359	0x10029830
mv_memdup	360	0x100294a0
mv_mod_i	361	0x100243c0
mv_mul_i	362	0x10023e60
mv_mul_q	363	0x100358c0
mv_murmur3_alloc	364	0x10029fc0
mv_murmur3_final	365	0x1002a800
mv_murmur3_init	366	0x1002a0d0
mv_murmur3_init_seeded	367	0x10029fe0
mv_murmur3_update	368	0x1002a1b0
mv_nearer_q	369	0x10035ca0
mv_opt_child_class_iterate	370	0x100303a0
mv_opt_child_next	371	0x10030380
mv_opt_copy	372	0x10030430
mv_opt_eval_double	373	0x1002f620
mv_opt_eval_flags	374	0x1002f520
mv_opt_eval_float	375	0x1002f5e0
mv_opt_eval_int	376	0x1002f560
mv_opt_eval_int64	377	0x1002f5a0
mv_opt_eval_q	378	0x1002f660
mv_opt_find	379	0x1002ee70
mv_opt_find2	380	0x1002ec60
mv_opt_flag_is_set	381	0x100302d0
mv_opt_free	382	0x1002ebd0
mv_opt_freep_ranges	383	0x10030760
mv_opt_get	384	0x1002d870
mv_opt_get_channel_layout	385	0x1002e4c0
mv_opt_get_chlayout	386	0x1002e550
mv_opt_get_dict_val	387	0x1002e5e0
mv_opt_get_double	388	0x1002df00
mv_opt_get_image_size	389	0x1002e1a0
mv_opt_get_int	390	0x1002dd90
mv_opt_get_key_value	391	0x1002ea50
mv_opt_get_pixel_fmt	392	0x1002e3c0
mv_opt_get_q	393	0x1002e010
mv_opt_get_sample_fmt	394	0x1002e440
mv_opt_get_video_rate	395	0x1002e230
mv_opt_is_set_to_default	396	0x10030800
mv_opt_is_set_to_default_by_name	397	0x10030d80
mv_opt_next	398	0x1002c760
mv_opt_ptr	399	0x100303c0
mv_opt_query_ranges	400	0x10030700
mv_opt_query_ranges_default	401	0x1002b9f0
mv_opt_serialize	402	0x10030dd0
mv_opt_set	403	0x1002f6a0
mv_opt_set_bin	404	0x1002cfc0
mv_opt_set_channel_layout	405	0x1002d730
mv_opt_set_chlayout	406	0x1002d820
mv_opt_set_defaults	407	0x1002ea30
mv_opt_set_defaults2	408	0x1002e6b0
mv_opt_set_dict	409	0x100302a0
mv_opt_set_dict2	410	0x10030180
mv_opt_set_dict_val	411	0x1002d7b0
mv_opt_set_double	412	0x1002c9d0
mv_opt_set_from_string	413	0x1002ff20
mv_opt_set_image_size	414	0x1002d120
mv_opt_set_int	415	0x1002c7b0
mv_opt_set_pixel_fmt	416	0x1002d510
mv_opt_set_q	417	0x1002ccc0
mv_opt_set_sample_fmt	418	0x1002d620
mv_opt_set_video_rate	419	0x1002d1e0
mv_opt_show2	420	0x1002e640
mv_parse_color	421	0x10031420
mv_parse_cpu_caps	422	0x1000f8b0
mv_parse_ratio	423	0x100310f0
mv_parse_time	424	0x10031c30
mv_parse_video_rate	425	0x100312c0
mv_parse_video_size	426	0x10031200
mv_pix_fmt_count_planes	427	0x10034870
mv_pix_fmt_desc_get	428	0x10034790
mv_pix_fmt_desc_get_id	429	0x10034800
mv_pix_fmt_desc_next	430	0x100347c0
mv_pix_fmt_get_chroma_sub_sample	431	0x10034830
mv_pix_fmt_swap_endianness	432	0x10034920
mv_pixelutils_get_sad_fn	433	0x10035000
mv_q2intfloat	434	0x10036090
mv_rc4_alloc	435	0x100363e0
mv_rc4_crypt	436	0x100364e0
mv_rc4_init	437	0x10036400
mv_read_image_line	438	0x100339c0
mv_read_image_line2	439	0x10033270
mv_realloc	440	0x10028da0
mv_realloc_array	441	0x10029010
mv_realloc_f	442	0x10028de0
mv_reallocp	443	0x10028e40
mv_reallocp_array	444	0x10029050
mv_reduce	445	0x100353b0
mv_rescale	446	0x10027760
mv_rescale_delta	447	0x10027a80
mv_rescale_q	448	0x100277e0
mv_rescale_q_rnd	449	0x100277b0
mv_rescale_rnd	450	0x10027220
mv_ripemd_alloc	451	0x1003c470
mv_ripemd_final	452	0x1003c6e0
mv_ripemd_init	453	0x100a7f8c
mv_ripemd_size	454	0x100bf9a4
mv_ripemd_update	455	0x1003c490
mv_sample_fmt_is_planar	456	0x1003cb70
mv_samples_alloc	457	0x1003ce40
mv_samples_alloc_array_and_samples	458	0x1003d010
mv_samples_copy	459	0x1003d270
mv_samples_fill_arrays	460	0x1003ccd0
mv_samples_get_buffer_size	461	0x1003cb90
mv_samples_set_silence	462	0x1003d450
mv_set_options_string	463	0x1002fd50
mv_sha512_alloc	464	0x1004c260
mv_sha512_final	465	0x1004c4c0
mv_sha512_init	466	0x100a81b0
mv_sha512_size	467	0x100bfaec
mv_sha512_update	468	0x1004c280
mv_sha_alloc	469	0x100411a0
mv_sha_final	470	0x10041410
mv_sha_init	471	0x100a80b4
mv_sha_size	472	0x100bfae4
mv_sha_update	473	0x100411c0
mv_shr_i	474	0x10024280
mv_size_mult	475	0x10029fa0
mv_small_strptime	476	0x10031790
mv_spherical_alloc	477	0x1004d120
mv_spherical_from_name	478	0x1004d280
mv_spherical_projection_name	479	0x1004d260
mv_spherical_tile_bounds	480	0x1004d150
mv_sscanf	481	0x10002f80
mv_stereo3d_alloc	482	0x1004d2d0
mv_stereo3d_create_side_data	483	0x1004d2f0
mv_stereo3d_from_name	484	0x1004d360
mv_stereo3d_type_name	485	0x1004d340
mv_strcasecmp	486	0x10006b30
mv_strdup	487	0x100292e0
mv_strerror	488	0x10013b30
mv_strireplace	489	0x10006bf0
mv_stristart	490	0x10006580
mv_stristr	491	0x100065f0
mv_strlcat	492	0x10006750
mv_strlcatf	493	0x100067f0
mv_strlcpy	494	0x100066e0
mv_strncasecmp	495	0x10006b80
mv_strndup	496	0x100293b0
mv_strnstr	497	0x10006660
mv_strstart	498	0x10006530
mv_strtod	499	0x100150e0
mv_strtok	500	0x10006aa0
mv_sub_i	501	0x10023d00
mv_sub_q	502	0x10035a10
mv_tea_alloc	503	0x1004d460
mv_tea_crypt	504	0x1004d4b0
mv_tea_init	505	0x1004d480
mv_tea_size	506	0x100bfc60
mv_tempfile	507	0x100195a0
mv_thread_message_flush	508	0x1004db40
mv_thread_message_queue_alloc	509	0x1004d700
mv_thread_message_queue_free	510	0x1004d7d0
mv_thread_message_queue_nb_elems	511	0x1004d880
mv_thread_message_queue_recv	512	0x1004d9b0
mv_thread_message_queue_send	513	0x1004d8d0
mv_thread_message_queue_set_err_recv	514	0x1004daf0
mv_thread_message_queue_set_err_send	515	0x1004daa0
mv_thread_message_queue_set_free_func	516	0x1004d7c0
mv_timecode_adjust_ntsc_framenum2	517	0x1004dd30
mv_timecode_check_frame_rate	518	0x1004e8c0
mv_timecode_get_smpte	519	0x1004e080
mv_timecode_get_smpte_from_framenum	520	0x1004ddd0
mv_timecode_init	521	0x1004e930
mv_timecode_init_from_components	522	0x1004ea50
mv_timecode_init_from_string	523	0x1004ec80
mv_timecode_make_mpeg_tc_string	524	0x1004e850
mv_timecode_make_smpte_tc_string	525	0x1004e720
mv_timecode_make_smpte_tc_string2	526	0x1004e520
mv_timecode_make_string	527	0x1004e270
mv_timegm	528	0x10031b50
mv_tree_destroy	529	0x1004f8f0
mv_tree_enumerate	530	0x1004fad0
mv_tree_find	531	0x1004ef60
mv_tree_insert	532	0x1004f020
mv_tree_node_alloc	533	0x1004ef40
mv_tree_node_size	534	0x100bfd80
mv_twofish_alloc	535	0x10050090
mv_twofish_crypt	536	0x100500b0
mv_twofish_init	537	0x100a8637
mv_twofish_size	538	0x100bfda0
mv_tx_init	539	0x100a9843
mv_tx_uninit	540	0x100a8f2b
mv_usleep	541	0x1004dc70
mv_utf8_decode	542	0x10007270
mv_util_ffversion	543	0x100c3fa0
mv_uuid_parse	544	0x1008d110
mv_uuid_parse_range	545	0x1008cff0
mv_uuid_unparse	546	0x1008d160
mv_uuid_urn_parse	547	0x1008d3e0
mv_vbprintf	548	0x10008b70
mv_version_info	549	0x1008d440
mv_video_enc_params_alloc	550	0x1008d480
mv_video_enc_params_create_side_data	551	0x1008d500
mv_vk_frame_alloc	552	0x10021370
mv_vkfmt_from_pixfmt	553	0x10021360
mv_vlog	554	0x10026650
mv_write_image_line	555	0x10034210
mv_write_image_line2	556	0x10033e70
mv_xtea_alloc	557	0x10090760
mv_xtea_crypt	558	0x100907d0
mv_xtea_init	559	0x10090780
mv_xtea_le_crypt	560	0x10090910
mv_xtea_le_init	561	0x100907b0
mvpriv_alloc_fixed_dsp	562	0x10019fa0
mvpriv_cga_font	563	0x100c59e0
mvpriv_dict_set_timestamp	564	0x10012370
mvpriv_float_dsp_alloc	565	0x100a7b20
mvpriv_fopen_utf8	566	0x10019a90
mvpriv_get_gamma_from_trc	567	0x1000f7d0
mvpriv_get_trc_function_from_trc	568	0x1000f800
mvpriv_init_lls	569	0x100a7f58
mvpriv_open	570	0x100195e0
mvpriv_report_missing_feature	571	0x100267e0
mvpriv_request_sample	572	0x10026730
mvpriv_scalarproduct_float_c	573	0x1001a2e0
mvpriv_set_systematic_pal2	574	0x10021bf0
mvpriv_slicethread_create	575	0x1004ce50
mvpriv_slicethread_execute	576	0x1004cb50
mvpriv_slicethread_free	577	0x1004cd20
mvpriv_solve_lls	578	0x10025270
mvpriv_tempfile	579	0x10019970
mvpriv_vga16_font	580	0x100c49e0
mvutil_configuration	581	0x1008d460
mvutil_license	582	0x1008d470
next	583	0x1001db90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 02:02:22.217406034 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.217477083 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.217608929 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.222136021 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.222172976 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.798540115 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.798861980 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.800134897 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.800321102 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.970849037 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.970912933 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.971321106 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:22.971414089 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:22.973323107 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:23.016307116 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:23.159967899 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:23.160077095 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:23.160154104 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:23.160188913 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:23.167185068 CEST	49717	443	192.168.2.7	54.68.22.26
May 31, 2023 02:02:23.167221069 CEST	443	49717	54.68.22.26	192.168.2.7
May 31, 2023 02:02:23.381382942 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.381433964 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.381619930 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.382040977 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.382050037 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.729975939 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.730148077 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.737595081 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.737623930 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.738604069 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.738724947 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.739537001 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.784292936 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.878252029 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.878355026 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:23.878511906 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.879931927 CEST	49719	443	192.168.2.7	188.28.19.84
May 31, 2023 02:02:23.879971981 CEST	443	49719	188.28.19.84	192.168.2.7
May 31, 2023 02:02:30.214867115 CEST	49720	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:30.214956999 CEST	443	49720	151.65.167.77	192.168.2.7
May 31, 2023 02:02:30.215068102 CEST	49720	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:30.215715885 CEST	49720	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:30.215749025 CEST	443	49720	151.65.167.77	192.168.2.7
May 31, 2023 02:02:33.266273022 CEST	443	49720	151.65.167.77	192.168.2.7
May 31, 2023 02:02:33.268630981 CEST	49721	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:33.268682957 CEST	443	49721	151.65.167.77	192.168.2.7
May 31, 2023 02:02:33.268814087 CEST	49721	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:33.269289970 CEST	49721	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:33.269305944 CEST	443	49721	151.65.167.77	192.168.2.7
May 31, 2023 02:02:36.312355042 CEST	443	49721	151.65.167.77	192.168.2.7
May 31, 2023 02:02:36.313607931 CEST	49722	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.313669920 CEST	443	49722	151.65.167.77	192.168.2.7
May 31, 2023 02:02:36.313827038 CEST	49722	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.313883066 CEST	49722	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.313992023 CEST	443	49722	151.65.167.77	192.168.2.7
May 31, 2023 02:02:36.314107895 CEST	49722	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.320297956 CEST	49723	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.320383072 CEST	443	49723	151.65.167.77	192.168.2.7
May 31, 2023 02:02:36.320509911 CEST	49723	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.321021080 CEST	49723	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:36.321054935 CEST	443	49723	151.65.167.77	192.168.2.7
May 31, 2023 02:02:39.346327066 CEST	443	49723	151.65.167.77	192.168.2.7
May 31, 2023 02:02:39.347172022 CEST	49724	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:39.347234964 CEST	443	49724	151.65.167.77	192.168.2.7
May 31, 2023 02:02:39.347326040 CEST	49724	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:39.347657919 CEST	49724	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:39.347682953 CEST	443	49724	151.65.167.77	192.168.2.7
May 31, 2023 02:02:42.388771057 CEST	443	49724	151.65.167.77	192.168.2.7
May 31, 2023 02:02:42.392713070 CEST	49725	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:42.392765999 CEST	443	49725	151.65.167.77	192.168.2.7
May 31, 2023 02:02:42.392920017 CEST	49725	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:42.393048048 CEST	49725	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:42.393121958 CEST	443	49725	151.65.167.77	192.168.2.7
May 31, 2023 02:02:42.393188000 CEST	49725	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:44.412055016 CEST	49726	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:44.412113905 CEST	443	49726	151.65.167.77	192.168.2.7
May 31, 2023 02:02:44.412271023 CEST	49726	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:44.412748098 CEST	49726	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:44.412775993 CEST	443	49726	151.65.167.77	192.168.2.7
May 31, 2023 02:02:45.424145937 CEST	443	49726	151.65.167.77	192.168.2.7
May 31, 2023 02:02:45.445744038 CEST	49727	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:45.445832014 CEST	443	49727	151.65.167.77	192.168.2.7
May 31, 2023 02:02:45.445946932 CEST	49727	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:45.446810961 CEST	49727	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:45.446844101 CEST	443	49727	151.65.167.77	192.168.2.7
May 31, 2023 02:02:48.500128984 CEST	443	49727	151.65.167.77	192.168.2.7
May 31, 2023 02:02:48.501063108 CEST	49728	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.501131058 CEST	443	49728	151.65.167.77	192.168.2.7
May 31, 2023 02:02:48.501234055 CEST	49728	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.501379013 CEST	49728	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.501425028 CEST	443	49728	151.65.167.77	192.168.2.7
May 31, 2023 02:02:48.501482964 CEST	49728	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.505054951 CEST	49729	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.505112886 CEST	443	49729	151.65.167.77	192.168.2.7
May 31, 2023 02:02:48.505228043 CEST	49729	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.508205891 CEST	49729	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:48.508240938 CEST	443	49729	151.65.167.77	192.168.2.7
May 31, 2023 02:02:51.520582914 CEST	443	49729	151.65.167.77	192.168.2.7
May 31, 2023 02:02:51.521598101 CEST	49730	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:51.521647930 CEST	443	49730	151.65.167.77	192.168.2.7
May 31, 2023 02:02:51.521744013 CEST	49730	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:51.522054911 CEST	49730	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:51.522068977 CEST	443	49730	151.65.167.77	192.168.2.7
May 31, 2023 02:02:54.560349941 CEST	443	49730	151.65.167.77	192.168.2.7
May 31, 2023 02:02:54.561491966 CEST	49731	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:54.561532974 CEST	443	49731	151.65.167.77	192.168.2.7
May 31, 2023 02:02:54.561619043 CEST	49731	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:54.561772108 CEST	49731	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:54.561831951 CEST	443	49731	151.65.167.77	192.168.2.7
May 31, 2023 02:02:54.561923981 CEST	49731	443	192.168.2.7	151.65.167.77
May 31, 2023 02:02:59.585588932 CEST	49732	443	192.168.2.7	102.159.188.125
May 31, 2023 02:02:59.585655928 CEST	443	49732	102.159.188.125	192.168.2.7
May 31, 2023 02:02:59.585822105 CEST	49732	443	192.168.2.7	102.159.188.125
May 31, 2023 02:02:59.586406946 CEST	49732	443	192.168.2.7	102.159.188.125
May 31, 2023 02:02:59.586431026 CEST	443	49732	102.159.188.125	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 02:02:22.186750889 CEST	53336	53	192.168.2.7	8.8.8.8
May 31, 2023 02:02:22.207051992 CEST	53	53336	8.8.8.8	192.168.2.7
May 31, 2023 02:02:23.170655966 CEST	51007	53	192.168.2.7	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 31, 2023 02:02:22.186750889 CEST	192.168.2.7	8.8.8.8	0x1ce8	Standard query (0)	broadcom.com	A (IP address)	IN (0x0001)	false
May 31, 2023 02:02:23.170655966 CEST	192.168.2.7	8.8.8.8	0x13d5	Standard query (0)	www.broadcom.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 31, 2023 02:02:22.207051992 CEST	8.8.8.8	192.168.2.7	0x1ce8	No error (0)	broadcom.com		54.68.22.26	A (IP address)	IN (0x0001)	false
May 31, 2023 02:02:22.207051992 CEST	8.8.8.8	192.168.2.7	0x1ce8	No error (0)	broadcom.com		50.112.202.115	A (IP address)	IN (0x0001)	false
May 31, 2023 02:02:22.207051992 CEST	8.8.8.8	192.168.2.7	0x1ce8	No error (0)	broadcom.com		52.13.171.212	A (IP address)	IN (0x0001)	false
May 31, 2023 02:02:23.211779118 CEST	8.8.8.8	192.168.2.7	0x13d5	No error (0)	www.broadcom.com	cdn.broadcom.com		CNAME (Canonical name)	IN (0x0001)	false
May 31, 2023 02:02:23.211779118 CEST	8.8.8.8	192.168.2.7	0x13d5	No error (0)	cdn.broadcom.com	www.broadcom.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

broadcom.com

188.28.19.84

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49717	54.68.22.26	443	C:\Windows\SysWOW64\wermgr.exe

Timestamp	Direction	Data
2023-05-31 00:02:22 UTC	OUT	GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: broadcom.com Cache-Control: no-cache
2023-05-31 00:02:23 UTC	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 31 May 2023 00:02:23 GMT Server: Apache Location: https://www.broadcom.com/ Content-Length: 233 Connection: close Content-Type: text/html; charset=iso-8859-1
2023-05-31 00:02:23 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 72 6f 61 64 63 6f 6d 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.broadcom.com/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49719	188.28.19.84	443	C:\Windows\SysWOW64\wermgr.exe

Timestamp	kBytes transferred	Direction	Data
2023-05-31 00:02:23 UTC	0	OUT	POST /t5 HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 188.28.19.84 Content-Length: 78 Cache-Control: no-cache
2023-05-31 00:02:23 UTC	0	OUT	Data Raw: 70 75 73 73 6d 67 6a 7a 72 3d 6b 36 32 68 6b 57 68 66 71 4f 53 69 45 65 70 69 6c 48 34 34 41 2b 6b 66 67 52 53 42 38 44 2f 77 52 4c 59 54 32 66 6c 58 54 45 71 2f 34 51 74 32 62 30 43 75 38 6d 39 54 52 71 42 30 44 5a 72 38 72 41 3d 3d Data Ascii: pussmgjzr=k62hkWhfqOSiEepilH44A+kfgRSB8D/wRLYT2flXTEq/4Qt2b0Cu8m9TRqB0DZr8rA==
2023-05-31 00:02:23 UTC	1	IN	HTTP/1.1 200 OK Date: Wed, 31 May 2023 00:02:23 GMT Transfer-Encoding: chunked Connection: close Server: nginx/1.9.12
2023-05-31 00:02:23 UTC	1	IN	Data Raw: 32 39 0d 0a 50 61 72 73 65 48 54 54 50 52 65 73 70 6f 6e 73 65 28 29 20 66 61 69 6c 65 64 20 70 43 75 72 6c 52 65 73 70 3d 4e 55 4c 4c 0d 0a 30 0d 0a 0d 0a Data Ascii: 29ParseHTTPResponse() failed pCurlResp=NULL0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 7028, Parent PID: 3320

General

Target ID:	0
Start time:	01:59:08
Start date:	31/05/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\A649.dll"
Imagebase:	0xa10000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2872, Parent PID: 7028

General

Target ID:	1
Start time:	01:59:08
Start date:	31/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3220, Parent PID: 7028

General

Target ID:	2
Start time:	01:59:08
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Imagebase:	0xa60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3828, Parent PID: 7028

General

Target ID:	3
Start time:	01:59:08
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_i
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2756, Parent PID: 3220

General

Target ID:	4
Start time:	01:59:08
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",#1
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4008, Parent PID: 3828

General

Target ID:	8
Start time:	01:59:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 656
Imagebase:	0x10a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5732, Parent PID: 2756

General

Target ID:	9
Start time:	01:59:09
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 664
Imagebase:	0x10a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1196, Parent PID: 7028

General

Target ID:	10
Start time:	01:59:11
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_q
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3980, Parent PID: 7028

General

Target ID:	12
Start time:	01:59:14
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\A649.dll,mv_add_stable
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5920, Parent PID: 3980

General

Target ID:	14
Start time:	01:59:15
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 652
Imagebase:	0x10a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2252, Parent PID: 7028

General

Target ID:	15
Start time:	01:59:17
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_i
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3628, Parent PID: 7028

General

Target ID:	16
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_q
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6000, Parent PID: 7028

General

Target ID:	17
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",mv_add_stable
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5088, Parent PID: 7028

General

Target ID:	18
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",next
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.365037551.000000000075A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.365131799.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2704, Parent PID: 7028

General

Target ID:	20
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_license
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7180, Parent PID: 7028

General

Target ID:	21
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\A649.dll",mvutil_configuration
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7224, Parent PID: 2252

General

Target ID:	23
Start time:	01:59:18
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 652
Imagebase:	0x10a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 7340, Parent PID: 5088

General

Target ID:	24
Start time:	01:59:22
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0xe30000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 3828, Parent PID: 7028COMMON

Non-executed Functions

Function 100206A7 Relevance: 142.6, APIs: 68, Strings: 13, Instructions: 805libraryCOMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 100206E2
mv_mallocz.A649 ref: 100206F2
MultiByteToWideChar.KERNEL32 ref: 1002074D
mv_calloc.A649 ref: 10020768
MultiByteToWideChar.KERNEL32 ref: 100207A0
LoadLibraryExW.KERNEL32 ref: 100207F2
MultiByteToWideChar.KERNEL32 ref: 1002083E
mv_calloc.A649 ref: 10020859
MultiByteToWideChar.KERNEL32 ref: 10020891
LoadLibraryExW.KERNEL32 ref: 100208D9
GetDesktopWindow.USER32 ref: 10020A0C
mv_log.A649 ref: 10020A76
_errno.MSVCRT ref: 10020AFA
mv_log.A649 ref: 10020B82
_errno.MSVCRT ref: 10020B9A
mv_log.A649 ref: 10020C18
wcslen.MSVCRT ref: 10020E1E
mv_realloc_array.A649 ref: 10020E84
LoadLibraryExA.KERNEL32 ref: 10020ED6
mv_log.A649 ref: 10021263
mv_log.A649 ref: 100212AF
mv_log.A649 ref: 100212D5

Strings

SetDefaultDllDirectories, xrefs: 100207B7, 100208A3, 10020B22, 10020BBD
Using D3D9Ex device., xrefs: 10020A61
Failed to open device handle, xrefs: 100212C0
Direct3DCreate9Ex, xrefs: 10020986
Direct3DCreate9, xrefs: 10020C87
Failed to bind Direct3D device to device manager, xrefs: 1002129A
DXVA2CreateDirect3DDeviceManager9, xrefs: 100208FA
Failed to load DXVA2 library, xrefs: 10020BFC
dxva2.dll, xrefs: 1002081B, 10020877, 10020EF0
Failed to locate DXVA2CreateDirect3DDeviceManager9, xrefs: 1002124E
d3d9.dll, xrefs: 10020722, 10020786, 10020EC0
Failed to load D3D9 library, xrefs: 10020B66
Failed to create Direct3D device manager, xrefs: 1002126D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$ByteCharMultiWide$LibraryLoad$_errnomv_calloc$DesktopWindowatoimv_malloczmv_realloc_arraywcslen
String ID: DXVA2CreateDirect3DDeviceManager9$Direct3DCreate9$Direct3DCreate9Ex$Failed to bind Direct3D device to device manager$Failed to create Direct3D device manager$Failed to load D3D9 library$Failed to load DXVA2 library$Failed to locate DXVA2CreateDirect3DDeviceManager9$Failed to open device handle$SetDefaultDllDirectories$Using D3D9Ex device.$d3d9.dll$dxva2.dll
API String ID: 2285110006-3565051934
Opcode ID: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
Instruction ID: 81d1aa8d4d65b830f3c484e294571b6d288d1a976026b3de523a4ddd3e2ab054
Opcode Fuzzy Hash: 81119a8c00db03e304e4471758cb6eecfd6299740ba6e44e8e551f5fdf6c1372
Instruction Fuzzy Hash: B372CFB49097459FD750EF68D58461EBBE1FF88344F91892EE888C7351EB78D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000DD40 Relevance: 88.2, APIs: 46, Strings: 4, Instructions: 685stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1000DD7C

Strings

%d channels (%[^)], xrefs: 1000DE67
mono, xrefs: 1000DD56
ambisonic , xrefs: 1000DDB0
channels, xrefs: 1000E600

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmp
String ID: channels$%d channels (%[^)]$ambisonic $mono
API String ID: 1004003707-221731140
Opcode ID: 3fcea38b41cec4d3ebdd14d00128d4641ef764b39a3a1557bded19b5732e6eea
Instruction ID: af13545016f1191d554496b72978131d65e8235d82ba03aef5ebe22e60126d8d
Opcode Fuzzy Hash: 3fcea38b41cec4d3ebdd14d00128d4641ef764b39a3a1557bded19b5732e6eea
Instruction Fuzzy Hash: 42523574A083818FE350DF28C48065EFBE1EF89384F56892EE8999B355E775ED41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4D0 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 306
COMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E1000D4D0(void* __ebx, void* __edi, void* __esi) {
				char _t142;
				intOrPtr _t144;
				signed int _t145;
				signed int _t148;
				char _t160;
				signed int _t163;
				signed int _t166;
				unsigned int _t178;
				signed int _t182;
				char* _t191;
				char _t192;
				char* _t206;
				void* _t211;
				unsigned int _t227;
				intOrPtr _t238;
				intOrPtr _t241;
				signed int _t243;
				signed int _t250;
				signed int _t272;
				intOrPtr _t273;
				char* _t280;
				unsigned int _t284;
				intOrPtr _t285;
				signed int _t289;
				signed int _t292;
				void* _t293;
				char* _t329;
				unsigned int _t330;
				unsigned int _t332;
				signed int _t333;
				signed int _t337;
				unsigned int _t341;
				unsigned int _t351;
				char* _t353;
				intOrPtr _t379;
				char* _t380;
				signed int _t381;
				signed int _t382;
				char* _t386;
				unsigned int _t387;
				signed int _t388;
				char* _t390;
				signed int _t395;
				void* _t397;
				signed int _t399;
				signed int _t402;
				void* _t403;
				char _t420;
				signed int _t421;
				char* _t423;
				signed int _t425;
				char* _t426;
				char* _t428;
				void* _t431;
				char** _t432;
				char** _t434;
				char** _t435;
				intOrPtr* _t438;
				void* _t440;

				_push(__edi);
				_push(__esi);
				_push(__ebx);
				_t432 = _t431 - 0x2c;
				_t423 = _t432[0x10];
				_t432[6] = _t432[0x11];
				_t142 =  *_t423;
				_t440 = _t142 - 2;
				if(_t440 == 0) {
					L60();
					if(_t432[6] >= 0) {
						goto L8;
					} else {
						goto L14;
					}
					goto L12;
				} else {
					if(_t440 > 0) {
						if(_t142 != 3) {
							_t144 = 0xffffffea;
							goto L12;
						} else {
							_t191 = _t432[6];
							_t434 =  &(_t432[0xb]);
							_t353 = _t423;
							_pop(_t273);
							_pop(_t403);
							_pop(_t389);
							_pop(_t427);
							_t428 = _t353;
							_t390 = _t191;
							_push(_t403);
							_push(_t273);
							_t435 = _t434 - 0x4c;
							_t192 =  *_t353;
							if(_t192 == 3) {
								_t206 = _t428[4];
								_t280 =  &(_t206[ !((((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[8] - (_t353[8] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + (((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + (((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) & 0x33333333) + (_t353[0xc] - (_t353[0xc] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
								goto L74;
							} else {
								_t332 = _t353[8];
								if(_t192 != 2) {
									_t435[5] = 0x29a;
									_t435[1] = 0;
									 *_t435 = 0;
									_t435[4] = "libavutil/channel_layout.c";
									_t435[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
									_t435[2] = "Assertion %s failed at %s:%d\n";
									E10026560();
									abort();
									_t438 = _t435 - 0x41c;
									 *((intOrPtr*)(_t438 + 0x418)) = _t273;
									_t238 =  *((intOrPtr*)(_t438 + 0x424));
									_t379 =  *((intOrPtr*)(_t438 + 0x428));
									if(_t238 != 0 || _t379 == 0) {
										 *((intOrPtr*)(_t438 + 8)) = _t379;
										_t285 = _t438 + 0x10;
										 *((intOrPtr*)(_t438 + 4)) = _t238;
										 *_t438 = _t285;
										E100089A0();
										 *((intOrPtr*)(_t438 + 4)) = _t285;
										 *_t438 =  *((intOrPtr*)(_t438 + 0x420));
										_t241 = E1000D4D0(_t285, _t390, _t403);
										if(_t241 >= 0) {
											_t241 =  *((intOrPtr*)(_t438 + 0x14));
										}
									} else {
										_t241 = 0xffffffea;
									}
									return _t241;
								} else {
									_t420 = _t353[4];
									_t380 = 0;
									_t280 = 0xffffffff;
									if(_t420 > 0) {
										do {
											_t206 =  *_t332 - 0x400;
											if(_t206 > 0x3ff) {
												goto L67;
											} else {
												if(_t380 > 0) {
													if( *((intOrPtr*)(_t332 - 0x18)) - 0x400 > 0x3ff || _t206 != _t380) {
														goto L72;
													} else {
														goto L66;
													}
												} else {
													if(_t206 > 0x3ff) {
														goto L67;
													} else {
														if(_t206 == _t380) {
															L66:
															_t280 = _t380;
															goto L67;
														} else {
															goto L72;
														}
													}
												}
											}
											goto L91;
											L67:
											_t380 =  &(_t380[1]);
											_t332 = _t332 + 0x18;
										} while (_t380 != _t420);
										L74:
										if(_t280 < 0) {
											goto L72;
										} else {
											asm("pxor xmm0, xmm0");
											asm("cvtsi2sd xmm0, ebx");
											asm("sqrtsd xmm0, xmm0");
											asm("cvttsd2si eax, xmm0");
											_t406 =  &(_t206[1]) *  &(_t206[1]);
											if(_t406 !=  &(_t280[1])) {
												goto L72;
											} else {
												_t435[2] = _t206;
												_t435[1] = "ambisonic %d";
												 *_t435 = _t390;
												E100089C0();
												_t329 = _t428[4];
												if(_t329 > _t406) {
													_t211 = 0;
													do {
														 *((intOrPtr*)(_t435 + _t211 + 0x28)) = 0;
														 *((intOrPtr*)(_t435 + _t211 + 0x2c)) = 0;
														_t211 = _t211 + 8;
													} while (_t211 < 0x18);
													if( *_t428 == 3) {
														_t330 = _t428[8];
														_t435[0xa] = 1;
														_t284 = _t428[0xc];
														_t435[0xc] = _t330;
														_t435[0xd] = _t284;
														_t227 = (((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t284 - (_t284 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
														_t406 = _t227 >> 0x10;
														_t435[0xb] = ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t330 - (_t330 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t227 + (_t227 >> 0x00000010) & 0x0000003f);
													} else {
														_t284 = 2;
														_t435[0xa] = 2;
														_t435[0xb] = _t329 - _t406;
														_t435[0xc] = _t428[8] + (_t406 + _t406 * 2) * 8;
													}
													 *_t435 = _t390;
													_t435[2] = 1;
													_t435[1] = 0x2b;
													E10008D20();
													_t435[1] = _t390;
													 *_t435 =  &(_t435[0xa]);
													E1000D4D0(_t284, _t390, _t406);
												}
												return 0;
											}
										}
									} else {
										L72:
										return 0xffffffea;
									}
								}
							}
						}
					} else {
						if(_t142 == 0) {
							_t148 = _t423[4];
							goto L59;
						} else {
							_t421 = _t423[8];
							_t243 = 4;
							_t333 = 0;
							_t289 = _t423[0xc];
							_t381 = 0;
							while((_t333 ^ _t289 | _t243 ^ _t421) != 0) {
								_t381 =  &(1[_t381]);
								if(_t381 == 0x1f) {
									L14:
									_t145 = _t423[4];
									if(_t145 != 0) {
										_t432[2] = _t145;
										_t432[1] = "%d channels (";
										 *_t432 = _t432[6];
										E100089C0();
										_t395 = _t423[4];
										if(_t395 > 0) {
											_t425 = 0;
											_t386 = _t423;
											goto L19;
											do {
												do {
													L19:
													if(_t425 >= _t395) {
														L57:
														_t432[1] = 0x100b1acf;
														 *_t432 = _t432[6];
														E100089C0();
														goto L24;
													} else {
														_t160 =  *_t386;
														if(_t160 == 2) {
															_t292 =  *(_t386[8] + (_t425 + _t425 * 2) * 8);
															_t250 = _t292 - 0x400;
															if(_t425 != 0) {
																_t432[4] = _t292;
																_t432[1] = 0x100b1acf;
																 *_t432 = _t432[6];
																E100089C0();
																_t292 = _t432[4];
															}
															if(_t250 > 0x3ff) {
																goto L53;
															} else {
																goto L51;
															}
														} else {
															if(_t160 == 3) {
																_t178 = _t386[8];
																_t432[4] = _t178;
																_t432[5] = _t386[0xc];
																_t397 = _t395 - (((((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000010) + (((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t178 - (_t178 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t178 - (_t178 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) & 0x0000003f) + ((((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) + (((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) + ((_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t432[5] - (_t432[5] >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f);
																_t272 = _t425 - _t397;
																if(_t425 >= _t397) {
																	goto L32;
																} else {
																	_t250 = 0;
																	if(_t425 == 0) {
																		L51:
																		_t432[2] = _t250;
																		_t432[1] = "AMBI%d";
																		 *_t432 = _t432[6];
																		E100089C0();
																	} else {
																		_t250 = _t425;
																		_t432[1] = 0x100b1acf;
																		_t64 = _t425 + 0x400; // 0x401
																		_t432[4] = _t64;
																		 *_t432 = _t432[6];
																		E100089C0();
																		_t292 = _t432[4];
																		if(_t425 <= 0x3ff) {
																			goto L51;
																		} else {
																			goto L47;
																		}
																	}
																}
															} else {
																if(_t160 == 1) {
																	_t272 = _t425;
																	_t432[4] = _t386[8];
																	_t432[5] = _t386[0xc];
																	L32:
																	_t432[7] = _t425;
																	_t182 = _t432[4];
																	_t292 = 0;
																	_t351 = _t432[5];
																	_t426 = _t386;
																	do {
																		_t387 = _t351;
																		_t399 = (_t387 << 0x00000020 | _t182) >> _t292;
																		_t388 = _t387 >> _t292;
																		if((_t292 & 0x00000020) != 0) {
																			_t399 = _t388;
																		}
																		if((_t399 & 0x00000001) == 0) {
																			goto L34;
																		} else {
																			_t49 = _t272 - 1; // 0x0
																			_t402 = _t49;
																			if(_t272 != 0) {
																				_t272 = _t402;
																				goto L34;
																			} else {
																				_t386 = _t426;
																				_t425 = _t432[7];
																				if(_t425 != 0) {
																					_t432[4] = _t292;
																					_t432[1] = 0x100b1acf;
																					 *_t432 = _t432[6];
																					E100089C0();
																					_t292 = _t432[4];
																					L53:
																					if(_t292 <= 0x28) {
																						goto L41;
																					} else {
																						if(_t292 != 0xffffffff) {
																							goto L47;
																						} else {
																							goto L24;
																						}
																					}
																				} else {
																					if(_t292 > 0x28) {
																						L47:
																						_t432[2] = _t292;
																						_t432[1] = "USR%d";
																						 *_t432 = _t432[6];
																						E100089C0();
																					} else {
																						L41:
																						_t163 =  *(0x100b2280 + _t292 * 8);
																						if(_t163 == 0) {
																							goto L47;
																						} else {
																							_t432[2] = _t163;
																							_t432[1] = "%s";
																							 *_t432 = _t432[6];
																							E100089C0();
																						}
																					}
																				}
																			}
																		}
																		goto L25;
																		L34:
																		_t292 =  &(1[_t292]);
																	} while (_t292 != 0x40);
																	_t386 = _t426;
																	_t425 = _t432[7];
																	if(_t425 == 0) {
																		goto L24;
																	} else {
																		goto L57;
																	}
																	goto L29;
																} else {
																	if(_t425 != 0) {
																		goto L57;
																	}
																	L24:
																	_t432[1] = "NONE";
																	 *_t432 = _t432[6];
																	E100089C0();
																}
															}
														}
													}
													L25:
													if( *_t386 != 2) {
														goto L18;
													} else {
														_t341 = _t386[8];
														_t166 = _t425 + _t425 * 2;
														_t293 = _t341 + _t166 * 8;
														if( *((char*)(_t341 + 4 + _t166 * 8)) == 0) {
															goto L18;
														} else {
															goto L27;
														}
													}
													goto L29;
													L27:
													_t425 =  &(1[_t425]);
													_t432[2] = _t293 + 4;
													_t432[1] = "@%s";
													 *_t432 = _t432[6];
													E100089C0();
													_t395 = _t386[4];
												} while (_t395 > _t425);
												goto L29;
												L18:
												_t395 = _t386[4];
												_t425 =  &(1[_t425]);
											} while (_t395 > _t425);
										}
										L29:
										if(_t395 == 0) {
											goto L15;
										} else {
											_t432[1] = 0x100b1ad1;
											 *_t432 = _t432[6];
											E100089C0();
											_t144 = 0;
										}
									} else {
										L15:
										_t148 = 0;
										L59:
										_t432[2] = _t148;
										_t432[1] = "%d channels";
										 *_t432 = _t432[6];
										E100089C0();
										_t144 = 0;
									}
								} else {
									_t337 = _t381 << 5;
									_t6 = _t337 + 0x100b1c90; // 0x0
									_t243 =  *_t6;
									_t7 = _t337 + 0x100b1c94; // 0x0
									_t333 =  *_t7;
									continue;
								}
								goto L12;
							}
							_t382 = _t381 << 5;
							_t432[1] = "%s";
							_t9 = _t382 + 0x100b1c80; // 0x100b1abb
							_t432[2] =  *_t9;
							 *_t432 = _t432[6];
							E100089C0();
							L8:
							_t144 = 0;
						}
						L12:
						return _t144;
					}
				}
				L91:
			}

0x1000d4d1
0x1000d4d2
0x1000d4d3
0x1000d4d4
0x1000d4db
0x1000d4df
0x1000d4e3
0x1000d4e6
0x1000d4e9
0x1000d586
0x1000d58d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d4ef
0x1000d4ef
0x1000d55b
0x1000d570
0x00000000
0x1000d55d
0x1000d55d
0x1000d561
0x1000d564
0x1000d566
0x1000d567
0x1000d568
0x1000d569
0x1000d911
0x1000d914
0x1000d916
0x1000d917
0x1000d918
0x1000d91b
0x1000d920
0x1000da10
0x1000da15
0x00000000
0x1000d922
0x1000d925
0x1000d928
0x1000db65
0x1000db6f
0x1000db73
0x1000db76
0x1000db7e
0x1000db86
0x1000db8e
0x1000db93
0x1000dba0
0x1000dba6
0x1000dbad
0x1000dbb4
0x1000dbbd
0x1000dbc3
0x1000dbc7
0x1000dbcb
0x1000dbcf
0x1000dbd2
0x1000dbde
0x1000dbe2
0x1000dbe5
0x1000dbec
0x1000dbee
0x1000dbee
0x1000dc00
0x1000dc00
0x1000dc00
0x1000dbff
0x1000d92e
0x1000d92e
0x1000d931
0x1000d933
0x1000d93a
0x1000d963
0x1000d965
0x1000d96f
0x00000000
0x1000d971
0x1000d973
0x1000d94f
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d975
0x1000d97a
0x00000000
0x1000d97c
0x1000d980
0x1000d955
0x1000d955
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d980
0x1000d97a
0x1000d973
0x00000000
0x1000d957
0x1000d957
0x1000d958
0x1000d95b
0x1000da17
0x1000da19
0x00000000
0x1000da1f
0x1000da1f
0x1000da23
0x1000da27
0x1000da2b
0x1000da33
0x1000da38
0x00000000
0x1000da3e
0x1000da3e
0x1000da47
0x1000da4b
0x1000da4e
0x1000da53
0x1000da58
0x1000da5c
0x1000da5e
0x1000da5e
0x1000da62
0x1000da66
0x1000da69
0x1000da72
0x1000dac8
0x1000dad0
0x1000dad4
0x1000dad7
0x1000dadf
0x1000db44
0x1000db4f
0x1000db5c
0x1000da74
0x1000da7a
0x1000da7f
0x1000da85
0x1000da8c
0x1000da8c
0x1000da90
0x1000da9d
0x1000daa1
0x1000daa5
0x1000daae
0x1000dab2
0x1000dab5
0x1000dab5
0x1000dac3
0x1000dac3
0x1000da38
0x1000d93c
0x1000d982
0x1000d98e
0x1000d98e
0x1000d93a
0x1000d928
0x1000d920
0x1000d4f1
0x1000d4f3
0x1000d8e0
0x00000000
0x1000d4f9
0x1000d4f9
0x1000d4fc
0x1000d501
0x1000d503
0x1000d506
0x1000d527
0x1000d510
0x1000d514
0x1000d58f
0x1000d58f
0x1000d594
0x1000d59d
0x1000d5aa
0x1000d5ae
0x1000d5b1
0x1000d5b6
0x1000d5bb
0x1000d5c5
0x1000d5c7
0x1000d5c9
0x1000d5dc
0x1000d5dc
0x1000d5dc
0x1000d5de
0x1000d8be
0x1000d8c3
0x1000d8cb
0x1000d8ce
0x00000000
0x1000d5e4
0x1000d5e4
0x1000d5e9
0x1000d82c
0x1000d82e
0x1000d834
0x1000d836
0x1000d83f
0x1000d847
0x1000d84a
0x1000d84f
0x1000d84f
0x1000d859
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d5ef
0x1000d5f2
0x1000d720
0x1000d726
0x1000d72e
0x1000d7b9
0x1000d7bb
0x1000d7bf
0x00000000
0x1000d7c5
0x1000d7c5
0x1000d7c9
0x1000d85b
0x1000d85b
0x1000d864
0x1000d86c
0x1000d86f
0x1000d7cf
0x1000d7d4
0x1000d7d6
0x1000d7de
0x1000d7e4
0x1000d7e8
0x1000d7eb
0x1000d7f6
0x1000d7fa
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d7fa
0x1000d7c9
0x1000d5f8
0x1000d5f9
0x1000d68b
0x1000d690
0x1000d694
0x1000d698
0x1000d698
0x1000d69c
0x1000d6a0
0x1000d6a2
0x1000d6a6
0x1000d6bc
0x1000d6bc
0x1000d6c0
0x1000d6c3
0x1000d6c8
0x1000d6ca
0x1000d6ca
0x1000d6d2
0x00000000
0x1000d6d4
0x1000d6d4
0x1000d6d4
0x1000d6d9
0x1000d6b0
0x00000000
0x1000d6db
0x1000d6db
0x1000d6dd
0x1000d6e3
0x1000d879
0x1000d882
0x1000d88a
0x1000d88d
0x1000d892
0x1000d896
0x1000d899
0x00000000
0x1000d89f
0x1000d8a2
0x00000000
0x1000d8a8
0x00000000
0x1000d8a8
0x1000d8a2
0x1000d6e9
0x1000d6ec
0x1000d800
0x1000d800
0x1000d80d
0x1000d811
0x1000d814
0x1000d6f2
0x1000d6f2
0x1000d6f2
0x1000d6fb
0x00000000
0x1000d701
0x1000d701
0x1000d70a
0x1000d712
0x1000d715
0x1000d715
0x1000d6fb
0x1000d6ec
0x1000d6e3
0x1000d6d9
0x00000000
0x1000d6b2
0x1000d6b2
0x1000d6b3
0x1000d8b0
0x1000d8b2
0x1000d8b8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d5ff
0x1000d601
0x00000000
0x00000000
0x1000d607
0x1000d610
0x1000d614
0x1000d617
0x1000d617
0x1000d5f9
0x1000d5f2
0x1000d5e9
0x1000d620
0x1000d623
0x00000000
0x1000d625
0x1000d625
0x1000d628
0x1000d631
0x1000d634
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d634
0x00000000
0x1000d636
0x1000d63d
0x1000d63e
0x1000d647
0x1000d64b
0x1000d64e
0x1000d653
0x1000d656
0x00000000
0x1000d5d0
0x1000d5d0
0x1000d5d3
0x1000d5d4
0x1000d5dc
0x1000d660
0x1000d662
0x00000000
0x1000d668
0x1000d671
0x1000d675
0x1000d678
0x1000d67d
0x1000d67d
0x1000d596
0x1000d596
0x1000d596
0x1000d8e3
0x1000d8e3
0x1000d8ec
0x1000d8f4
0x1000d8f7
0x1000d8fc
0x1000d8fc
0x1000d516
0x1000d518
0x1000d51b
0x1000d51b
0x1000d521
0x1000d521
0x00000000
0x1000d521
0x00000000
0x1000d514
0x1000d52f
0x1000d537
0x1000d53b
0x1000d541
0x1000d549
0x1000d54c
0x1000d551
0x1000d551
0x1000d551
0x1000d575
0x1000d57c
0x1000d57c
0x1000d4ef
0x00000000

APIs

mv_bprintf.A649 ref: 1000D54C
mv_bprintf.A649 ref: 1000D8F7

Strings

NONE, xrefs: 1000D60B
%d channels, xrefs: 1000D8E7
@%s, xrefs: 1000D642
USR%d, xrefs: 1000D808
AMBI%d, xrefs: 1000D85F
%d channels (, xrefs: 1000D5A5

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: %d channels$%d channels ($@%s$AMBI%d$NONE$USR%d
API String ID: 3083893021-1306170362
Opcode ID: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
Instruction ID: 96990cf085468aa9ba630c0c0793423886e9eba89b3e303bf26647e4a11a856d
Opcode Fuzzy Hash: 98ded283bb3ae70f21cce0f44d25f16bdae0512caeeaba98897a65d1631d7c3f
Instruction Fuzzy Hash: 8BB1A675A087068BD714EF28C48066EB7E1FF882D0F55892EE989C7345EB31ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10035030 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 10035059
BCryptGenRandom.BCRYPT ref: 10035083
BCryptCloseAlgorithmProvider.BCRYPT ref: 1003509A
mvpriv_open.A649 ref: 100350B7
_read.MSVCRT ref: 100350D7
_close.MSVCRT ref: 100350E1
mvpriv_open.A649 ref: 100350FC
_read.MSVCRT ref: 1003511C
_close.MSVCRT ref: 10035126
clock.MSVCRT ref: 10035208

Strings

RNG, xrefs: 1003503A
N, xrefs: 10035375
Microsoft Primitive Provider, xrefs: 10035034

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Crypt$AlgorithmProvider_close_readmvpriv_open$CloseOpenRandomclock
String ID: Microsoft Primitive Provider$N$RNG
API String ID: 4139849330-2077157618
Opcode ID: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
Instruction ID: 55d25eed0a1b74d277015fe739bb6a08acfe9f0c77a35e4a57d9ad1f3d4738c5
Opcode Fuzzy Hash: ba0f5cf16dd16bf2a74f44db4dfaca41cdcaddc0f25a1e0faec0a639bd5545d4
Instruction Fuzzy Hash: E891A075A043508FE304DF78C9C021ABBE2FBC9311F51897EE9889B365EB75D9448B51

Uniqueness

Uniqueness Score: -1.00%

Function 1001F523 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 273
libraryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 30%

			E1001F523(intOrPtr _a4, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v64;
				intOrPtr _v96;
				signed int _v100;
				char _v320;
				signed char _v328;
				intOrPtr _v336;
				intOrPtr _v344;
				intOrPtr _v352;
				void* _v356;
				signed int _v360;
				char _v364;
				intOrPtr* _v368;
				intOrPtr _v376;
				intOrPtr _v384;
				signed int _v388;
				char _v392;
				void* _v396;
				intOrPtr _v400;
				intOrPtr* _v404;
				intOrPtr* _v408;
				void* _v412;
				CHAR* _v416;
				signed int _v420;
				char _v424;
				int _v428;
				void* _v452;
				char* _v456;
				intOrPtr _v460;
				char _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				char _v476;
				intOrPtr _v480;
				void* _t93;
				struct HINSTANCE__* _t94;
				intOrPtr _t102;
				void* _t108;
				intOrPtr* _t109;
				char _t110;
				void* _t111;
				intOrPtr* _t112;
				intOrPtr* _t115;
				void* _t116;
				struct HINSTANCE__* _t117;
				_Unknown_base(*)()* _t118;
				void* _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				void* _t127;
				void* _t134;
				int _t136;
				void* _t140;
				intOrPtr* _t142;
				intOrPtr* _t144;
				_Unknown_base(*)()* _t146;
				intOrPtr _t147;
				signed int _t152;
				char _t155;
				intOrPtr _t162;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr* _t169;
				intOrPtr* _t191;
				intOrPtr _t194;
				void* _t195;
				void* _t198;
				void* _t200;
				void* _t201;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t205;

				_v328 = 0;
				_t191 =  *((intOrPtr*)(_a4 + 0xc));
				_t93 = E100110D0(_a12, "debug", 0, 0);
				_t94 = LoadLibraryA("d3d11_1sdklayers.dll");
				_t200 = _t198 - 0x178;
				if(_t93 == 0 || _t94 == 0) {
					_t194 = 0x800;
					_v344 = 0;
				} else {
					_t194 = 0x802;
					_v344 = 1;
				}
				_v396 = 0x100d7268;
				_v320 = 0;
				_t152 =  &_v320;
				_v384 = 0;
				_v388 = _t152;
				_v392 = 0;
				__imp__InitOnceBeginInitialize();
				_t201 = _t200 - 0x10;
				if(_v336 != 0) {
					_v356 = E100A7C1C("d3d11.dll", 0, 0);
					_t102 = E100A7C1C("dxgi.dll", 0, 0);
					_t155 = _v356;
					if(_t155 != 0) {
						_v352 = _t102;
						if(_t102 != 0) {
							_v412 = _t155;
							_v408 = "D3D11CreateDevice";
							_v356 = GetProcAddress;
							_t146 = GetProcAddress(??, ??);
							_v416 = "CreateDXGIFactory1";
							_t169 = _v364;
							 *0x100d7260 = _t146;
							_v420 = _v360;
							_t147 =  *_t169(0, 0);
							_push(_t169);
							_push(_t169);
							 *0x100d7264 = _t147;
						}
					}
				}
				_v412 = 0x100d7268;
				_v404 = 0;
				_v408 = 0;
				__imp__InitOnceComplete();
				_t202 = _t201 - 0xc;
				if( *0x100d7260 == 0) {
					L29:
					E10026560(_v24, 0x10, "Failed to load D3D11 library or its functions\n");
					goto L30;
				} else {
					_t109 =  *0x100d7264;
					if(_t109 == 0) {
						goto L29;
					}
					if(_v20 != 0) {
						_v420 = _t152;
						_v424 = 0x100c75a0;
						_t134 =  *_t109();
						_t202 = _t202 - 8;
						if(_t134 >= 0) {
							 *_t202 = _v28;
							_t136 = atoi(??);
							_v424 =  &_v364;
							_v428 = _t136;
							 *_t202 = _v356;
							_t140 =  *((intOrPtr*)( *_v356 + 0x1c))();
							_t205 = _t202 - 0xc;
							if(_t140 < 0) {
								_v376 = 0;
								_t142 = _v368;
								 *_t205 = _t142;
								 *((intOrPtr*)( *_t142 + 8))();
								_t202 = _t205 - 4;
							} else {
								_t144 = _v368;
								 *_t205 = _t144;
								 *((intOrPtr*)( *_t144 + 8))();
								_t202 = _t205 - 4;
							}
						}
					}
					_t110 = _v356;
					if(_t110 != 0) {
						_v420 = _t152;
						_v424 = _t110;
						_t127 =  *((intOrPtr*)( *_t110 + 0x20))();
						_t202 = _t202 - 8;
						if(_t127 >= 0) {
							_v412 = _t152;
							_v416 = _v96;
							_v420 = _v100;
							_v424 = "Using device %04x:%04x (%ls).\n";
							_v428 = 0x20;
							 *_t202 = _v32;
							E10026560();
						}
						_t110 = _v364;
					}
					_v412 = _t194;
					_v388 = 0;
					_v392 = 0;
					_v400 = 7;
					_v404 = 0;
					_v408 = 0;
					_v396 = _t191;
					_v416 = 0;
					_v420 = 0 | _t110 == 0x00000000;
					_v424 = _t110;
					_t111 =  *0x100d7260();
					_t202 = _t202 - 0x28;
					_t195 = _t111;
					_t112 = _v396;
					if(_t112 != 0) {
						_v464 = _t112;
						 *((intOrPtr*)( *_t112 + 8))();
						_t202 = _t202 - 4;
					}
					if(_t195 < 0) {
						E10026560(_v64, 0x10, "Failed to create Direct3D device (%lx)\n", _t195);
						L30:
						_t108 = 0xb1b4b1ab;
						goto L19;
					} else {
						_t115 =  *_t191;
						_v456 =  &_v392;
						_v460 = 0x100c70d0;
						_v464 = _t115;
						_t116 =  *((intOrPtr*)( *_t115))();
						_t202 = _t202 - 0xc;
						if(_t116 >= 0) {
							_t122 = _v404;
							_v472 = 1;
							_v476 = _t122;
							 *((intOrPtr*)( *_t122 + 0x14))();
							_t204 = _t202 - 8;
							_t124 = _v412;
							 *_t204 = _t124;
							 *((intOrPtr*)( *_t124 + 8))();
							_t202 = _t204 - 4;
						}
						if(_v424 != 0) {
							_t117 = LoadLibraryA("dxgidebug.dll");
							_t202 = _t202 - 4;
							if(_t117 != 0) {
								_t118 = GetProcAddress(_t117, "DXGIGetDebugInterface");
								_t202 = _t202 - 8;
								if(_t118 != 0) {
									_v472 = _t152;
									_v400 = 0;
									_v476 = 0x100c7530;
									_t119 =  *_t118();
									_t202 = _t202 - 8;
									if(_t119 >= 0) {
										_t120 = _v408;
										if(_t120 != 0) {
											_v464 = 7;
											_t162 =  *0x100c6e30; // 0xe48ae283
											 *_t202 = _t120;
											_v480 = _t162;
											_t163 =  *0x100c6e34; // 0x490bda80
											_v476 = _t163;
											_t164 =  *0x100c6e38; // 0xe943e687
											_v472 = _t164;
											_t165 =  *0x100c6e3c; // 0x8dacfa9
											_v468 = _t165;
											 *((intOrPtr*)( *_t120 + 0xc))();
											_t202 = _t202 - 0x18;
										}
									}
								}
							}
						}
						_t108 = 0;
						L19:
						return _t108;
					}
				}
			}

0x1001f545
0x1001f550
0x1001f569
0x1001f57d
0x1001f57f
0x1001f584
0x1001f5a2
0x1001f5a7
0x1001f58a
0x1001f58f
0x1001f594
0x1001f594
0x1001f5ab
0x1001f5b6
0x1001f5ba
0x1001f5be
0x1001f5c4
0x1001f5c8
0x1001f5cc
0x1001f5d2
0x1001f5db
0x1001f8b6
0x1001f8bf
0x1001f8c4
0x1001f8ca
0x1001f8d0
0x1001f8d6
0x1001f8dc
0x1001f8e5
0x1001f8ed
0x1001f8f1
0x1001f8f9
0x1001f901
0x1001f905
0x1001f90a
0x1001f90d
0x1001f90f
0x1001f910
0x1001f911
0x1001f911
0x1001f8d6
0x1001f8ca
0x1001f5e1
0x1001f5ea
0x1001f5f0
0x1001f5f4
0x1001f5ff
0x1001f604
0x1001f85a
0x1001f876
0x00000000
0x1001f60a
0x1001f60a
0x1001f611
0x00000000
0x00000000
0x1001f620
0x1001f622
0x1001f626
0x1001f62d
0x1001f62f
0x1001f634
0x1001f7f7
0x1001f7fa
0x1001f80b
0x1001f813
0x1001f817
0x1001f81a
0x1001f81d
0x1001f822
0x1001f842
0x1001f846
0x1001f84c
0x1001f84f
0x1001f852
0x1001f824
0x1001f824
0x1001f82a
0x1001f82d
0x1001f830
0x1001f830
0x1001f822
0x1001f634
0x1001f63a
0x1001f640
0x1001f644
0x1001f648
0x1001f64b
0x1001f64e
0x1001f653
0x1001f7b0
0x1001f7bb
0x1001f7c6
0x1001f7cf
0x1001f7d8
0x1001f7e3
0x1001f7e6
0x1001f7e6
0x1001f659
0x1001f659
0x1001f65d
0x1001f665
0x1001f66e
0x1001f674
0x1001f67a
0x1001f680
0x1001f688
0x1001f68f
0x1001f693
0x1001f697
0x1001f69a
0x1001f6a0
0x1001f6a3
0x1001f6a5
0x1001f6ab
0x1001f6af
0x1001f6b2
0x1001f6b5
0x1001f6b5
0x1001f6ba
0x1001f8a5
0x1001f87b
0x1001f87b
0x00000000
0x1001f6c0
0x1001f6c0
0x1001f6cd
0x1001f6d1
0x1001f6d5
0x1001f6d8
0x1001f6da
0x1001f6df
0x1001f6e1
0x1001f6ec
0x1001f6f0
0x1001f6f3
0x1001f6f6
0x1001f6f9
0x1001f6ff
0x1001f702
0x1001f705
0x1001f705
0x1001f70e
0x1001f727
0x1001f729
0x1001f72e
0x1001f73c
0x1001f742
0x1001f747
0x1001f749
0x1001f74f
0x1001f753
0x1001f75a
0x1001f75c
0x1001f761
0x1001f763
0x1001f769
0x1001f772
0x1001f776
0x1001f77c
0x1001f77f
0x1001f783
0x1001f789
0x1001f78d
0x1001f793
0x1001f797
0x1001f79d
0x1001f7a1
0x1001f7a4
0x1001f7a4
0x1001f769
0x1001f761
0x1001f747
0x1001f72e
0x1001f710
0x1001f712
0x1001f71c
0x1001f71c
0x1001f6ba

APIs

mv_dict_get.A649 ref: 1001F569
LoadLibraryA.KERNEL32 ref: 1001F57D
InitOnceBeginInitialize.KERNEL32 ref: 1001F5CC
InitOnceComplete.KERNEL32 ref: 1001F5F4

Strings

d3d11.dll, xrefs: 1001F8AC
DXGIGetDebugInterface, xrefs: 1001F733
Failed to load D3D11 library or its functions, xrefs: 1001F861
Failed to create Direct3D device (%lx), xrefs: 1001F890
debug, xrefs: 1001F534
Using device %04x:%04x (%ls)., xrefs: 1001F7CA
dxgi.dll, xrefs: 1001F8BA

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitOnce$BeginCompleteInitializeLibraryLoadmv_dict_get
String ID: DXGIGetDebugInterface$Failed to create Direct3D device (%lx)$Failed to load D3D11 library or its functions$Using device %04x:%04x (%ls).$d3d11.dll$debug$dxgi.dll
API String ID: 2640887736-2754084114
Opcode ID: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
Instruction ID: b26665e88cdb3ff3bd93bc6ff27e16a968a577adae798b8ccfa67922602f4651
Opcode Fuzzy Hash: 46d71de76901be22f43a985af2c852e585d150c4c55c8bf33d4014df43fd258f
Instruction Fuzzy Hash: 4EB1E4B4A087419FD354EF69D58462ABBF1FF89740F41892EE989CB354EB34D884CB42

Uniqueness

Uniqueness Score: -1.00%

Function 100132D0 Relevance: 28.6, APIs: 19, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100132D0() {
				void* _t43;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr* _t78;
				intOrPtr* _t84;
				intOrPtr* _t87;
				intOrPtr* _t93;
				void* _t94;
				intOrPtr* _t95;

				_t95 = _t94 - 0x2c;
				_t87 =  *((intOrPtr*)(_t95 + 0x40));
				if(_t87 != 0) {
					if( *((intOrPtr*)(_t87 + 0xc)) == 0) {
						L4:
						_t84 =  *((intOrPtr*)(_t87 + 0x1c));
						if(_t84 == 0) {
							L21:
							 *_t95 =  *_t87;
							L23();
							 *_t95 =  *((intOrPtr*)(_t87 + 8));
							L23();
							 *_t95 =  *((intOrPtr*)(_t87 + 0x14));
							L23();
							 *((intOrPtr*)(_t95 + 0x40)) = _t87;
							return __imp___aligned_free();
						}
						if( *((intOrPtr*)(_t84 + 0xc)) == 0) {
							L8:
							_t93 =  *((intOrPtr*)(_t84 + 0x1c));
							if(_t93 == 0) {
								L20:
								 *_t95 =  *_t84;
								L23();
								 *_t95 =  *((intOrPtr*)(_t84 + 8));
								L23();
								 *_t95 =  *((intOrPtr*)(_t84 + 0x14));
								L23();
								 *_t95 = _t84;
								L23();
								goto L21;
							}
							if( *((intOrPtr*)(_t93 + 0xc)) == 0) {
								L12:
								_t78 =  *((intOrPtr*)(_t93 + 0x1c));
								if(_t78 == 0) {
									L19:
									 *_t95 =  *_t93;
									L23();
									 *_t95 =  *((intOrPtr*)(_t93 + 8));
									L23();
									 *_t95 =  *((intOrPtr*)(_t93 + 0x14));
									L23();
									 *_t95 = _t93;
									L23();
									goto L20;
								}
								if( *((intOrPtr*)(_t78 + 0xc)) == 0) {
									L16:
									_t55 =  *((intOrPtr*)(_t78 + 0x1c));
									if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
										 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
										E10012850(_t55);
										_t78 =  *((intOrPtr*)(_t95 + 0x1c));
									}
									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
									 *_t95 =  *_t78;
									L23();
									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 8));
									L23();
									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x1c)) + 0x14));
									L23();
									 *_t95 =  *((intOrPtr*)(_t95 + 0x1c));
									L23();
									goto L19;
								}
								_t72 = 0;
								do {
									 *((intOrPtr*)(_t95 + 0x1c)) = _t78;
									_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 8)) + _t72 * 4));
									_t72 = _t72 + 1;
									 *_t95 = _t61;
									L23();
									_t78 =  *((intOrPtr*)(_t95 + 0x1c));
								} while (_t72 <  *((intOrPtr*)(_t78 + 0xc)));
								goto L16;
							}
							_t73 = 0;
							do {
								_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + _t73 * 4));
								_t73 = _t73 + 1;
								 *_t95 = _t63;
								L23();
							} while (_t73 <  *((intOrPtr*)(_t93 + 0xc)));
							goto L12;
						}
						_t74 = 0;
						do {
							_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 8)) + _t74 * 4));
							_t74 = _t74 + 1;
							 *_t95 = _t65;
							L23();
						} while (_t74 <  *((intOrPtr*)(_t84 + 0xc)));
						goto L8;
					}
					_t75 = 0;
					do {
						_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 8)) + _t75 * 4));
						_t75 = _t75 + 1;
						 *_t95 = _t67;
						L23();
					} while (_t75 <  *((intOrPtr*)(_t87 + 0xc)));
					goto L4;
				}
				return _t43;
			}

0x100132d4
0x100132d7
0x100132dd
0x100132e8
0x10013304
0x10013304
0x10013309
0x10013439
0x1001343b
0x1001343e
0x10013446
0x10013449
0x10013451
0x10013454
0x10013459
0x100290d0
0x100290d0
0x10013314
0x10013334
0x10013334
0x10013339
0x10013411
0x10013413
0x10013416
0x1001341e
0x10013421
0x10013429
0x1001342c
0x10013431
0x10013434
0x00000000
0x10013434
0x10013344
0x10013364
0x10013364
0x10013369
0x100133e8
0x100133eb
0x100133ee
0x100133f6
0x100133f9
0x10013401
0x10013404
0x10013409
0x1001340c
0x00000000
0x1001340c
0x10013370
0x1001339c
0x1001339c
0x100133a1
0x100133a3
0x100133a7
0x100133ac
0x100133ac
0x100133b0
0x100133b6
0x100133b9
0x100133c5
0x100133c8
0x100133d4
0x100133d7
0x100133e0
0x100133e3
0x00000000
0x100133e3
0x10013372
0x10013380
0x10013380
0x10013387
0x1001338a
0x1001338b
0x1001338e
0x10013393
0x10013397
0x00000000
0x10013380
0x10013346
0x10013350
0x10013353
0x10013356
0x10013357
0x1001335a
0x1001335f
0x00000000
0x10013350
0x10013316
0x10013320
0x10013323
0x10013326
0x10013327
0x1001332a
0x1001332f
0x00000000
0x10013320
0x100132ea
0x100132f0
0x100132f3
0x100132f6
0x100132f7
0x100132fa
0x100132ff
0x00000000
0x100132f0
0x10013477

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
Instruction ID: aab0cb6abdf460125275c6e5ebe0c2fb3ff18ba6de562b5529d80b352c1cac01
Opcode Fuzzy Hash: 196854d94c2d3dadbfed7b001a059d3303f2942ada5cc75a7543bfd3e5186445
Instruction Fuzzy Hash: 14519F79A047098FCB50EFA9D0C5A5AF7F0FF44250F41892DE8998B301DA71F985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002334C Relevance: 23.4, APIs: 11, Strings: 2, Instructions: 635
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E1002334C(signed int __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t304;
				char* _t305;
				signed int _t314;
				signed int _t316;
				signed int _t325;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				int _t335;
				signed int _t336;
				signed int _t338;
				signed int _t342;
				signed int _t344;
				signed int _t347;
				signed int _t348;
				signed char* _t350;
				signed int _t351;
				int _t352;
				signed int _t354;
				int _t355;
				signed int _t356;
				signed int _t358;
				int _t361;
				signed int _t362;
				void _t364;
				signed int _t365;
				signed int _t367;
				signed int _t369;
				signed int _t372;
				intOrPtr _t379;
				intOrPtr _t380;
				intOrPtr _t381;
				intOrPtr _t382;
				intOrPtr _t383;
				intOrPtr _t384;
				signed int _t386;
				signed int _t388;
				char* _t389;
				signed int _t393;
				signed char _t398;
				void* _t399;
				char* _t405;
				char _t406;
				char* _t408;
				signed int _t409;
				signed char _t411;
				signed int _t413;
				signed int _t414;
				signed int _t417;
				signed int _t418;
				signed short _t425;
				void* _t429;
				char* _t430;
				unsigned int _t434;
				signed int _t435;
				signed int _t437;
				signed char _t439;
				signed char* _t440;
				unsigned int _t441;
				signed int _t442;
				int _t444;
				signed char _t449;
				void* _t450;
				signed int _t453;
				signed int _t454;
				intOrPtr _t455;
				signed char _t456;
				signed char _t457;
				int _t458;
				char* _t463;
				char* _t464;
				signed int _t465;
				signed int _t467;
				signed int _t471;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t479;
				signed int* _t484;
				signed int _t489;
				signed int _t494;
				void _t495;
				char* _t496;
				signed int _t498;
				void* _t499;
				signed int _t501;
				void* _t502;
				void* _t503;
				signed int _t507;
				intOrPtr _t508;
				intOrPtr _t509;
				void* _t514;
				signed int _t517;
				char* _t519;
				signed int _t526;
				signed int _t528;
				int _t533;
				signed int _t534;
				void* _t537;
				signed int* _t538;
				signed int _t539;
				char* _t540;
				void* _t541;
				unsigned int _t543;
				unsigned int _t544;
				signed int _t545;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t550;
				signed int _t552;
				int _t553;
				void* _t554;
				char** _t555;
				signed int* _t557;
				void* _t571;

				_t465 = __edx;
				_t555 = _t554 - 0x6c;
				_t408 = _t555[0x24];
				_t519 = _t555[0x22];
				_t555[3] = _t555[0x27];
				 *_t555 = _t408;
				_t555[2] = _t555[0x26];
				_t555[1] = _t555[0x25];
				_t304 = E10023180(__edx, __eflags);
				 *_t555 = _t408;
				_t543 = _t304;
				_t305 = E10034790();
				_t555[0x12] = _t305;
				_t430 = _t305;
				if((_t543 >> 0x0000001f | _t465 & 0xffffff00 | _t543 - _t555[0x21] > 0x00000000) != 0 || _t430 == 0) {
					_t544 = 0xffffffea;
					goto L28;
				} else {
					_t467 = _t430[4] & 0x000000ff;
					if(_t467 == 0) {
						_t496 = 0;
						_t555[0xf] = 0;
					} else {
						_t463 =  >=  ? _t430[0x10] : 0;
						_t555[0xf] = _t463;
						_t496 = _t463;
						if(_t467 != 1) {
							_t464 = _t555[0x12];
							_t496 =  >=  ? _t555[0xf] : _t464[0x24];
							_t555[0xf] = _t496;
							if(_t467 != 2) {
								_t405 =  >=  ? _t496 : _t464[0x38];
								_t555[0xf] = _t405;
								_t496 = _t405;
								if(_t467 != 3) {
									_t406 = _t464[0x4c];
									_t571 = _t496 - _t406;
									_t407 =  >=  ? _t496 : _t406;
									_t555[0xf] =  >=  ? _t496 : _t406;
								}
							}
						}
					}
					_t555[1] = _t408;
					_t555[2] = _t555[0x25];
					 *_t555 =  &(_t555[0x14]);
					if(E100215D0(_t571) < 0) {
						_t555[5] = 0x209;
						_t555[1] = 0;
						 *_t555 = 0;
						_t555[4] = "libavutil/imgutils.c";
						_t555[3] = "ret >= 0";
						_t555[2] = "Assertion %s failed at %s:%d\n";
						E10026560();
						abort();
						_push(_t543);
						_push(_t496);
						_t557 = _t555 - 0x15c;
						_t409 = _t557[0x5e];
						 *_t557 = _t409;
						_t314 = E10034790(_t408);
						 *_t557 = _t409;
						_t545 = _t314;
						_t557[0xd] = E10034870(_t519);
						_t316 = 0;
						__eflags = 0;
						do {
							 *((intOrPtr*)(_t557 + _t316 + 0xd0)) = 0;
							 *((intOrPtr*)(_t557 + _t316 + 0xd4)) = 0;
							_t316 = _t316 + 8;
							__eflags = _t316 - 0x80;
						} while (_t316 < 0x80);
						_t557[0x14] = 0;
						_t557[0x15] = 0;
						_t557[0x16] = 0;
						_t557[0x17] = 0;
						_t557[0x18] = 0;
						_t557[0x19] = 0;
						_t557[0x1a] = 0;
						_t557[0x1b] = 0;
						__eflags = _t557[0xd] - 1 - 3;
						if(_t557[0xd] - 1 > 3) {
							L60:
							return 0xffffffea;
						} else {
							__eflags = _t545;
							if(_t545 == 0) {
								goto L60;
							} else {
								_t325 =  *(_t545 + 8);
								_t471 = _t325 & 0x00000008;
								_t498 = _t471;
								__eflags = _t498;
								if(_t498 != 0) {
									goto L60;
								} else {
									_t557[0xa] = _t325 & 0x00000020;
									__eflags = _t325 & 0x00000004;
									if(__eflags != 0) {
										 *_t557 = _t409;
										_t557[2] = 0;
										_t557[1] = _t557[0x60];
										_t547 = E10021480(__eflags);
										_t330 = _t409 - 9;
										__eflags = _t330 - 1;
										_t331 = _t330 & 0xffffff00 | _t330 - 0x00000001 < 0x00000000;
										__eflags = _t409 - 9;
										_t411 =  !=  ? _t498 : 0xff;
										__eflags = _t557[0xd] - 1;
										if(__eflags != 0 || __eflags == 0) {
											goto L60;
										} else {
											__eflags = _t547;
											if(_t547 <= 0) {
												goto L60;
											} else {
												__eflags = _t557[0x5c];
												if(_t557[0x5c] != 0) {
													__eflags = _t557[0x61];
													_t526 =  *(_t557[0x5c]);
													if(_t557[0x61] > 0) {
														_t335 = (_t411 & 0x000000ff) * 0x1010101;
														__eflags = _t335;
														do {
															__eflags = _t547 - 8;
															_t474 = _t547;
															_t499 = _t526;
															if(_t547 >= 8) {
																__eflags = _t526 & 0x00000001;
																if((_t526 & 0x00000001) != 0) {
																	 *_t526 = _t335;
																	_t499 = _t526 + 1;
																	_t226 = _t547 - 1; // -1
																	_t474 = _t226;
																}
																__eflags = _t499 & 0x00000002;
																if((_t499 & 0x00000002) != 0) {
																	 *_t499 = _t335;
																	_t474 = _t474 - 2;
																	_t499 = _t499 + 2;
																}
																__eflags = _t499 & 0x00000004;
																if((_t499 & 0x00000004) != 0) {
																	 *_t499 = _t335;
																	_t474 = _t474 - 4;
																	_t499 = _t499 + 4;
																}
																_t434 = _t474;
																_t474 = _t474 & 0x00000003;
																_t435 = _t434 >> 2;
																_t335 = memset(_t499, _t335, _t435 << 2);
																_t557 =  &(_t557[3]);
																_t499 = _t499 + _t435;
															}
															_t475 = _t474 & 0x00000007;
															__eflags = _t475;
															if(_t475 != 0) {
																_t437 = 0;
																__eflags = 0;
																do {
																	 *(_t499 + _t437) = _t411;
																	_t437 = _t437 + 1;
																	__eflags = _t437 - _t475;
																} while (_t437 < _t475);
															}
															_t526 = _t526 +  *(_t557[0x5d]);
															_t216 =  &(_t557[0x61]);
															 *_t216 = _t557[0x61] - 1;
															__eflags =  *_t216;
														} while ( *_t216 != 0);
													}
												}
												goto L77;
											}
										}
									} else {
										_t477 =  *(_t545 + 4) & 0x000000ff;
										__eflags = _t477;
										if(__eflags == 0) {
											L57:
											_t557[0xa] = _t545;
											_t501 = _t557[0x60];
											_t548 = 0;
											_t528 = _t557[0xd];
											while(1) {
												_t557[2] = _t548;
												_t557[1] = _t501;
												 *_t557 = _t409;
												_t336 = E10021480(__eflags);
												 *(_t557 + 0x60 + _t548 * 4) = _t336;
												__eflags = _t336;
												if(_t336 < 0) {
													goto L60;
												}
												_t548 = _t548 + 1;
												__eflags = _t528 - _t548;
												if(__eflags <= 0) {
													_t549 = _t557[0xa];
													__eflags = _t557[0x5c];
													if(_t557[0x5c] == 0) {
														L77:
														_t332 = 0;
														__eflags = 0;
													} else {
														_t557[0x13] = _t549;
														__eflags = 0;
														_t557[0xe] =  &(_t557[0x34]);
														_t557[0xa] = 0;
														do {
															_t338 = _t557[0xa];
															_t557[0xf] =  *(_t557 + 0x60 + _t338 * 4);
															_t550 =  *(_t557[0x5c] + _t338 * 4);
															__eflags = _t338 - 1 - 1;
															if(_t338 - 1 <= 1) {
																_t439 =  *(_t557[0x13] + 6) & 0x000000ff;
																_t342 = 1 << _t439;
															} else {
																_t342 = 1;
																_t439 = 0;
																__eflags = 0;
															}
															_t344 = _t342 + _t557[0x61] - 1 >> _t439;
															_t557[0xc] = _t344;
															__eflags = _t344;
															if(_t344 > 0) {
																_t413 =  *(_t557 + 0x50 + _t557[0xa] * 4);
																_t347 = _t557[0xf];
																_t557[0xb] = _t413;
																__eflags = _t347 - _t413;
																_t533 =  >  ? _t413 : _t347;
																_t557[0x10] = _t533;
																_t348 = _t347 - _t533;
																__eflags = _t348;
																_t557[0x11] = _t348;
																do {
																	_t534 = _t557[0xb];
																	__eflags = _t534;
																	if(_t534 != 0) {
																		_t350 = _t557[0xe];
																		_t479 =  *_t350 & 0x000000ff;
																		_t440 =  &(_t350[_t534]);
																		while(1) {
																			__eflags =  *_t350 - _t479;
																			if( *_t350 != _t479) {
																				break;
																			}
																			_t350 =  &(_t350[1]);
																			__eflags = _t440 - _t350;
																			if(_t440 == _t350) {
																				L102:
																				_t351 = _t557[0xf];
																				_t502 = _t550;
																				__eflags = _t351 - 8;
																				_t414 = _t351;
																				if(_t351 >= 8) {
																					_t352 = _t479 * 0x1010101;
																					__eflags = _t550 & 0x00000001;
																					if((_t550 & 0x00000001) != 0) {
																						 *_t550 = _t352;
																						_t502 = _t550 + 1;
																						_t414 = _t557[0xf] - 1;
																					}
																					__eflags = _t502 & 0x00000002;
																					if((_t502 & 0x00000002) != 0) {
																						 *_t502 = _t352;
																						_t414 = _t414 - 2;
																						_t502 = _t502 + 2;
																					}
																					__eflags = _t502 & 0x00000004;
																					if((_t502 & 0x00000004) != 0) {
																						 *_t502 = _t352;
																						_t414 = _t414 - 4;
																						_t502 = _t502 + 4;
																					}
																					_t441 = _t414;
																					_t414 = _t414 & 0x00000003;
																					_t442 = _t441 >> 2;
																					memset(_t502, _t352, _t442 << 2);
																					_t557 =  &(_t557[3]);
																					_t502 = _t502 + _t442;
																				}
																				_t413 = _t414 & 0x00000007;
																				__eflags = _t413;
																				if(_t413 != 0) {
																					_t354 = 0;
																					__eflags = 0;
																					do {
																						 *(_t502 + _t354) = _t479;
																						_t354 = _t354 + 1;
																						__eflags = _t354 - _t413;
																					} while (_t354 < _t413);
																				}
																			} else {
																				continue;
																			}
																			goto L99;
																		}
																		__eflags = _t557[0xb] - 1;
																		if(_t557[0xb] == 1) {
																			goto L102;
																		} else {
																			_t355 = _t557[0x10];
																			_t503 = _t550;
																			_t537 = _t557[0xe];
																			__eflags = _t355 - 8;
																			_t444 = _t355;
																			if(_t355 >= 8) {
																				__eflags = _t550 & 0x00000001;
																				if((_t550 & 0x00000001) != 0) {
																					_t356 =  *_t537 & 0x000000ff;
																					_t503 = _t550 + 1;
																					_t537 = _t537 + 1;
																					_t557[0x12] = _t356;
																					 *_t550 = _t356;
																					_t444 = _t557[0x10] - 1;
																				}
																				__eflags = _t503 & 0x00000002;
																				if((_t503 & 0x00000002) != 0) {
																					_t358 =  *_t537 & 0x0000ffff;
																					_t503 = _t503 + 2;
																					_t537 = _t537 + 2;
																					_t444 = _t444 - 2;
																					 *(_t503 - 2) = _t358;
																				}
																				__eflags = _t503 & 0x00000004;
																				if((_t503 & 0x00000004) != 0) {
																					_t364 =  *_t537;
																					_t503 = _t503 + 4;
																					_t537 = _t537 + 4;
																					_t444 = _t444 - 4;
																					 *(_t503 - 4) = _t364;
																				}
																			}
																			memcpy(_t503, _t537, _t444);
																			_t557 =  &(_t557[3]);
																			_t557[2] = _t557[0x11];
																			_t361 = _t557[0x10];
																			_t557[1] = _t361;
																			_t362 = _t361 + _t550;
																			__eflags = _t362;
																			 *_t557 = _t362;
																			E10029830(_t413, _t537 + _t444 + _t444, _t537);
																		}
																	}
																	L99:
																	_t550 = _t550 +  *((intOrPtr*)(_t557[0x5d] + _t557[0xa] * 4));
																	_t267 =  &(_t557[0xc]);
																	 *_t267 = _t557[0xc] - 1;
																	__eflags =  *_t267;
																} while ( *_t267 != 0);
															}
															_t557[0xa] = _t557[0xa] + 1;
															_t557[0xe] = _t557[0xe] + 0x20;
															__eflags = _t557[0xd] - _t557[0xa];
														} while (_t557[0xd] > _t557[0xa]);
														_t332 = 0;
													}
													return _t332;
												} else {
													continue;
												}
												goto L121;
											}
											goto L60;
										} else {
											_t365 =  *(_t545 + 0x14);
											__eflags = _t365;
											_t447 =  >=  ? _t365 : 0;
											__eflags = _t365 - 0x20;
											 *((intOrPtr*)(_t557 + 0x50 +  *(_t545 + 0x10) * 4)) =  >=  ? _t365 : 0;
											if(_t365 > 0x20) {
												goto L60;
											} else {
												__eflags = _t477 - 1;
												if(__eflags == 0) {
													L45:
													_t557[0x5e] = _t409;
													_t557[0xa] = _t545;
													_t367 = _t557[0xa];
													_t557[0xc] = __eflags == 0;
													_t145 = _t545 + 0x10; // 0x10
													_t538 = _t145;
													__eflags = _t557[0x5f] - 2;
													_t557[0xe] = _t367;
													_t507 = 0;
													_t369 = (_t367 & 0xffffff00 | _t557[0x5f] != 0x00000002) & _t557[0xc] & 0x000000ff;
													__eflags = _t369;
													_t557[0xb] = _t369;
													while(1) {
														_t449 = _t538[4];
														asm("cdq");
														_t372 =  *(_t557 + 0x50 +  *_t538 * 4) / _t538[1];
														_t557[0x20] = 0;
														_t557[0x21] = 0;
														__eflags = _t449 - 0x10;
														_t557[0x22] = 0;
														_t557[0x23] = 0;
														if(_t449 > 0x10) {
															goto L60;
														}
														__eflags = _t449 - 7;
														if(_t449 > 7) {
															L49:
															__eflags = _t372;
															if(_t372 <= 0) {
																goto L60;
															} else {
																__eflags = _t507;
																if(_t507 != 0) {
																	L61:
																	_t199 = _t507 - 1; // -1
																	_t417 = 0;
																	__eflags = _t199 - 1;
																	if(_t199 <= 1) {
																		__eflags = _t557[0xe];
																		if(_t557[0xe] == 0) {
																			_t417 = 0x00000080 << _t449 - 0x00000008 & 0x0000ffff;
																		}
																	} else {
																		__eflags = _t507 - 3;
																		if(_t507 == 3) {
																			_t417 = (0x00000001 << _t449) - 0x00000001 & 0x0000ffff;
																		}
																	}
																} else {
																	__eflags = _t557[0xb];
																	if(_t557[0xb] == 0) {
																		goto L61;
																	} else {
																		_t425 = 0x10 << _t449 - 8;
																		__eflags = _t425;
																		_t417 = _t425 & 0x0000ffff;
																	}
																}
																_t552 =  &(_t557[0x24]);
																_t450 = _t552 + _t372 * 2;
																_t484 = _t552;
																do {
																	 *_t484 = _t417;
																	_t484 =  &(_t484[0]);
																	__eflags = _t450 - _t484;
																} while (_t450 != _t484);
																_t418 = _t557[0xa];
																_t538 =  &(_t538[5]);
																_t557[7] = _t372;
																_t557[5] = 0;
																_t557[0x1c] =  &(_t557[0x34]);
																_t557[4] = 0;
																_t557[0x1d] =  &(_t557[0x3c]);
																_t557[2] =  &(_t557[0x20]);
																_t557[0x1e] =  &(_t557[0x44]);
																_t557[6] = _t507;
																_t507 = _t507 + 1;
																_t557[1] =  &(_t557[0x1c]);
																_t557[3] = _t418;
																 *_t557 = _t552;
																_t557[0x1f] =  &(_t557[0x4c]);
																E10034210();
																__eflags = ( *(_t418 + 4) & 0x000000ff) - _t507;
																if(__eflags > 0) {
																	continue;
																} else {
																	_t545 = _t557[0xa];
																	_t409 = _t557[0x5e];
																	goto L57;
																}
															}
														} else {
															__eflags = _t557[0xc];
															if(_t557[0xc] != 0) {
																goto L60;
															} else {
																goto L49;
															}
														}
														goto L121;
													}
													goto L60;
												} else {
													_t453 =  *(_t545 + 0x24);
													_t508 =  *((intOrPtr*)(_t545 + 0x28));
													_t379 =  *((intOrPtr*)(_t557 + 0x50 + _t453 * 4));
													__eflags = _t379 - _t508;
													_t380 =  <  ? _t508 : _t379;
													 *((intOrPtr*)(_t557 + 0x50 + _t453 * 4)) = _t380;
													__eflags = _t380 - 0x20;
													if(_t380 > 0x20) {
														goto L60;
													} else {
														__eflags = _t477 - 2;
														if(__eflags == 0) {
															goto L45;
														} else {
															_t454 =  *(_t545 + 0x38);
															_t509 =  *((intOrPtr*)(_t545 + 0x3c));
															_t381 =  *((intOrPtr*)(_t557 + 0x50 + _t454 * 4));
															__eflags = _t381 - _t509;
															_t382 =  <  ? _t509 : _t381;
															 *((intOrPtr*)(_t557 + 0x50 + _t454 * 4)) = _t382;
															__eflags = _t382 - 0x20;
															if(_t382 > 0x20) {
																goto L60;
															} else {
																__eflags = _t477 - 3;
																if(__eflags == 0) {
																	goto L45;
																} else {
																	_t489 =  *(_t545 + 0x4c);
																	_t455 =  *((intOrPtr*)(_t545 + 0x50));
																	_t383 =  *((intOrPtr*)(_t557 + 0x50 + _t489 * 4));
																	__eflags = _t383 - _t455;
																	_t384 =  <  ? _t455 : _t383;
																	 *((intOrPtr*)(_t557 + 0x50 + _t489 * 4)) = _t384;
																	__eflags = _t384 - 0x20;
																	if(__eflags > 0) {
																		goto L60;
																	} else {
																		goto L45;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t456 = 0;
						_t555[0x22] = _t519;
						_t539 = 0xffffffff;
						_t555[0x13] = _t543;
						_t555[0xe] = _t555[0x23];
						_t386 = 1;
						_t555[0x11] =  ~(_t555[0x27]);
						while(1) {
							_t388 = _t386 + _t555[0x26] - 1 >> _t456;
							_t429 = _t555[0x22][4 + _t539 * 4];
							_t555[0xc] = _t388;
							if(_t388 <= 0) {
								goto L18;
							}
							_t553 =  *(_t555 + 0x54 + _t539 * 4);
							_t555[0x10] = _t539;
							_t555[0xb] = 0;
							_t398 = _t555[0x20];
							_t555[0xd] = _t555[0x11] & _t553 + _t555[0x27] - 0x00000001;
							do {
								_t458 = _t553;
								_t514 = _t398;
								_t541 = _t429;
								if(_t553 >= 8) {
									if((_t398 & 0x00000001) != 0) {
										_t514 = _t398 + 1;
										_t541 = _t429 + 1;
										 *_t398 =  *_t429 & 0x000000ff;
										_t458 = _t553 - 1;
									}
									if((_t514 & 0x00000002) != 0) {
										_t494 =  *_t541 & 0x0000ffff;
										_t514 = _t514 + 2;
										_t541 = _t541 + 2;
										_t458 = _t458 - 2;
										 *(_t514 - 2) = _t494;
									}
									if((_t514 & 0x00000004) != 0) {
										_t495 =  *_t541;
										_t514 = _t514 + 4;
										_t541 = _t541 + 4;
										_t458 = _t458 - 4;
										 *(_t514 - 4) = _t495;
									}
								}
								_t399 = memcpy(_t514, _t541, _t458);
								_t555 =  &(_t555[3]);
								_t555[0xb] =  &(_t555[0xb][1]);
								_t517 = _t555[0xd];
								_t398 = _t399 + _t517;
								_t429 = _t429 +  *(_t555[0xe]);
							} while (_t555[0xc] != _t555[0xb]);
							_t539 = _t555[0x10];
							_t68 =  &(_t555[0x20]);
							 *_t68 = _t555[0x20] + _t555[0xc] * _t517;
							__eflags =  *_t68;
							L18:
							_t539 = _t539 + 1;
							__eflags = _t555[0xf] - _t539;
							if(_t555[0xf] != _t539) {
								__eflags = _t539 - 1;
								if(_t539 <= 1) {
									_t456 = _t555[0x12][6] & 0x000000ff;
									_t386 = 1 << _t456;
								} else {
									_t386 = 1;
									_t456 = 0;
									__eflags = 0;
								}
								_t555[0xe] =  &(_t555[0xe][4]);
								continue;
							}
							_t389 = _t555[0x12];
							_t544 = _t555[0x13];
							_t540 = _t555[0x22];
							__eflags = _t389[8] & 0x00000002;
							if((_t389[8] & 0x00000002) != 0) {
								_t457 = _t555[0x20];
								_t393 = 0;
								__eflags = 0;
								do {
									 *((intOrPtr*)(_t457 + _t393)) =  *((intOrPtr*)(_t540[4] + _t393));
									_t393 = _t393 + 4;
									__eflags = _t393 - 0x400;
								} while (_t393 != 0x400);
							}
							L28:
							return _t544;
							goto L121;
						}
					}
				}
				L121:
			}

0x1002334c
0x10023354
0x1002335e
0x10023365
0x1002336c
0x10023377
0x1002337a
0x10023385
0x10023389
0x1002338e
0x10023391
0x10023393
0x100233a2
0x100233a6
0x100233af
0x100235d8
0x00000000
0x100233bd
0x100233bd
0x100233c3
0x100235cd
0x100235cf
0x100233c9
0x100233d0
0x100233d6
0x100233da
0x100233dc
0x100233de
0x100233e9
0x100233f1
0x100233f5
0x100233fc
0x10023402
0x10023406
0x10023408
0x1002340a
0x1002340d
0x1002340f
0x10023412
0x10023412
0x10023408
0x100233f5
0x100233dc
0x10023416
0x10023421
0x10023429
0x10023433
0x100235df
0x100235e9
0x100235ed
0x100235f0
0x100235f8
0x10023600
0x10023608
0x1002360d
0x10023620
0x10023621
0x10023624
0x1002362a
0x10023631
0x10023634
0x10023639
0x1002363c
0x10023645
0x10023649
0x10023649
0x1002364b
0x1002364b
0x10023652
0x10023659
0x1002365c
0x1002365c
0x10023667
0x1002366f
0x10023677
0x1002367d
0x10023683
0x1002368b
0x1002368f
0x10023693
0x10023698
0x1002369b
0x100238d1
0x100238e0
0x100236a1
0x100236a1
0x100236a3
0x00000000
0x100236a9
0x100236a9
0x100236b0
0x100236b3
0x100236b3
0x100236b5
0x00000000
0x100236bb
0x100236c3
0x100236c9
0x100236cc
0x10023930
0x1002393c
0x10023940
0x10023949
0x1002394b
0x1002394e
0x10023951
0x10023954
0x1002395c
0x1002395f
0x10023964
0x00000000
0x10023979
0x10023979
0x1002397b
0x00000000
0x10023981
0x10023988
0x1002398a
0x1002399a
0x1002399c
0x1002399e
0x100239a3
0x100239a3
0x100239b0
0x100239b0
0x100239b3
0x100239b5
0x100239b7
0x100239f0
0x100239f6
0x10023a14
0x10023a16
0x10023a19
0x10023a19
0x10023a19
0x100239f8
0x100239fe
0x10023a28
0x10023a2b
0x10023a2e
0x10023a2e
0x10023a00
0x10023a06
0x10023a1e
0x10023a20
0x10023a23
0x10023a23
0x10023a08
0x10023a0a
0x10023a0d
0x10023a10
0x10023a10
0x10023a10
0x10023a10
0x100239b9
0x100239b9
0x100239bc
0x100239be
0x100239be
0x100239c0
0x100239c0
0x100239c3
0x100239c4
0x100239c4
0x100239c0
0x100239d1
0x100239d3
0x100239d3
0x100239d3
0x100239d3
0x100239b0
0x1002399e
0x00000000
0x1002398a
0x1002397b
0x100236d2
0x100236d2
0x100236d6
0x100236d8
0x10023898
0x10023898
0x1002389e
0x100238a5
0x100238a7
0x100238b9
0x100238b9
0x100238bd
0x100238c1
0x100238c4
0x100238c9
0x100238cd
0x100238cf
0x00000000
0x00000000
0x100238b0
0x100238b1
0x100238b3
0x10023a3a
0x10023a3e
0x10023a40
0x100239dc
0x100239dc
0x100239dc
0x10023a42
0x10023a42
0x10023a4d
0x10023a4f
0x10023a53
0x10023a57
0x10023a57
0x10023a5f
0x10023a6a
0x10023a6e
0x10023a71
0x10023bcb
0x10023bd4
0x10023a77
0x10023a77
0x10023a7c
0x10023a7c
0x10023a7c
0x10023a89
0x10023a8b
0x10023a8f
0x10023a91
0x10023a9b
0x10023a9f
0x10023aa3
0x10023aa7
0x10023aab
0x10023aae
0x10023ab2
0x10023ab2
0x10023ab4
0x10023ac0
0x10023ac0
0x10023ac4
0x10023ac6
0x10023ac8
0x10023acc
0x10023acf
0x10023add
0x10023add
0x10023adf
0x00000000
0x00000000
0x10023ad8
0x10023ad9
0x10023adb
0x10023b50
0x10023b50
0x10023b54
0x10023b56
0x10023b59
0x10023b5b
0x10023b6e
0x10023b74
0x10023b7a
0x10023bf0
0x10023bf3
0x10023bfa
0x10023bfa
0x10023b7c
0x10023b82
0x10023be5
0x10023be8
0x10023beb
0x10023beb
0x10023b84
0x10023b8a
0x10023bdb
0x10023bdd
0x10023be0
0x10023be0
0x10023b8c
0x10023b8e
0x10023b91
0x10023b94
0x10023b94
0x10023b94
0x10023b94
0x10023b5d
0x10023b5d
0x10023b60
0x10023b62
0x10023b62
0x10023b64
0x10023b64
0x10023b67
0x10023b68
0x10023b68
0x10023b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x10023adb
0x10023ae1
0x10023ae6
0x00000000
0x10023ae8
0x10023ae8
0x10023aec
0x10023aee
0x10023af2
0x10023af5
0x10023af7
0x10023b98
0x10023b9e
0x10023c14
0x10023c17
0x10023c1a
0x10023c1b
0x10023c1f
0x10023c26
0x10023c26
0x10023ba0
0x10023ba6
0x10023c02
0x10023c05
0x10023c08
0x10023c0b
0x10023c0e
0x10023c0e
0x10023ba8
0x10023bae
0x10023bb4
0x10023bb6
0x10023bb9
0x10023bbc
0x10023bbf
0x10023bbf
0x10023bae
0x10023afd
0x10023afd
0x10023b03
0x10023b07
0x10023b0b
0x10023b0f
0x10023b0f
0x10023b11
0x10023b14
0x10023b14
0x10023ae6
0x10023b19
0x10023b27
0x10023b29
0x10023b29
0x10023b29
0x10023b29
0x10023ac0
0x10023b2f
0x10023b33
0x10023b3c
0x10023b3c
0x10023b46
0x10023b46
0x100239e8
0x00000000
0x00000000
0x00000000
0x00000000
0x100238b3
0x00000000
0x100236de
0x100236de
0x100236e6
0x100236e8
0x100236eb
0x100236ee
0x100236f2
0x00000000
0x100236f8
0x100236f8
0x100236fb
0x1002375b
0x1002375b
0x10023766
0x1002376a
0x1002376c
0x10023776
0x10023776
0x10023779
0x10023781
0x10023788
0x1002378a
0x1002378a
0x1002378c
0x10023790
0x10023796
0x1002379d
0x1002379e
0x100237a3
0x100237ac
0x100237b3
0x100237b6
0x100237bd
0x100237c4
0x00000000
0x00000000
0x100237ca
0x100237cd
0x100237da
0x100237da
0x100237dc
0x00000000
0x100237e2
0x100237e2
0x100237e4
0x100238e8
0x100238e8
0x100238eb
0x100238ed
0x100238f0
0x10023914
0x10023916
0x10023926
0x10023926
0x100238f2
0x100238f2
0x100238f5
0x10023903
0x10023903
0x100238f5
0x100237ea
0x100237ea
0x100237f0
0x00000000
0x100237f6
0x100237fe
0x100237fe
0x10023800
0x10023800
0x100237f0
0x10023803
0x1002380a
0x1002380e
0x10023810
0x10023810
0x10023813
0x10023816
0x10023816
0x1002381a
0x10023825
0x10023828
0x1002382e
0x10023834
0x1002383f
0x1002384a
0x10023855
0x1002385d
0x10023868
0x1002386c
0x1002386d
0x10023871
0x10023875
0x10023878
0x1002387c
0x10023885
0x10023887
0x00000000
0x1002388d
0x1002388d
0x10023891
0x00000000
0x10023891
0x10023887
0x100237cf
0x100237cf
0x100237d4
0x00000000
0x00000000
0x00000000
0x00000000
0x100237d4
0x00000000
0x100237cd
0x00000000
0x100236fd
0x100236fd
0x10023700
0x10023703
0x10023707
0x10023709
0x1002370c
0x10023710
0x10023713
0x00000000
0x10023719
0x10023719
0x1002371c
0x00000000
0x1002371e
0x1002371e
0x10023721
0x10023724
0x10023728
0x1002372a
0x1002372d
0x10023731
0x10023734
0x00000000
0x1002373a
0x1002373a
0x1002373d
0x00000000
0x1002373f
0x1002373f
0x10023742
0x10023745
0x10023749
0x1002374b
0x1002374e
0x10023752
0x10023755
0x00000000
0x00000000
0x00000000
0x00000000
0x10023755
0x1002373d
0x10023734
0x1002371c
0x10023713
0x100236fb
0x100236f2
0x100236d8
0x100236cc
0x100236b5
0x100236a3
0x10023439
0x10023445
0x10023447
0x10023455
0x10023457
0x1002345d
0x10023461
0x10023466
0x1002346a
0x1002347c
0x1002347e
0x10023482
0x10023488
0x00000000
0x00000000
0x1002348e
0x10023494
0x1002349f
0x100234ad
0x100234b4
0x100234de
0x100234e1
0x100234e3
0x100234e5
0x100234e7
0x100234eb
0x1002355b
0x1002355e
0x10023561
0x10023563
0x10023563
0x100234f3
0x10023540
0x10023543
0x10023546
0x10023549
0x1002354c
0x1002354c
0x100234fb
0x100234fd
0x100234ff
0x10023502
0x10023505
0x10023508
0x10023508
0x100234fb
0x100234c0
0x100234c0
0x100234c6
0x100234ca
0x100234d4
0x100234d6
0x100234d8
0x10023514
0x1002351b
0x1002351b
0x1002351b
0x10023522
0x10023522
0x10023523
0x10023527
0x10023529
0x1002352c
0x10023574
0x1002357d
0x1002352e
0x1002352e
0x10023533
0x10023533
0x10023533
0x10023535
0x00000000
0x10023535
0x10023588
0x1002358c
0x10023590
0x1002359d
0x100235a0
0x100235a2
0x100235a9
0x100235a9
0x100235b0
0x100235b6
0x100235b9
0x100235bc
0x100235bc
0x100235b0
0x100235c3
0x100235cc
0x00000000
0x100235cc
0x1002346a
0x10023433
0x00000000

APIs

mv_image_get_buffer_size.A649 ref: 10023389

Part of subcall function 10023180: mv_pix_fmt_desc_get.A649 ref: 1002319F
Part of subcall function 10023180: mv_image_get_linesize.A649 ref: 100231D4
Part of subcall function 10023180: mv_image_fill_linesizes.A649(?), ref: 10023268
Part of subcall function 10023180: mv_image_fill_plane_sizes.A649(?), ref: 100232CB

mv_pix_fmt_desc_get.A649 ref: 10023393
mv_image_fill_linesizes.A649 ref: 1002342C
mv_log.A649 ref: 10023608
abort.MSVCRT ref: 1002360D
mv_pix_fmt_desc_get.A649 ref: 10023634
mv_pix_fmt_count_planes.A649 ref: 1002363E

Strings

Assertion %s failed at %s:%d, xrefs: 10023600
, xrefs: 10023B33

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizes$abortmv_image_fill_plane_sizesmv_image_get_buffer_sizemv_image_get_linesizemv_logmv_pix_fmt_count_planes
String ID: $Assertion %s failed at %s:%d
API String ID: 1281078460-3513380740
Opcode ID: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
Instruction ID: fcb8fd15439f2f483d5b17ebb944bfddaf5bb174ad0b20b3751318ef1a6b0b23
Opcode Fuzzy Hash: dbf823548c2b124c23c467a487ea1b459a52d23aeb8eabc41e4b7f6b7d08bb56
Instruction Fuzzy Hash: 1F429A71A083958FC761CF28E48065EBBE1FFC8354F96892EE98997310E771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10013100 Relevance: 22.6, APIs: 15, Instructions: 142COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 10013116
mv_mallocz.A649 ref: 10013128
mv_mallocz.A649 ref: 10013154
mv_mallocz.A649 ref: 100131C3
mv_calloc.A649 ref: 100132A0

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_calloc
String ID:
API String ID: 1417229449-0
Opcode ID: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
Instruction ID: 852a126e1f502dc2a5b99aeb69476376aef21eb3025c4fc6af9fe8b8a21a2e70
Opcode Fuzzy Hash: 243904e0db8cc817c6db168582f6408dcccfb0ebab956b463a2e77faa3b9a132
Instruction Fuzzy Hash: CE51D374605B069FC750EFA9D480A1AF7F0FF44780F42892CE9998B601DB74F890CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001F91B Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

mv_image_copy.A649 ref: 1001FAAE

Part of subcall function 10022610: mv_pix_fmt_desc_get.A649 ref: 10022691

mv_image_fill_pointers.A649 ref: 1001FA71

Part of subcall function 10021AF0: mv_image_fill_plane_sizes.A649 ref: 10021B60

mv_image_fill_pointers.A649 ref: 1001FBEE
mv_image_copy.A649 ref: 1001FC33
mv_log.A649 ref: 1001FD5B
mv_log.A649 ref: 1001FD8C

Strings

Could not create the staging texture (%lx), xrefs: 1001FD77
Unable to lock D3D11VA surface (%lx), xrefs: 1001FD4B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_copymv_image_fill_pointersmv_log$mv_image_fill_plane_sizesmv_pix_fmt_desc_get
String ID: Could not create the staging texture (%lx)$Unable to lock D3D11VA surface (%lx)
API String ID: 592549278-3417175521
Opcode ID: 24b71dbb73dbe40009c121059ddc25a2eb799a974b9bfa21cce5b9229e8e68c5
Instruction ID: f5ec83dd13fc7becc1cb8906caf4b861a1731c5e6261b2f5775d2eea63273682
Opcode Fuzzy Hash: 24b71dbb73dbe40009c121059ddc25a2eb799a974b9bfa21cce5b9229e8e68c5
Instruction Fuzzy Hash: 14E14AB4A087419FC364DF2AD18465AFBE1FFC8250F51892EE9998B321E774E845CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000D910 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 234
COMMONCrypto

Download Yara Rule

C-Code - Quality: 24%

			E1000D910(char* __eax, intOrPtr __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr _t49;
				char* _t63;
				void* _t68;
				unsigned int _t84;
				intOrPtr _t95;
				intOrPtr _t98;
				char* _t107;
				unsigned int _t111;
				intOrPtr _t112;
				intOrPtr _t132;
				unsigned int _t133;
				unsigned int _t135;
				intOrPtr _t162;
				char* _t163;
				char* _t165;
				char* _t185;
				intOrPtr* _t187;
				void* _t190;
				char** _t191;
				intOrPtr* _t194;

				_t168 = __esi;
				_t187 = __edx;
				_push(__edi);
				_t165 = __eax;
				_push(__esi);
				_push(__ebx);
				_t191 = _t190 - 0x4c;
				_t49 =  *__edx;
				if(_t49 == 3) {
					_t63 =  *(__edx + 4);
					_t107 =  &(_t63[ !(((((( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + (((( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + (((( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 8) - ( *(__edx + 8) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f) + ((((( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + (((( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) + ((( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + (((( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) & 0x33333333) + ( *(__edx + 0xc) - ( *(__edx + 0xc) >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) & 0x0000003f))]);
					goto L14;
				} else {
					_t135 =  *(__edx + 8);
					if(_t49 != 2) {
						_t191[5] = 0x29a;
						_t191[1] = 0;
						 *_t191 = 0;
						_t191[4] = "libavutil/channel_layout.c";
						_t191[3] = "channel_layout->order == AV_CHANNEL_ORDER_CUSTOM";
						_t191[2] = "Assertion %s failed at %s:%d\n";
						E10026560();
						abort();
						_t194 = _t191 - 0x41c;
						 *((intOrPtr*)(_t194 + 0x418)) = __ebx;
						_t95 =  *((intOrPtr*)(_t194 + 0x424));
						_t162 =  *((intOrPtr*)(_t194 + 0x428));
						if(_t95 != 0 || _t162 == 0) {
							 *((intOrPtr*)(_t194 + 8)) = _t162;
							_t112 = _t194 + 0x10;
							 *((intOrPtr*)(_t194 + 4)) = _t95;
							 *_t194 = _t112;
							E100089A0();
							 *((intOrPtr*)(_t194 + 4)) = _t112;
							 *_t194 =  *((intOrPtr*)(_t194 + 0x420));
							_t98 = E1000D4D0(_t112, _t165, _t168);
							if(_t98 >= 0) {
								_t98 =  *((intOrPtr*)(_t194 + 0x14));
							}
						} else {
							_t98 = 0xffffffea;
						}
						return _t98;
					} else {
						_t185 =  *(__edx + 4);
						_t163 = 0;
						_t107 = 0xffffffff;
						if(_t185 > 0) {
							do {
								_t63 =  *_t135 - 0x400;
								if(_t63 > 0x3ff) {
									goto L7;
								} else {
									if(_t163 > 0) {
										if( *((intOrPtr*)(_t135 - 0x18)) - 0x400 > 0x3ff || _t63 != _t163) {
											goto L12;
										} else {
											goto L6;
										}
									} else {
										if(_t63 > 0x3ff) {
											goto L7;
										} else {
											if(_t63 == _t163) {
												L6:
												_t107 = _t163;
												goto L7;
											} else {
												goto L12;
											}
										}
									}
								}
								goto L31;
								L7:
								_t163 =  &(_t163[1]);
								_t135 = _t135 + 0x18;
							} while (_t163 != _t185);
							L14:
							if(_t107 < 0) {
								goto L12;
							} else {
								asm("pxor xmm0, xmm0");
								asm("cvtsi2sd xmm0, ebx");
								asm("sqrtsd xmm0, xmm0");
								asm("cvttsd2si eax, xmm0");
								_t171 =  &(_t63[1]) *  &(_t63[1]);
								if(_t171 !=  &(_t107[1])) {
									goto L12;
								} else {
									_t191[2] = _t63;
									_t191[1] = "ambisonic %d";
									 *_t191 = _t165;
									E100089C0();
									_t132 =  *((intOrPtr*)(_t187 + 4));
									if(_t132 > _t171) {
										_t68 = 0;
										do {
											 *((intOrPtr*)(_t191 + _t68 + 0x28)) = 0;
											 *((intOrPtr*)(_t191 + _t68 + 0x2c)) = 0;
											_t68 = _t68 + 8;
										} while (_t68 < 0x18);
										if( *_t187 == 3) {
											_t133 =  *(_t187 + 8);
											_t191[0xa] = 1;
											_t111 =  *(_t187 + 0xc);
											_t191[0xc] = _t133;
											_t191[0xd] = _t111;
											_t84 = (((_t111 - (_t111 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) + ((((_t111 - (_t111 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) >> 0x00000004) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) & 0x33333333) + (_t111 - (_t111 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) & 0x0f0f0f0f) >> 8);
											_t171 = _t84 >> 0x10;
											_t191[0xb] = ((((_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) + ((((_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) + ((((_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) >> 0x00000004) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) >> 0x00000002 & 0x33333333) + (_t133 - (_t133 >> 0x00000001 & 0x55555555) & 0x33333333) & 0x0f0f0f0f) >> 0x00000008) >> 0x00000010) & 0x0000003f) + (_t84 + (_t84 >> 0x00000010) & 0x0000003f);
										} else {
											_t111 = 2;
											_t191[0xa] = 2;
											_t191[0xb] = _t132 - _t171;
											_t191[0xc] =  *(_t187 + 8) + (_t171 + _t171 * 2) * 8;
										}
										 *_t191 = _t165;
										_t191[2] = 1;
										_t191[1] = 0x2b;
										E10008D20();
										_t191[1] = _t165;
										 *_t191 =  &(_t191[0xa]);
										E1000D4D0(_t111, _t165, _t171);
									}
									return 0;
								}
							}
						} else {
							L12:
							return 0xffffffea;
						}
					}
				}
				L31:
			}

0x1000d910
0x1000d911
0x1000d913
0x1000d914
0x1000d916
0x1000d917
0x1000d918
0x1000d91b
0x1000d920
0x1000da10
0x1000da15
0x00000000
0x1000d922
0x1000d925
0x1000d928
0x1000db65
0x1000db6f
0x1000db73
0x1000db76
0x1000db7e
0x1000db86
0x1000db8e
0x1000db93
0x1000dba0
0x1000dba6
0x1000dbad
0x1000dbb4
0x1000dbbd
0x1000dbc3
0x1000dbc7
0x1000dbcb
0x1000dbcf
0x1000dbd2
0x1000dbde
0x1000dbe2
0x1000dbe5
0x1000dbec
0x1000dbee
0x1000dbee
0x1000dc00
0x1000dc00
0x1000dc00
0x1000dbff
0x1000d92e
0x1000d92e
0x1000d931
0x1000d933
0x1000d93a
0x1000d963
0x1000d965
0x1000d96f
0x00000000
0x1000d971
0x1000d973
0x1000d94f
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d975
0x1000d97a
0x00000000
0x1000d97c
0x1000d980
0x1000d955
0x1000d955
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d980
0x1000d97a
0x1000d973
0x00000000
0x1000d957
0x1000d957
0x1000d958
0x1000d95b
0x1000da17
0x1000da19
0x00000000
0x1000da1f
0x1000da1f
0x1000da23
0x1000da27
0x1000da2b
0x1000da33
0x1000da38
0x00000000
0x1000da3e
0x1000da3e
0x1000da47
0x1000da4b
0x1000da4e
0x1000da53
0x1000da58
0x1000da5c
0x1000da5e
0x1000da5e
0x1000da62
0x1000da66
0x1000da69
0x1000da72
0x1000dac8
0x1000dad0
0x1000dad4
0x1000dad7
0x1000dadf
0x1000db44
0x1000db4f
0x1000db5c
0x1000da74
0x1000da7a
0x1000da7f
0x1000da85
0x1000da8c
0x1000da8c
0x1000da90
0x1000da9d
0x1000daa1
0x1000daa5
0x1000daae
0x1000dab2
0x1000dab5
0x1000dab5
0x1000dac3
0x1000dac3
0x1000da38
0x1000d93c
0x1000d982
0x1000d98e
0x1000d98e
0x1000d93a
0x1000d928
0x00000000

APIs

mv_bprintf.A649 ref: 1000DA4E
mv_bprint_chars.A649 ref: 1000DAA5
mv_channel_layout_describe_bprint.A649 ref: 1000DAB5
mv_log.A649 ref: 1000DB8E
abort.MSVCRT ref: 1000DB93
mv_bprint_init_for_buffer.A649 ref: 1000DBD2
mv_channel_layout_describe_bprint.A649 ref: 1000DBE5

Strings

ambisonic %d, xrefs: 1000DA42

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_describe_bprint$abortmv_bprint_charsmv_bprint_init_for_buffermv_bprintfmv_log
String ID: ambisonic %d
API String ID: 1889878702-1019176007
Opcode ID: ee0daeb6caafb948a6d2a1e5de3c4420f462d241ef5e613a764e4997fd943660
Instruction ID: f104976abedc087e28adbdd94db5acb2b4b9dd0d6f6d3c777ec15cc1b2963047
Opcode Fuzzy Hash: ee0daeb6caafb948a6d2a1e5de3c4420f462d241ef5e613a764e4997fd943660
Instruction Fuzzy Hash: 0D81D2B6B147018BE314DF28C88135DB6D2EBD82A4F0DC63EE989D7349E634DD418B92

Uniqueness

Uniqueness Score: -1.00%

Function 10012A70 Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 10012A96
mv_mallocz.A649 ref: 10012AA8
mv_mallocz.A649 ref: 10012AB6
mv_calloc.A649 ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_calloc
String ID:
API String ID: 1417229449-0
Opcode ID: 3961a8143fb2640b46fa4abe10631e48d72dc7f59a8019542beb5829ff2d5fe6
Instruction ID: 4f273aacc6c8985cf144dd44f50dfa69b109835566be6b0f09916b89282c3819
Opcode Fuzzy Hash: 3961a8143fb2640b46fa4abe10631e48d72dc7f59a8019542beb5829ff2d5fe6
Instruction Fuzzy Hash: AE21B4B89083058BCB44DF2691C111ABBE0FF88750F86495DEC889B306D774E9A1CB96

Uniqueness

Uniqueness Score: -1.00%

Function 10013480 Relevance: 9.3, APIs: 6, Instructions: 286COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.A649 ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
Instruction ID: 5f2a4f4094cb7a0488fc386a39adfcdd6b5e851adb51ea05a95b9a0d2f55e3bd
Opcode Fuzzy Hash: c553b2355f7102cf38e75df9346fe31f6216a4e4802c0632ce5a8ed455da1efe
Instruction Fuzzy Hash: 44B156B1A083418FC764CF29C58461AFBE2FFC8250F56896DE9899B350E631E981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000C9F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

%d channels, xrefs: 1000CAF8

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %d channels
API String ID: 0-1351059727
Opcode ID: 8f88c7eba476947328e87fe40425447bcd99ec8031b5ce492b0e1bd0b4f33cc5
Instruction ID: c9c7a3ae5954c17f5d5603ead32183c847cfa5897b85e8beb4ef6d1985739e28
Opcode Fuzzy Hash: 8f88c7eba476947328e87fe40425447bcd99ec8031b5ce492b0e1bd0b4f33cc5
Instruction Fuzzy Hash: 2351E9B6B047054BD308DF28D85126EB7E2FBC52A0F58C83EE586C7345EA35ED418782

Uniqueness

Uniqueness Score: -1.00%

Function 10004E92 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

5, xrefs: 10005A43

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 8c34031281f05981b35ae4ee14f6d353663a4fd5595eac9e1f2529c1aa918aeb
Instruction ID: 82e3e90c80df05b3ebb486816bd560cbecfc5632781b0360fe89ac2d938562c2
Opcode Fuzzy Hash: 8c34031281f05981b35ae4ee14f6d353663a4fd5595eac9e1f2529c1aa918aeb
Instruction Fuzzy Hash: DD423C31A18B818FE365CE28C48135FB7E6FFC53C5F258A2EE48997255EB319845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10004C96 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

4, xrefs: 10005E70

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 4d8cbeff02eae78f0e6d9551b3900ff6fa45a2d250c9fd757a52c3161d27cb74
Instruction ID: 142c53129f6dd5162a6dc74f8f9d5308986cdb620bee08254c43db3c68278e48
Opcode Fuzzy Hash: 4d8cbeff02eae78f0e6d9551b3900ff6fa45a2d250c9fd757a52c3161d27cb74
Instruction Fuzzy Hash: 5D023A30A18784CAE375CF24C88479BB7E6FF85381F218B1ED48A97259E7719885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10007270 Relevance: 6.3, APIs: 4, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
Instruction ID: 80344777319d5c39256bea2cca684abcfe3cba157365ca00e8d05506c74a31d6
Opcode Fuzzy Hash: f015b48431e7a80715030cee135de255bbf03b7162adfda3c796d469d01474f6
Instruction Fuzzy Hash: 54C19E71A087858FD354CF2D888064EBBE1FFC9294F198A2EF8D8C7355E675D9448B42

Uniqueness

Uniqueness Score: -1.00%

Function 10003BA5 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

p, xrefs: 10003E93

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 8d7e843892f8bc59acea61e8ee3f406ea24a0c133f8ecf0cb21e14aadc3c8eac
Instruction ID: b120ad44887f90431df98fb91d1d6e0570ae98d5f198b3888bdd975ad240fbdf
Opcode Fuzzy Hash: 8d7e843892f8bc59acea61e8ee3f406ea24a0c133f8ecf0cb21e14aadc3c8eac
Instruction Fuzzy Hash: B8421775A083918FE374CF298480B9BB7E2FFC9390F558A2ED98997355D7709841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10092180 Relevance: 4.6, APIs: 3, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 100921A1

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
Instruction ID: 7e8eca435f47cc72285f0ff92e2e59cf077fa7250504efb7398187b0f8841556
Opcode Fuzzy Hash: 239ab144a6ce047cfb13d847f2b01901541eb90a974f5925169c811fb4947156
Instruction Fuzzy Hash: FC2139B04093419FDB20EF28D58825ABBF0FF84350F11892DE8D987258E738D584DB52

Uniqueness

Uniqueness Score: -1.00%

Function 10012CF0 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220783f6518366c083297090f3e1f15f6edb796605cfe3e619791d83dcd7bf41
Instruction ID: 5805fcc4f61ad00ae9ae6704460015b8043034553e22dbe709ae6012cd6c24b5
Opcode Fuzzy Hash: 220783f6518366c083297090f3e1f15f6edb796605cfe3e619791d83dcd7bf41
Instruction Fuzzy Hash: 28E0A5B45083048BCB00EFA8D0C191AFBF0FF58244F80485DA9884B303D275E5548BB2

Uniqueness

Uniqueness Score: -1.00%

Function 10013860 Relevance: 3.2, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

mv_malloc.A649 ref: 10013AE8

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloc
String ID:
API String ID: 3797683224-0
Opcode ID: db7b46ff415f0054f38cb9c001ad25aec02b0895e2a85fae17c1af358806de38
Instruction ID: 2c16346d9416021724ca7b8b44fcd442ffeb85943fcf338eab2551d35e8829f5
Opcode Fuzzy Hash: db7b46ff415f0054f38cb9c001ad25aec02b0895e2a85fae17c1af358806de38
Instruction Fuzzy Hash: E6718DB2A042568FCB14CF28C88175AB7E2FF94354F66C568ED899F341E671ED81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 100084B0 Relevance: 3.2, APIs: 2, Instructions: 185COMMON

Download Yara Rule

APIs

mv_blowfish_crypt_ecb.A649 ref: 10008642

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_blowfish_crypt_ecb
String ID:
API String ID: 997994871-0
Opcode ID: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
Instruction ID: d8ffb9ab9be6425fb2f2151958634ca33b63df147d529954a2eeef9d18f7c60e
Opcode Fuzzy Hash: e25778ea9fdb925930b24f7ee5b61e2c5b198a0ae9bacbd401b09897083a4e10
Instruction Fuzzy Hash: 537145B19097818BC709CF29D5C846AFBE1FFC9245F118A5EE8DC87344E270AA04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 100243C0 Relevance: 2.1, APIs: 1, Instructions: 601COMMON

Download Yara Rule

APIs

mv_mod_i.A649 ref: 10024C49

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mod_i
String ID:
API String ID: 416848386-0
Opcode ID: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
Instruction ID: dd13ca78155645af025b07bce56f249e9a9f1717602db99794a3f06de0c2c3b2
Opcode Fuzzy Hash: 3d8ce93c5e70e6cdd39acc70d59f7b57e28878e6643059ac4b681878335ad598
Instruction Fuzzy Hash: F7420872A083A18BD724CF19D05066FF7E2FFC8750F56891EE9D997390DA70A840DB86

Uniqueness

Uniqueness Score: -1.00%

Function 100353B0 Relevance: 1.9, APIs: 1, Instructions: 385COMMON

Download Yara Rule

APIs

mv_gcd.A649 ref: 1003544D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_gcd
String ID:
API String ID: 2848192316-0
Opcode ID: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
Instruction ID: e6b2b5b070de62496659ab70d0058dc1d8b8705572cd85af2ca405c8e7fadc16
Opcode Fuzzy Hash: 94c61de4151f85b2e349843c83d37783726b6990a1d380f2b046a8bb30d58925
Instruction Fuzzy Hash: 5DF1BF75A083508FC358CF2AC48060AFBE6AFC8750F558A2EF998D7361D670E9458F82

Uniqueness

Uniqueness Score: -1.00%

Function 100215D0 Relevance: 1.8, APIs: 1, Instructions: 297COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get
String ID:
API String ID: 2427544746-0
Opcode ID: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
Instruction ID: 559f6f707dd61799b0b773c6f5cd064c8ce248da486725d9c35fe17e2713b67a
Opcode Fuzzy Hash: 0249601a095a9487cf98e69da83eb75bdd383411e2ebe0cdbe0f724ec450abf0
Instruction Fuzzy Hash: DBA138387083098FD758DE29E4507ABB7E1EF94390F94463EE866CB780EB31E9458B01

Uniqueness

Uniqueness Score: -1.00%

Function 1000EDB0 Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200260e9623359c508817fde2ba7d890febb787173ff349f83ddfd7edfc928b9
Instruction ID: 0d64d5b4eefbac50bd85d2b9f56cd68fe73ffd577be4b7bc55791283b886aa23
Opcode Fuzzy Hash: 200260e9623359c508817fde2ba7d890febb787173ff349f83ddfd7edfc928b9
Instruction Fuzzy Hash: 0651F7767043464BE718CE58D8C062DB3D1EB883B4B1EC63DEE59AB399D630EC45C681

Uniqueness

Uniqueness Score: -1.00%

Function 10012D40 Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

mv_encryption_info_alloc.A649 ref: 10012DD5

Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012A96
Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012AA8
Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012AB6
Part of subcall function 10012A70: mv_calloc.A649 ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_callocmv_encryption_info_alloc
String ID:
API String ID: 3322142038-0
Opcode ID: 42a5be7598cb39ad7791f87488e6a70f642197d01b399c05ab6afc0b11886a48
Instruction ID: 564550559dc25ff60d170d57d2507b8afd000e4bbd60ef45d364b311c6fa6347
Opcode Fuzzy Hash: 42a5be7598cb39ad7791f87488e6a70f642197d01b399c05ab6afc0b11886a48
Instruction Fuzzy Hash: B1517CB2E042118BC704CF19C48461AFBE2FFE8354F26856DD88CAB315E674EDA5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10012F30 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

mv_malloc.A649 ref: 10012F7A

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloc
String ID:
API String ID: 3797683224-0
Opcode ID: 81d28308b882d5f4623ba03a4cb6e0d6900f7a61f4160e1c68357bd0d0ea50d7
Instruction ID: 1adcf7182058be620f8e636bbbeb519e55af080e35c08bbc079e009f233bf123
Opcode Fuzzy Hash: 81d28308b882d5f4623ba03a4cb6e0d6900f7a61f4160e1c68357bd0d0ea50d7
Instruction Fuzzy Hash: 895192B2E042058FC705CF28D49461ABBE1FF98251F1685ADD98DDB342E331D999CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001363B Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.A649 ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
Instruction ID: 78d0e82bed4cec982bfd679939fa63163902b3eee1ff480991edcad54221ee49
Opcode Fuzzy Hash: cd6924afccd7b87e315566fc0b34ac7627ccdbad5b7df46105264a39c2b01be1
Instruction Fuzzy Hash: 1951F5B1A087419FC744CF29C58451ABBE2FFC8654F56CA2DF889A7350D731ED458B82

Uniqueness

Uniqueness Score: -1.00%

Function 100136FB Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

mv_encryption_init_info_alloc.A649 ref: 10013562

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_encryption_init_info_alloc
String ID:
API String ID: 3189372936-0
Opcode ID: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
Instruction ID: 95a8c643b77e51546d68e8d33e3f4ed292e5d24ad01eeb6ce01257d6c0bf5d32
Opcode Fuzzy Hash: ef5d398cf4f7091da99b035e9d0245d92d88978e73b2c3d1eb8e068e5064dbea
Instruction Fuzzy Hash: 2D5128B1A087419FC744CF29C58461AFBE2FFC8654F56C92DE889AB350D731ED428B82

Uniqueness

Uniqueness Score: -1.00%

Function 10002480 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

mv_aes_crypt.A649 ref: 10002554

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_aes_crypt
String ID:
API String ID: 1547198422-0
Opcode ID: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
Instruction ID: 6533aa27bc2eace4d46e94b1d96a72d5c0883edd5f4be066e5c3eb9db2eb8fbd
Opcode Fuzzy Hash: a76755bfb4d6463656838ecde433fd04cde547babbb3dbb5163c6ebd5a4d3b10
Instruction Fuzzy Hash: 81419D3510D7C18FD301CF69848054AFFE1FF99288F198A6DE8D993306D260EA09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1000EAC0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

mv_channel_layout_index_from_string.A649 ref: 1000EAD6

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_index_from_string
String ID:
API String ID: 1941520394-0
Opcode ID: b5427e202f8ac7429ec52a8e90e2a2ab38b9bd65bff75006616c9072962c14a1
Instruction ID: dd8c77e47ba7934b60b61c42e329a9640ddafb1186b5f9bdd33cfe49ccecab15
Opcode Fuzzy Hash: b5427e202f8ac7429ec52a8e90e2a2ab38b9bd65bff75006616c9072962c14a1
Instruction Fuzzy Hash: 6331E4B7F1476A0BE7209999DCC0216B3C0EB88270B4E863DDE5AA7786F551BD1582C1

Uniqueness

Uniqueness Score: -1.00%

Function 10012B40 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

mv_encryption_info_alloc.A649 ref: 10012B5E

Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012A96
Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012AA8
Part of subcall function 10012A70: mv_mallocz.A649 ref: 10012AB6
Part of subcall function 10012A70: mv_calloc.A649 ref: 10012ACD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_callocmv_encryption_info_alloc
String ID:
API String ID: 3322142038-0
Opcode ID: 0d1d6d985499e695549cee1dfdc865532ac4685cf5ab5fd08e705158918137f9
Instruction ID: 70bb560b92b21ff9a949702552601914469cb58a4fc0686d30597e3817c1d297
Opcode Fuzzy Hash: 0d1d6d985499e695549cee1dfdc865532ac4685cf5ab5fd08e705158918137f9
Instruction Fuzzy Hash: 19418DF69082518BD714CF14C5D162BBBA2FF94310F6686A8CE890F309E335E9E1D790

Uniqueness

Uniqueness Score: -1.00%

Function 10002523 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

mv_aes_crypt.A649 ref: 10002554

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_aes_crypt
String ID:
API String ID: 1547198422-0
Opcode ID: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
Instruction ID: b15eea7d1e62e16a03610dfd725cbd08b0199710858140edd711ee624ae9ea9b
Opcode Fuzzy Hash: 3928a72eaf0bdf75db777ef61b97453f1547db555a5c878ed5744eb0c7f909a7
Instruction Fuzzy Hash: DC31C47610D7C18FD302CB6990C0099FFE1FF99248F198AADE4DD93706D264EA19CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1000867B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

mv_blowfish_crypt_ecb.A649 ref: 100086C2

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_blowfish_crypt_ecb
String ID:
API String ID: 997994871-0
Opcode ID: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
Instruction ID: 3ce9d50094e6346554c2820e15aae8c95f0dca09f8e32c6084807ed2f7b375be
Opcode Fuzzy Hash: acf8950ea6c148c44c64157bc22eca501f0550abc9d144bf7c67352d16790dd9
Instruction Fuzzy Hash: 26019DB59093448FC709CF18E48842AFBE0FB8C355F11892EF8CCA7740E774AA448B46

Uniqueness

Uniqueness Score: -1.00%

Function 10010750 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010911

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
Instruction ID: 42a7ec19d686179b44da1d5c9b288b2ee9791ca70b21cf781f8aa0d3f756190c
Opcode Fuzzy Hash: 0ad661e65bf89006e5cb82a1dd902ac23a8ed1824c44f0f6cdc208644b3eae13
Instruction Fuzzy Hash: 48615E76A183158FD308DF19D88021AF7E2FBC8710F59892DF998DB351D674EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 10010980 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010B38

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: c6972a37ad2e2222d65afc4e55376d73186b7d177790482f72f96b84295bef74
Instruction ID: 88479de14bb2f39b9fc55125830bf113a632cebd2de1f332091022c863dacf4c
Opcode Fuzzy Hash: c6972a37ad2e2222d65afc4e55376d73186b7d177790482f72f96b84295bef74
Instruction Fuzzy Hash: F7519C76A183148FD308DF19D88025AF7E2FBC8710F5A892DE998DB311D770EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 10010778 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010911

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
Instruction ID: 7f4d39fd12622659375b300fc8b1f39ce51f3fa70086a48383707f29ea88d571
Opcode Fuzzy Hash: b861221cc90de6241f85d3be745dbcb4f6bcddd84e3623fe88ddccbc427f34d0
Instruction Fuzzy Hash: E5517D76A187158FD308DF19D88021AF7E2FBC8710F4A892DE999DB351D774EC059B82

Uniqueness

Uniqueness Score: -1.00%

Function 1001099C Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

9%lld, xrefs: 10010B38

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 9%lld
API String ID: 0-1067827528
Opcode ID: 06a843a8851a56a66e7df70c880cd4096c4c69da5a0f70d5f5e3fd97c5f100c7
Instruction ID: 19cd5f952c3110aaa204112f2fa5bdffc5ff9ac6086c667ec371dfd1999c3bcc
Opcode Fuzzy Hash: 06a843a8851a56a66e7df70c880cd4096c4c69da5a0f70d5f5e3fd97c5f100c7
Instruction Fuzzy Hash: 9F518B76A187158FD308DF19D88025AF3E2FBC8710F5A892DE999DB311D770EC159B82

Uniqueness

Uniqueness Score: -1.00%

Function 100105C0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

*, xrefs: 100106C6

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
Instruction ID: cf0b5ffff515d544aa88b6753479d2fbc1523f17d7230f1051f2f56c5c5a0ce0
Opcode Fuzzy Hash: ebd0914c98d536ce5320c55f93b04da2ed1618b2e22c755dc20f5b7cb9212f43
Instruction Fuzzy Hash: EB414DB6E083514FD340CE29C88021AF7E1EBC8754F5A892EF8D8DB351E674ED418B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF80 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

front left, xrefs: 1000D055

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: front left
API String ID: 0-959785498
Opcode ID: 5dc4a86968912c40a224136d3b018256f9518c9d60abd3c84712a58f876fd2e5
Instruction ID: 2ab1a599838adb3b19c1588154a140063e0cd34b904c30bf708a2c06bbf202e1
Opcode Fuzzy Hash: 5dc4a86968912c40a224136d3b018256f9518c9d60abd3c84712a58f876fd2e5
Instruction Fuzzy Hash: FB115EB3E2582107EB5C9418AC2437E52C297E4270F0F827FDD5BA7385EC609D1286C1

Uniqueness

Uniqueness Score: -1.00%

Function 10028070 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
Instruction ID: 3bfc1c5f2a162aac7bd0c21019aebd2925a812e4926be9baa0010d95d64e9f74
Opcode Fuzzy Hash: d6db034cff99af1e7203ee44394934ffb7567196ced3806a0dc990b907df53bb
Instruction Fuzzy Hash: 9532503274471D4BC708EEE9DC811D5B3D2BB88614F49813C9E15D3706FBB8BA6A96C8

Uniqueness

Uniqueness Score: -1.00%

Function 10002F80 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0554871a15d8efd313454b027a25d14df86a48595c731b3cc2535c8c16f114
Instruction ID: d531ad45d397c355fd26d2f276cd1f5546806a71bcbcd5fd573efae9eed053bf
Opcode Fuzzy Hash: da0554871a15d8efd313454b027a25d14df86a48595c731b3cc2535c8c16f114
Instruction Fuzzy Hash: 8E420771A083918BE371CF29C48078FF7E6FBC9390F158A2ED89987359DB7598458B42

Uniqueness

Uniqueness Score: -1.00%

Function 1000B0D0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
Instruction ID: 3194deff8c1016480bd4981d57c44dc359412b19884f203e35b39e086724ce96
Opcode Fuzzy Hash: 33419a9aeb14ce56b4ab0fd1bc83750a17983b722cf78c8c468c2c97687aa838
Instruction Fuzzy Hash: D342DE756087409FC754CF29C58099AFBE2BFCE250F16C92EE899C7356D630E942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10007DC0 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89019973bee3dffa5506d068e04858f8f99ab5c1de9c519b00743639777b486
Instruction ID: 7b21dc0033a548e5174aa2f0601695db2f061ee7d4fbd3404672eef6e23c78c5
Opcode Fuzzy Hash: f89019973bee3dffa5506d068e04858f8f99ab5c1de9c519b00743639777b486
Instruction Fuzzy Hash: 4A222635A002218FD398DE1ED8D0D6A7393ABC4329F57C36E9E445B3AACD38786597D0

Uniqueness

Uniqueness Score: -1.00%

Function 10001C10 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45114ea78a404cb3cc5152c11c1bce9efc033c213ab6a958cd88ee2eb44a16a
Instruction ID: f74a24015f26f5817d470ebb5349e6953816b24295dffa4bf4435206cc52e42c
Opcode Fuzzy Hash: d45114ea78a404cb3cc5152c11c1bce9efc033c213ab6a958cd88ee2eb44a16a
Instruction Fuzzy Hash: 5212903090C3D18FD315CF29C4902AAFBE1EF8A354F1949AEE8D58B356D234EA45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000AB30 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d71789e1cfc5ba619a513dd52caf5850fc783eb8f71c40b6a59df87316754b2
Instruction ID: 41af5d95f87fbfb2af461ad8df70ea3d515ec82b3f583ba1e2401cfb082bbbf6
Opcode Fuzzy Hash: 2d71789e1cfc5ba619a513dd52caf5850fc783eb8f71c40b6a59df87316754b2
Instruction Fuzzy Hash: C102A075A087119FD744CF29C58061BFBE2AFCC650F16C96AE898DB319D770EC428B92

Uniqueness

Uniqueness Score: -1.00%

Function 10027220 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
Instruction ID: a1783afd4e89d5d45f318d4dea30fc4f4dbee87a7b07b29a2b4422f07ac09f3a
Opcode Fuzzy Hash: 649db449800bb8f44d4b591db05436e0eed4080366275189c04215ec29e8d69e
Instruction Fuzzy Hash: 55E10675B083008FC314CE2CD88060AFBE6BBC9764F598A2DF999D73A1D775E9458B42

Uniqueness

Uniqueness Score: -1.00%

Function 1004C4C0 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
Instruction ID: cfe0db77eb5cf6d1d758d10ab8d8d19e39a375eed658ea468c837abfea5f450e
Opcode Fuzzy Hash: cdd2940973defb10da75f7d0a0d281f42e3bf5b71a3b14d95178fa4bbb93f91a
Instruction Fuzzy Hash: C6D124729083698BC790CE28C88176A77D2EF85310F3A89BDDC95CF346E635E844DB95

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC40 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f79798d6274997cf86a9830772a643e2613ef96d413b4a7de7c3b2c507637b8
Instruction ID: 6a64d29b74dd50650807f73386f8a28ca4746a726bb9b946e7f8f6c26765422b
Opcode Fuzzy Hash: 1f79798d6274997cf86a9830772a643e2613ef96d413b4a7de7c3b2c507637b8
Instruction Fuzzy Hash: 13C16336A002358FD708CF59E8D48E533A3ABD931174F87ADE646973A5CA30F825DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B830 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52550eb076a4e706d339de0456ef0f0ef9ca300451e06a09269b05e4983c36a4
Instruction ID: 1df3b6ebd6122cdab682df68e20255591825bd97864da38137cd296708d31c63
Opcode Fuzzy Hash: 52550eb076a4e706d339de0456ef0f0ef9ca300451e06a09269b05e4983c36a4
Instruction Fuzzy Hash: A3C13E396042284FD74CDF29E8E48B53363ABD8351B4B83ADE602473E5CA34B925DB94

Uniqueness

Uniqueness Score: -1.00%

Function 10023E60 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0655b07f9a60d7e6c93e24dd163bbcdd8dd7aa916f57eec32edbbdc4cc49b7
Instruction ID: 1e62236828b6e9aa1aac8753ad24f8483ce13cbba946de52bf7a155bd76cfe5a
Opcode Fuzzy Hash: ee0655b07f9a60d7e6c93e24dd163bbcdd8dd7aa916f57eec32edbbdc4cc49b7
Instruction Fuzzy Hash: 5CA12C715083668BD350CF19E94122BF7F0FB84684F528A2EFC94DB290E734D991DB82

Uniqueness

Uniqueness Score: -1.00%

Function 10008144 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
Instruction ID: 8c294614796abfce7a9b313687c0130c20c351539878b9b69ed8c38673feebb7
Opcode Fuzzy Hash: 0fdca86bf5610cf8d83fc9a2a9123c7de6589e9a7e00ce3a8cca6f1a48dd3632
Instruction Fuzzy Hash: 2DA134356002118FD398DE1FD8D0D6A7393ABC432DF5BC26E9E445B3AACD38B4669790

Uniqueness

Uniqueness Score: -1.00%

Function 10007A50 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930e695f6b8eca41130a53b596d6cf8baec4992ec9755c4dd3e6ab00923b5f85
Instruction ID: ebf589678dd2b21f450bef16afd8acf277a4c86fda3af18da15dd9d105d6ad1f
Opcode Fuzzy Hash: 930e695f6b8eca41130a53b596d6cf8baec4992ec9755c4dd3e6ab00923b5f85
Instruction Fuzzy Hash: 0CA13C70E003198FD39CDE1ED850E7A73A3AFC8229B8B865E95464F2F6DD346461C798

Uniqueness

Uniqueness Score: -1.00%

Function 1002A800 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
Instruction ID: 5a3567ab1930261374c9840a1c83134747ca7f3c34ec4ff9dc62d8c6c08ad054
Opcode Fuzzy Hash: fb23b611c883a24b7dc64f5ed3ae72e36c28d5f49227ddd76db04b40012c1942
Instruction Fuzzy Hash: 59815172B047019FD308CF19D58161AF7E7ABD8210F5AC43DA999CB3A5DA74E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10091A40 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee1c2db8a7d7445515ed4ed8b5a79ec0df0280c1516db77d56b195c4cd682aa
Instruction ID: c0db4bac9e752cda226084d9a6b8fff8e792133d8021f7f25b9a52affd6acdcb
Opcode Fuzzy Hash: aee1c2db8a7d7445515ed4ed8b5a79ec0df0280c1516db77d56b195c4cd682aa
Instruction Fuzzy Hash: 76514C717087164BD704CE2EC49425AFAE3ABC8260F15CA3EE59DC3794EA70DC499B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000E760 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
Instruction ID: a9fd71970cc6ae0704401159e34ccb1fdaf457640d2c7af12330d1c819c8daf0
Opcode Fuzzy Hash: f7460696957a74314385251e6c6bcc12f45c6b26b427e07c74903d9ed9e685e2
Instruction Fuzzy Hash: 8941B173F2582507E7188828CC05319B2C3DBE4271B1EC37AED59EB789E934ED1686C2

Uniqueness

Uniqueness Score: -1.00%

Function 10001900 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c9731ac9791965d3b7a154f2342cee9636098d280da4ae3d7531fa599f4c67
Instruction ID: cc9643936d2b1120ca3b10c8b858c6b31ca5e6aa37f2d348ce5eafb853cc114c
Opcode Fuzzy Hash: 08c9731ac9791965d3b7a154f2342cee9636098d280da4ae3d7531fa599f4c67
Instruction Fuzzy Hash: E791D7755042618FDB40CF29C480692BBE1FF99324F1D85BAED989F31AD270A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000FBC0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cead09edc808eba7652fd3d48dd65b28855fe963b82d9cdceffa72e781f375
Instruction ID: d4bf447c78ef34d846e3780bb63b59d672897940ec14c231ea6f15673d30e65f
Opcode Fuzzy Hash: 76cead09edc808eba7652fd3d48dd65b28855fe963b82d9cdceffa72e781f375
Instruction Fuzzy Hash: D451F433A209684BE304CD3ACC4079E72D3EBC4245F1EC77AD955CB64EDA74E9069780

Uniqueness

Uniqueness Score: -1.00%

Function 1000164B Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
Instruction ID: 873dc1b037270df3c72fc734cdf9910190291773d7bcced776bb32a5dc4e00db
Opcode Fuzzy Hash: 4b52556cb5978d76f0a161bfc99e885d281cec0efd41f06b8f83135470bebe30
Instruction Fuzzy Hash: 3081E2745042528FDB94CF29C5C0A96BBE1FF9E310F59C4B9ED988F61AE230A941DF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000EC10 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f31e89bf383224261359c19d973366952f6040810ff11a53915b1b7b06738d
Instruction ID: 7e8a3e0d9609ec9b68da2310c9f9daf873c96b394346dc03648b3db89d458a9c
Opcode Fuzzy Hash: e3f31e89bf383224261359c19d973366952f6040810ff11a53915b1b7b06738d
Instruction Fuzzy Hash: 3E318BB7B2574307E70C89A8DCE232892C1E76823078DC23EEB17D7787E454DD5A8642

Uniqueness

Uniqueness Score: -1.00%

Function 10091900 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 077d42be5f2903746ef15cd59dbb682990c555792fad529c54c47e406318dc5a
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 7F31C13170831A4BC714EEAEC4D439AF6D3DBC82A0F56863DE98DC3380E9718C45A782

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD50 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6082cca1dc85545b64e55bf4046541dfc96b67093dd2ab0c149368fdd1ef0414
Instruction ID: e3fe650a6823e4e4dc9b535e6935c2817203043b6de3b1da7cd6ba713d0eb7c0
Opcode Fuzzy Hash: 6082cca1dc85545b64e55bf4046541dfc96b67093dd2ab0c149368fdd1ef0414
Instruction Fuzzy Hash: 8B3150F7F2692A03D31C441D9C11325A1C396E853075FC37EAE6AE77C6EC25AE1541C2

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC10 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20aa1a2ed174444797f685eedafff3cac45e3a360d2fd9617722acb5f664a91e
Instruction ID: f0472b0e8e5d5ce24967d3d273812064255cadfc7dac72f8d46582de7e0842bc
Opcode Fuzzy Hash: 20aa1a2ed174444797f685eedafff3cac45e3a360d2fd9617722acb5f664a91e
Instruction Fuzzy Hash: 243146B3E1422A47E314E8089C80518F392EBD82B0B1FC376CD4DDB386E961AE45D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 10024280 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
Instruction ID: d243654ff977fd15b0e0421b28be889c9be6cd6a9a899c254bf598e7771c2fe2
Opcode Fuzzy Hash: 21e1bf70edc85c72b57ecd771a589712a2623989afca4d70576e69868d5c536e
Instruction Fuzzy Hash: 0A4174627043329AE314ABEDF4C045EF2E1FE81BA1B874A69D2952F141D230D84DC7EB

Uniqueness

Uniqueness Score: -1.00%

Function 1000D060 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
Instruction ID: 6d93bd8323a72235920ba6e149a4a7bae96c73b66a2dfad555009d0c6ff0ce4f
Opcode Fuzzy Hash: 01961a118ebc83994ce737a496e9055b1f8ab46d9bbd015c8cfe35346e32c7fc
Instruction Fuzzy Hash: 5311D2B3F2453203E71CD4199C2136D828387E82B071FC23FDE47A7286EC609D5682D1

Uniqueness

Uniqueness Score: -1.00%

Function 1000FA00 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16418492506d26e88d9ea5ffe778ecedbadd0674902667d5b4f3f091e616a9e4
Instruction ID: 959dd8b958685b2c602623f8f1487b2043f59aa88e98173f8505a8abe479dfa4
Opcode Fuzzy Hash: 16418492506d26e88d9ea5ffe778ecedbadd0674902667d5b4f3f091e616a9e4
Instruction Fuzzy Hash: 01214F33BA0CAB07D748CD7ACC823DA62D3E7C4209F49C6789556D7649D53DD8429680

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAE0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3141d09b1683437dc047317c092a48923b199cea0971d17c0b8de08017b4ddf
Instruction ID: 7401ec26052bbdd11a75dd464f743d8617a1d02d8098354ba99e3f62ca5db7ec
Opcode Fuzzy Hash: f3141d09b1683437dc047317c092a48923b199cea0971d17c0b8de08017b4ddf
Instruction Fuzzy Hash: A8219D73F300320BC728CD7D8C5825662C1D7C8295B4E8BB9EE58EF786E668DD419AC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C0B0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
Instruction ID: 192b5b8e635135c3962563ef613f7b52fce4010c0b042699b34e9086fceffb22
Opcode Fuzzy Hash: de151643a332339ce823666c471d4da1aa7b144928b0c7d3fd1e004a2c822b77
Instruction Fuzzy Hash: 38316F651087D85ECB11CF3544904EABFE09EAB581B09C49EF8E84B247C524EB09EB71

Uniqueness

Uniqueness Score: -1.00%

Function 1000CEA0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bb7ca2ba318957724152ec919bcb70df8848964d6559460410a9bad870d3d6
Instruction ID: ace7997b726ea7843da6b770c817bbd0d9cae6de449fa2ba7366279bb7787243
Opcode Fuzzy Hash: 79bb7ca2ba318957724152ec919bcb70df8848964d6559460410a9bad870d3d6
Instruction Fuzzy Hash: 6B1181B3E2492603EB5C85189C2077952C3D7D52B0B0F837FED5BA7385EC605D5182C2

Uniqueness

Uniqueness Score: -1.00%

Function 100101D0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
Instruction ID: 7615e6e647f5862a10f08712ea71b14590be4302af2179b17c0dfb1654340f57
Opcode Fuzzy Hash: c78873d4f70a7114040ce7729ab5ab63925d14f9cd724e7e38f810f9ad5a330b
Instruction Fuzzy Hash: FF2122726042658BCB14DE19C8D86AB73E2FBC9314F168A68E9C55F205C234F84ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAF7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e8cd7bf255c7c8b941f54418a5bf7396c934417188cacc302b08a8026b8cc6
Instruction ID: e42923ef10120b0fce72e2dfd62ff0f6b1e92c6f034ab2fe8244b6ba9566043e
Opcode Fuzzy Hash: 21e8cd7bf255c7c8b941f54418a5bf7396c934417188cacc302b08a8026b8cc6
Instruction Fuzzy Hash: 2F115E73E301320BC724CD7D8C4834262C1D788256B4E8BB5DE98EF342E268ED429AC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA10 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7af4f46a08e7ef1a4a56e4a40f5981226a4f69f761e678816acde0877da6c7
Instruction ID: 4618d661b8687cc8c0899b5e88aa78636db23022fb76ddc9f1eb2064e60bd1bc
Opcode Fuzzy Hash: 2c7af4f46a08e7ef1a4a56e4a40f5981226a4f69f761e678816acde0877da6c7
Instruction Fuzzy Hash: 67314DB1A006344BE358CF1AEDE062AF3E2E38C320F46416DD999D33B1D9786825D792

Uniqueness

Uniqueness Score: -1.00%

Function 1001E0D9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
Instruction ID: 69aa92c53cb6c6df6d72f2decc3ec4bd7719b31d68b56e1e2cf303e831d432a8
Opcode Fuzzy Hash: 0c76c69a6e16dc7822b4f5a1a757f8ccc5bafd5d8a12991ea2ea248d2ead5663
Instruction Fuzzy Hash: 9421BF71A08189EFCB68CF98C8A1A9DBBF5EB09314F244095E905AF751D330EDC1EB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001021B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
Instruction ID: bcaa8491dccb865917a35a3d808823525e0e43ff59a73624eea8fea794acadd0
Opcode Fuzzy Hash: 123d4edf2cae72c4cb44158153aca10c35860e83f93e9ec1453424ef70596d6d
Instruction Fuzzy Hash: 141134326041618BCB15CE69C8D86AA73D2FBC9315F17C968E9C69F245C334F94ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1000ECC9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b3cff72a2fe030a4ed2511b45a548b940cb1d6c9d7d61aaa5361d334626fbb
Instruction ID: a76a18bd8d72b9e19a2e58a34af59ce664b239cd2ef53a40b3fd3bff6214917f
Opcode Fuzzy Hash: d0b3cff72a2fe030a4ed2511b45a548b940cb1d6c9d7d61aaa5361d334626fbb
Instruction Fuzzy Hash: E2011DE7B6170707D70C48A8DCE632892C1E36813078DC13EEB17D7783E4549E6A8642

Uniqueness

Uniqueness Score: -1.00%

Function 1000C1B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
Instruction ID: f8771a243a862af8759e5689c7b57640d36b1020b076dab7645bd5d8fe9118fc
Opcode Fuzzy Hash: ca7d7dad83a973bb790b37e6832e95b579524e0ac113e1f4aa988c8562b958bd
Instruction Fuzzy Hash: BDF0F676B1435947E900DF459C40B8BB7D9FFC42D8F16052EED48A3305C630BD0586A1

Uniqueness

Uniqueness Score: -1.00%

Function 1008DB50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
Instruction ID: fb49bc79d4318df5132ff4e8978937c42cbf5c601f0cfd761cb428f5592a7514
Opcode Fuzzy Hash: 566e91d0b8d452359c7bb78fe999ee31250548b62ca49a35f0ac2a50155920e7
Instruction Fuzzy Hash: 19E0C9B62193159FE314DE09E8808A7FBECEBD8664B10492FF4C493300C231AC448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 10010E40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4a808940af3d4a140e2e1c9c95b8793836aa8f74c0c524a2d00d0069a1faa0
Instruction ID: 79e2239c1779ac0dba93b4b28f17700ca5fd18050b696cdb3e602ef130546564
Opcode Fuzzy Hash: ff4a808940af3d4a140e2e1c9c95b8793836aa8f74c0c524a2d00d0069a1faa0
Instruction Fuzzy Hash: 7AE0C5B99183629FC700DF09D58041AFBE4BB98A14F558A5EF9D8A3311C370A9589FE3

Uniqueness

Uniqueness Score: -1.00%

Function 10001BF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc891dde5e5142dc419ac2e2b5c6ff9a8dc6ccd91bf6328c5a5782cc288a074
Instruction ID: 017239b7fcefab97b4c7b84e08d353cd020fbbd4a0174547befcb6416ae83df2
Opcode Fuzzy Hash: 9fc891dde5e5142dc419ac2e2b5c6ff9a8dc6ccd91bf6328c5a5782cc288a074
Instruction Fuzzy Hash: 91B00274508205DFC309CF04C1859D677E1BB98741F2589F9E55847226D27099459A92

Uniqueness

Uniqueness Score: -1.00%

Function 10017110 Relevance: 103.6, APIs: 58, Strings: 1, Instructions: 368stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10017141
mv_malloc.A649 ref: 1001714A
mv_mallocz.A649 ref: 10017236

Strings

Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocmv_malloczstrlen
String ID: Invalid chars '%s' at the end of expression '%s'
API String ID: 3614917049-1422635149
Opcode ID: 47dfddafa542cdd5d887886c7941ae76232b82fd0c9e09702ab5afcd80319215
Instruction ID: f3e0d1e8fa851ff4115e358f55925041def15a0c05dd8b8be9b20c20d0472498
Opcode Fuzzy Hash: 47dfddafa542cdd5d887886c7941ae76232b82fd0c9e09702ab5afcd80319215
Instruction Fuzzy Hash: 5BF193B89097459FC780DFA8C08191ABBF1FF89290F95586DF8C58B312D735E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10017261 Relevance: 98.3, APIs: 55, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10017261(void* __eax, void* __ebx, void* __edi, intOrPtr __esi, char _a4, char* _a8, char* _a12, intOrPtr _a16, char _a48, char* _a52, char _a56, char _a60) {
				intOrPtr _t116;
				void* _t118;
				intOrPtr* _t120;

				_t116 = __esi;
				_a12 = __eax;
				__eax = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
				__edx = 0x10;
				_a8 = "Invalid chars \'%s\' at the end of expression \'%s\'\n";
				__eax =  &_a60;
				_a16 = __ebx;
				_a4 = 0x10;
				 *__esp =  &_a60;
				__eax = E10026560();
				_a48 = __edi;
				if(__edi != 0) {
					__eax =  *(__edi + 0x18);
					_a52 = __eax;
					if(__eax != 0) {
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
					}
					__eax =  *(__edi + 0x1c);
					_a52 = __eax;
					if(__eax == 0) {
						L22:
						__eax =  *(__edi + 0x20);
						_a52 = __eax;
						if(__eax == 0) {
							L30:
							E100290E0(__edi);
							__eax =  &_a48;
							E100290E0( &_a48);
							goto L1;
						}
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
						goto L30;
					} else {
						__edx = __eax[0x18];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x1c];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						__edx = __eax[0x20];
						_a56 = __edx;
						if(__edx != 0) {
							 *((intOrPtr*)(__edx + 0x18)) = E10015280( *((intOrPtr*)(__edx + 0x18)));
							_a56 =  *(_a56 + 0x1c);
							__eax = E10015280( *(_a56 + 0x1c));
							_a56 =  *(_a56 + 0x20);
							E10015280( *(_a56 + 0x20)) = _a56;
							__eax = _a56 + 0x24;
							E100290E0(_a56 + 0x24);
							__eax =  &_a56;
							E100290E0( &_a56);
							__eax = _a52;
						}
						E100290E0(__eax);
						__eax =  &_a52;
						E100290E0( &_a52);
						__edi = _a48;
						goto L22;
					}
				}
				L1:
				 *_t120 = _t116;
				L100290D0();
				return _t118;
			}

0x10017261
0x10017268
0x1001726c
0x10017271
0x10017276
0x1001727a
0x1001727e
0x10017282
0x10017286
0x10017289
0x10017293
0x10017299
0x1001729b
0x1001729e
0x100172a4
0x100172aa
0x100172ad
0x100172b3
0x100172bb
0x100172c4
0x100172ca
0x100172d3
0x100172de
0x100172e2
0x100172e8
0x100172ed
0x100172f4
0x100172f9
0x100172f9
0x100172fd
0x10017300
0x10017306
0x1001730e
0x10017317
0x1001731d
0x10017326
0x10017331
0x10017335
0x1001733b
0x10017340
0x10017347
0x1001734c
0x1001734c
0x10017350
0x10017353
0x10017359
0x10017361
0x1001736a
0x10017370
0x10017379
0x10017384
0x10017388
0x1001738e
0x10017393
0x1001739a
0x1001739f
0x1001739f
0x100173a9
0x100173ae
0x100173b5
0x100173ba
0x100173ba
0x100173be
0x100173c1
0x100173c7
0x100174e1
0x100174e1
0x100174e4
0x100174ea
0x10017604
0x1001760a
0x1001760f
0x10017616
0x00000000
0x10017616
0x100174f0
0x100174f3
0x100174f9
0x10017501
0x1001750a
0x10017510
0x10017519
0x10017524
0x10017528
0x1001752e
0x10017533
0x1001753a
0x1001753f
0x1001753f
0x10017543
0x10017546
0x1001754c
0x10017554
0x1001755d
0x10017563
0x1001756c
0x10017577
0x1001757b
0x10017581
0x10017586
0x1001758d
0x10017592
0x10017592
0x10017596
0x10017599
0x1001759f
0x100175a7
0x100175b0
0x100175b6
0x100175bf
0x100175ca
0x100175ce
0x100175d4
0x100175d9
0x100175e0
0x100175e5
0x100175e5
0x100175ef
0x100175f4
0x100175fb
0x10017600
0x00000000
0x100173cd
0x100173cd
0x100173d0
0x100173d6
0x100173de
0x100173e7
0x100173ed
0x100173f6
0x10017401
0x10017405
0x1001740b
0x10017410
0x10017417
0x1001741c
0x1001741c
0x10017420
0x10017423
0x10017429
0x10017431
0x1001743a
0x10017440
0x10017449
0x10017454
0x10017458
0x1001745e
0x10017463
0x1001746a
0x1001746f
0x1001746f
0x10017473
0x10017476
0x1001747c
0x10017484
0x1001748d
0x10017493
0x1001749c
0x100174a7
0x100174ab
0x100174b1
0x100174b6
0x100174bd
0x100174c2
0x100174c2
0x100174cc
0x100174d1
0x100174d8
0x100174dd
0x00000000
0x100174dd
0x100173c7
0x1001724f
0x1001724f
0x10017252
0x10017260

APIs

mv_log.A649 ref: 10017289
mv_expr_free.A649 ref: 100172BB
mv_expr_free.A649 ref: 100172CA
mv_expr_free.A649 ref: 100172D9
mv_freep.A649 ref: 100172E8
mv_freep.A649 ref: 100172F4
mv_expr_free.A649 ref: 1001730E
mv_expr_free.A649 ref: 1001731D
mv_expr_free.A649 ref: 1001732C
mv_freep.A649 ref: 1001733B
mv_freep.A649 ref: 10017347
mv_expr_free.A649 ref: 10017361
mv_expr_free.A649 ref: 10017370
mv_expr_free.A649 ref: 1001737F
mv_freep.A649 ref: 1001738E
mv_freep.A649 ref: 1001739A
mv_freep.A649 ref: 100173A9
mv_freep.A649 ref: 100173B5
mv_expr_free.A649 ref: 100173DE
mv_expr_free.A649 ref: 100173ED
mv_expr_free.A649 ref: 100173FC
mv_freep.A649 ref: 1001740B
mv_freep.A649 ref: 10017417
mv_expr_free.A649 ref: 10017431
mv_expr_free.A649 ref: 10017440
mv_expr_free.A649 ref: 1001744F
mv_freep.A649 ref: 1001745E
mv_freep.A649 ref: 1001746A
mv_expr_free.A649 ref: 10017484
mv_expr_free.A649 ref: 10017493
mv_expr_free.A649 ref: 100174A2
mv_freep.A649 ref: 100174B1
mv_freep.A649 ref: 100174BD
mv_freep.A649 ref: 100174CC
mv_freep.A649 ref: 100174D8
mv_expr_free.A649 ref: 10017501
mv_expr_free.A649 ref: 10017510
mv_expr_free.A649 ref: 1001751F
mv_freep.A649 ref: 1001752E
mv_freep.A649 ref: 1001753A
mv_expr_free.A649 ref: 10017554
mv_expr_free.A649 ref: 10017563
mv_expr_free.A649 ref: 10017572
mv_freep.A649 ref: 10017581
mv_freep.A649 ref: 1001758D
mv_expr_free.A649 ref: 100175A7
mv_expr_free.A649 ref: 100175B6
mv_expr_free.A649 ref: 100175C5
mv_freep.A649 ref: 100175D4
mv_freep.A649 ref: 100175E0
mv_freep.A649 ref: 100175EF
mv_freep.A649 ref: 100175FB
mv_freep.A649 ref: 1001760A
mv_freep.A649 ref: 10017616

Strings

Invalid chars '%s' at the end of expression '%s', xrefs: 1001726C

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_log
String ID: Invalid chars '%s' at the end of expression '%s'
API String ID: 1241901728-1422635149
Opcode ID: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
Instruction ID: 39916f313f6673765a40fa09fad6d79edb9ef4feb13054b409069c6d602bd34a
Opcode Fuzzy Hash: 62983a3bb7049393546072b60dbe7a8ba563001771bc1cc3aa272a22c57f5d9a
Instruction Fuzzy Hash: F3C133B95097459FC784EFA8D18591ABBF0FF88290F85586DF8C58B311D635E880CB92

Uniqueness

Uniqueness Score: -1.00%

Function 100177E1 Relevance: 75.3, APIs: 50, Instructions: 294COMMON

Download Yara Rule

APIs

mv_expr_parse.A649 ref: 10017862

Part of subcall function 10017110: strlen.MSVCRT ref: 10017141
Part of subcall function 10017110: mv_malloc.A649 ref: 1001714A
Part of subcall function 10017110: mv_mallocz.A649 ref: 10017236

mv_expr_free.A649 ref: 100178D7
mv_expr_free.A649 ref: 100178E6
mv_expr_free.A649 ref: 100178F5
mv_freep.A649 ref: 10017904
mv_freep.A649 ref: 1001790C
mv_expr_free.A649 ref: 10017926
mv_expr_free.A649 ref: 10017935
mv_expr_free.A649 ref: 10017944
mv_freep.A649 ref: 10017953
mv_freep.A649 ref: 1001795B
mv_expr_free.A649 ref: 10017975
mv_expr_free.A649 ref: 10017984
mv_expr_free.A649 ref: 10017993
mv_freep.A649 ref: 100179A2
mv_freep.A649 ref: 100179AA
mv_freep.A649 ref: 100179B9
mv_freep.A649 ref: 100179C5
mv_expr_free.A649 ref: 100179EE
mv_expr_free.A649 ref: 100179FD
mv_expr_free.A649 ref: 10017A0C
mv_freep.A649 ref: 10017A1B
mv_freep.A649 ref: 10017A23
mv_expr_free.A649 ref: 10017A32
mv_expr_free.A649 ref: 10017A4C
mv_expr_free.A649 ref: 10017A5B
mv_expr_free.A649 ref: 10017A6A
mv_freep.A649 ref: 10017A79
mv_freep.A649 ref: 10017A81
mv_freep.A649 ref: 10017A90
mv_freep.A649 ref: 10017A9C
mv_expr_free.A649 ref: 10017AC5
mv_expr_free.A649 ref: 10017AD4
mv_expr_free.A649 ref: 10017AE3
mv_freep.A649 ref: 10017AF2
mv_freep.A649 ref: 10017AFA
mv_expr_free.A649 ref: 10017B14
mv_expr_free.A649 ref: 10017B23
mv_expr_free.A649 ref: 10017B32
mv_freep.A649 ref: 10017B41
mv_freep.A649 ref: 10017B49
mv_expr_free.A649 ref: 10017B63
mv_expr_free.A649 ref: 10017B72
mv_expr_free.A649 ref: 10017B81
mv_freep.A649 ref: 10017B90
mv_freep.A649 ref: 10017B98
mv_freep.A649 ref: 10017BA7
mv_freep.A649 ref: 10017BB3
mv_freep.A649 ref: 10017BC2
mv_freep.A649 ref: 10017BCE

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_expr_parsemv_mallocmv_malloczstrlen
String ID:
API String ID: 1983171446-0
Opcode ID: 03367b8135b077b81f45ece18bb89edcf76c5bebd5c02d4bbbdb180ad9ddbc45
Instruction ID: 5c275e82353d83d09ea56ce2e6a1ccd5f15d30cab29e959e6c342b90a485478e
Opcode Fuzzy Hash: 03367b8135b077b81f45ece18bb89edcf76c5bebd5c02d4bbbdb180ad9ddbc45
Instruction Fuzzy Hash: DDD163B9A187058FC750EF68D085A1ABBF0FF89254F458D6DE9D48B311D736E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009730 Relevance: 51.1, APIs: 23, Strings: 6, Instructions: 372
stringCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E10009730(int _a4, int _a8, unsigned int _a12, void** _a16, void* _a20) {
				char _v29;
				signed int _v32;
				int _v36;
				char _v37;
				void** _v40;
				signed int _v44;
				char** _v52;
				int _v56;
				int __ebx;
				int __edi;
				signed int __esi;
				int __ebp;
				signed int _t114;
				void** _t115;
				int _t116;
				int _t117;
				void* _t118;
				void* _t119;
				int _t120;
				void* _t121;
				signed char _t123;
				void* _t124;
				signed char* _t129;
				int _t130;
				void* _t133;
				unsigned int _t135;
				int _t136;
				signed int _t137;
				char _t146;
				void* _t150;
				int _t157;
				signed int _t158;
				void* _t163;
				void* _t164;
				void* _t167;
				void** _t170;
				int _t172;
				int _t173;
				int _t174;
				void* _t175;
				void** _t178;
				void*** _t179;
				void** _t180;

				_t179 =  &_v44;
				_t170 = _a4;
				_t129 = _a8;
				_v44 = _a12;
				_t112 = _a16;
				if(_a16 == 2) {
					L1();
					_t114 =  *_t129 & 0x000000ff;
					__eflags = _t114;
					if(_t114 != 0) {
						while(1) {
							L56:
							__eflags = _t114 - 0x27;
							if(_t114 == 0x27) {
								break;
							}
							_t129 =  &(_t129[1]);
							L1();
							_t114 =  *_t129 & 0x000000ff;
							__eflags = _t114;
							if(_t114 != 0) {
								continue;
							}
							goto L58;
						}
						 *_t179 = _t170;
						_t129 =  &(_t129[1]);
						_v56 = 0x100af503;
						E100089C0();
						_t114 =  *_t129 & 0x000000ff;
						__eflags = _t114;
						if(_t114 != 0) {
							goto L56;
						} else {
						}
					}
					L58:
					_t179 =  &(_t179[0xb]);
					_t112 = _t170;
					_pop(_t129);
					_pop(_t170);
					_pop(_t161);
					_pop(_t177);
					_t178 = _t112;
					_push(_t170);
					_push(_t129);
					_t115 =  &(_t112[4]);
					_t180 = _t179 - 0x2c;
					_v29 = 0x27;
					_t130 =  *(_t115 - 8);
					_v40 = _t115;
					while(1) {
						_t116 = _a4;
						_t144 =  <=  ? _t116 : _t130;
						_t172 = _t130 - ( <=  ? _t116 : _t130);
						if(_t172 > 1) {
							break;
						}
						_t135 = _a12;
						if(_t116 >= _t130 || _t135 == _t130) {
							L22:
							__eflags = _t172;
							if(_t172 != 0) {
								_t172 = 1;
								break;
							}
						} else {
							_t154 =  >  ? 1 : 0xfffffffe - _t116;
							_t17 = _t116 + 1; // 0xffffffff
							_t121 = ( >  ? 1 : 0xfffffffe - _t116) + _t17;
							if(_t135 >> 1 >= _t130) {
								_t130 = _t130 + _t130;
								__eflags = _t130;
							} else {
								_t130 = _t135;
							}
							if(_t130 < _t121) {
								_t125 =  <=  ? _t135 : _t121;
								_t130 =  <=  ? _t135 : _t121;
							}
							_t163 =  *_t178;
							_v56 = _t130;
							if(_t163 == _v40) {
								 *_t180 = 0;
								_t123 = E10028DA0();
								__eflags = _t123;
								if(_t123 == 0) {
									goto L21;
								} else {
									goto L15;
								}
							} else {
								 *_t180 = _t163;
								_t123 = E10028DA0();
								if(_t123 == 0) {
									L21:
									_t116 = _a4;
									goto L22;
								} else {
									if(_t163 == 0) {
										L15:
										_t157 = _a4;
										_t164 = _t123;
										_t175 =  *_t178;
										_t136 = _t157 + 1;
										_v36 = _t175;
										__eflags = _t136 - 8;
										if(_t136 >= 8) {
											__eflags = _t123 & 0x00000001;
											if((_t123 & 0x00000001) != 0) {
												_t137 =  *_t175 & 0x000000ff;
												_t35 = _t123 + 1; // 0x1
												_t164 = _t35;
												_t175 = _t175 + 1;
												 *_t123 = _t137;
												_t136 = _t157;
											}
											__eflags = _t164 & 0x00000002;
											if((_t164 & 0x00000002) != 0) {
												_t158 =  *_t175 & 0x0000ffff;
												_t164 = _t164 + 2;
												_t175 = _t175 + 2;
												_t136 = _t136 - 2;
												 *(_t164 - 2) = _t158;
											}
											__eflags = _t164 & 0x00000004;
											if((_t164 & 0x00000004) == 0) {
												goto L16;
											} else {
												_t167 = _t164 + 4;
												 *(_t167 - 4) =  *_t175;
												_t124 = memcpy(_t167, _t175 + 4, _t136 - 4);
												_t180 =  &(_t180[3]);
												goto L8;
											}
										} else {
											L16:
											_t124 = memcpy(_t164, _t175, _t136);
											_t180 =  &(_t180[3]);
											goto L8;
										}
										goto L23;
									}
									L8:
									 *_t178 = _t124;
									_a8 = _t130;
									continue;
								}
							}
						}
						L23:
						__eflags = 0xfffffffa;
						_t149 =  >  ? 1 : 0xfffffffa - _t116;
						_t150 = ( >  ? 1 : 0xfffffffa - _t116) + _t116;
						_t117 = _a8;
						_a4 = 0xfffffffa;
						__eflags = _t117;
						if(_t117 != 0) {
							_t118 = _t117 - 1;
							__eflags = _t118 - 0xfffffffa;
							_t119 =  >  ? _t150 : _t118;
							 *((char*)( *_t178 + _t119)) = 0;
							return _t119;
						}
						return _t117;
						goto L122;
					}
					_t173 = _t172 - 1;
					__eflags = _t173;
					_t174 =  >  ? 1 : _t173;
					_t146 = _v29;
					_t133 =  *_t178 + _t116;
					__eflags = _t174;
					if(_t174 != 0) {
						_t120 = 0;
						__eflags = 0;
						do {
							 *((char*)(_t133 + _t120)) = _t146;
							_t120 = _t120 + 1;
							__eflags = _t120 - _t174;
						} while (_t120 < _t174);
						_t116 = _a4;
					}
					goto L23;
				} else {
					__eflags = __eax - 3;
					if(__eax != 3) {
						__eax =  *__ebx;
						__eflags = __al;
						if(__al != 0) {
							__eflags = __cl & 0x00000002;
							if((__cl & 0x00000002) == 0) {
								_v37 = 1;
								__ebp = _v44;
								__edi = __ebx;
								__eflags = _v44;
								if(_v44 == 0) {
									_v36 = __ecx;
									while(1) {
										 *__esp = " \n\t\r";
										__ebp = __al;
										_v56 = __ebp;
										__eax = strchr(??, ??);
										_v56 = __ebp;
										 *__esp = "\'\\";
										_v44 = __eax;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax == 0) {
											goto L118;
										}
										L113:
										__edx = 0x5c;
										__eax = __esi;
										L1();
										L114:
										__edx =  *__edi;
										__eax = __esi;
										__edi = __edi + 1;
										L1();
										__eax =  *__edi & 0x000000ff;
										__eflags = __al;
										if(__al != 0) {
											__eflags = __ebx - __edi;
											if(__ebx == __edi) {
												_v37 = 1;
											} else {
												__eflags =  *(__edi + 1);
												_v37 =  *(__edi + 1) == 0;
											}
											continue;
										}
										goto L53;
										L118:
										__edx = _v44;
										__eflags = _v44;
										if(_v44 != 0) {
											__eflags = _v36 & 0x00000001;
											if((_v36 & 0x00000001) != 0) {
												goto L113;
											} else {
												__eflags = _v37;
												if(_v37 != 0) {
													goto L113;
												} else {
												}
											}
										}
										goto L114;
									}
								} else {
									_v32 = __ecx;
									while(1) {
										 *__esp = " \n\t\r";
										__ebp = __al;
										_v56 = __ebp;
										__eax = strchr(??, ??);
										_v56 = __ebp;
										_v36 = __eax;
										__eax = _v44;
										 *__esp = _v44;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax == 0) {
											goto L97;
										}
										L70:
										__edx = 0x5c;
										__eax = __esi;
										L1();
										L71:
										__edx =  *__edi;
										__eax = __esi;
										__edi = __edi + 1;
										L1();
										__eax =  *__edi & 0x000000ff;
										__eflags = __al;
										if(__al != 0) {
											__eflags = __ebx - __edi;
											if(__ebx == __edi) {
												_v37 = 1;
											} else {
												__eflags =  *(__edi + 1);
												_v37 =  *(__edi + 1) == 0;
											}
											continue;
										}
										goto L53;
										L97:
										__eax = strchr("\'\\", __ebp);
										__eflags = __eax;
										if(__eax != 0) {
											goto L70;
										} else {
											__eax = _v36;
											__eflags = _v36;
											if(_v36 != 0) {
												__eflags = _v32 & 0x00000001;
												if((_v32 & 0x00000001) != 0) {
													goto L70;
												} else {
													__eflags = _v37;
													if(_v37 != 0) {
														goto L70;
													} else {
													}
												}
											}
										}
										goto L71;
									}
								}
							} else {
								__edx = _v44;
								__eflags = _v44;
								if(_v44 == 0) {
									while(1) {
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eflags =  *__ebx;
										if( *__ebx == 0) {
											goto L53;
										}
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eflags =  *__ebx;
										if( *__ebx == 0) {
											return __eax;
										}
									}
								} else {
									do {
										_v56 = __eax;
										__eax = _v44;
										 *__esp = _v44;
										__eax = strchr(??, ??);
										__eflags = __eax;
										if(__eax != 0) {
											__edx = 0x5c;
											__eax = __esi;
											L1();
										}
										__edx =  *__ebx;
										__eax = __esi;
										__ebx = __ebx + 1;
										L1();
										__eax =  *__ebx;
										__eflags = __al;
									} while (__al != 0);
								}
							}
						}
					} else {
						__eax =  *__ebx & 0x000000ff;
						__eflags = __al;
						if(__al != 0) {
							__edx = __ecx;
							__edx = __ecx & 0x00000008;
							__eflags = __cl & 0x00000004;
							if((__cl & 0x00000004) != 0) {
								__eflags = __edx;
								if(__edx == 0) {
									goto L85;
								} else {
									do {
										__dl = __al;
										__dl = __al - 0x22;
										__eflags = __dl - 0x1c;
										if(__dl > 0x1c) {
											L89:
											__edx = __al;
											__eax = __esi;
											L1();
											goto L90;
										}
										__edx = __dl & 0x000000ff;
										switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AF530))) {
											case 0:
												 *__esp = __esi;
												__eax = "&quot;";
												_v52 = "&quot;";
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 1:
												goto L89;
											case 2:
												 *__esp = __esi;
												__eax = 0x100af508;
												_v52 = 0x100af508;
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 3:
												 *__esp = __esi;
												__eax = "&apos;";
												_v52 = "&apos;";
												__eax = 0x100af500;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 4:
												 *__esp = __esi;
												__edi = 0x100af50e;
												__ebp = 0x100af500;
												_v52 = 0x100af50e;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
											case 5:
												 *__esp = __esi;
												__edx = 0x100af513;
												__ecx = 0x100af500;
												_v52 = 0x100af513;
												_v56 = 0x100af500;
												__eax = E100089C0();
												goto L90;
										}
										L90:
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
									return __eax;
								}
								do {
									goto L85;
									L84:
									__eax =  *(__ebx + 1) & 0x000000ff;
									__ebx = __ebx + 1;
									__eflags = __al;
								} while (__al != 0);
								goto L53;
								L85:
								__eflags = __al - 0x3c;
								if(__eflags == 0) {
									 *__esp = __esi;
									__eax = 0x100af50e;
									__edx = 0x100af500;
									_v52 = 0x100af50e;
									_v56 = 0x100af500;
									__eax = E100089C0();
								} else {
									if(__eflags <= 0) {
										__eflags = __al - 0x26;
										if(__al == 0x26) {
											 *__esp = __esi;
											__eax = 0x100af508;
											_v52 = 0x100af508;
											__eax = 0x100af500;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											__eflags = __al - 0x27;
											if(__al != 0x27) {
												goto L103;
											} else {
												 *__esp = __esi;
												__ebp = "&apos;";
												__eax = 0x100af500;
												_v52 = "&apos;";
												_v56 = 0x100af500;
												__eax = E100089C0();
											}
										}
									} else {
										__eflags = __al - 0x3e;
										if(__al != 0x3e) {
											L103:
											__edx = __al;
											__eax = __esi;
											L1();
										} else {
											 *__esp = __esi;
											__ecx = 0x100af513;
											__edi = 0x100af500;
											_v52 = 0x100af513;
											_v56 = 0x100af500;
											__eax = E100089C0();
										}
									}
								}
								goto L84;
							} else {
								__eflags = __edx;
								if(__edx == 0) {
									do {
										__eflags = __al - 0x3c;
										if(__al == 0x3c) {
											 *__esp = __esi;
											__ebp = 0x100af50e;
											__eax = 0x100af500;
											_v52 = 0x100af50e;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											__eflags = __al - 0x3e;
											if(__al != 0x3e) {
												__eflags = __al - 0x26;
												if(__al == 0x26) {
													 *__esp = __esi;
													__eax = 0x100af508;
													_v52 = 0x100af508;
													__eax = 0x100af500;
													_v56 = 0x100af500;
													__eax = E100089C0();
												} else {
													__edx = __al;
													__eax = __esi;
													L1();
												}
											} else {
												 *__esp = __esi;
												__ecx = 0x100af513;
												__edi = 0x100af500;
												_v52 = 0x100af513;
												_v56 = 0x100af500;
												__eax = E100089C0();
											}
										}
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
								} else {
									do {
										__eflags = __al - 0x3c;
										if(__eflags == 0) {
											 *__esp = __esi;
											__edx = 0x100af50e;
											__ecx = 0x100af500;
											_v52 = 0x100af50e;
											_v56 = 0x100af500;
											__eax = E100089C0();
										} else {
											if(__eflags <= 0) {
												__eflags = __al - 0x22;
												if(__al == 0x22) {
													 *__esp = __esi;
													__eax = "&quot;";
													_v52 = "&quot;";
													__eax = 0x100af500;
													_v56 = 0x100af500;
													__eax = E100089C0();
												} else {
													__eflags = __al - 0x26;
													if(__al != 0x26) {
														goto L102;
													} else {
														 *__esp = __esi;
														__eax = 0x100af508;
														_v52 = 0x100af508;
														__eax = 0x100af500;
														_v56 = 0x100af500;
														__eax = E100089C0();
													}
												}
											} else {
												__eflags = __al - 0x3e;
												if(__al != 0x3e) {
													L102:
													__edx = __al;
													__eax = __esi;
													L1();
												} else {
													 *__esp = __esi;
													__edi = 0x100af513;
													__ebp = 0x100af500;
													_v52 = 0x100af513;
													_v56 = 0x100af500;
													__eax = E100089C0();
												}
											}
										}
										goto L41;
										L41:
										__eax =  *(__ebx + 1) & 0x000000ff;
										__ebx = __ebx + 1;
										__eflags = __al;
									} while (__al != 0);
								}
							}
						}
					}
					L53:
					return __eax;
				}
				L122:
			}

0x10009734
0x1000973b
0x1000973f
0x10009747
0x1000974b
0x10009752
0x10009877
0x1000987c
0x1000987f
0x10009881
0x10009890
0x10009890
0x10009890
0x10009892
0x00000000
0x00000000
0x10009897
0x1000989a
0x1000989f
0x100098a2
0x100098a4
0x00000000
0x00000000
0x00000000
0x100098a4
0x100098c0
0x100098c8
0x100098c9
0x100098cd
0x100098d2
0x100098d5
0x100098d7
0x00000000
0x00000000
0x100098d9
0x100098d7
0x100098a6
0x100098a6
0x100098a9
0x100098ab
0x100098b1
0x100098b2
0x100098b3
0x100086f1
0x100086f4
0x100086f5
0x100086f6
0x100086f9
0x100086fc
0x10008700
0x10008703
0x10008746
0x10008746
0x1000874f
0x10008752
0x10008757
0x00000000
0x00000000
0x1000875f
0x10008762
0x100087f4
0x100087f4
0x100087f6
0x1000882b
0x00000000
0x1000882b
0x10008770
0x1000877f
0x10008782
0x10008782
0x1000878c
0x10008710
0x10008710
0x1000878e
0x1000878e
0x1000878e
0x10008714
0x10008718
0x1000871b
0x1000871b
0x1000871d
0x10008720
0x1000872a
0x10008798
0x1000879f
0x100087a4
0x100087a6
0x00000000
0x00000000
0x00000000
0x00000000
0x1000872c
0x1000872c
0x1000872f
0x10008736
0x100087f1
0x100087f1
0x00000000
0x1000873c
0x1000873e
0x100087a8
0x100087a8
0x100087ab
0x100087ad
0x100087b0
0x100087b3
0x100087b7
0x100087ba
0x100087c0
0x100087c2
0x10008859
0x1000885c
0x1000885c
0x1000885f
0x10008860
0x10008862
0x10008862
0x100087c8
0x100087ce
0x10008869
0x1000886c
0x1000886f
0x10008872
0x10008875
0x10008875
0x100087d4
0x100087da
0x00000000
0x100087dc
0x100087de
0x100087e7
0x100087ea
0x100087ea
0x00000000
0x100087ea
0x100087bc
0x100087bc
0x100087bc
0x100087bc
0x00000000
0x100087bc
0x00000000
0x100087ba
0x10008740
0x10008740
0x10008743
0x00000000
0x10008743
0x10008736
0x1000872a
0x100087f8
0x10008804
0x10008807
0x1000880a
0x1000880c
0x1000880f
0x10008812
0x10008814
0x10008816
0x10008817
0x10008819
0x1000881f
0x00000000
0x1000881f
0x1000882a
0x00000000
0x1000882a
0x10008833
0x10008839
0x1000883c
0x1000883f
0x10008844
0x10008846
0x10008848
0x1000884a
0x1000884a
0x1000884c
0x1000884c
0x1000884f
0x10008850
0x10008850
0x10008854
0x10008854
0x00000000
0x10009758
0x10009758
0x1000975b
0x10009808
0x1000980b
0x1000980d
0x1000980f
0x10009812
0x10009930
0x10009935
0x10009939
0x1000993b
0x1000993d
0x10009c70
0x10009c80
0x10009c80
0x10009c87
0x10009c8a
0x10009c8e
0x10009c93
0x10009c97
0x10009c9e
0x10009ca2
0x10009ca7
0x10009ca9
0x00000000
0x00000000
0x10009cab
0x10009cab
0x10009cb0
0x10009cb2
0x10009cb7
0x10009cb7
0x10009cba
0x10009cbc
0x10009cbd
0x10009cc2
0x10009cc5
0x10009cc7
0x10009ccd
0x10009ccf
0x10009ce0
0x10009cd1
0x10009cd1
0x10009cd5
0x10009cd5
0x00000000
0x10009ccf
0x00000000
0x10009cf0
0x10009cf0
0x10009cf4
0x10009cf6
0x10009cf8
0x10009cfd
0x00000000
0x10009cff
0x10009cff
0x10009d04
0x00000000
0x00000000
0x10009d06
0x10009d04
0x10009cfd
0x00000000
0x10009cf6
0x10009943
0x10009943
0x10009950
0x10009950
0x10009957
0x1000995a
0x1000995e
0x10009963
0x10009967
0x1000996b
0x1000996f
0x10009972
0x10009977
0x10009979
0x00000000
0x00000000
0x1000997f
0x1000997f
0x10009984
0x10009986
0x1000998b
0x1000998b
0x1000998e
0x10009990
0x10009991
0x10009996
0x10009999
0x1000999b
0x100099a1
0x100099a3
0x10009ba0
0x100099a9
0x100099a9
0x100099ad
0x100099ad
0x00000000
0x100099a3
0x00000000
0x10009b40
0x10009b4b
0x10009b50
0x10009b52
0x00000000
0x10009b58
0x10009b58
0x10009b5c
0x10009b5e
0x10009b64
0x10009b69
0x00000000
0x10009b6f
0x10009b6f
0x10009b74
0x00000000
0x00000000
0x10009b7a
0x10009b74
0x10009b69
0x10009b5e
0x00000000
0x10009b52
0x10009950
0x10009818
0x10009818
0x1000981c
0x1000981e
0x100099b8
0x100099b8
0x100099bb
0x100099bd
0x100099be
0x100099c3
0x100099c6
0x00000000
0x00000000
0x100099cc
0x100099cf
0x100099d1
0x100099d2
0x100099d7
0x100099da
0x00000000
0x00000000
0x100099da
0x00000000
0x10009830
0x10009830
0x10009834
0x10009838
0x1000983b
0x10009840
0x10009842
0x10009844
0x10009849
0x1000984b
0x1000984b
0x10009850
0x10009853
0x10009855
0x10009856
0x1000985b
0x1000985e
0x1000985e
0x10009830
0x1000981e
0x10009812
0x10009761
0x10009761
0x10009764
0x10009766
0x1000976c
0x1000976e
0x10009771
0x10009774
0x100099e8
0x100099ea
0x00000000
0x100099f0
0x100099f0
0x100099f0
0x100099f2
0x100099f5
0x100099f8
0x10009a88
0x10009a88
0x10009a8b
0x10009a8d
0x00000000
0x10009a8d
0x100099fe
0x10009a01
0x00000000
0x10009b17
0x10009b1a
0x10009b1f
0x10009b23
0x10009b28
0x10009b2c
0x00000000
0x00000000
0x00000000
0x00000000
0x10009aa4
0x10009aa7
0x10009aac
0x10009ab0
0x10009ab5
0x10009ab9
0x00000000
0x00000000
0x10009af8
0x10009afb
0x10009b00
0x10009b04
0x10009b09
0x10009b0d
0x00000000
0x00000000
0x10009adc
0x10009adf
0x10009ae4
0x10009ae9
0x10009aed
0x10009af1
0x00000000
0x00000000
0x10009ac0
0x10009ac3
0x10009ac8
0x10009acd
0x10009ad1
0x10009ad5
0x00000000
0x00000000
0x10009a92
0x10009a92
0x10009a96
0x10009a97
0x10009a97
0x00000000
0x100099f0
0x10009a4d
0x00000000
0x10009a40
0x10009a40
0x10009a44
0x10009a45
0x10009a45
0x00000000
0x10009a4d
0x10009a4d
0x10009a4f
0x10009c10
0x10009c13
0x10009c18
0x10009c1d
0x10009c21
0x10009c25
0x10009a55
0x10009a55
0x10009a10
0x10009a12
0x10009c30
0x10009c33
0x10009c38
0x10009c3c
0x10009c41
0x10009c45
0x10009a18
0x10009a18
0x10009a1a
0x00000000
0x10009a20
0x10009a20
0x10009a23
0x10009a28
0x10009a2d
0x10009a31
0x10009a35
0x10009a35
0x10009a1a
0x10009a57
0x10009a57
0x10009a60
0x10009b90
0x10009b90
0x10009b93
0x10009b95
0x10009a66
0x10009a66
0x10009a69
0x10009a6e
0x10009a73
0x10009a77
0x10009a7b
0x10009a7b
0x10009a60
0x10009a55
0x00000000
0x1000977a
0x1000977a
0x1000977c
0x100098ff
0x100098ff
0x10009901
0x10009bd0
0x10009bd3
0x10009bd8
0x10009bdd
0x10009be1
0x10009be5
0x10009907
0x10009907
0x10009909
0x100098e0
0x100098e2
0x10009bb0
0x10009bb3
0x10009bb8
0x10009bbc
0x10009bc1
0x10009bc5
0x100098e8
0x100098e8
0x100098eb
0x100098ed
0x100098ed
0x1000990b
0x1000990b
0x1000990e
0x10009913
0x10009918
0x1000991c
0x10009920
0x10009920
0x10009909
0x100098f2
0x100098f6
0x100098f7
0x100098f7
0x10009782
0x100097cd
0x100097cd
0x100097cf
0x10009bf0
0x10009bf3
0x10009bf8
0x10009bfd
0x10009c01
0x10009c05
0x100097d5
0x100097d5
0x10009788
0x1000978a
0x10009c50
0x10009c53
0x10009c58
0x10009c5c
0x10009c61
0x10009c65
0x10009790
0x10009790
0x10009792
0x00000000
0x10009798
0x10009798
0x1000979b
0x100097a0
0x100097a4
0x100097a9
0x100097ad
0x100097ad
0x10009792
0x100097d7
0x100097d7
0x100097e0
0x10009b80
0x10009b80
0x10009b83
0x10009b85
0x100097e6
0x100097e6
0x100097e9
0x100097ee
0x100097f3
0x100097f7
0x100097fb
0x100097fb
0x100097e0
0x100097d5
0x00000000
0x100097c0
0x100097c0
0x100097c4
0x100097c5
0x100097c5
0x100097cd
0x1000977c
0x10009774
0x10009766
0x10009869
0x10009869
0x10009869
0x00000000

APIs

mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
strchr.MSVCRT ref: 1000983B
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009920
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05

Strings

<, xrefs: 10009ADF, 10009BD3, 10009BF3, 10009C13
>, xrefs: 100097E9, 1000990E, 10009A69, 10009AC3
&, xrefs: 1000979B, 10009AA7, 10009BB3, 10009C33
", xrefs: 10009B1A, 10009C53
', xrefs: 10009A23, 10009AFB
'\'', xrefs: 100098C3

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf$strchr
String ID: &$'$>$<$"$'\''
API String ID: 2626076477-3929336650
Opcode ID: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
Instruction ID: 4cad4ceb1349a5dbac3916fb8057f47bb241a6bf44f33620574422d9e36815b4
Opcode Fuzzy Hash: 4d3215f32d1e7072e86e6aa446e4fa65e4d3290bde3b119a889ed9f3e12215f6
Instruction Fuzzy Hash: 49D16D74908B91CBE710DF69808036EBBE1FB826C0F55885EE9D58B24ADB35D945CB83

Uniqueness

Uniqueness Score: -1.00%

Function 100195E0 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
mv_calloc.A649 ref: 1001964E
MultiByteToWideChar.KERNEL32 ref: 10019685
mv_calloc.A649 ref: 100196D7
mv_freep.A649 ref: 10019713
wcslen.MSVCRT ref: 1001971F
_wsopen.MSVCRT ref: 1001974B
mv_freep.A649 ref: 10019758
_sopen.MSVCRT ref: 1001978A
_errno.MSVCRT ref: 100197F5
wcslen.MSVCRT ref: 1001981B
mv_calloc.A649 ref: 10019857
wcscpy.MSVCRT ref: 10019872
wcscat.MSVCRT ref: 10019882
mv_freep.A649 ref: 1001988A
_errno.MSVCRT ref: 100198E1
mv_freep.A649 ref: 100198F4
mv_calloc.A649 ref: 10019912
wcscpy.MSVCRT ref: 10019929
wcscat.MSVCRT ref: 1001993C
_errno.MSVCRT ref: 10019946
_errno.MSVCRT ref: 10019958

Strings

\\?\UNC\, xrefs: 10019920
\\?\, xrefs: 10019869

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errnomv_callocmv_freep$ByteCharMultiWidewcscatwcscpywcslen$_sopen_wsopen
String ID: \\?\$\\?\UNC\
API String ID: 2585690843-3019864461
Opcode ID: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
Instruction ID: 3dc82464431d1485f9b1200b51e46201d74a27639f097cc6c66f11d6c06c393f
Opcode Fuzzy Hash: 378f72ee278ce5d6c1fa6c04bbe2b06fef19544e86df13747ce3d1d992c4811e
Instruction Fuzzy Hash: 9391D3B49093059FC350EF69848421EBBE0FF89794F51892EF8D8CB290E774D980DB82

Uniqueness

Uniqueness Score: -1.00%

Function 100118C0 Relevance: 43.8, APIs: 29, Instructions: 289stringCOMMON

Download Yara Rule

APIs

mv_get_token.A649 ref: 10011913

Part of subcall function 10006940: strlen.MSVCRT ref: 10006950
Part of subcall function 10006940: mv_malloc.A649 ref: 10006959
Part of subcall function 10006940: strspn.MSVCRT ref: 10006980
Part of subcall function 10006940: strspn.MSVCRT ref: 100069C1

mv_freep.A649 ref: 10011930
mv_freep.A649 ref: 1001193C
strspn.MSVCRT ref: 1001195F
mv_get_token.A649 ref: 1001197C
mv_strdup.A649 ref: 100119B2
mv_strdup.A649 ref: 100119CA
mv_freep.A649 ref: 10011A5F
mv_freep.A649 ref: 10011A6B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$strspn$mv_get_tokenmv_strdup$mv_mallocstrlen
String ID:
API String ID: 2603649322-0
Opcode ID: 14e30868631fe97fec9574a02c61a58dcf1b4eabab0966b469b8327e310c11fc
Instruction ID: 0a4ec6a1b9aa069a5158d076d08d96fd34d6cbd746a5e0d91f44dd485dd0fbed
Opcode Fuzzy Hash: 14e30868631fe97fec9574a02c61a58dcf1b4eabab0966b469b8327e310c11fc
Instruction Fuzzy Hash: 87B106759097459FC744DF65D18069EBBE5FF88290F96892DF8C89B311E730E980CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100A7C1C Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E100A7C1C(char* __eax, signed char __ecx, struct HINSTANCE__* __edx) {
				signed int _v32;
				short* _v36;
				int _v40;
				intOrPtr _v44;
				WCHAR* _v48;
				void* _v56;
				void* _v60;
				void* _v64;
				long _v68;
				WCHAR* _v72;
				long _v76;
				WCHAR* _v80;
				int _t57;
				short* _t58;
				struct HINSTANCE__* _t60;
				_Unknown_base(*)()* _t61;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t65;
				WCHAR* _t67;
				long _t68;
				wchar_t* _t69;
				short* _t71;
				int _t72;
				WCHAR* _t73;
				struct HINSTANCE__* _t76;
				int _t79;
				void* _t80;
				struct HINSTANCE__* _t83;
				wchar_t* _t84;
				CHAR* _t87;
				struct HINSTANCE__* _t88;
				long _t89;
				signed char _t91;
				signed int _t93;
				WCHAR* _t97;
				WCHAR* _t98;
				struct HINSTANCE__* _t99;
				int _t101;
				wchar_t* _t103;
				WCHAR* _t104;
				wchar_t* _t107;
				long _t109;
				WCHAR* _t112;
				void* _t113;
				WCHAR** _t115;

				_t99 = __edx;
				_t91 = __ecx;
				_t87 = __eax;
				_t57 = MultiByteToWideChar(0xfde9, 8, __eax, 0xffffffff, 0, 0);
				_t115 = _t113 - 0x24;
				if(_t57 > 0) {
					_v72 = 2;
					_t101 = _t57;
					_v76 = _t57;
					_t58 = E100291F0();
					_t104 = _t58;
					if(_t58 != 0) {
						MultiByteToWideChar(0xfde9, 0, _t87, 0xffffffff, _t58, _t101);
						_t115 = _t115 - 0x18;
						L5:
						_t60 = GetModuleHandleW(L"kernel32.dll");
						_v72 = "SetDefaultDllDirectories";
						_v76 = _t60;
						_t61 = GetProcAddress(_t99, ??);
						_push(_t91);
						_push(_t91);
						if(_t61 != 0) {
							_v68 = 0xa00;
							_v72 = 0;
							if(_t104 != 0) {
								_t63 = LoadLibraryExW(_t104);
								_t115 = _t115 - 0xc;
								_t88 = _t63;
								_v76 = _t104;
								L100290D0();
							} else {
								_t65 = LoadLibraryExA(_t87);
								_t115 = _t115 - 0xc;
								_t88 = _t65;
							}
							L30:
							return _t88;
						}
						if(_t104 == 0) {
							L17:
							_t103 = 0;
							_t88 = 0;
							L26:
							_v76 = _t103;
							L100290D0();
							_v76 = _t104;
							L100290D0();
							goto L30;
						}
						_v76 = _t104;
						_t107 = 0;
						_t89 = 0x104;
						_v40 = wcslen(??);
						while(1) {
							_v68 = 2;
							_t67 = E10029010(_t107, _t89);
							_t103 = _t67;
							if(_t67 == 0) {
								break;
							}
							_t68 = GetModuleFileNameW(0, _t67, _t89);
							_t115 = _t115 - 0xc;
							_t91 = _t91 & 0xffffff00 | _t68 != 0x00000000;
							_t99 = _t99 & 0xffffff00 | _t68 - _t89 >= 0x00000000;
							_t109 = _t68;
							if((_t91 & _t99) == 0 || _t89 > 0x7fff) {
								if(_t109 == 0) {
									_v76 = _t103;
									L100290D0();
									goto L17;
								}
								_t69 = wcsrchr(_t103, 0x5c);
								_t88 = _t69;
								if(_t69 != 0) {
									_v68 = 2;
									_v76 = _t103;
									_t93 = _t69 - _t103;
									_t88 = 0;
									_v32 = _t93;
									_t71 =  &(_v40[1]);
									_v36 = _t71;
									_t72 = _t71 + (_t93 >> 1);
									_v72 = _t72;
									_v40 = _t72;
									_t73 = E10029010();
									_t112 = _t73;
									if(_t73 == 0) {
										goto L26;
									}
									_v72 = _t104;
									_t103 = _t112;
									_v76 = _t73 + _v32 + 2;
									wcscpy(??, ??);
									_t76 = LoadLibraryExW(_t112, 0, 8);
									_t115 = _t115 - 0xc;
									_t88 = _t76;
									if(_t76 != 0) {
										goto L26;
									}
									_v76 = _t112;
									_v72 = _v40;
									_v32 = GetSystemDirectoryW;
									_t79 = GetSystemDirectoryW(??, ??);
									_push(_t99);
									_push(_t99);
									if(GetSystemDirectoryW == 0) {
										L23:
										_t103 = _t112;
										goto L26;
									}
									_t97 = _v44 + GetSystemDirectoryW;
									if(_v48 >= _t97) {
										L25:
										_t80 = _t79 + _t79;
										 *((short*)(_t103 + _t80)) = 0x5c;
										_t50 = _t80 + 2; // 0x2
										_v80 = _t104;
										 *_t115 = _t103 + _t50;
										wcscpy(??, ??);
										_v76 = 8;
										_v80 = 0;
										 *_t115 = _t103;
										_t83 = LoadLibraryExW(??, ??, ??);
										_t115 = _t115 - 0xc;
										_t88 = _t83;
										goto L26;
									}
									_v80 = _t97;
									_v76 = 2;
									 *_t115 = _t112;
									_v48 = _t97;
									_t84 = E10029010();
									_t98 = _v48;
									_t103 = _t84;
									if(_t84 != 0) {
										_v80 = _t98;
										 *_t115 = _t84;
										_t79 =  *_v40();
										_push(_t98);
										_push(_t98);
										if(_t79 == 0) {
											goto L26;
										}
										goto L25;
									}
									goto L23;
								}
								goto L26;
							} else {
								_t107 = _t103;
								_t89 =  >  ? 0x8000 : _t89 + _t89;
								continue;
							}
						}
						_v76 = _t107;
						L100290D0();
						goto L17;
					}
					__imp___errno();
					 *_t58 = 0xc;
				}
				_t104 = 0;
				goto L5;
			}

0x100a7c1c
0x100a7c1c
0x100a7c22
0x100a7c50
0x100a7c52
0x100a7c57
0x100a7c5d
0x100a7c65
0x100a7c67
0x100a7c6a
0x100a7c71
0x100a7c73
0x100a7ca4
0x100a7ca6
0x100a7ca9
0x100a7cb0
0x100a7cb7
0x100a7cbf
0x100a7cc2
0x100a7cc8
0x100a7ccb
0x100a7ccc
0x100a7e9d
0x100a7ea9
0x100a7ead
0x100a7ec2
0x100a7ec8
0x100a7ecb
0x100a7ecd
0x100a7ed0
0x100a7eaf
0x100a7eb2
0x100a7eb8
0x100a7ebb
0x100a7ebb
0x100a7ed5
0x100a7ede
0x100a7ede
0x100a7cd4
0x100a7d76
0x100a7d76
0x100a7d78
0x100a7e8b
0x100a7e8b
0x100a7e8e
0x100a7e93
0x100a7e96
0x00000000
0x100a7e96
0x100a7cda
0x100a7cdd
0x100a7cdf
0x100a7ce9
0x100a7ced
0x100a7ced
0x100a7cfc
0x100a7d03
0x100a7d05
0x00000000
0x00000000
0x100a7d1e
0x100a7d24
0x100a7d29
0x100a7d2e
0x100a7d31
0x100a7d35
0x100a7d51
0x100a7d6e
0x100a7d71
0x00000000
0x100a7d71
0x100a7d5e
0x100a7d65
0x100a7d67
0x100a7d7f
0x100a7d8d
0x100a7d90
0x100a7d92
0x100a7d94
0x100a7d9c
0x100a7d9f
0x100a7da3
0x100a7da5
0x100a7da9
0x100a7dad
0x100a7db4
0x100a7db6
0x00000000
0x00000000
0x100a7dbc
0x100a7dc4
0x100a7dca
0x100a7dcd
0x100a7de3
0x100a7de9
0x100a7dee
0x100a7df0
0x00000000
0x00000000
0x100a7df6
0x100a7dfd
0x100a7e06
0x100a7e0a
0x100a7e0c
0x100a7e0f
0x100a7e10
0x100a7e40
0x100a7e40
0x00000000
0x100a7e40
0x100a7e16
0x100a7e1c
0x100a7e57
0x100a7e57
0x100a7e59
0x100a7e5f
0x100a7e63
0x100a7e67
0x100a7e6a
0x100a7e71
0x100a7e79
0x100a7e7d
0x100a7e80
0x100a7e86
0x100a7e89
0x00000000
0x100a7e89
0x100a7e1e
0x100a7e22
0x100a7e2a
0x100a7e2d
0x100a7e31
0x100a7e36
0x100a7e3c
0x100a7e3e
0x100a7e44
0x100a7e48
0x100a7e4f
0x100a7e51
0x100a7e54
0x100a7e55
0x00000000
0x00000000
0x00000000
0x100a7e55
0x00000000
0x100a7e3e
0x00000000
0x100a7d3f
0x100a7d48
0x100a7d4a
0x00000000
0x100a7d4a
0x100a7d35
0x100a7d07
0x100a7d0a
0x00000000
0x100a7d0a
0x100a7c75
0x100a7c7b
0x100a7c7b
0x100a7c59
0x00000000

APIs

MultiByteToWideChar.KERNEL32 ref: 100A7C50
mv_calloc.A649 ref: 100A7C6A
_errno.MSVCRT ref: 100A7C75
MultiByteToWideChar.KERNEL32 ref: 100A7CA4
GetModuleHandleW.KERNEL32 ref: 100A7CB0
GetProcAddress.KERNEL32 ref: 100A7CC2
wcslen.MSVCRT ref: 100A7CE4
mv_realloc_array.A649 ref: 100A7CFC
GetModuleFileNameW.KERNEL32 ref: 100A7D1E
wcsrchr.MSVCRT ref: 100A7D5E
mv_realloc_array.A649 ref: 100A7DAD
wcscpy.MSVCRT ref: 100A7DCD
LoadLibraryExW.KERNEL32 ref: 100A7DE3
mv_realloc_array.A649 ref: 100A7E31
wcscpy.MSVCRT ref: 100A7E6A
LoadLibraryExW.KERNEL32 ref: 100A7E80
LoadLibraryExA.KERNEL32 ref: 100A7EB2
LoadLibraryExW.KERNEL32 ref: 100A7EC2

Strings

\, xrefs: 100A7D53

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$mv_realloc_array$ByteCharModuleMultiWidewcscpy$AddressFileHandleNameProc_errnomv_callocwcslenwcsrchr
String ID: \
API String ID: 1053637131-2967466578
Opcode ID: bad948dc888ca7b8fe45ed86bdb40432ed6f04d219cba8fed4b1c981d5e2befc
Instruction ID: b443f8b5a0a689592232babdffcb8399bc6d9c8df0cdae325e16511af354ecc2
Opcode Fuzzy Hash: bad948dc888ca7b8fe45ed86bdb40432ed6f04d219cba8fed4b1c981d5e2befc
Instruction Fuzzy Hash: F77104B0509706DFD350EFA9C98962EBBE0FF88744F41892DE88DC7211EB789844DB46

Uniqueness

Uniqueness Score: -1.00%

Function 10015CF0 Relevance: 42.2, APIs: 28, Instructions: 193COMMON

Download Yara Rule

APIs

mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DA4
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DB3
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DC2
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DD1
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DDD
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DFF
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E0E
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E1D
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E2C
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E38
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E5A
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E69
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E78
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E87
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E93
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EAA
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EB6
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EE9
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EF8
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F07
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F16
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F22
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F35
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F44
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F53
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F62
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F6E

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep
String ID:
API String ID: 437317722-0
Opcode ID: 4a09c2d80eb7d5be778093cc5d1bd8a5fa7277655664f48290abc24ad77a81fa
Instruction ID: 0554f219994bcbd2c220c8e10deaf46e3ed2de64d36edc41725aeb4e71cd3a84
Opcode Fuzzy Hash: 4a09c2d80eb7d5be778093cc5d1bd8a5fa7277655664f48290abc24ad77a81fa
Instruction Fuzzy Hash: 3E81B0B96087058FC744EF64D08191ABBE1FF88255F458A6DE8D89F305D635EA82CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C790 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 231
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1001C790(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v40;
				intOrPtr _t10;
				void* _t11;
				intOrPtr* _t12;
				signed int _t16;
				intOrPtr _t17;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;

				_t10 = 0x100b5e05;
				_t16 = 0;
				_t23 = _t22 - 0x1c;
				_t21 = _a4;
				_t17 = _a8;
				 *_t21 = 0;
				while(1) {
					_v40 = _t10;
					 *_t23 = _t17;
					_t11 = E10006B30();
					_t19 = _t11;
					if(_t11 == 0) {
						break;
					}
					_t16 = _t16 + 1;
					if(_t16 != 0xf) {
						_t10 =  *((intOrPtr*)(0x100b6000 + _t16 * 8));
						continue;
					} else {
						return 0xffffffea;
					}
					L19:
				}
				 *_t23 = 0x10;
				_t12 = E10029100();
				_t18 = _t12;
				if(_t12 == 0) {
					L18:
					_t19 = 0xfffffff4;
				} else {
					 *(_t12 + 4) = _t16;
					if(_t16 > 0xd) {
						L10:
						 *_t21 = _t18;
					} else {
						switch( *((intOrPtr*)(_t16 * 4 +  &M100B5E0C))) {
							case 0:
								__eax = E10028790();
								goto L9;
							case 1:
								__eax = E10029FC0();
								goto L9;
							case 2:
								__eax = E1003C470();
								goto L9;
							case 3:
								__eax = E100411A0();
								goto L9;
							case 4:
								_t14 = E1004C260();
								L9:
								 *_t18 = _t14;
								if(_t14 == 0) {
									 *_t23 = _t18;
									L100290D0();
									goto L18;
								} else {
									goto L10;
								}
								goto L11;
							case 5:
								 *((intOrPtr*)(__edi + 8)) = E1000FDB0(__ebx, 4);
								goto L10;
						}
					}
				}
				L11:
				return _t19;
				goto L19;
			}

0x1001c791
0x1001c799
0x1001c79b
0x1001c79e
0x1001c7a2
0x1001c7a6
0x1001c7b7
0x1001c7b7
0x1001c7bb
0x1001c7be
0x1001c7c5
0x1001c7c7
0x00000000
0x00000000
0x1001c7c9
0x1001c7cd
0x1001c7b0
0x00000000
0x1001c7cf
0x1001c7dd
0x1001c7dd
0x00000000
0x1001c7cd
0x1001c7e0
0x1001c7e7
0x1001c7ee
0x1001c7f0
0x1001c865
0x1001c865
0x1001c7f2
0x1001c7f2
0x1001c7f8
0x1001c813
0x1001c813
0x1001c7fa
0x1001c7fa
0x00000000
0x1001c848
0x00000000
0x00000000
0x1001c852
0x00000000
0x00000000
0x1001c820
0x00000000
0x00000000
0x1001c830
0x00000000
0x00000000
0x1001c808
0x1001c80d
0x1001c80d
0x1001c811
0x1001c859
0x1001c860
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c843
0x00000000
0x00000000
0x1001c7fa
0x1001c7f8
0x1001c816
0x1001c81f
0x00000000

APIs

mv_strcasecmp.A649 ref: 1001C7BE
mv_mallocz.A649 ref: 1001C7E7

Strings

MD5, xrefs: 1001C791

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloczmv_strcasecmp
String ID: MD5
API String ID: 1451953452-1168476579
Opcode ID: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
Instruction ID: 67cf48b984792008eb9918d7ca6f9d2bd109b0f8cd42104998243e9ea9d1147f
Opcode Fuzzy Hash: 05d541b0a02844c6fa927b2182f2bf38f1bce2312da876daaceceafae4a04c82
Instruction Fuzzy Hash: 2691D2B8909704DFC750DF68C58091ABBE0FF89354F14896EF9888B361E734D981EB56

Uniqueness

Uniqueness Score: -1.00%

Function 10011560 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 216
stringCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E10011560(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int* _a4, signed int* _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v50;
				void* _v56;
				void* _v60;
				void* _v64;
				intOrPtr _v92;
				signed int _v96;
				signed int* _v100;
				signed int* _v104;
				signed int* _t89;
				signed int* _t98;
				signed int* _t99;
				signed int _t104;
				void* _t105;
				int _t109;
				int _t110;
				void* _t112;
				signed int _t116;
				signed int* _t121;
				signed int _t127;
				int _t129;
				signed int _t130;
				intOrPtr* _t133;
				signed int* _t134;
				void* _t136;
				signed int* _t140;
				signed int* _t142;
				int _t143;
				void* _t144;
				signed int* _t149;
				void* _t150;
				signed int* _t152;
				signed int _t153;
				int _t155;
				signed int _t156;
				void _t158;
				signed int** _t162;
				signed int** _t163;

				_v16 = __ebx;
				_v12 = __esi;
				_v104 = 0x16;
				_t149 =  &_v50;
				 *_t163 = _t149;
				_v92 = _a16;
				_v96 = _a12;
				_v100 = 0x100b4200;
				_v8 = __edi;
				_t140 = _a8;
				_v4 = __ebp;
				E10011040();
				_v60 = 0;
				_t121 =  *_a4;
				 *_t163 = _t149;
				_v56 = 0;
				_t89 = E100292E0(_t121, _t140, _t149, 0);
				_v56 = _t89;
				if(_t140 == 0) {
					_t150 = 0xffffffea;
					L24:
					if(_t121 == 0) {
						L16:
						 *_t163 = _v60;
						L100290D0();
						 *_t163 = _v56;
						L100290D0();
						L17:
						return _t150;
					}
					L15:
					if( *_t121 == 0) {
						 *_t163 =  &(_t121[1]);
						E100290E0();
						 *_t163 = _a4;
						E100290E0();
					}
					goto L16;
				}
				_t162 = 0;
				_t152 = _t89;
				if((_a20 & 0x00000040) == 0) {
					_v104 = _t140;
					_v100 = 0;
					 *_t163 = _t121;
					_v96 = _a20 & 0xfffffff7;
					_t162 = E100110D0();
				}
				if((_a20 & 0x00000004) == 0) {
					 *_t163 = _t140;
					_t98 = E100292E0(_t121, _t140, _t152, _t162);
					_v60 = _t98;
					_t142 = _t98;
					if(_t121 == 0) {
						L19:
						 *_t163 = 8;
						_t99 = E10029100();
						_t142 = _v60;
						_t121 = _t99;
						 *_a4 = _t121;
						if(_t121 == 0 || _t142 == 0) {
							_t150 = 0xfffffff4;
							goto L24;
						} else {
							L21:
							_t152 = _v56;
							L4:
							if(_t152 == 0) {
								L14:
								_t150 = 0xfffffff4;
								goto L15;
							}
							if(_t162 == 0) {
								_v100 = 8;
								_v104 =  *_t121 + 1;
								 *_t163 = _t121[1];
								_t104 = E10029010();
								_t153 = _t104;
								if(_t104 == 0) {
									goto L14;
								}
								_t121[1] = _t104;
								_t127 =  *_t121;
								L10:
								_t105 = _v56;
								if(_t105 == 0) {
									if(_t127 == 0) {
										 *_t163 =  &(_t121[1]);
										E100290E0();
										 *_t163 = _a4;
										E100290E0();
									}
									_t150 = 0;
									 *_t163 =  &_v60;
									E100290E0();
								} else {
									_t133 = _t153 + _t127 * 8;
									 *((intOrPtr*)(_t133 + 4)) = _t105;
									 *_t133 = _v60;
									_t150 = 0;
									 *_t121 = _t127 + 1;
								}
								goto L17;
							}
							if((_a20 & 0x00000010) != 0) {
								 *_t163 = _t142;
								_t150 = 0;
								L100290D0();
								 *_t163 = _v56;
								L100290D0();
								goto L17;
							}
							_t134 = _a4;
							 *_t163 = _t134;
							if((_a20 & 0x00000020) != 0) {
								_v64 = _t134;
								_t109 = strlen(??);
								 *_t163 = _t152;
								_t143 = _t109;
								_t110 = strlen(??);
								 *_t163 = _v64;
								_t155 = _t110;
								_t68 = _t110 + 1; // 0x1
								_v104 = _t143 + _t68;
								_t112 = E10028DA0();
								if(_t112 == 0) {
									goto L14;
								}
								_t70 = _t155 + 1; // 0x1
								_t129 = _t70;
								_t144 = _t143 + _t112;
								_t136 = _v56;
								if(_t129 >= 8) {
									if((_t144 & 0x00000001) != 0) {
										_t130 =  *_t136 & 0x000000ff;
										_t144 = _t144 + 1;
										_t136 = _t136 + 1;
										 *(_t144 - 1) = _t130;
										_t129 = _t155;
									}
									if((_t144 & 0x00000002) != 0) {
										_t156 =  *_t136 & 0x0000ffff;
										_t144 = _t144 + 2;
										_t136 = _t136 + 2;
										_t129 = _t129 - 2;
										 *(_t144 - 2) = _t156;
									}
									if((_t144 & 0x00000004) != 0) {
										_t158 =  *_t136;
										_t144 = _t144 + 4;
										_t136 = _t136 + 4;
										_t129 = _t129 - 4;
										 *(_t144 - 4) = _t158;
									}
								}
								_v64 = _t112;
								memcpy(_t144, _t136, _t129);
								_t163 =  &(_t163[3]);
								 *_t163 =  &_v56;
								E100290E0();
								_v56 = _v64;
								goto L9;
							} else {
								L100290D0();
								L9:
								 *_t163 =  *_t162;
								L100290D0();
								_t116 =  *_t121;
								_t153 = _t121[1];
								_t32 = _t116 - 1; // -1
								_t127 = _t32;
								 *_t121 = _t127;
								 *_t162 =  *(_t153 + _t127 * 8);
								_a4 =  *(_t153 + 4 + _t127 * 8);
								goto L10;
							}
						}
					}
					if(_t98 != 0) {
						goto L21;
					}
					goto L14;
				}
				_v60 = _t140;
				if(_t121 == 0) {
					goto L19;
				}
				goto L4;
			}

0x10011563
0x1001156b
0x10011578
0x1001157c
0x10011580
0x10011583
0x1001158c
0x10011590
0x10011594
0x10011598
0x1001159c
0x100115a2
0x100115ab
0x100115af
0x100115b3
0x100115b6
0x100115ba
0x100115c1
0x100115c5
0x10011758
0x1001175d
0x1001175f
0x10011699
0x1001169d
0x100116a0
0x100116a9
0x100116ac
0x100116b1
0x100116c6
0x100116c6
0x1001168f
0x10011693
0x10011773
0x10011776
0x1001177f
0x10011782
0x10011782
0x00000000
0x10011693
0x100115cb
0x100115cd
0x100115d7
0x100116d0
0x100116dd
0x100116e1
0x100116e7
0x100116f0
0x100116f0
0x100115e5
0x10011670
0x10011673
0x1001167a
0x1001167e
0x10011680
0x10011700
0x10011700
0x10011707
0x1001170c
0x10011710
0x10011718
0x1001171a
0x10011840
0x00000000
0x10011728
0x10011728
0x10011728
0x100115f7
0x100115f9
0x1001168a
0x1001168a
0x00000000
0x1001168a
0x10011601
0x100117b5
0x100117bc
0x100117c3
0x100117c6
0x100117cd
0x100117cf
0x00000000
0x00000000
0x100117d5
0x100117d8
0x10011650
0x10011650
0x10011656
0x10011792
0x10011853
0x10011856
0x1001185f
0x10011862
0x10011862
0x1001179c
0x1001179e
0x100117a1
0x1001165c
0x1001165c
0x10011664
0x10011667
0x10011669
0x1001166b
0x1001166b
0x00000000
0x10011656
0x1001160f
0x10011738
0x1001173b
0x1001173d
0x10011746
0x10011749
0x00000000
0x10011749
0x10011615
0x10011620
0x10011623
0x100117e0
0x100117e4
0x100117e9
0x100117ec
0x100117ee
0x100117f7
0x100117fa
0x100117fc
0x10011800
0x10011804
0x1001180b
0x00000000
0x00000000
0x10011811
0x10011811
0x10011814
0x10011816
0x1001181d
0x10011876
0x10011898
0x1001189b
0x1001189c
0x1001189d
0x100118a0
0x100118a0
0x1001187e
0x100118a4
0x100118a7
0x100118aa
0x100118ad
0x100118b0
0x100118b0
0x10011886
0x10011888
0x1001188a
0x1001188d
0x10011890
0x10011893
0x10011893
0x10011886
0x1001181f
0x10011825
0x10011825
0x1001182b
0x1001182e
0x10011837
0x00000000
0x10011629
0x10011629
0x1001162e
0x10011631
0x10011634
0x10011639
0x1001163b
0x1001163e
0x1001163e
0x10011641
0x1001164a
0x1001164d
0x00000000
0x1001164d
0x10011623
0x1001171a
0x10011684
0x00000000
0x00000000
0x00000000
0x10011684
0x100115eb
0x100115f1
0x00000000
0x00000000
0x00000000

APIs

mv_strdup.A649 ref: 100115BA

Part of subcall function 100292E0: strlen.MSVCRT ref: 100292FE
Part of subcall function 100292E0: _aligned_realloc.MSVCRT ref: 10029325

mv_strdup.A649 ref: 10011673
mv_dict_get.A649 ref: 100116EB
mv_mallocz.A649 ref: 10011707
mv_freep.A649 ref: 100117A1
mv_realloc_array.A649 ref: 100117C6
strlen.MSVCRT ref: 100117E4
strlen.MSVCRT ref: 100117EE
mv_realloc.A649 ref: 10011804
mv_freep.A649 ref: 1001182E

Strings

, xrefs: 10011618
%lld, xrefs: 10011587

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$mv_freepmv_strdup$_aligned_reallocmv_dict_getmv_malloczmv_reallocmv_realloc_array
String ID: $%lld
API String ID: 420417855-3617178099
Opcode ID: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
Instruction ID: 8f6e5ec8c3f0a619e422cb1a926671cc568e29337de09296a572835a12694a18
Opcode Fuzzy Hash: c3b2448d299c3e7ec0f0b399289f88982a6b045d30e820103abfaa4dec61d1d3
Instruction Fuzzy Hash: 539117B59097458FC754DF68C18066EBBE0FF88380F56892DED889B341DB74E880CB42

Uniqueness

Uniqueness Score: -1.00%

Function 100192E0 Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 150fileCOMMON

Download Yara Rule

APIs

mvpriv_open.A649 ref: 1001933F

Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10019633
Part of subcall function 100195E0: mv_calloc.A649 ref: 1001964E
Part of subcall function 100195E0: MultiByteToWideChar.KERNEL32 ref: 10019685
Part of subcall function 100195E0: mv_calloc.A649 ref: 100196D7
Part of subcall function 100195E0: mv_freep.A649 ref: 10019713
Part of subcall function 100195E0: wcslen.MSVCRT ref: 1001971F
Part of subcall function 100195E0: _wsopen.MSVCRT ref: 1001974B

_fstat64.MSVCRT ref: 10019366
_close.MSVCRT ref: 10019394
_get_osfhandle.MSVCRT ref: 100193C5
CreateFileMappingA.KERNEL32 ref: 100193ED
MapViewOfFile.KERNEL32 ref: 10019422
CloseHandle.KERNEL32 ref: 10019434
mv_log.A649 ref: 1001945D
_close.MSVCRT ref: 10019465
_errno.MSVCRT ref: 10019480
mv_strerror.A649 ref: 100194A1
mv_log.A649 ref: 100194C7
_errno.MSVCRT ref: 100194D8
mv_strerror.A649 ref: 100194FE
mv_log.A649 ref: 1001951B
_close.MSVCRT ref: 10019523
mv_log.A649 ref: 1001954F
_close.MSVCRT ref: 10019557

Strings

Cannot read file '%s': %s, xrefs: 100194A6
Error occurred in CreateFileMapping(), xrefs: 10019561
Error occurred in fstat(): %s, xrefs: 1001950B
File size for file '%s' is too big, xrefs: 10019535

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _closemv_log$ByteCharFileMultiWide_errnomv_callocmv_strerror$CloseCreateHandleMappingView_fstat64_get_osfhandle_wsopenmv_freepmvpriv_openwcslen
String ID: Cannot read file '%s': %s$Error occurred in CreateFileMapping()$Error occurred in fstat(): %s$File size for file '%s' is too big
API String ID: 2213036534-2445208470
Opcode ID: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
Instruction ID: a1ac4bca67f905ea7eb530c9fec20e9fe0d2cf07c5fae6ebec99be3d32fbbfc6
Opcode Fuzzy Hash: f3d6b5768689cfe5005ee31c4e5cc66ead5e4a9d6eb64f32d910fd6e1a6354d1
Instruction Fuzzy Hash: 8561BDB59097459FC310DF29C48429EBBE4FF88710F51892EE8D98B350EB78D9808F82

Uniqueness

Uniqueness Score: -1.00%

Function 10012850 Relevance: 37.7, APIs: 25, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012850(intOrPtr* __eax) {
				intOrPtr _t65;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				intOrPtr* _t98;
				intOrPtr* _t102;
				intOrPtr* _t106;
				intOrPtr* _t107;
				intOrPtr* _t109;
				void* _t110;
				intOrPtr* _t111;

				_t107 = __eax;
				_t111 = _t110 - 0x2c;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					_t96 = 0;
					do {
						_t90 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 8)) + _t96 * 4));
						_t96 = _t96 + 1;
						 *_t111 = _t90;
						L100290D0();
					} while (_t96 <  *((intOrPtr*)(__eax + 0xc)));
				}
				_t106 =  *((intOrPtr*)(_t107 + 0x1c));
				if(_t106 != 0) {
					if( *((intOrPtr*)(_t106 + 0xc)) != 0) {
						_t95 = 0;
						do {
							_t88 =  *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)) + _t95 * 4));
							_t95 = _t95 + 1;
							 *_t111 = _t88;
							L100290D0();
						} while (_t95 <  *((intOrPtr*)(_t106 + 0xc)));
					}
					_t109 =  *((intOrPtr*)(_t106 + 0x1c));
					if(_t109 != 0) {
						if( *((intOrPtr*)(_t109 + 0xc)) != 0) {
							_t94 = 0;
							do {
								_t86 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 8)) + _t94 * 4));
								_t94 = _t94 + 1;
								 *_t111 = _t86;
								L100290D0();
							} while (_t94 <  *((intOrPtr*)(_t109 + 0xc)));
						}
						_t102 =  *((intOrPtr*)(_t109 + 0x1c));
						if(_t102 != 0) {
							if( *((intOrPtr*)(_t102 + 0xc)) != 0) {
								_t93 = 0;
								do {
									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
									_t84 =  *((intOrPtr*)( *((intOrPtr*)(_t102 + 8)) + _t93 * 4));
									_t93 = _t93 + 1;
									 *_t111 = _t84;
									L100290D0();
									_t102 =  *((intOrPtr*)(_t111 + 0x18));
								} while (_t93 <  *((intOrPtr*)(_t102 + 0xc)));
							}
							_t98 =  *((intOrPtr*)(_t102 + 0x1c));
							if(_t98 != 0) {
								if( *((intOrPtr*)(_t98 + 0xc)) != 0) {
									_t92 = 0;
									do {
										 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
										 *((intOrPtr*)(_t111 + 0x18)) = _t98;
										_t82 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 8)) + _t92 * 4));
										_t92 = _t92 + 1;
										 *_t111 = _t82;
										L100290D0();
										_t98 =  *((intOrPtr*)(_t111 + 0x18));
										_t102 =  *((intOrPtr*)(_t111 + 0x1c));
									} while (_t92 <  *((intOrPtr*)(_t98 + 0xc)));
								}
								_t76 =  *((intOrPtr*)(_t98 + 0x1c));
								if( *((intOrPtr*)(_t98 + 0x1c)) != 0) {
									 *((intOrPtr*)(_t111 + 0x1c)) = _t98;
									 *((intOrPtr*)(_t111 + 0x18)) = _t102;
									E10012850(_t76);
									_t98 =  *((intOrPtr*)(_t111 + 0x1c));
									_t102 =  *((intOrPtr*)(_t111 + 0x18));
								}
								 *((intOrPtr*)(_t111 + 0x1c)) = _t102;
								 *((intOrPtr*)(_t111 + 0x18)) = _t98;
								 *_t111 =  *_t98;
								L100290D0();
								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
								L100290D0();
								 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
								L100290D0();
								 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
								L100290D0();
								_t102 =  *((intOrPtr*)(_t111 + 0x1c));
							}
							 *((intOrPtr*)(_t111 + 0x18)) = _t102;
							 *_t111 =  *_t102;
							L100290D0();
							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 8));
							L100290D0();
							 *_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x18)) + 0x14));
							L100290D0();
							 *_t111 =  *((intOrPtr*)(_t111 + 0x18));
							L100290D0();
						}
						 *_t111 =  *_t109;
						L100290D0();
						 *_t111 =  *((intOrPtr*)(_t109 + 8));
						L100290D0();
						 *_t111 =  *((intOrPtr*)(_t109 + 0x14));
						L100290D0();
						 *_t111 = _t109;
						L100290D0();
					}
					 *_t111 =  *_t106;
					L100290D0();
					 *_t111 =  *((intOrPtr*)(_t106 + 8));
					L100290D0();
					 *_t111 =  *((intOrPtr*)(_t106 + 0x14));
					L100290D0();
					 *_t111 = _t106;
					L100290D0();
				}
				 *_t111 =  *_t107;
				L100290D0();
				 *_t111 =  *((intOrPtr*)(_t107 + 8));
				L100290D0();
				_t65 =  *((intOrPtr*)(_t107 + 0x14));
				 *_t111 = _t65;
				L100290D0();
				 *_t111 = _t107;
				L100290D0();
				return _t65;
			}

0x10012853
0x10012856
0x1001285e
0x10012860
0x10012870
0x10012873
0x10012876
0x10012877
0x1001287a
0x1001287f
0x10012870
0x10012884
0x10012889
0x10012894
0x10012896
0x100128a0
0x100128a3
0x100128a6
0x100128a7
0x100128aa
0x100128af
0x100128a0
0x100128b4
0x100128b9
0x100128c4
0x100128c6
0x100128d0
0x100128d3
0x100128d6
0x100128d7
0x100128da
0x100128df
0x100128d0
0x100128e4
0x100128e9
0x100128f4
0x100128f6
0x10012900
0x10012900
0x10012907
0x1001290a
0x1001290b
0x1001290e
0x10012913
0x10012917
0x10012900
0x1001291c
0x10012921
0x1001292c
0x1001292e
0x10012930
0x10012930
0x10012937
0x1001293b
0x1001293e
0x1001293f
0x10012942
0x10012947
0x1001294b
0x1001294f
0x10012930
0x10012954
0x10012959
0x1001295b
0x1001295f
0x10012963
0x10012968
0x1001296c
0x1001296c
0x10012970
0x10012976
0x1001297a
0x1001297d
0x10012989
0x1001298c
0x10012998
0x1001299b
0x100129a4
0x100129a7
0x100129ac
0x100129ac
0x100129b0
0x100129b6
0x100129b9
0x100129c5
0x100129c8
0x100129d4
0x100129d7
0x100129e0
0x100129e3
0x100129e3
0x100129eb
0x100129ee
0x100129f6
0x100129f9
0x10012a01
0x10012a04
0x10012a09
0x10012a0c
0x10012a0c
0x10012a13
0x10012a16
0x10012a1e
0x10012a21
0x10012a29
0x10012a2c
0x10012a31
0x10012a34
0x10012a34
0x10012a3b
0x10012a3e
0x10012a46
0x10012a49
0x10012a4e
0x10012a51
0x10012a54
0x10012a59
0x10012a5c
0x10012a68

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c5c0080483c316d8fb3254759ed7aa0dc5a53fbde58ff4e0ccf9ebadb92cac
Instruction ID: c3f6ecf513ba740120e9a0fe32152a8751e6e1c522ce6fff76888c91f6e7b3cc
Opcode Fuzzy Hash: a8c5c0080483c316d8fb3254759ed7aa0dc5a53fbde58ff4e0ccf9ebadb92cac
Instruction Fuzzy Hash: 166184B8A047098FC754EFA9D0D1A1AF7F0FF54290F51891CE4998B312D671F895CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10011D20 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10011D20(signed int* _a4, intOrPtr* _a8, signed int _a12) {
				signed char* _v32;
				signed int* _v36;
				signed char _v48;
				void* _v52;
				void* _v56;
				int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int** _v76;
				signed char _v80;
				signed int* _v84;
				signed int* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t155;
				signed int** _t165;
				signed int* _t167;
				signed int* _t168;
				int _t170;
				signed int _t172;
				signed int* _t178;
				int _t186;
				signed char _t188;
				signed char* _t191;
				signed int _t193;
				signed int** _t194;
				void* _t195;
				signed int* _t200;
				intOrPtr* _t201;
				signed int* _t202;
				signed char _t205;
				void* _t218;
				intOrPtr* _t220;
				intOrPtr _t222;
				signed int** _t223;
				signed char _t224;
				intOrPtr _t225;
				signed int* _t226;
				signed int _t229;
				int _t231;
				short* _t232;
				signed int* _t237;
				signed int* _t238;
				signed char* _t240;
				int _t242;
				signed char* _t243;
				signed short* _t245;
				intOrPtr* _t247;
				intOrPtr* _t248;
				signed int* _t249;
				void* _t251;
				signed int** _t252;

				_t252 = _t251 - 0x4c;
				_t248 = _a8;
				if(_t248 == 0) {
					L23:
					return 0;
				} else {
					_t193 = 0;
					_t220 = _t248;
					_v72 = _a12 & 0x00000008;
					_v68 = _a12 & 0x00000040;
					_v64 = _a12 & 0x00000004;
					if( *_t220 > 0) {
						while(1) {
							_t194 =  *((intOrPtr*)(_t220 + 4)) + _t193 * 8;
							if(_t194 == 0) {
								goto L23;
							}
							_t237 =  *_t194;
							_v36 = 0;
							_t226 = _t194[1];
							_t249 =  *_a4;
							_v32 = 0;
							if(_v72 == 0) {
								if(_t226 == 0) {
									goto L5;
								} else {
									 *_t252 = _t226;
									_a8 = _t220;
									_t191 = E100292E0(_t194, _t226, _t237, _t249);
									_t220 = _a8;
									_v32 = _t191;
									if(_t237 != 0) {
										goto L6;
									} else {
										goto L26;
									}
								}
							} else {
								_v32 = _t226;
								L5:
								if(_t237 == 0) {
									L26:
									_t155 = _t249;
									_t195 = 0xffffffea;
									goto L27;
								} else {
									L6:
									_v76 = 0;
									if(_v68 == 0) {
										_v88 = _t237;
										 *_t252 = _t249;
										_a8 = _t220;
										_v80 = _a12;
										_v84 = 0;
										_t165 = E100110D0();
										_t220 = _a8;
										_v76 = _t165;
									}
									if(_v64 == 0) {
										 *_t252 = _t237;
										_a8 = _t220;
										_t167 = E100292E0(_t194, _t226, _t237, _t249);
										_t220 = _a8;
										_v36 = _t167;
										_t238 = _t167;
										if(_t249 == 0) {
											goto L34;
										} else {
											if(_t167 == 0) {
												goto L11;
											} else {
												goto L9;
											}
										}
									} else {
										_v36 = _t237;
										if(_t249 == 0) {
											L34:
											 *_t252 = 8;
											_a8 = _t220;
											_t168 = E10029100();
											_t238 = _v36;
											_t249 = _t168;
											 *_a4 = _t249;
											if(_t249 == 0) {
												L36:
												_t155 = _t249;
												_t195 = 0xfffffff4;
												L27:
												if(_t155 != 0) {
													goto L12;
												}
												goto L13;
											} else {
												_t220 = _a8;
												if(_t238 != 0) {
													goto L9;
												} else {
													goto L36;
												}
											}
										} else {
											L9:
											_t170 = _v32;
											_v60 = _t170;
											if(_t226 == 0 || _t170 != 0) {
												if(_v76 == 0) {
													_t172 =  *_t249;
													if(_v60 == 0) {
														goto L40;
													} else {
														_a8 = _t220;
														_v84 = 8;
														_v88 = _t172 + 1;
														 *_t252 = _a4;
														_t178 = E10029010();
														_t220 = _a8;
														_t200 = _t178;
														if(_t178 == 0) {
															goto L11;
														} else {
															_a4 = _t178;
															_t172 =  *_t249;
															goto L20;
														}
													}
												} else {
													if((_a12 & 0x00000010) != 0) {
														 *_t252 = _t238;
														_a8 = _t220;
														L100290D0();
														 *_t252 = _v32;
														L100290D0();
														_t220 = _a8;
														goto L22;
													} else {
														_t202 = _v76[1];
														if(_v60 == 0 || (_a12 & 0x00000020) == 0) {
															 *_t252 = _t202;
															_a8 = _t220;
															L100290D0();
															_t222 = _a8;
															L19:
															_a8 = _t222;
															 *_t252 =  *_v76;
															L100290D0();
															_t229 =  *_t249;
															_t200 = _a4;
															_t223 = _v76;
															_t41 = _t229 - 1; // 0x3
															_t172 = _t41;
															 *_t249 = _t172;
															 *_t223 =  *(_t200 + _t172 * 8);
															_t223[1] =  *(_t200 + 4 + _t172 * 8);
															_t220 = _a8;
															L20:
															_t240 = _v32;
															if(_t240 == 0) {
																L40:
																if(_t172 == 0) {
																	_a8 = _t220;
																	 *_t252 =  &_a4;
																	E100290E0();
																	 *_t252 = _a4;
																	E100290E0();
																	_t220 = _a8;
																}
																_a8 = _t220;
																 *_t252 =  &_v36;
																E100290E0();
																_t220 = _a8;
															} else {
																_t201 = _t200 + _t172 * 8;
																 *((intOrPtr*)(_t201 + 4)) = _t240;
																 *_t201 = _v36;
																 *_t249 = _t172 + 1;
															}
															L22:
															_t193 = (_t194 -  *((intOrPtr*)(_t220 + 4)) >> 3) + 1;
															if( *_t220 > _t193) {
																continue;
															} else {
																goto L23;
															}
														} else {
															 *_t252 = _t202;
															_a8 = _t220;
															_v56 = _t202;
															_t242 = strlen(??);
															 *_t252 = _v60;
															_t186 = strlen(??);
															 *_t252 = _v56;
															_t231 = _t186;
															_t91 = _t186 + 1; // 0x1
															_v88 = _t242 + _t91;
															_t188 = E10028DA0();
															if(_t188 == 0) {
																goto L11;
															} else {
																_t93 = _t231 + 1; // 0x1
																_v60 = _t93;
																_t224 = _t188 + _t242;
																_t243 = _v32;
																_t205 = _t224;
																_v48 = _t224;
																_v56 = _t224;
																_t225 = _a8;
																_v52 = _t243;
																if(_v60 >= 8) {
																	if((_t205 & 0x00000001) != 0) {
																		 *_v48 =  *_t243 & 0x000000ff;
																		_v60 = _t231;
																		_v56 = _v56 + 1;
																		_v52 = _v52 + 1;
																	}
																	if((_v56 & 0x00000002) != 0) {
																		_t245 = _v52;
																		_t232 = _v56;
																		 *_t232 =  *_t245 & 0x0000ffff;
																		_t138 = _t232 + 2; // 0x4
																		_v56 = _t138;
																		_v60 = _v60 - 2;
																		_v52 =  &(_t245[1]);
																	}
																	if((_v56 & 0x00000004) != 0) {
																		_t247 = _v52;
																		_t218 = _v56 + 4;
																		 *((intOrPtr*)(_t218 - 4)) =  *_t247;
																		_v56 = _t218;
																		_v60 = _v60 - 4;
																		_v52 = _t247 + 4;
																	}
																}
																_a8 = _t225;
																_v48 = _t188;
																memcpy(_v56, _v52, _v60);
																_t252 =  &(_t252[3]);
																 *_t252 =  &_v32;
																E100290E0();
																_t222 = _a8;
																_v32 = _v48;
																goto L19;
															}
														}
													}
												}
											} else {
												L11:
												_t155 = _t249;
												_t195 = 0xfffffff4;
												L12:
												if( *_t155 == 0) {
													 *_t252 =  &(_t155[1]);
													E100290E0();
													 *_t252 = _a4;
													E100290E0();
												}
												L13:
												 *_t252 = _v36;
												L100290D0();
												 *_t252 = _v32;
												L100290D0();
												return _t195;
											}
										}
									}
								}
							}
							goto L53;
						}
					}
					goto L23;
				}
				L53:
			}

0x10011d24
0x10011d27
0x10011d2d
0x10011eb0
0x10011ebb
0x10011d33
0x10011d37
0x10011d39
0x10011d3e
0x10011d49
0x10011d56
0x10011d5a
0x10011d60
0x10011d63
0x10011d68
0x00000000
0x00000000
0x10011d74
0x10011d76
0x10011d7a
0x10011d7d
0x10011d81
0x10011d8b
0x10011ec2
0x00000000
0x10011ec8
0x10011ec8
0x10011ecb
0x10011ecf
0x10011ed6
0x10011eda
0x10011ede
0x00000000
0x00000000
0x00000000
0x00000000
0x10011ede
0x10011d91
0x10011d91
0x10011d95
0x10011d97
0x10011ee4
0x10011ee4
0x10011ee6
0x00000000
0x10011d9d
0x10011d9d
0x10011d9f
0x10011da9
0x10011f30
0x10011f38
0x10011f3b
0x10011f3f
0x10011f45
0x10011f49
0x10011f4e
0x10011f52
0x10011f52
0x10011db5
0x10011f00
0x10011f03
0x10011f07
0x10011f0e
0x10011f12
0x10011f16
0x10011f18
0x00000000
0x10011f1a
0x10011f1c
0x00000000
0x10011f22
0x00000000
0x10011f22
0x10011f1c
0x10011dbb
0x10011dbb
0x10011dc1
0x10011f80
0x10011f80
0x10011f87
0x10011f8b
0x10011f90
0x10011f94
0x10011f9c
0x10011f9e
0x10011fac
0x10011fac
0x10011fae
0x10011eeb
0x10011eed
0x00000000
0x10011ef3
0x00000000
0x10011fa0
0x10011fa2
0x10011fa6
0x00000000
0x00000000
0x00000000
0x00000000
0x10011fa6
0x10011dc7
0x10011dc7
0x10011dc7
0x10011dcd
0x10011dd1
0x10011e16
0x10011fc4
0x10011fc9
0x00000000
0x10011fcb
0x10011fcb
0x10011fd5
0x10011fd9
0x10011fe0
0x10011fe3
0x10011fe8
0x10011fee
0x10011ff0
0x00000000
0x10011ff6
0x10011ff6
0x10011ff9
0x00000000
0x10011ff9
0x10011ff0
0x10011e1c
0x10011e21
0x100120f0
0x100120f3
0x100120f7
0x10012100
0x10012103
0x10012108
0x00000000
0x10011e27
0x10011e31
0x10011e34
0x10011e41
0x10011e44
0x10011e48
0x10011e4d
0x10011e51
0x10011e51
0x10011e5b
0x10011e5e
0x10011e63
0x10011e66
0x10011e69
0x10011e6d
0x10011e6d
0x10011e70
0x10011e7a
0x10011e7c
0x10011e7f
0x10011e83
0x10011e83
0x10011e89
0x10012008
0x1001200a
0x10012028
0x1001202f
0x10012032
0x1001203b
0x1001203e
0x10012043
0x10012043
0x1001200c
0x10012014
0x10012017
0x1001201c
0x10011e8f
0x10011e93
0x10011e97
0x10011e9a
0x10011e9c
0x10011e9c
0x10011e9f
0x10011ea7
0x10011eaa
0x00000000
0x00000000
0x00000000
0x00000000
0x10012050
0x10012050
0x10012053
0x10012057
0x10012060
0x10012066
0x10012069
0x10012072
0x10012075
0x10012077
0x1001207b
0x1001207f
0x10012086
0x00000000
0x1001208c
0x1001208c
0x1001208f
0x10012093
0x10012096
0x1001209f
0x100120a1
0x100120a5
0x100120a9
0x100120ad
0x100120b1
0x1001211b
0x10012157
0x10012159
0x10012162
0x1001216b
0x1001216b
0x10012122
0x10012171
0x10012175
0x1001217c
0x1001217f
0x10012182
0x10012189
0x1001218e
0x1001218e
0x10012129
0x1001212b
0x10012135
0x10012138
0x1001213b
0x10012142
0x10012147
0x10012147
0x10012129
0x100120b3
0x100120bb
0x100120c7
0x100120c7
0x100120cd
0x100120d0
0x100120d9
0x100120dd
0x00000000
0x100120dd
0x10012086
0x10011e34
0x10011e21
0x10011dd7
0x10011dd7
0x10011dd7
0x10011dd9
0x10011dde
0x10011de2
0x10011f63
0x10011f66
0x10011f6f
0x10011f72
0x10011f72
0x10011de8
0x10011dec
0x10011def
0x10011df8
0x10011dfb
0x10011e09
0x10011e09
0x10011dd1
0x10011dc1
0x10011db5
0x10011d97
0x00000000
0x10011d8b
0x10011d60
0x00000000
0x10011d5a
0x00000000

APIs

mv_strdup.A649 ref: 10011ECF
mv_strdup.A649 ref: 10011F07
mv_dict_get.A649 ref: 10011F49
mv_mallocz.A649 ref: 10011F8B

Strings

, xrefs: 10011E36

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strdup$mv_dict_getmv_mallocz
String ID:
API String ID: 3834523185-3916222277
Opcode ID: f30a2ccdc57a5dc09484d862070b881fff98bdf4c5b3196019a84854b3ce5ba3
Instruction ID: 17e11810d8b0030fce721e696df50892c7dce502bccf2b88fff91ce3398c2909
Opcode Fuzzy Hash: f30a2ccdc57a5dc09484d862070b881fff98bdf4c5b3196019a84854b3ce5ba3
Instruction Fuzzy Hash: 03D1F2B4A083458FC744CF69D18065AFBE1FF88794F558A2DF8889B311E730E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10015F80 Relevance: 36.2, APIs: 24, Instructions: 178COMMON

Download Yara Rule

APIs

mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 1001603A
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016049
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016058
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016067
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016073
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016095
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160A4
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160B3
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160C2
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160CE
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160E5
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160F4
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016100
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016136
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016145
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016154
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016163
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 1001616F
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016182
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016191
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161A0
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161AF
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161BB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep
String ID:
API String ID: 437317722-0
Opcode ID: 5c3c76a77b3cc9be8d065bdaa285b16517c5011c89063ecc6306e3f2f9a94ae8
Instruction ID: 8e2cc1e6cd781278eb051083a295c0c8be92a9d549cfdc69074061dcae3e52f5
Opcode Fuzzy Hash: 5c3c76a77b3cc9be8d065bdaa285b16517c5011c89063ecc6306e3f2f9a94ae8
Instruction Fuzzy Hash: D771C4B96087058FC704DF64D48191ABBE1FF88254F458A6EE8889F316D735E982CF92

Uniqueness

Uniqueness Score: -1.00%

Function 10011210 Relevance: 30.2, APIs: 20, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10011210(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, signed int _a4, signed int _a8, void* _a12, signed int _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v32;
				void* _v36;
				int _v48;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _t94;
				signed int* _t95;
				signed int _t101;
				signed int _t102;
				signed int _t104;
				signed int _t106;
				int _t108;
				int _t109;
				int _t111;
				signed int* _t118;
				int _t122;
				signed int _t123;
				int _t126;
				signed int _t127;
				signed int* _t130;
				int _t133;
				signed int _t134;
				void _t136;
				signed int _t138;
				void* _t142;
				signed int _t146;
				void* _t147;
				signed int _t149;
				signed int _t150;
				int _t153;
				void* _t154;
				signed int* _t157;
				signed int* _t158;

				_v8 = __edi;
				_v16 = __ebx;
				_t138 = _a16;
				_v12 = __esi;
				_t146 = _a8;
				_v4 = __ebp;
				_t118 =  *_a4;
				_v36 = 0;
				_v32 = 0;
				if((_t138 & 0x00000008) == 0) {
					if(_a12 == 0) {
						goto L2;
					}
					 *_t158 = _a12;
					_v32 = E100292E0(_t118, _t138, _t146, __ebp);
					if(_t146 != 0) {
						goto L3;
					}
					goto L22;
				} else {
					_v32 = _a12;
					L2:
					if(_t146 == 0) {
						L22:
						_t147 = 0xffffffea;
						L23:
						if(_t118 == 0) {
							L10:
							 *_t158 = _v36;
							L100290D0();
							 *_t158 = _v32;
							L100290D0();
							L11:
							return _t147;
						}
						L9:
						if( *_t118 == 0) {
							 *_t158 =  &(_t118[1]);
							E100290E0();
							 *_t158 = _a4;
							E100290E0();
						}
						goto L10;
					}
					L3:
					_t157 = 0;
					if((_t138 & 0x00000040) == 0) {
						_v64 = _t138;
						_v68 = 0;
						_v72 = _t146;
						 *_t158 = _t118;
						_t157 = E100110D0();
					}
					if((_t138 & 0x00000004) == 0) {
						 *_t158 = _t146;
						_t94 = E100292E0(_t118, _t138, _t146, _t157);
						_v36 = _t94;
						_t149 = _t94;
						if(_t118 == 0) {
							goto L29;
						}
						if(_t94 == 0) {
							goto L8;
						}
						goto L6;
					} else {
						_v36 = _t146;
						if(_t118 == 0) {
							L29:
							 *_t158 = 8;
							_t95 = E10029100();
							_t149 = _v36;
							_t118 = _t95;
							 *_a4 = _t118;
							if(_t118 == 0 || _t149 == 0) {
								_t147 = 0xfffffff4;
								goto L23;
							} else {
								goto L6;
							}
						}
						L6:
						_t122 = _v32;
						if(_a12 == 0 || _t122 != 0) {
							if(_t157 == 0) {
								_t150 =  *_t118;
								if(_t122 == 0) {
									L37:
									if(_t150 == 0) {
										 *_t158 =  &(_t118[1]);
										E100290E0();
										 *_t158 = _a4;
										E100290E0();
									}
									_t147 = 0;
									 *_t158 =  &_v36;
									E100290E0();
									goto L11;
								}
								_v68 = 8;
								_v72 = _t150 + 1;
								 *_t158 = _t118[1];
								_t101 = E10029010();
								_t123 = _t101;
								if(_t101 == 0) {
									goto L8;
								}
								_t118[1] = _t101;
								_t150 =  *_t118;
								L18:
								_t102 = _v32;
								if(_t102 == 0) {
									goto L37;
								}
								_t130 = _t123 + _t150 * 8;
								_t130[1] = _t102;
								 *_t130 = _v36;
								 *_t118 = _t150 + 1;
								_t147 = 0;
								goto L11;
							}
							if((_t138 & 0x00000010) != 0) {
								 *_t158 = _t149;
								_t147 = 0;
								L100290D0();
								 *_t158 = _v32;
								L100290D0();
								goto L11;
							}
							_t104 = _a4;
							if(_t122 == 0 || (_t138 & 0x00000020) == 0) {
								 *_t158 = _t104;
								L100290D0();
								goto L17;
							} else {
								 *_t158 = _t104;
								_v48 = _t122;
								_t108 = strlen(??);
								 *_t158 = _v48;
								_t153 = _t108;
								_t109 = strlen(??);
								 *_t158 = _t104;
								_v48 = _t109;
								_t63 = _t109 + 1; // 0x1
								_v72 = _t153 + _t63;
								_t111 = E10028DA0();
								if(_t111 == 0) {
									goto L8;
								}
								_t133 = _v48;
								_t142 = _t111 + _t153;
								_t154 = _v32;
								_t126 = _t133 + 1;
								if(_t126 >= 8) {
									if((_t142 & 0x00000001) != 0) {
										_t127 =  *_t154 & 0x000000ff;
										_t142 = _t142 + 1;
										_t154 = _t154 + 1;
										 *(_t142 - 1) = _t127;
										_t126 = _t133;
									}
									if((_t142 & 0x00000002) != 0) {
										_t134 =  *_t154 & 0x0000ffff;
										_t142 = _t142 + 2;
										_t154 = _t154 + 2;
										_t126 = _t126 - 2;
										 *(_t142 - 2) = _t134;
									}
									if((_t142 & 0x00000004) != 0) {
										_t136 =  *_t154;
										_t142 = _t142 + 4;
										_t154 = _t154 + 4;
										_t126 = _t126 - 4;
										 *(_t142 - 4) = _t136;
									}
								}
								_v48 = _t111;
								memcpy(_t142, _t154, _t126);
								_t158 =  &(_t158[3]);
								 *_t158 =  &_v32;
								E100290E0();
								_v32 = _v48;
								L17:
								 *_t158 =  *_t157;
								L100290D0();
								_t106 =  *_t118;
								_t123 = _t118[1];
								_t31 = _t106 - 1; // -1
								_t150 = _t31;
								 *_t118 = _t150;
								 *_t157 =  *(_t123 + _t150 * 8);
								_a4 =  *(_t123 + 4 + _t150 * 8);
								goto L18;
							}
						} else {
							L8:
							_t147 = 0xfffffff4;
							goto L9;
						}
					}
				}
			}

0x10011213
0x1001121b
0x1001121f
0x10011223
0x10011227
0x1001122b
0x1001122f
0x10011233
0x1001123f
0x10011243
0x10011346
0x00000000
0x00000000
0x10011350
0x1001135a
0x1001135e
0x00000000
0x00000000
0x00000000
0x10011249
0x1001124d
0x10011251
0x10011253
0x10011364
0x10011364
0x10011369
0x1001136b
0x1001129e
0x100112a2
0x100112a5
0x100112ae
0x100112b1
0x100112b6
0x100112cb
0x100112cb
0x10011294
0x10011298
0x10011413
0x10011416
0x1001141f
0x10011422
0x10011422
0x00000000
0x10011298
0x10011259
0x10011259
0x10011261
0x100113a0
0x100113a6
0x100113aa
0x100113ae
0x100113b6
0x100113b6
0x1001126d
0x10011380
0x10011383
0x1001138a
0x1001138e
0x10011390
0x00000000
0x00000000
0x10011394
0x00000000
0x00000000
0x00000000
0x10011273
0x10011273
0x10011279
0x100113c0
0x100113c0
0x100113c7
0x100113cc
0x100113d0
0x100113d8
0x100113da
0x100113e4
0x00000000
0x00000000
0x00000000
0x00000000
0x100113da
0x1001127f
0x10011283
0x10011289
0x100112d2
0x10011432
0x10011434
0x10011468
0x1001146a
0x100114fb
0x100114fe
0x10011507
0x1001150a
0x1001150a
0x10011474
0x10011476
0x10011479
0x00000000
0x10011479
0x1001143c
0x10011440
0x10011447
0x1001144a
0x10011451
0x10011453
0x00000000
0x00000000
0x10011459
0x1001145c
0x1001131e
0x1001131e
0x10011324
0x00000000
0x00000000
0x1001132a
0x10011332
0x10011335
0x10011337
0x10011339
0x00000000
0x10011339
0x100112de
0x100113f0
0x100113f3
0x100113f5
0x100113fe
0x10011401
0x00000000
0x10011401
0x100112e6
0x100112e9
0x100112f4
0x100112f7
0x00000000
0x10011488
0x10011488
0x1001148d
0x10011491
0x1001149a
0x1001149d
0x1001149f
0x100114a4
0x100114a9
0x100114ad
0x100114b1
0x100114b5
0x100114bc
0x00000000
0x00000000
0x100114c2
0x100114c6
0x100114c9
0x100114cd
0x100114d3
0x1001151e
0x10011540
0x10011543
0x10011544
0x10011545
0x10011548
0x10011548
0x10011526
0x1001154c
0x1001154f
0x10011552
0x10011555
0x10011558
0x10011558
0x1001152e
0x10011530
0x10011532
0x10011535
0x10011538
0x1001153b
0x1001153b
0x1001152e
0x100114d5
0x100114dd
0x100114dd
0x100114df
0x100114e2
0x100114eb
0x100112fc
0x100112ff
0x10011302
0x10011307
0x10011309
0x1001130c
0x1001130c
0x1001130f
0x10011318
0x1001131b
0x00000000
0x1001131b
0x1001128f
0x1001128f
0x1001128f
0x00000000
0x1001128f
0x10011289
0x1001126d

APIs

mv_strdup.A649 ref: 10011353
mv_strdup.A649 ref: 10011383
mv_dict_get.A649 ref: 100113B1
mv_mallocz.A649 ref: 100113C7

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_strdup$mv_dict_getmv_mallocz
String ID:
API String ID: 3834523185-0
Opcode ID: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
Instruction ID: 56232f5dd71c1c11c53de360d97ca929451fd6b060f0d926ddb83f3af19d46ac
Opcode Fuzzy Hash: 92e61786e18b3758c0339e56a8e0c00a76c00a96181e52d74e44f6f1d6311550
Instruction Fuzzy Hash: 2E9127B5A087158FC754DF68C08065EBBE1EF98790F52892DED999B340E770E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001A6C0 Relevance: 28.8, APIs: 19, Instructions: 325
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1001A6C0(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t251;
				signed int _t259;
				void* _t262;
				signed int* _t263;
				void* _t264;
				void* _t269;
				signed int _t275;
				void* _t278;
				signed int _t290;
				signed int _t291;
				void _t293;
				void* _t294;
				signed int _t307;
				signed int _t308;
				int _t311;
				signed int _t315;
				int _t321;
				void* _t323;
				int _t324;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t333;
				signed int _t335;
				void _t337;
				void* _t338;
				signed char* _t340;
				void* _t341;
				signed short* _t342;
				void _t343;
				signed int _t344;
				void* _t345;
				void* _t346;
				void** _t347;

				_t345 = __eax;
				_t347 = _t346 - 0x4c;
				_t347[8] = __ecx;
				 *((intOrPtr*)(__eax + 0x54)) =  *((intOrPtr*)(__edx + 0x54));
				 *((intOrPtr*)(__eax + 0x5c)) =  *((intOrPtr*)(__edx + 0x5c));
				 *((intOrPtr*)(__eax + 0x60)) =  *((intOrPtr*)(__edx + 0x60));
				 *((intOrPtr*)(__eax + 0x58)) =  *((intOrPtr*)(__edx + 0x58));
				 *((intOrPtr*)(__eax + 0x130)) =  *((intOrPtr*)(__edx + 0x130));
				 *((intOrPtr*)(__eax + 0x134)) =  *((intOrPtr*)(__edx + 0x134));
				 *((intOrPtr*)(__eax + 0x138)) =  *((intOrPtr*)(__edx + 0x138));
				 *((intOrPtr*)(__eax + 0x68)) =  *((intOrPtr*)(__edx + 0x68));
				 *((intOrPtr*)(__eax + 0x6c)) =  *((intOrPtr*)(__edx + 0x6c));
				 *((intOrPtr*)(__eax + 0x13c)) =  *((intOrPtr*)(__edx + 0x13c));
				 *((intOrPtr*)(__eax + 0x160)) =  *((intOrPtr*)(__edx + 0x160));
				 *((intOrPtr*)(__eax + 0x164)) =  *((intOrPtr*)(__edx + 0x164));
				 *((intOrPtr*)(__eax + 0x90)) =  *((intOrPtr*)(__edx + 0x90));
				 *((intOrPtr*)(__eax + 0x94)) =  *((intOrPtr*)(__edx + 0x94));
				 *((intOrPtr*)(__eax + 0x98)) =  *((intOrPtr*)(__edx + 0x98));
				 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__edx + 0x9c));
				 *((intOrPtr*)(__eax + 0xa8)) =  *((intOrPtr*)(__edx + 0xa8));
				 *((intOrPtr*)(__eax + 0x70)) =  *((intOrPtr*)(__edx + 0x70));
				 *((intOrPtr*)(__eax + 0x74)) =  *((intOrPtr*)(__edx + 0x74));
				 *((intOrPtr*)(__eax + 0x8c)) =  *((intOrPtr*)(__edx + 0x8c));
				 *((intOrPtr*)(__eax + 0x108)) =  *((intOrPtr*)(__edx + 0x108));
				 *((intOrPtr*)(__eax + 0x10c)) =  *((intOrPtr*)(__edx + 0x10c));
				 *((intOrPtr*)(__eax + 0x124)) =  *((intOrPtr*)(__edx + 0x124));
				 *((intOrPtr*)(__eax + 0x110)) =  *((intOrPtr*)(__edx + 0x110));
				 *((intOrPtr*)(__eax + 0x114)) =  *((intOrPtr*)(__edx + 0x114));
				 *((intOrPtr*)(__eax + 0x78)) =  *((intOrPtr*)(__edx + 0x78));
				 *((intOrPtr*)(__eax + 0x7c)) =  *((intOrPtr*)(__edx + 0x7c));
				 *((intOrPtr*)(__eax + 0xa0)) =  *((intOrPtr*)(__edx + 0xa0));
				 *((intOrPtr*)(__eax + 0xa4)) =  *((intOrPtr*)(__edx + 0xa4));
				_t347[6] = __edx;
				_t304 =  *(__edx + 0x100);
				_t289 =  *(__edx + 0x104);
				 *((intOrPtr*)(__eax + 0x88)) =  *((intOrPtr*)(__edx + 0x88));
				 *(__eax + 0x100) =  *(__edx + 0x100);
				 *(__eax + 0x104) =  *(__edx + 0x104);
				 *((intOrPtr*)(__eax + 0x80)) =  *((intOrPtr*)(__edx + 0x80));
				 *((intOrPtr*)(__eax + 0x84)) =  *((intOrPtr*)(__edx + 0x84));
				 *((intOrPtr*)(__eax + 0xe8)) =  *((intOrPtr*)(__edx + 0xe8));
				 *((intOrPtr*)(__eax + 0x11c)) =  *((intOrPtr*)(__edx + 0x11c));
				 *((intOrPtr*)(__eax + 0xf0)) =  *((intOrPtr*)(__edx + 0xf0));
				 *((intOrPtr*)(__eax + 0xf4)) =  *((intOrPtr*)(__edx + 0xf4));
				 *((intOrPtr*)(__eax + 0xf8)) =  *((intOrPtr*)(__edx + 0xf8));
				 *((intOrPtr*)(__eax + 0xec)) =  *((intOrPtr*)(__edx + 0xec));
				 *((intOrPtr*)(__eax + 0xfc)) =  *((intOrPtr*)(__edx + 0xfc));
				_t347[2] = 0;
				_t347[1] =  *(__edx + 0x118);
				 *_t347 = __eax + 0x118;
				E10011D20();
				_t321 = _t347[6];
				if( *((intOrPtr*)(_t321 + 0xe4)) <= 0) {
					L31:
					_t347[6] = _t321;
					_t347[1] =  *(_t321 + 0x12c);
					 *_t347 = _t345 + 0x12c;
					_t290 = E1000A480(_t289, _t326, _t334, _t345);
					_t347[1] =  *(_t347[6] + 0x140);
					 *_t347 = _t345 + 0x140;
					return E1000A480(_t290, _t326, _t334, _t345) | _t290;
				} else {
					_t347[6] = 0;
					do {
						_t334 = _t347[6];
						_t289 =  *( *((intOrPtr*)(_t321 + 0xe0)) + _t347[6] * 4);
						_t326 =  *_t289;
						if(_t326 != 0 ||  *((intOrPtr*)(_t321 + 0x44)) ==  *((intOrPtr*)(_t345 + 0x44)) &&  *((intOrPtr*)(_t321 + 0x48)) ==  *((intOrPtr*)(_t345 + 0x48))) {
							if(_t347[8] != 0) {
								_t347[0xa] = _t321;
								 *_t347 =  *(_t289 + 8);
								_t251 = E10009DC0(_t289, _t304, _t326, _t334);
								_t347[0xf] = _t251;
								_t335 = _t251;
								if(_t251 == 0) {
									L19:
									 *_t347 =  &(_t347[0xf]);
									E1000A000(_t289, _t335);
									if( *(_t345 + 0xe4) > 0) {
										_t291 = 0;
										do {
											_t327 =  *(_t345 + 0xe0) + _t291 * 4;
											_t291 = _t291 + 1;
											_t337 =  *_t327;
											_t338 = _t337 + 0xc;
											 *_t347 = _t337 + 0x10;
											E1000A000(_t291, _t338);
											 *_t347 = _t338;
											E10011CC0();
											 *_t347 = _t327;
											E100290E0();
										} while (_t291 <  *(_t345 + 0xe4));
									}
									goto L22;
								} else {
									_t259 =  *(_t345 + 0xe4);
									if(_t259 > 0x1ffffffe) {
										goto L19;
									} else {
										_t347[1] = 4 + _t259 * 4;
										 *_t347 =  *(_t345 + 0xe0);
										_t262 = E10028DA0();
										if(_t262 == 0) {
											goto L19;
										} else {
											 *(_t345 + 0xe0) = _t262;
											 *_t347 = 0x14;
											_t263 = E10029100();
											if(_t263 == 0) {
												goto L19;
											} else {
												_t263[4] = _t335;
												_t323 =  *(_t335 + 4);
												 *_t263 = _t326;
												_t263[2] =  *(_t335 + 8);
												_t307 =  *(_t345 + 0xe4);
												_t263[1] = _t323;
												_t347[0xb] = _t323;
												 *(_t345 + 0xe4) = _t307 + 1;
												 *( *(_t345 + 0xe0) + _t307 * 4) = _t263;
												_t340 =  *(_t289 + 4);
												_t347[7] =  *(_t289 + 8);
												_t330 = _t323;
												_t324 = _t347[0xa];
												_t347[9] = _t340;
												if(_t347[7] >= 8) {
													if((_t330 & 0x00000001) != 0) {
														_t308 =  *_t340 & 0x000000ff;
														_t330 = _t330 + 1;
														_t347[0xa] = _t308;
														 *(_t330 - 1) = _t308;
														_t347[7] = _t347[7] - 1;
														_t347[9] = _t347[9] + 1;
														if((_t330 & 0x00000002) != 0) {
															goto L34;
														}
													} else {
														if((_t330 & 0x00000002) != 0) {
															L34:
															_t342 = _t347[9];
															_t330 = _t330 + 2;
															 *((short*)(_t330 - 2)) =  *_t342 & 0x0000ffff;
															_t347[7] = _t347[7] - 2;
															_t347[9] =  &(_t342[1]);
														}
													}
													if((_t330 & 0x00000004) != 0) {
														_t341 = _t347[9];
														_t330 = _t330 + 4;
														 *(_t330 - 4) =  *_t341;
														_t347[7] = _t347[7] - 4;
														_t347[9] = _t341 + 4;
													}
												}
												_t334 = _t347[9];
												_t311 = _t347[7];
												_t264 = memcpy(_t330, _t334, _t311);
												_t347 =  &(_t347[3]);
												_t326 = _t334 + _t311 + _t311;
												goto L8;
											}
										}
									}
								}
							} else {
								_t347[7] = _t321;
								 *_t347 =  *(_t289 + 0x10);
								_t269 = E10009FC0(_t289, _t304);
								_t343 =  *_t289;
								_t347[0xf] = _t269;
								_t332 = _t269;
								if(_t269 == 0) {
									L23:
									 *_t347 =  &(_t347[0xf]);
									E1000A000(_t289, _t343);
									if( *(_t345 + 0xe4) > 0) {
										_t344 = _t347[8];
										do {
											_t333 =  *(_t345 + 0xe0) + _t344 * 4;
											_t344 = _t344 + 1;
											_t293 =  *_t333;
											_t294 = _t293 + 0xc;
											 *_t347 = _t293 + 0x10;
											E1000A000(_t294, _t344);
											 *_t347 = _t294;
											E10011CC0();
											 *_t347 = _t333;
											E100290E0();
										} while (_t344 <  *(_t345 + 0xe4));
									}
									L22:
									 *(_t345 + 0xe4) = 0;
									 *_t347 = _t345 + 0xe0;
									E100290E0();
									return 0xfffffff4;
								} else {
									_t275 =  *(_t345 + 0xe4);
									if(_t275 > 0x1ffffffe) {
										goto L23;
									} else {
										_t347[1] = 4 + _t275 * 4;
										 *_t347 =  *(_t345 + 0xe0);
										_t278 = E10028DA0();
										if(_t278 == 0) {
											goto L23;
										} else {
											 *(_t345 + 0xe0) = _t278;
											 *_t347 = 0x14;
											_t264 = E10029100();
											if(_t264 == 0) {
												goto L23;
											} else {
												 *(_t264 + 0x10) = _t332;
												_t324 = _t347[7];
												 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t332 + 4));
												 *_t264 = _t343;
												_t334 =  *(_t345 + 0xe0);
												 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t332 + 8));
												_t315 =  *(_t345 + 0xe4);
												_t326 = _t315 + 1;
												 *(_t345 + 0xe4) = _t315 + 1;
												 *( *(_t345 + 0xe0) + _t315 * 4) = _t264;
												L8:
												_t347[7] = _t324;
												_t347[2] = 0;
												_t304 =  *(_t289 + 0xc);
												 *_t347 = _t264 + 0xc;
												_t347[1] =  *(_t289 + 0xc);
												E10011D20();
												_t321 = _t347[7];
												goto L9;
											}
										}
									}
								}
							}
						} else {
							goto L9;
						}
						goto L35;
						L9:
						_t347[6] = _t347[6] + 1;
					} while ( *((intOrPtr*)(_t321 + 0xe4)) > _t347[6]);
					goto L31;
				}
				L35:
			}

0x1001a6c1
0x1001a6c6
0x1001a6c9
0x1001a6d6
0x1001a6dc
0x1001a6e2
0x1001a6e8
0x1001a6f1
0x1001a6fd
0x1001a709
0x1001a715
0x1001a71e
0x1001a727
0x1001a733
0x1001a739
0x1001a73f
0x1001a751
0x1001a75d
0x1001a769
0x1001a775
0x1001a781
0x1001a78a
0x1001a793
0x1001a79f
0x1001a7ab
0x1001a7b7
0x1001a7bd
0x1001a7c6
0x1001a7cf
0x1001a7d8
0x1001a7e1
0x1001a7e7
0x1001a7f3
0x1001a7f7
0x1001a7fd
0x1001a803
0x1001a80f
0x1001a815
0x1001a81b
0x1001a827
0x1001a833
0x1001a83f
0x1001a84b
0x1001a857
0x1001a863
0x1001a86f
0x1001a87b
0x1001a883
0x1001a88d
0x1001a897
0x1001a89a
0x1001a89f
0x1001a8ab
0x1001ab88
0x1001ab88
0x1001ab92
0x1001ab9c
0x1001aba8
0x1001abb0
0x1001abba
0x1001abcb
0x1001a8b1
0x1001a8b3
0x1001a9b3
0x1001a9b9
0x1001a9bd
0x1001a9c0
0x1001a9c4
0x1001a9dc
0x1001a8c0
0x1001a8c7
0x1001a8ca
0x1001a8cf
0x1001a8d5
0x1001a8d7
0x1001aa80
0x1001aa84
0x1001aa87
0x1001aa94
0x1001aa96
0x1001aa98
0x1001aa9e
0x1001aaa1
0x1001aaa2
0x1001aaa7
0x1001aaaa
0x1001aaad
0x1001aab2
0x1001aab5
0x1001aaba
0x1001aabd
0x1001aac2
0x1001aa98
0x00000000
0x1001a8dd
0x1001a8dd
0x1001a8e8
0x00000000
0x1001a8ee
0x1001a8f5
0x1001a8ff
0x1001a902
0x1001a909
0x00000000
0x1001a90f
0x1001a90f
0x1001a915
0x1001a91c
0x1001a923
0x00000000
0x1001a929
0x1001a929
0x1001a92f
0x1001a932
0x1001a93a
0x1001a93d
0x1001a943
0x1001a946
0x1001a94d
0x1001a956
0x1001a959
0x1001a95c
0x1001a960
0x1001a962
0x1001a96b
0x1001a96f
0x1001ab46
0x1001abd0
0x1001abd3
0x1001abd4
0x1001abd8
0x1001abdf
0x1001abea
0x1001abee
0x00000000
0x00000000
0x1001ab4c
0x1001ab52
0x1001ac00
0x1001ac00
0x1001ac04
0x1001ac0a
0x1001ac11
0x1001ac16
0x1001ac16
0x1001ab52
0x1001ab5e
0x1001ab64
0x1001ab68
0x1001ab6d
0x1001ab73
0x1001ab78
0x1001ab78
0x1001ab5e
0x1001a975
0x1001a979
0x1001a97d
0x1001a97d
0x1001a97d
0x00000000
0x1001a97d
0x1001a923
0x1001a909
0x1001a8e8
0x1001a9e2
0x1001a9e2
0x1001a9e9
0x1001a9ec
0x1001a9f1
0x1001a9f3
0x1001a9f9
0x1001a9fb
0x1001aaf0
0x1001aaf4
0x1001aaf7
0x1001ab04
0x1001ab06
0x1001ab0a
0x1001ab10
0x1001ab13
0x1001ab14
0x1001ab19
0x1001ab1c
0x1001ab1f
0x1001ab24
0x1001ab27
0x1001ab2c
0x1001ab2f
0x1001ab34
0x1001ab3c
0x1001aaca
0x1001aad2
0x1001aad8
0x1001aadb
0x1001aaec
0x1001aa01
0x1001aa01
0x1001aa0c
0x00000000
0x1001aa12
0x1001aa19
0x1001aa23
0x1001aa26
0x1001aa2d
0x00000000
0x1001aa33
0x1001aa33
0x1001aa39
0x1001aa40
0x1001aa47
0x00000000
0x1001aa4d
0x1001aa4d
0x1001aa53
0x1001aa57
0x1001aa5d
0x1001aa5f
0x1001aa65
0x1001aa68
0x1001aa6e
0x1001aa71
0x1001aa77
0x1001a97f
0x1001a97f
0x1001a988
0x1001a98c
0x1001a98f
0x1001a992
0x1001a996
0x1001a99b
0x00000000
0x1001a99b
0x1001aa47
0x1001aa2d
0x1001aa0c
0x1001a9fb
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a99f
0x1001a99f
0x1001a9a7
0x00000000
0x1001a9b3
0x00000000

APIs

mv_dict_copy.A649 ref: 1001A89A
mv_dict_copy.A649 ref: 1001A996
mv_buffer_ref.A649 ref: 1001A9EC
mv_realloc.A649 ref: 1001AA26
mv_mallocz.A649 ref: 1001AA40
mv_buffer_replace.A649 ref: 1001AB9F
mv_buffer_replace.A649 ref: 1001ABBD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_replacemv_dict_copy$mv_buffer_refmv_malloczmv_realloc
String ID:
API String ID: 1780483662-0
Opcode ID: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
Instruction ID: 4f31049026451c5eff94bb509f486bba90e5ec7b997a8c78013bd9afd2acced3
Opcode Fuzzy Hash: 3861e8adcd179e933f9009bb7fa2dda5d09e50d5a5c7a36caa6a21cb84e0f4c5
Instruction Fuzzy Hash: 3EF1C3B49043468FCB64CF29C5807D9BBE1FF49350F458A6EE9899B312D730A984CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000FDB0 Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E1000FDB0(intOrPtr __ebx, signed int _a4) {
				intOrPtr _v4;
				char _v16;
				intOrPtr _v32;
				intOrPtr _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				char* _v60;
				char* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _t77;

				_v4 = __ebx;
				_t77 = _a4;
				if(_t77 > 7) {
					_v40 = 0x182;
					_v44 = "libavutil/crc.c";
					_v48 = 0x100b31c2;
					L28:
					E10026560(0, 0, "Assertion %s failed at %s:%d\n");
					abort();
					L29:
					_v40 = 0x152;
					_v44 = "libavutil/crc.c";
					_v48 = "av_crc_init(av_crc_table[AV_CRC_16_ANSI_LE], 1, 16, 0xA001, sizeof(av_crc_table[AV_CRC_16_ANSI_LE])) >= 0";
					goto L28;
				}
				_v16 = 0;
				_v48 = 0;
				_v52 =  &_v16;
				_v56 = 0;
				switch( *((intOrPtr*)(_t77 * 4 +  &M100B31C4))) {
					case 0:
						_v60 = 0x100cf25c;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 7;
							__edx = 8;
							__eax = 0x100cf260;
							if(E1000FAE0(0x100cf260, 7, 8) < 0) {
								_v56 = 0x14b;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_8_ATM], 0, 8, 0x07, sizeof(av_crc_table[AV_CRC_8_ATM])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf25c;
						__edx = 0;
						__ecx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 1:
						_v60 = 0x100cf254;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x8005;
							__edx = 0x10;
							__eax = 0x100d0260;
							if(E1000FAE0(0x100d0260, 0x8005, 0x10) < 0) {
								_v56 = 0x14d;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_16_ANSI], 0, 16, 0x8005, sizeof(av_crc_table[AV_CRC_16_ANSI])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf254;
						__edx = 0;
						__ecx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 2:
						_v60 = 0x100cf250;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x1021;
							__edx = 0x10;
							__eax = 0x100d1260;
							if(E1000FAE0(0x100d1260, 0x1021, 0x10) < 0) {
								_v56 = 0x14e;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_16_CCITT], 0, 16, 0x1021, sizeof(av_crc_table[AV_CRC_16_CCITT])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf250;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 3:
						_v60 = 0x100cf248;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__edx = _v32;
						if(_v32 != 0) {
							__ecx = 0x4c11db7;
							__edx = 0x20;
							__eax = 0x100d2260;
							if(E1000FAE0(0x100d2260, 0x4c11db7, 0x20) < 0) {
								_v56 = 0x150;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_32_IEEE], 0, 32, 0x04C11DB7, sizeof(av_crc_table[AV_CRC_32_IEEE])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf248;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 4:
						_v60 = 0x100cf244;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0xedb88320;
							__edx = 0x20;
							__eax = 0x100d3260;
							if(E1000FA00(0x100d3260, 0xedb88320) < 0) {
								_v56 = 0x151;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_32_IEEE_LE], 1, 32, 0xEDB88320, sizeof(av_crc_table[AV_CRC_32_IEEE_LE])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf244;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 5:
						_v60 = 0x100cf240;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__ecx = _v32;
						if(_v32 != 0) {
							__ecx = 0xa001;
							__edx = 0x10;
							__eax = 0x100d4260;
							if(E1000FA00(0x100d4260, 0xa001) < 0) {
								goto L29;
							}
						}
						 *__esp = 0x100cf240;
						__eax = 0;
						__edx = 0;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						goto L5;
					case 6:
						_v60 = 0x100cf24c;
						__imp__InitOnceBeginInitialize();
						_t84 =  &_v60 - 0x10;
						if(_v32 != 0 && E1000FAE0(0x100d5260, 0x864cfb, 0x18) < 0) {
							_v56 = 0x14f;
							_v60 = "libavutil/crc.c";
							_v64 = "av_crc_init(av_crc_table[AV_CRC_24_IEEE], 0, 24, 0x864CFB, sizeof(av_crc_table[AV_CRC_24_IEEE])) >= 0";
							goto L28;
						}
						 *_t84 = 0x100cf24c;
						_v68 = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						goto L5;
					case 7:
						_v60 = 0x100cf258;
						__imp__InitOnceBeginInitialize();
						__esp = __esp - 0x10;
						__eax = _v32;
						if(_v32 != 0) {
							__ecx = 0x1d;
							__edx = 8;
							__eax = 0x100d6260;
							if(E1000FAE0(0x100d6260, 0x1d, 8) < 0) {
								_v56 = 0x14c;
								_v60 = "libavutil/crc.c";
								_v64 = "av_crc_init(av_crc_table[AV_CRC_8_EBU], 0, 8, 0x1D, sizeof(av_crc_table[AV_CRC_8_EBU])) >= 0";
								goto L28;
							}
						}
						 *__esp = 0x100cf258;
						__eax = 0;
						_v68 = 0;
						__eax = 0;
						_v72 = 0;
						__imp__InitOnceComplete();
						__esp = __esp - 0xc;
						L5:
						return (_t77 << 0xc) + 0x100cf260;
				}
			}

0x1000fdb3
0x1000fdb7
0x1000fdbe
0x100100b1
0x100100b9
0x100100c1
0x100100c9
0x100100da
0x100100df
0x100100e4
0x100100e4
0x100100ec
0x100100f4
0x00000000
0x100100f4
0x1000fdc6
0x1000fdcc
0x1000fdd4
0x1000fdda
0x1000fdde
0x00000000
0x1000fea8
0x1000feaf
0x1000feb5
0x1000feb8
0x1000febe
0x1000fec0
0x1000fec5
0x1000feca
0x1000fed6
0x1001016c
0x10010174
0x1001017c
0x00000000
0x1001017c
0x1000fed6
0x1000fedc
0x1000fee3
0x1000fee5
0x1000fee7
0x1000feeb
0x1000feef
0x1000fef5
0x00000000
0x00000000
0x1000ff00
0x1000ff07
0x1000ff0d
0x1000ff10
0x1000ff16
0x1000ff18
0x1000ff1d
0x1000ff22
0x1000ff2e
0x1001014f
0x10010157
0x1001015f
0x00000000
0x1001015f
0x1000ff2e
0x1000ff34
0x1000ff3b
0x1000ff3d
0x1000ff3f
0x1000ff43
0x1000ff47
0x1000ff4d
0x00000000
0x00000000
0x1000ff58
0x1000ff5f
0x1000ff65
0x1000ff68
0x1000ff6e
0x1000ff70
0x1000ff75
0x1000ff7a
0x1000ff86
0x10010132
0x1001013a
0x10010142
0x00000000
0x10010142
0x1000ff86
0x1000ff8c
0x1000ff93
0x1000ff95
0x1000ff99
0x1000ff9b
0x1000ff9f
0x1000ffa5
0x00000000
0x00000000
0x1000ffb0
0x1000ffb7
0x1000ffbd
0x1000ffc0
0x1000ffc6
0x1000ffc8
0x1000ffcd
0x1000ffd2
0x1000ffde
0x10010118
0x10010120
0x10010128
0x00000000
0x10010128
0x1000ffde
0x1000ffe4
0x1000ffeb
0x1000ffed
0x1000fff1
0x1000fff3
0x1000fff7
0x1000fffd
0x00000000
0x00000000
0x10010008
0x1001000f
0x10010015
0x10010018
0x1001001e
0x10010020
0x10010025
0x1001002a
0x10010036
0x100100fe
0x10010106
0x1001010e
0x00000000
0x1001010e
0x10010036
0x1001003c
0x10010043
0x10010045
0x10010049
0x1001004b
0x1001004f
0x10010055
0x00000000
0x00000000
0x10010060
0x10010067
0x1001006d
0x10010070
0x10010076
0x10010078
0x1001007d
0x10010082
0x1001008e
0x00000000
0x00000000
0x1001008e
0x10010090
0x10010097
0x10010099
0x1001009b
0x1001009f
0x100100a3
0x100100a9
0x00000000
0x00000000
0x1000fde8
0x1000fdef
0x1000fdf5
0x1000fdfe
0x100101a6
0x100101ae
0x100101b6
0x00000000
0x100101b6
0x1000fe1c
0x1000fe27
0x1000fe2b
0x1000fe2f
0x00000000
0x00000000
0x1000fe50
0x1000fe57
0x1000fe5d
0x1000fe60
0x1000fe66
0x1000fe68
0x1000fe6d
0x1000fe72
0x1000fe7e
0x10010189
0x10010191
0x10010199
0x00000000
0x10010199
0x1000fe7e
0x1000fe84
0x1000fe8b
0x1000fe8d
0x1000fe91
0x1000fe93
0x1000fe97
0x1000fe9d
0x1000fe38
0x1000fe48
0x00000000

APIs

InitOnceBeginInitialize.KERNEL32 ref: 1000FDEF
InitOnceComplete.KERNEL32 ref: 1000FE2F
InitOnceBeginInitialize.KERNEL32 ref: 1000FE57
InitOnceComplete.KERNEL32 ref: 1000FE97
InitOnceBeginInitialize.KERNEL32 ref: 1000FEAF
InitOnceComplete.KERNEL32 ref: 1000FEEF
InitOnceBeginInitialize.KERNEL32 ref: 1000FF07
InitOnceComplete.KERNEL32 ref: 1000FF47
InitOnceBeginInitialize.KERNEL32 ref: 1000FF5F
InitOnceComplete.KERNEL32 ref: 1000FF9F
InitOnceBeginInitialize.KERNEL32 ref: 1000FFB7
InitOnceComplete.KERNEL32 ref: 1000FFF7
InitOnceBeginInitialize.KERNEL32 ref: 1001000F
InitOnceComplete.KERNEL32 ref: 1001004F
InitOnceBeginInitialize.KERNEL32 ref: 10010067
InitOnceComplete.KERNEL32 ref: 100100A3
mv_log.A649 ref: 100100DA
abort.MSVCRT ref: 100100DF

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitOnce$BeginCompleteInitialize$abortmv_log
String ID:
API String ID: 3291523196-0
Opcode ID: 2b47c2bf3e3fa6c795a3dc23ffaf2896f32faa1e7336acce23502dd64e08b7d6
Instruction ID: aeed45a4e90bad649361631328d9bf363d386ce5facdec37279137bd03f57fef
Opcode Fuzzy Hash: 2b47c2bf3e3fa6c795a3dc23ffaf2896f32faa1e7336acce23502dd64e08b7d6
Instruction Fuzzy Hash: 429105746093819FD340EF69C54822EBBE1FF85340F81C92DE899CB614DBB9C5449B53

Uniqueness

Uniqueness Score: -1.00%

Function 10015D21 Relevance: 27.1, APIs: 18, Instructions: 116COMMON

Download Yara Rule

APIs

mv_mallocz.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015D33
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DA4
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DB3
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DC2
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DD1
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DDD
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015DFF
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E0E
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E1D
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E2C
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E38
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E5A
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E69
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E78
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E87
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015E93
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EAA
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EB6
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EE9
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015EF8
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F07
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F16
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F22
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F35
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F44
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F53
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F62
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,10015FA3), ref: 10015F6E

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_mallocz
String ID:
API String ID: 83030161-0
Opcode ID: cedd425efbf2f9177d794371f5334c4b88e835c2cfef34e4e6e27e8324e12137
Instruction ID: 0ff1b914b972770665bab29417398d322990ddb109f90b5d6908dac23094119d
Opcode Fuzzy Hash: cedd425efbf2f9177d794371f5334c4b88e835c2cfef34e4e6e27e8324e12137
Instruction Fuzzy Hash: 01518EB85087058FC344EF65C08191ABBE1FF88355F55CA5DE8985B305D735EA86CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100202B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 171COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.A649 ref: 10020395
mv_log.A649 ref: 100203B3
mv_log.A649 ref: 100203D6
mv_log.A649 ref: 100203FD

Strings

Unknown surface type: %lu, xrefs: 100203E8
Failed to open device handle, xrefs: 10020522
Unsupported pixel format: %s, xrefs: 100203A1
NV12, xrefs: 1002040C
Error creating an internal frame pool, xrefs: 100203C6
P010, xrefs: 100204BE

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_get_pix_fmt_name
String ID: Error creating an internal frame pool$Failed to open device handle$NV12$P010$Unknown surface type: %lu$Unsupported pixel format: %s
API String ID: 2830795485-4196069199
Opcode ID: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
Instruction ID: dbfc9fc73534cf50ff89b72e71a8ef33aba9b4af1470f45bc046c89c466e1acb
Opcode Fuzzy Hash: 7e434e73dff374732bf92a6c6b461502dd5c9fdd604f663b4050518d1b8bf5f6
Instruction Fuzzy Hash: 3371C2B46087459FC750DF29D58460ABBE1FF88300F91C96EF9998B356E774E840DB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001ADF0 Relevance: 25.9, APIs: 17, Instructions: 360
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1001ADF0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				void* _t160;
				signed int _t163;
				signed int _t164;
				signed int _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				signed int _t176;
				signed int _t182;
				signed int _t188;
				signed int _t198;
				signed int _t199;
				signed int _t207;
				signed int _t210;
				signed int _t211;
				void* _t212;
				void* _t213;
				signed int _t214;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t233;
				signed int _t235;
				signed int _t239;
				void* _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t247;
				signed int _t250;
				signed int _t252;
				signed int _t253;
				signed int _t260;
				signed int _t266;
				signed int _t267;
				void* _t268;
				signed int _t269;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t275;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t280;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				void* _t293;
				void* _t294;
				signed int* _t295;

				_t295 = _t294 - 0x5c;
				_t235 = _t295[0x1c];
				_t155 =  *(_t235 + 0x50);
				if(_t155 < 0) {
					L62:
					_t252 = 0xffffffea;
					goto L19;
				} else {
					_t237 =  *(_t235 + 0x44);
					if( *(_t235 + 0x44) <= 0) {
						L3:
						if( *(_t235 + 0x4c) <= 0) {
							goto L62;
						} else {
							_t284 = _t235 + 0x148;
							 *_t295 = _t284;
							if(E1000EC10() != 0 || ( *(_t235 + 0xb4) |  *(_t235 + 0xb0)) != 0 ||  *(_t235 + 0x120) > 0) {
								 *_t295 =  *(_t235 + 0x50);
								_t160 = E1003CB70();
								_t269 =  *(_t235 + 0x14c);
								_t275 = _t160;
								if(_t269 != 0) {
									L21:
									 *(_t235 + 0x120) = _t269;
									__eflags =  *(_t235 + 0x148) != 1;
									if( *(_t235 + 0x148) != 1) {
										_t253 = 0;
										_t163 = 0;
									} else {
										_t253 =  *(_t235 + 0x150);
										_t163 =  *(_t235 + 0x154);
									}
								} else {
									_t163 =  *(_t235 + 0xb4);
									_t253 =  *(_t235 + 0xb0);
									_t237 = _t163 | _t253;
									if((_t163 | _t253) != 0) {
										_t295[1] = _t253;
										_t295[2] = _t163;
										 *_t295 = _t284;
										E1000D1B0();
										_t269 =  *(_t235 + 0x14c);
										goto L21;
									} else {
										_t269 =  *(_t235 + 0x120);
										 *(_t235 + 0x148) = 0;
										 *(_t235 + 0x14c) = _t269;
									}
								}
								 *(_t235 + 0xb4) = _t163;
								_t164 =  *(_t235 + 0x20);
								 *(_t235 + 0xb0) = _t253;
								if(_t275 != 0) {
									__eflags = _t164;
									if(_t164 == 0) {
										_t295[4] = _t295[0x1d];
										_t295[3] =  *(_t235 + 0x50);
										_t295[1] = _t269;
										_t295[2] =  *(_t235 + 0x4c);
										 *_t295 = _t235 + 0x20;
										_t169 = E1003CB90(_t235, _t253, _t269, _t275);
										__eflags = _t169;
										_t252 = _t169;
										if(_t169 >= 0) {
											goto L24;
										} else {
											goto L19;
										}
									} else {
										L24:
										__eflags = _t269 - 8;
										if(_t269 <= 8) {
											 *(_t235 + 0x40) = _t235;
											__eflags = _t269;
											if(_t269 > 0) {
												goto L67;
											} else {
												goto L34;
											}
										} else {
											 *_t295 = _t269;
											_t280 = _t269 - 8;
											_t295[1] = 4;
											 *(_t235 + 0x40) = E100291F0();
											_t295[1] = 4;
											 *_t295 = _t280;
											_t182 = E100291F0();
											_t237 =  *(_t235 + 0x40);
											__eflags =  *(_t235 + 0x40);
											 *(_t235 + 0xd8) = _t182;
											if( *(_t235 + 0x40) == 0) {
												L70:
												 *_t295 = _t235 + 0x40;
												E100290E0();
												 *_t295 = _t235 + 0xd8;
												E100290E0();
												goto L18;
											} else {
												__eflags = _t182;
												if(_t182 == 0) {
													goto L70;
												} else {
													 *(_t235 + 0xdc) = _t280;
													_t164 =  *(_t235 + 0x20);
													goto L13;
												}
											}
										}
									}
								} else {
									if(_t164 == 0) {
										_t295[4] = _t295[0x1d];
										_t295[3] =  *(_t235 + 0x50);
										_t295[1] = _t269;
										_t295[2] =  *(_t235 + 0x4c);
										 *_t295 = _t235 + 0x20;
										_t188 = E1003CB90(_t235, _t253, _t269, _t275);
										__eflags = _t188;
										_t252 = _t188;
										if(_t188 < 0) {
											goto L19;
										} else {
											 *(_t235 + 0x40) = _t235;
											_t269 = 1;
											L67:
											_t164 =  *(_t235 + 0x20);
											goto L13;
										}
									} else {
										 *(_t235 + 0x40) = _t235;
										_t269 = 1;
										L13:
										_t285 = 0;
										_t277 =  <=  ? _t269 : 8;
										while(1) {
											 *_t295 = _t164;
											_t170 = E10009DC0(_t235, _t237, _t269, _t277);
											 *((intOrPtr*)(_t235 + 0xb8 + _t285 * 4)) = _t170;
											if(_t170 == 0) {
												break;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											 *((intOrPtr*)(_t235 + _t285 * 4)) = _t171;
											 *((intOrPtr*)( *(_t235 + 0x40) + _t285 * 4)) = _t171;
											_t285 = _t285 + 1;
											__eflags = _t285 - _t277;
											if(_t285 >= _t277) {
												__eflags = _t269 - 8;
												_t295[0xb] = _t269 - 8;
												if(_t269 <= 8) {
													L34:
													__eflags = 0;
													return 0;
												} else {
													_t278 =  *(_t235 + 0xd8);
													_t286 = 0;
													while(1) {
														_t270 = _t286 * 4;
														_t279 = _t278 + _t270;
														 *_t295 =  *(_t235 + 0x20);
														 *_t279 = E10009DC0(_t235, _t237, _t270, _t279);
														_t278 =  *(_t235 + 0xd8);
														_t176 =  *(_t278 + _t270);
														__eflags = _t176;
														if(_t176 == 0) {
															break;
														}
														_t237 =  *(_t176 + 4);
														_t286 = _t286 + 1;
														__eflags = _t295[0xb] - _t286;
														 *( *(_t235 + 0x40) + _t270 + 0x20) =  *(_t176 + 4);
														if(_t295[0xb] == _t286) {
															goto L34;
														} else {
															continue;
														}
														goto L71;
													}
													break;
												}
											} else {
												_t164 =  *(_t235 + 0x20);
												continue;
											}
											goto L71;
										}
										E1001A460(_t235);
										L18:
										_t252 = 0xfffffff4;
										goto L19;
									}
								}
							} else {
								goto L62;
							}
						}
					} else {
						_t257 =  *(_t235 + 0x48);
						if( *(_t235 + 0x48) > 0) {
							 *_t295 = _t155;
							__eflags = E10034790();
							if(__eflags == 0) {
								goto L62;
							} else {
								_t295[3] = 0;
								_t295[2] = 0;
								_t295[1] =  *(_t235 + 0x48);
								 *_t295 =  *(_t235 + 0x44);
								_t198 = E100221C0(_t235, _t257, _t268, _t274, _t283, __eflags);
								__eflags = _t198;
								_t252 = _t198;
								if(_t198 >= 0) {
									_t199 =  *(_t235 + 0x20);
									__eflags = _t199;
									if(__eflags != 0) {
										L48:
										_t295[0xc] = _t199;
										_t295[0xd] =  *(_t235 + 0x24);
										_t295[0xe] =  *(_t235 + 0x28);
										_t295[0xf] =  *(_t235 + 0x2c);
										_t272 =  *(_t235 + 0x48) + 0x0000001f & 0xffffffe0;
										_t295[3] =  &(_t295[0xc]);
										_t295[2] = _t272;
										_t295[1] =  *(_t235 + 0x50);
										 *_t295 =  &(_t295[0x10]);
										_t207 = E100219B0(_t235, _t272, _t274, _t283, __eflags);
										__eflags = _t207;
										_t252 = _t207;
										if(_t207 >= 0) {
											_t239 = _t295[0x10];
											__eflags = _t295[0x1d] - 0x20;
											_t209 =  >=  ? _t295[0x1d] : 0x20;
											_t210 = ( >=  ? _t295[0x1d] : 0x20) * 4;
											__eflags = 0x7fffffdf - _t239;
											if(0x7fffffdf < _t239) {
												goto L62;
											} else {
												_t240 = _t239 + _t210;
												_t211 = _t295[0x11];
												__eflags = 0x7fffffff - _t240 - _t211;
												if(0x7fffffff - _t240 < _t211) {
													goto L62;
												} else {
													_t212 = _t211 + _t240;
													_t241 = _t295[0x12];
													_t293 = 0x7fffffff - _t212;
													__eflags = 0x7fffffff - _t241;
													if(0x7fffffff < _t241) {
														goto L62;
													} else {
														_t213 = _t212 + _t241;
														_t242 = _t295[0x13];
														__eflags = 0x7fffffff - _t213 - _t242;
														if(0x7fffffff - _t213 < _t242) {
															goto L62;
														} else {
															 *_t295 = _t242 + _t213;
															_t214 = E10009DC0(_t235, _t242 + _t213, _t272, 0x20);
															 *(_t235 + 0xb8) = _t214;
															__eflags = _t214;
															if(_t214 == 0) {
																_t260 = 0xfffffff4;
																goto L69;
															} else {
																_t295[4] = _t235 + 0x20;
																_t295[2] = _t272;
																_t295[3] =  *(_t214 + 4);
																 *_t295 = _t235;
																_t295[1] =  *(_t235 + 0x50);
																_t219 = E10021AF0(_t235, _t272, 0x20, _t293);
																__eflags = _t219;
																_t260 = _t219;
																if(_t219 < 0) {
																	L69:
																	_t295[0xb] = _t260;
																	E1001A460(_t235);
																	_t252 = _t295[0xb];
																} else {
																	_t220 =  *(_t235 + 4);
																	__eflags = _t220;
																	if(_t220 != 0) {
																		_t225 = _t220 + 0x20;
																		__eflags = _t225;
																		 *(_t235 + 4) = _t225;
																	}
																	_t221 =  *(_t235 + 8);
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *(_t235 + 8) = _t221 + 0x40;
																	}
																	_t222 =  *(_t235 + 0xc);
																	__eflags = _t222;
																	if(_t222 != 0) {
																		_t223 = _t222 + 0x60;
																		__eflags = _t223;
																		 *(_t235 + 0xc) = _t223;
																	}
																	 *(_t235 + 0x40) = _t235;
																	_t252 = 0;
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t283 = 1;
										_t273 = _t235 + 0x20;
										__eflags = _t295[0x1d];
										_t274 =  >  ? _t295[0x1d] : 0x20;
										_t295[0xb] = 0x1f;
										while(1) {
											_t295[2] =  *(_t235 + 0x44) + _t283 - 0x00000001 &  ~_t283;
											 *_t295 = _t273;
											_t295[1] =  *(_t235 + 0x50);
											_t233 = E100215D0(__eflags);
											__eflags = _t233;
											_t252 = _t233;
											if(_t233 < 0) {
												goto L19;
											}
											_t199 =  *(_t235 + 0x20);
											__eflags = _t295[0xb] & _t199;
											if((_t295[0xb] & _t199) != 0) {
												_t283 = _t283 + _t283;
												__eflags = _t283 - _t274;
												if(__eflags > 0) {
													goto L44;
												} else {
													continue;
												}
											} else {
												__eflags = _t199;
												if(__eflags != 0) {
													L44:
													_t244 =  *(_t235 + 0x24);
													_t266 =  ~_t274;
													_t199 = _t274 + _t199 - 0x00000001 & _t266;
													 *(_t235 + 0x20) = _t199;
													__eflags = _t244;
													if(__eflags != 0) {
														 *(_t235 + 0x24) = _t274 + _t244 - 0x00000001 & _t266;
														_t247 =  *(_t235 + 0x28);
														__eflags = _t247;
														if(__eflags != 0) {
															 *(_t235 + 0x28) = _t274 + _t247 - 0x00000001 & _t266;
															_t250 =  *(_t235 + 0x2c);
															__eflags = _t250;
															if(__eflags != 0) {
																_t267 = _t266 & _t274 + _t250 - 0x00000001;
																__eflags = _t267;
																 *(_t235 + 0x2c) = _t267;
															}
														}
													}
												}
												goto L48;
											}
											goto L19;
										}
									}
								}
							}
							L19:
							return _t252;
						} else {
							goto L3;
						}
					}
				}
				L71:
			}

0x1001adf4
0x1001adf7
0x1001adfb
0x1001ae00
0x1001b23d
0x1001b23d
0x00000000
0x1001ae06
0x1001ae06
0x1001ae0b
0x1001ae18
0x1001ae1d
0x00000000
0x1001ae23
0x1001ae23
0x1001ae29
0x1001ae33
0x1001ae54
0x1001ae57
0x1001ae5c
0x1001ae64
0x1001ae66
0x1001af2e
0x1001af2e
0x1001af3a
0x1001af3b
0x1001b030
0x1001b032
0x1001af41
0x1001af41
0x1001af47
0x1001af47
0x1001ae6c
0x1001ae6c
0x1001ae72
0x1001ae7a
0x1001ae7c
0x1001af18
0x1001af1c
0x1001af20
0x1001af23
0x1001af28
0x00000000
0x1001ae82
0x1001ae82
0x1001ae8a
0x1001ae90
0x1001ae90
0x1001ae7c
0x1001ae96
0x1001ae9e
0x1001aea1
0x1001aea7
0x1001af58
0x1001af5a
0x1001b254
0x1001b25b
0x1001b262
0x1001b266
0x1001b26d
0x1001b270
0x1001b275
0x1001b277
0x1001b279
0x00000000
0x1001b27f
0x00000000
0x1001b27f
0x1001af60
0x1001af60
0x1001af60
0x1001af63
0x1001b019
0x1001b01c
0x1001b01e
0x00000000
0x00000000
0x00000000
0x00000000
0x1001af69
0x1001af69
0x1001af6c
0x1001af74
0x1001af82
0x1001af85
0x1001af89
0x1001af8c
0x1001af91
0x1001af94
0x1001af96
0x1001af9c
0x1001b2e0
0x1001b2e9
0x1001b2ec
0x1001b2f1
0x1001b2f4
0x00000000
0x1001afa2
0x1001afa2
0x1001afa4
0x00000000
0x1001afaa
0x1001afaa
0x1001afb0
0x00000000
0x1001afb0
0x1001afa4
0x1001af9c
0x1001af63
0x1001aead
0x1001aeaf
0x1001b28c
0x1001b293
0x1001b29a
0x1001b29e
0x1001b2a5
0x1001b2a8
0x1001b2ad
0x1001b2af
0x1001b2b1
0x00000000
0x1001b2b7
0x1001b2b7
0x1001b2ba
0x1001b2bf
0x1001b2bf
0x00000000
0x1001b2bf
0x1001aeb5
0x1001aeb5
0x1001aeb8
0x1001aebd
0x1001aec2
0x1001aec6
0x1001aee8
0x1001aee8
0x1001aeeb
0x1001aef0
0x1001aef9
0x00000000
0x00000000
0x1001aed0
0x1001aed6
0x1001aed9
0x1001aedc
0x1001aedd
0x1001aedf
0x1001afc3
0x1001afc6
0x1001afca
0x1001b024
0x1001b027
0x1001b02f
0x1001afcc
0x1001afcc
0x1001afd2
0x1001aff1
0x1001aff4
0x1001affb
0x1001affd
0x1001b005
0x1001b007
0x1001b00d
0x1001b010
0x1001b012
0x00000000
0x00000000
0x1001afe0
0x1001afe3
0x1001afe7
0x1001afeb
0x1001afef
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001afef
0x00000000
0x1001b014
0x1001aee5
0x1001aee5
0x00000000
0x1001aee5
0x00000000
0x1001aedf
0x1001aefd
0x1001af02
0x1001af02
0x00000000
0x1001af02
0x1001aeaf
0x00000000
0x00000000
0x00000000
0x1001ae33
0x1001ae0d
0x1001ae0d
0x1001ae12
0x1001b040
0x1001b048
0x1001b04a
0x00000000
0x1001b050
0x1001b052
0x1001b058
0x1001b05f
0x1001b066
0x1001b069
0x1001b06e
0x1001b070
0x1001b072
0x1001b078
0x1001b07b
0x1001b07d
0x1001b121
0x1001b121
0x1001b128
0x1001b12f
0x1001b136
0x1001b144
0x1001b147
0x1001b14b
0x1001b152
0x1001b15a
0x1001b15d
0x1001b162
0x1001b164
0x1001b166
0x1001b171
0x1001b17a
0x1001b180
0x1001b187
0x1001b190
0x1001b192
0x00000000
0x1001b198
0x1001b198
0x1001b19a
0x1001b1a2
0x1001b1a4
0x00000000
0x1001b1aa
0x1001b1aa
0x1001b1ac
0x1001b1b2
0x1001b1b4
0x1001b1b6
0x00000000
0x1001b1bc
0x1001b1bc
0x1001b1be
0x1001b1c4
0x1001b1c6
0x00000000
0x1001b1c8
0x1001b1ca
0x1001b1cd
0x1001b1d2
0x1001b1d8
0x1001b1da
0x1001b2c7
0x00000000
0x1001b1e0
0x1001b1e3
0x1001b1ea
0x1001b1ee
0x1001b1f5
0x1001b1f8
0x1001b1fc
0x1001b201
0x1001b203
0x1001b205
0x1001b2cc
0x1001b2cc
0x1001b2d2
0x1001b2d7
0x1001b20b
0x1001b20b
0x1001b20e
0x1001b210
0x1001b212
0x1001b212
0x1001b214
0x1001b214
0x1001b217
0x1001b21a
0x1001b21c
0x1001b221
0x1001b221
0x1001b224
0x1001b227
0x1001b229
0x1001b22e
0x1001b22e
0x1001b230
0x1001b230
0x1001b233
0x1001b236
0x1001b236
0x1001b205
0x1001b1da
0x1001b1c6
0x1001b1b6
0x1001b1a4
0x1001b192
0x1001b083
0x1001b08c
0x1001b091
0x1001b094
0x1001b096
0x1001b09e
0x1001b0ae
0x1001b0ba
0x1001b0c1
0x1001b0c4
0x1001b0c8
0x1001b0cd
0x1001b0cf
0x1001b0d1
0x00000000
0x00000000
0x1001b0d7
0x1001b0da
0x1001b0de
0x1001b0a8
0x1001b0aa
0x1001b0ac
0x00000000
0x00000000
0x00000000
0x00000000
0x1001b0e0
0x1001b0e0
0x1001b0e2
0x1001b0e4
0x1001b0e4
0x1001b0ed
0x1001b0ef
0x1001b0f1
0x1001b0f4
0x1001b0f6
0x1001b0fe
0x1001b101
0x1001b104
0x1001b106
0x1001b10e
0x1001b111
0x1001b114
0x1001b116
0x1001b11c
0x1001b11c
0x1001b11e
0x1001b11e
0x1001b116
0x1001b106
0x1001b0f6
0x00000000
0x1001b0e2
0x00000000
0x1001b0de
0x1001b0ae
0x1001b07d
0x1001b072
0x1001af07
0x1001af10
0x00000000
0x00000000
0x00000000
0x1001ae12
0x1001ae0b
0x00000000

APIs

mv_channel_layout_check.A649 ref: 1001AE2C
mv_sample_fmt_is_planar.A649 ref: 1001AE57
mv_buffer_alloc.A649 ref: 1001AEEB
mv_pix_fmt_desc_get.A649 ref: 1001B043
mv_image_check_size.A649 ref: 1001B069
mv_image_fill_linesizes.A649 ref: 1001B0C8
mv_image_fill_plane_sizes.A649 ref: 1001B15D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_allocmv_channel_layout_checkmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_pix_fmt_desc_getmv_sample_fmt_is_planar
String ID:
API String ID: 4186645151-0
Opcode ID: 8ac2ae951e9e117c99fdb1c80981e7178d04aeaa248e9b3bce8de1dcaa7b4838
Instruction ID: d7c315c9dbec08b39786ac2ee7420e369ebdde1d8f2297274312f61b200237b8
Opcode Fuzzy Hash: 8ac2ae951e9e117c99fdb1c80981e7178d04aeaa248e9b3bce8de1dcaa7b4838
Instruction Fuzzy Hash: C1E1D2B4A047058FCB54DF69C58065ABBE1FF88244F1689BEED48CF21AE731E885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001E450 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E1001E450(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _t213;
				signed int _t214;
				intOrPtr _t215;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t224;
				signed int _t227;
				signed int _t228;
				signed int _t230;
				signed int _t247;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t257;
				void* _t258;
				void* _t259;
				signed int _t261;
				void* _t262;
				void* _t263;
				signed char _t267;
				signed int _t268;
				signed int _t269;
				signed int _t273;
				intOrPtr _t275;
				intOrPtr _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				intOrPtr _t289;
				signed int _t291;
				signed int _t297;
				signed int _t300;
				signed int _t302;
				signed int _t304;
				signed short* _t309;
				signed short* _t310;
				int _t314;
				signed int _t324;
				intOrPtr* _t326;
				intOrPtr _t327;
				signed char _t335;
				short* _t336;
				signed char _t337;
				short* _t338;
				signed int _t339;
				signed int _t341;
				char* _t343;
				signed int _t345;
				signed int _t347;
				signed int _t349;
				signed int _t352;
				void* _t353;
				void* _t356;
				signed int _t362;
				signed int _t364;
				signed int _t368;
				signed int _t370;
				signed int _t373;
				signed short* _t374;
				signed short* _t375;
				signed int _t376;
				void* _t378;
				signed int _t381;
				intOrPtr _t382;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				void* _t389;
				intOrPtr* _t390;
				signed int* _t392;
				signed int* _t396;

				_t390 = _t389 - 0x4c;
				 *((intOrPtr*)(_t390 + 0x44)) = __edi;
				 *((intOrPtr*)(_t390 + 0x3c)) = __ebx;
				_t343 =  *(_t390 + 0x54);
				 *((intOrPtr*)(_t390 + 0x48)) = _t382;
				_t289 =  *((intOrPtr*)(_t390 + 0x50));
				 *((intOrPtr*)(_t390 + 0x40)) = __esi;
				 *(_t390 + 0x28) =  *(_t390 + 0x58);
				_t383 =  *(_t289 + 0x50);
				_t362 =  *(_t289 + 0x128);
				 *(_t390 + 0x24) = _t383;
				if(_t343[0x128] == 0) {
					_t213 = _t362;
					goto L83;
				} else {
					__eflags = __esi;
					__edx =  *(__eax + 4);
					if(__esi == 0) {
						__eax = __edi[0x50];
						__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
						if( *((intOrPtr*)(__edx + 0x24)) != __edi[0x50]) {
							goto L91;
						} else {
							 *(__edx + 4) =  *( *(__edx + 4));
							__eax =  *( *( *(__edx + 4)) + 0x50);
							__eflags = __eax;
							if(__eax == 0) {
								goto L91;
							} else {
								goto L79;
							}
						}
					} else {
						__eax =  *(__esi + 4);
						__eflags = __eax - __edx;
						if(__eax == __edx) {
							__ecx =  *(__eax + 0x28);
							__eflags = __edi[0x50] -  *(__eax + 0x28);
							if(__edi[0x50] !=  *(__eax + 0x28)) {
								goto L66;
							} else {
								__eflags =  *((intOrPtr*)(__eax + 0x24)) - __ebp;
								if( *((intOrPtr*)(__eax + 0x24)) != __ebp) {
									goto L66;
								} else {
									goto L89;
								}
							}
						} else {
							L66:
							__ecx =  *(__edx + 4);
							__esp[0xb] = __ecx;
							__ecx = __ecx[0xc];
							__eflags = __ecx;
							if(__ecx == 0) {
								L68:
								__ecx = __edi[0x50];
								__eflags =  *((intOrPtr*)(__edx + 0x24)) - __edi[0x50];
								if( *((intOrPtr*)(__edx + 0x24)) == __edi[0x50]) {
									__esp[0xb] =  *(__esp[0xb]);
									__eax =  *( *(__esp[0xb]) + 0x50);
									__eflags = __eax;
									if(__eax != 0) {
										L79:
										__esp[2] = __edi;
										__ecx = __esp[0xa];
										__esp[1] = __ebx;
										 *__esp = __edx;
										__esp[3] = __esp[0xa];
										__eax =  *__eax();
										__eflags = __eax;
										if(__eax >= 0) {
											goto L76;
										} else {
											__eflags = __eax - 0xffffffd8;
											if(__eax != 0xffffffd8) {
												goto L73;
											} else {
												__eax =  *(__ebx + 0x128);
												L83:
												__eflags = _t213;
												if(_t213 == 0) {
													goto L91;
												} else {
													 *(_t390 + 0x24) =  *(_t289 + 0x50);
													goto L85;
												}
											}
										}
									} else {
										__eax = __esi;
										L85:
										_t215 =  *((intOrPtr*)(_t213 + 4));
										goto L69;
									}
								} else {
									L69:
									__eflags =  *((intOrPtr*)(_t215 + 0x24)) -  *(_t390 + 0x24);
									if( *((intOrPtr*)(_t215 + 0x24)) !=  *(_t390 + 0x24)) {
										L91:
										_t214 = 0xffffffd8;
										goto L76;
									} else {
										_t324 =  *( *((intOrPtr*)( *((intOrPtr*)(_t215 + 4)))) + 0x4c);
										__eflags = _t324;
										if(_t324 == 0) {
											goto L91;
										} else {
											 *(_t390 + 8) = _t343;
											 *((intOrPtr*)(_t390 + 4)) = _t289;
											 *_t390 = _t215;
											 *(_t390 + 0xc) =  *(_t390 + 0x28);
											_t214 =  *_t324();
											__eflags = _t214;
											if(_t214 >= 0) {
												goto L76;
											} else {
												__eflags = _t214 - 0xffffffd8;
												if(_t214 == 0xffffffd8) {
													goto L91;
												} else {
													L73:
													__eflags = _t362;
													if(_t362 == 0) {
														L75:
														 *(_t390 + 0x24) = _t214;
														__eflags = 0;
														 *(_t289 + 0x128) = 0;
														 *_t390 = _t289;
														E1001B300();
														_t214 =  *(_t390 + 0x24);
														 *(_t289 + 0x128) = _t362;
														 *(_t289 + 0x50) = _t383;
														goto L76;
													} else {
														__eflags =  *(_t289 + 0x128) - _t362;
														if( *(_t289 + 0x128) != _t362) {
															 *((intOrPtr*)(_t390 + 0x14)) = 0x358;
															__eflags = 0;
															 *((intOrPtr*)(_t390 + 4)) = 0;
															 *_t390 = 0;
															 *(_t390 + 0x10) = "libavutil/hwcontext.c";
															 *(_t390 + 0xc) = "orig_dst_frames == ((void *)0) || orig_dst_frames == dst->hw_frames_ctx";
															 *(_t390 + 8) = "Assertion %s failed at %s:%d\n";
															E10026560();
															abort();
															_push(_t362);
															_push(_t289);
															_t392 = _t390 - 0x34;
															_t219 = _t392[0x10];
															_t291 = _t392[0x11];
															_t364 =  *(_t219 + 4);
															_t326 =  *((intOrPtr*)(_t364 + 4));
															_t306 =  *(_t326 + 0xc);
															__eflags =  *(_t326 + 0xc);
															if( *(_t326 + 0xc) == 0) {
																_t327 =  *_t326;
																_t307 =  *(_t327 + 0x3c);
																__eflags =  *(_t327 + 0x3c);
																if( *(_t327 + 0x3c) == 0) {
																	_t220 = 0xffffffd8;
																	goto L103;
																} else {
																	__eflags =  *(_t364 + 0x1c);
																	if( *(_t364 + 0x1c) == 0) {
																		_t220 = 0xffffffea;
																		goto L103;
																	} else {
																		 *_t392 = _t219;
																		_t221 = E10009FC0(_t291, _t307);
																		 *(_t291 + 0x128) = _t221;
																		__eflags = _t221;
																		if(_t221 == 0) {
																			goto L102;
																		} else {
																			_t392[1] = _t291;
																			 *_t392 = _t364;
																			_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)))) + 0x3c))();
																			__eflags = _t224;
																			if(_t224 < 0) {
																				_t392[7] = _t224;
																				 *_t392 = _t291 + 0x128;
																				E1000A000(_t291 + 0x128, _t364);
																				_t220 = _t392[7];
																				goto L103;
																			} else {
																				 *(_t291 + 0x40) = _t291;
																				__eflags = 0;
																				return 0;
																			}
																		}
																	}
																}
															} else {
																 *((intOrPtr*)(_t291 + 0x50)) =  *((intOrPtr*)(_t364 + 0x24));
																 *_t392 = _t219;
																_t227 = E10009FC0(_t291, _t306);
																 *(_t291 + 0x128) = _t227;
																__eflags = _t227;
																if(_t227 == 0) {
																	L102:
																	_t220 = 0xfffffff4;
																	goto L103;
																} else {
																	_t228 = E1001AC40(_t291, _t343, _t364);
																	_t392[0xb] = _t228;
																	__eflags = _t228;
																	if(_t228 == 0) {
																		goto L102;
																	} else {
																		_t392[1] = _t228;
																		_t392[2] = 0;
																		_t230 =  *( *((intOrPtr*)(_t364 + 4)) + 0xc);
																		 *_t392 = _t230;
																		L96();
																		__eflags = _t230;
																		if(_t230 < 0) {
																			L109:
																			_t392[7] = _t230;
																			 *_t392 =  &(_t392[0xb]);
																			E1001ADB0(_t291);
																			return _t392[7];
																		} else {
																			 *_t392 = _t291;
																			_t392[2] =  *( *((intOrPtr*)(_t364 + 4)) + 0x10);
																			_t392[1] = _t392[0xb];
																			_t230 = E1001E450(_t291, _t343, _t364);
																			__eflags = _t230;
																			if(_t230 == 0) {
																				goto L109;
																			} else {
																				_t392[3] = _t230;
																				_t392[7] = _t230;
																				_t392[1] = 0x10;
																				_t392[2] = "Failed to map frame into derived frame context: %d.\n";
																				 *_t392 = _t364;
																				E10026560();
																				 *_t392 =  &(_t392[0xb]);
																				E1001ADB0("Failed to map frame into derived frame context: %d.\n");
																				_t220 = _t392[7];
																				L103:
																				return _t220;
																			}
																		}
																	}
																}
															}
														} else {
															goto L75;
														}
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = __ecx[4] - __eax;
								if(__ecx[4] == __eax) {
									L89:
									__eax = __edi[0xb8];
									__eflags = __eax;
									if(__eax == 0) {
										 *__esp = __edx;
										__ecx = "Invalid mapping found when attempting unmap.\n";
										__ebx = 0x10;
										__esp[2] = "Invalid mapping found when attempting unmap.\n";
										__esp[1] = 0x10;
										E10026560() = 0xffffffea;
										L76:
										return _t214;
									} else {
										__esi =  *(__eax + 4);
										__eax = E1001B300(__ebx);
										__edi = __esp[0x11];
										__ebp = __esp[0x12];
										__eax =  *__esi;
										__esp[0x14] = __ebx;
										__esi = __esp[0x10];
										__ebx = __esp[0xf];
										__esp[0x15] = __eax;
										__esp =  &(__esp[0x13]);
										_push(_t383);
										_push(_t343);
										_push(_t362);
										_t396 = _t390 - 0x1c;
										_t297 = _t396[0xd];
										_t385 = _t396[0xc];
										_t345 = _t297 + 0x148;
										 *((intOrPtr*)(_t385 + 0x50)) =  *((intOrPtr*)(_t297 + 0x50));
										 *((intOrPtr*)(_t385 + 0x44)) =  *((intOrPtr*)(_t297 + 0x44));
										 *((intOrPtr*)(_t385 + 0x48)) =  *((intOrPtr*)(_t297 + 0x48));
										 *((intOrPtr*)(_t385 + 0x4c)) =  *((intOrPtr*)(_t297 + 0x4c));
										 *(_t385 + 0x120) =  *(_t297 + 0x120);
										 *(_t385 + 0xb4) =  *(_t297 + 0xb4);
										 *(_t385 + 0xb0) =  *(_t297 + 0xb0);
										 *_t396 = _t345;
										if(E1000EC10(_t289) == 0) {
											_t283 =  *(_t297 + 0xb4);
											_t341 =  *(_t297 + 0xb0);
											if((_t283 | _t341) != 0) {
												_t396[2] = _t283;
												_t396[1] = _t341;
												 *_t396 = _t385 + 0x148;
												E1000D1B0();
											} else {
												 *(_t385 + 0x14c) =  *(_t297 + 0x120);
												 *(_t385 + 0x148) = 0;
											}
										}
										_t308 = 0;
										_t247 = E1001A6C0(_t385, 0, _t297, 0);
										_t368 = _t247;
										if(_t247 < 0) {
											L20:
											E1001A460(_t385);
											return _t368;
										} else {
											 *_t396 = _t345;
											if(E1000EC10() != 0) {
												_t396[1] = _t345;
												 *_t396 = _t385 + 0x148;
												_t253 = E1000D340();
												__eflags = _t253;
												_t368 = _t253;
												if(_t253 < 0) {
													goto L20;
												} else {
													_t254 =  *(_t297 + 0xb8);
													__eflags = _t254;
													if(_t254 != 0) {
														goto L7;
													} else {
														goto L33;
													}
												}
											} else {
												_t254 =  *(_t297 + 0xb8);
												if(_t254 == 0) {
													L33:
													 *_t396 = _t385;
													_t396[1] = 0;
													_t281 = E1001ADF0();
													__eflags = _t281;
													_t368 = _t281;
													if(_t281 < 0) {
														goto L20;
													} else {
														_t396[1] = _t297;
														 *_t396 = _t385;
														_t282 = E1001B8D0();
														__eflags = _t282;
														_t368 = _t282;
														if(_t282 < 0) {
															goto L20;
														} else {
															goto L35;
														}
													}
												} else {
													L7:
													_t370 = 0;
													L9:
													while(1) {
														if(_t254 == 0) {
															L11:
															_t370 = _t370 + 1;
															if(_t370 != 8) {
																_t254 =  *(_t297 + 0xb8 + _t370 * 4);
																continue;
															} else {
																if( *((intOrPtr*)(_t297 + 0xd8)) == 0) {
																	L22:
																	_t255 =  *(_t297 + 0x128);
																	__eflags = _t255;
																	if(_t255 == 0) {
																		L24:
																		__eflags =  *(_t297 + 0x40) - _t297;
																		if( *(_t297 + 0x40) == _t297) {
																			 *(_t385 + 0x40) = _t385;
																			goto L38;
																		} else {
																			_t352 =  *(_t385 + 0x14c);
																			_t368 = 0xffffffea;
																			__eflags = _t352;
																			if(_t352 == 0) {
																				goto L20;
																			} else {
																				_t396[1] = _t352;
																				 *_t396 = 4;
																				_t267 = E10028EC0();
																				 *(_t385 + 0x40) = _t267;
																				__eflags = _t267;
																				if(_t267 == 0) {
																					goto L19;
																				} else {
																					_t314 = _t352 * 4;
																					_t378 =  *(_t297 + 0x40);
																					_t353 = _t267;
																					__eflags = _t314 - 8;
																					if(_t314 >= 8) {
																						__eflags = _t267 & 0x00000001;
																						if((_t267 & 0x00000001) != 0) {
																							_t268 =  *_t378 & 0x000000ff;
																							_t353 = _t353 + 1;
																							_t378 = _t378 + 1;
																							_t314 = _t314 - 1;
																							 *(_t353 - 1) = _t268;
																						}
																						__eflags = _t353 & 0x00000002;
																						if((_t353 & 0x00000002) != 0) {
																							_t269 =  *_t378 & 0x0000ffff;
																							_t353 = _t353 + 2;
																							_t378 = _t378 + 2;
																							_t314 = _t314 - 2;
																							 *(_t353 - 2) = _t269;
																						}
																						__eflags = _t353 & 0x00000004;
																						if((_t353 & 0x00000004) == 0) {
																							goto L28;
																						} else {
																							_t356 = _t353 + 4;
																							 *(_t356 - 4) =  *_t378;
																							memcpy(_t356, _t378 + 4, _t314 - 4);
																							_t396 =  &(_t396[3]);
																							goto L38;
																						}
																						L50:
																						_t338 = _t337 + _t262;
																						_t375 = _t374 + _t262;
																						_t263 = 0;
																						__eflags = _t349 & 0x00000002;
																						if((_t349 & 0x00000002) != 0) {
																							 *_t338 =  *_t375 & 0x0000ffff;
																							_t263 = 2;
																						}
																						__eflags = _t349 & 0x00000001;
																						if((_t349 & 0x00000001) == 0) {
																							L35:
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							_t376 = 0;
																							 *((char*)(_t338 + _t263)) =  *(_t375 + _t263) & 0x000000ff;
																						}
																						return _t376;
																						goto L113;
																					} else {
																						L28:
																						memcpy(_t353, _t378, _t314);
																						_t396 =  &(_t396[3]);
																					}
																					L38:
																					__eflags = _t385 & 0x00000001;
																					_t335 = _t385;
																					_t309 = _t297;
																					_t347 = 0x20;
																					if((_t385 & 0x00000001) != 0) {
																						_t335 = _t385 + 1;
																						_t347 = 0x1f;
																						_t309 = _t297 + 1;
																						 *_t385 =  *_t297 & 0x000000ff;
																					}
																					__eflags = _t335 & 0x00000002;
																					if((_t335 & 0x00000002) != 0) {
																						_t257 =  *_t309 & 0x0000ffff;
																						_t335 = _t335 + 2;
																						_t309 =  &(_t309[1]);
																						_t347 = _t347 - 2;
																						 *(_t335 - 2) = _t257;
																					}
																					_t396[0xd] = _t297;
																					_t258 = 0;
																					_t373 = _t347 & 0xfffffffc;
																					__eflags = _t373;
																					do {
																						 *(_t335 + _t258) =  *(_t309 + _t258);
																						_t258 = _t258 + 4;
																						__eflags = _t258 - _t373;
																					} while (_t258 < _t373);
																					_t336 = _t335 + _t258;
																					_t310 = _t309 + _t258;
																					_t300 = _t396[0xd];
																					_t259 = 0;
																					__eflags = _t347 & 0x00000002;
																					if((_t347 & 0x00000002) != 0) {
																						 *_t336 =  *_t310 & 0x0000ffff;
																						_t259 = 2;
																					}
																					__eflags = _t347 & 0x00000001;
																					if((_t347 & 0x00000001) != 0) {
																						 *((char*)(_t336 + _t259)) =  *(_t310 + _t259) & 0x000000ff;
																					}
																					__eflags = _t385 & 0x00000001;
																					_t349 = 0x20;
																					_t337 = _t385 + 0x20;
																					_t374 = _t300 + 0x20;
																					if((_t385 & 0x00000001) != 0) {
																						_t337 = _t385 + 0x21;
																						_t349 = 0x1f;
																						_t374 = _t300 + 0x21;
																						 *(_t385 + 0x20) =  *(_t300 + 0x20) & 0x000000ff;
																					}
																					__eflags = _t337 & 0x00000002;
																					if((_t337 & 0x00000002) != 0) {
																						_t261 =  *_t374 & 0x0000ffff;
																						_t337 = _t337 + 2;
																						_t374 =  &(_t374[1]);
																						_t349 = _t349 - 2;
																						 *(_t337 - 2) = _t261;
																					}
																					_t262 = 0;
																					_t302 = _t349 & 0xfffffffc;
																					__eflags = _t302;
																					do {
																						 *(_t337 + _t262) =  *(_t374 + _t262);
																						_t262 = _t262 + 4;
																						__eflags = _t262 - _t302;
																					} while (_t262 < _t302);
																					goto L50;
																				}
																			}
																		}
																	} else {
																		 *_t396 = _t255;
																		_t273 = E10009FC0(_t297, _t308);
																		 *(_t385 + 0x128) = _t273;
																		__eflags = _t273;
																		if(_t273 == 0) {
																			goto L19;
																		} else {
																			goto L24;
																		}
																	}
																} else {
																	_t308 = 4;
																	_t396[1] = 4;
																	 *_t396 =  *(_t297 + 0xdc);
																	_t275 = E100291F0();
																	 *((intOrPtr*)(_t385 + 0xd8)) = _t275;
																	if(_t275 == 0) {
																		goto L19;
																	} else {
																		_t339 =  *(_t297 + 0xdc);
																		 *(_t385 + 0xdc) = _t339;
																		if(_t339 <= 0) {
																			goto L22;
																		} else {
																			_t396[0xc] = _t385;
																			_t388 = _t297;
																			_t304 = 0;
																			while(1) {
																				_t381 = _t304 * 4;
																				 *_t396 =  *( *((intOrPtr*)(_t388 + 0xd8)) + _t381);
																				 *((intOrPtr*)(_t275 + _t381)) = E10009FC0(_t304, _t308);
																				_t275 =  *((intOrPtr*)(_t396[0xc] + 0xd8));
																				if( *((intOrPtr*)(_t275 + _t381)) == 0) {
																					break;
																				}
																				_t304 = _t304 + 1;
																				__eflags =  *((intOrPtr*)(_t388 + 0xdc)) - _t304;
																				if( *((intOrPtr*)(_t388 + 0xdc)) <= _t304) {
																					_t297 = _t388;
																					_t385 = _t396[0xc];
																					goto L22;
																				} else {
																					continue;
																				}
																				goto L113;
																			}
																			_t385 = _t396[0xc];
																			goto L19;
																		}
																	}
																}
															}
														} else {
															 *_t396 = _t254;
															_t280 = E10009FC0(_t297, _t308);
															 *((intOrPtr*)(_t385 + 0xb8 + _t370 * 4)) = _t280;
															if(_t280 == 0) {
																L19:
																_t368 = 0xfffffff4;
																goto L20;
															} else {
																goto L11;
															}
														}
														goto L113;
													}
												}
											}
										}
									}
								} else {
									goto L68;
								}
							}
						}
					}
				}
				L113:
			}

0x1001e450
0x1001e453
0x1001e45b
0x1001e45f
0x1001e463
0x1001e467
0x1001e46b
0x1001e46f
0x1001e479
0x1001e47c
0x1001e484
0x1001e488
0x1001e5a0
0x00000000
0x1001e48e
0x1001e48e
0x1001e490
0x1001e493
0x1001e550
0x1001e553
0x1001e556
0x00000000
0x1001e55c
0x1001e55f
0x1001e561
0x1001e564
0x1001e566
0x00000000
0x00000000
0x00000000
0x00000000
0x1001e566
0x1001e499
0x1001e499
0x1001e49c
0x1001e49e
0x1001e5b8
0x1001e5bb
0x1001e5be
0x00000000
0x1001e5c4
0x1001e5c4
0x1001e5c7
0x00000000
0x00000000
0x00000000
0x00000000
0x1001e5c7
0x1001e4a4
0x1001e4a4
0x1001e4a4
0x1001e4a7
0x1001e4ab
0x1001e4ae
0x1001e4b0
0x1001e4bb
0x1001e4bb
0x1001e4be
0x1001e4c1
0x1001e61e
0x1001e620
0x1001e623
0x1001e625
0x1001e56c
0x1001e56c
0x1001e570
0x1001e574
0x1001e578
0x1001e57b
0x1001e57f
0x1001e581
0x1001e583
0x00000000
0x1001e585
0x1001e585
0x1001e588
0x00000000
0x1001e58e
0x1001e58e
0x1001e5a2
0x1001e5a2
0x1001e5a4
0x00000000
0x1001e5a6
0x1001e5a9
0x00000000
0x1001e5a9
0x1001e5a4
0x1001e588
0x1001e62b
0x1001e62b
0x1001e5ad
0x1001e5ad
0x00000000
0x1001e5ad
0x1001e4c7
0x1001e4c7
0x1001e4cb
0x1001e4ce
0x1001e610
0x1001e610
0x00000000
0x1001e4d4
0x1001e4d9
0x1001e4dc
0x1001e4de
0x00000000
0x1001e4e4
0x1001e4e4
0x1001e4ec
0x1001e4f0
0x1001e4f3
0x1001e4f7
0x1001e4f9
0x1001e4fb
0x00000000
0x1001e4fd
0x1001e4fd
0x1001e500
0x00000000
0x1001e506
0x1001e506
0x1001e506
0x1001e508
0x1001e516
0x1001e516
0x1001e51a
0x1001e51c
0x1001e522
0x1001e525
0x1001e52a
0x1001e52e
0x1001e534
0x00000000
0x1001e50a
0x1001e50a
0x1001e510
0x1001e656
0x1001e65e
0x1001e660
0x1001e664
0x1001e667
0x1001e66f
0x1001e677
0x1001e67f
0x1001e684
0x1001e690
0x1001e691
0x1001e692
0x1001e695
0x1001e699
0x1001e69d
0x1001e6a0
0x1001e6a3
0x1001e6a6
0x1001e6a8
0x1001e760
0x1001e762
0x1001e765
0x1001e767
0x1001e7e5
0x00000000
0x1001e769
0x1001e76c
0x1001e76e
0x1001e7db
0x00000000
0x1001e770
0x1001e770
0x1001e773
0x1001e778
0x1001e77e
0x1001e780
0x00000000
0x1001e782
0x1001e787
0x1001e78b
0x1001e78e
0x1001e791
0x1001e793
0x1001e7c0
0x1001e7ca
0x1001e7cd
0x1001e7d2
0x00000000
0x1001e795
0x1001e795
0x1001e79b
0x1001e79f
0x1001e79f
0x1001e793
0x1001e780
0x1001e76e
0x1001e6ae
0x1001e6b1
0x1001e6b4
0x1001e6b7
0x1001e6bc
0x1001e6c2
0x1001e6c4
0x1001e750
0x1001e750
0x00000000
0x1001e6ca
0x1001e6ca
0x1001e6cf
0x1001e6d3
0x1001e6d5
0x00000000
0x1001e6d7
0x1001e6d7
0x1001e6dd
0x1001e6e4
0x1001e6e7
0x1001e6ea
0x1001e6ef
0x1001e6f1
0x1001e7a0
0x1001e7a0
0x1001e7a8
0x1001e7ab
0x1001e7b9
0x1001e6f7
0x1001e6fd
0x1001e700
0x1001e708
0x1001e70c
0x1001e711
0x1001e713
0x00000000
0x1001e719
0x1001e719
0x1001e722
0x1001e72b
0x1001e72f
0x1001e733
0x1001e736
0x1001e73f
0x1001e742
0x1001e747
0x1001e755
0x1001e75a
0x1001e75a
0x1001e713
0x1001e6f1
0x1001e6d5
0x1001e6c4
0x00000000
0x00000000
0x00000000
0x1001e510
0x1001e508
0x1001e500
0x1001e4fb
0x1001e4de
0x1001e4ce
0x1001e4b2
0x1001e4b2
0x1001e4b5
0x1001e5d0
0x1001e5d0
0x1001e5d6
0x1001e5d8
0x1001e632
0x1001e635
0x1001e63a
0x1001e63f
0x1001e643
0x1001e64c
0x1001e537
0x1001e54a
0x1001e5da
0x1001e5da
0x1001e5e0
0x1001e5e5
0x1001e5e9
0x1001e5ed
0x1001e5ef
0x1001e5f3
0x1001e5f7
0x1001e5fb
0x1001e5ff
0x1001bc40
0x1001bc41
0x1001bc42
0x1001bc44
0x1001bc47
0x1001bc4b
0x1001bc52
0x1001bc5e
0x1001bc64
0x1001bc6a
0x1001bc70
0x1001bc79
0x1001bc85
0x1001bc8b
0x1001bc91
0x1001bc9b
0x1001bc9d
0x1001bca3
0x1001bcad
0x1001be70
0x1001be7a
0x1001be7e
0x1001be81
0x1001bcb3
0x1001bcb9
0x1001bcc1
0x1001bcc1
0x1001bcad
0x1001bcc7
0x1001bccd
0x1001bcd4
0x1001bcd6
0x1001bdb8
0x1001bdba
0x1001bdc8
0x1001bcdc
0x1001bcdc
0x1001bce6
0x1001be40
0x1001be4a
0x1001be4d
0x1001be52
0x1001be54
0x1001be56
0x00000000
0x1001be5c
0x1001be5c
0x1001be62
0x1001be64
0x00000000
0x1001be6a
0x00000000
0x1001be6a
0x1001be64
0x1001bcec
0x1001bcec
0x1001bcf4
0x1001be90
0x1001be90
0x1001be95
0x1001be99
0x1001be9e
0x1001bea0
0x1001bea2
0x00000000
0x1001bea8
0x1001bea8
0x1001beac
0x1001beaf
0x1001beb4
0x1001beb6
0x1001beb8
0x00000000
0x00000000
0x00000000
0x00000000
0x1001beb8
0x1001bcfa
0x1001bcfa
0x1001bcfa
0x00000000
0x1001bd07
0x1001bd09
0x1001bd22
0x1001bd22
0x1001bd26
0x1001bd00
0x00000000
0x1001bd28
0x1001bd30
0x1001bdd6
0x1001bdd6
0x1001bddc
0x1001bdde
0x1001bdf2
0x1001bdf2
0x1001bdf5
0x1001bed0
0x00000000
0x1001bdfb
0x1001bdfb
0x1001be01
0x1001be06
0x1001be08
0x00000000
0x1001be0a
0x1001be0a
0x1001be0e
0x1001be15
0x1001be1a
0x1001be1d
0x1001be1f
0x00000000
0x1001be21
0x1001be21
0x1001be28
0x1001be2b
0x1001be2d
0x1001be30
0x1001bf96
0x1001bf98
0x1001c033
0x1001c036
0x1001c037
0x1001c038
0x1001c039
0x1001c039
0x1001bf9e
0x1001bfa4
0x1001c01e
0x1001c021
0x1001c024
0x1001c027
0x1001c02a
0x1001c02a
0x1001bfa6
0x1001bfac
0x00000000
0x1001bfb2
0x1001bfb4
0x1001bfbd
0x1001bfc0
0x1001bfc0
0x00000000
0x1001bfc0
0x1001bf66
0x1001bf66
0x1001bf68
0x1001bf6a
0x1001bf6c
0x1001bf72
0x1001bf77
0x1001bf7a
0x1001bf7a
0x1001bf7f
0x1001bf82
0x1001bebe
0x1001bebe
0x1001bebe
0x1001bf88
0x1001bf8c
0x1001bf8e
0x1001bf8e
0x1001bec9
0x00000000
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001bed3
0x1001bed3
0x1001bed9
0x1001bedb
0x1001bedd
0x1001bee2
0x1001bfdf
0x1001bfe2
0x1001bfe7
0x1001bfea
0x1001bfea
0x1001bee8
0x1001beeb
0x1001bfc7
0x1001bfca
0x1001bfcd
0x1001bfd0
0x1001bfd3
0x1001bfd3
0x1001bef1
0x1001bef7
0x1001bef9
0x1001bef9
0x1001befc
0x1001beff
0x1001bf02
0x1001bf05
0x1001bf05
0x1001bf09
0x1001bf0b
0x1001bf0d
0x1001bf11
0x1001bf13
0x1001bf19
0x1001bf1e
0x1001bf21
0x1001bf21
0x1001bf26
0x1001bf29
0x1001bf2f
0x1001bf2f
0x1001bf32
0x1001bf38
0x1001bf3d
0x1001bf40
0x1001bf43
0x1001c00b
0x1001c00e
0x1001c013
0x1001c016
0x1001c016
0x1001bf49
0x1001bf4c
0x1001bff2
0x1001bff5
0x1001bff8
0x1001bffb
0x1001bffe
0x1001bffe
0x1001bf54
0x1001bf56
0x1001bf56
0x1001bf59
0x1001bf5c
0x1001bf5f
0x1001bf62
0x1001bf62
0x00000000
0x1001bf59
0x1001be1f
0x1001be08
0x1001bde0
0x1001bde0
0x1001bde3
0x1001bde8
0x1001bdee
0x1001bdf0
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bdf0
0x1001bd36
0x1001bd36
0x1001bd3b
0x1001bd45
0x1001bd48
0x1001bd4d
0x1001bd55
0x00000000
0x1001bd57
0x1001bd57
0x1001bd5d
0x1001bd65
0x00000000
0x1001bd67
0x1001bd67
0x1001bd6d
0x1001bd6f
0x1001bd81
0x1001bd81
0x1001bd94
0x1001bd9c
0x1001bda2
0x1001bdad
0x00000000
0x00000000
0x1001bd78
0x1001bd79
0x1001bd7f
0x1001bdd0
0x1001bdd2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd7f
0x1001bdaf
0x00000000
0x1001bdaf
0x1001bd65
0x1001bd55
0x1001bd30
0x1001bd0b
0x1001bd0b
0x1001bd0e
0x1001bd13
0x1001bd1c
0x1001bdb3
0x1001bdb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd1c
0x00000000
0x1001bd09
0x1001bd07
0x1001bcf4
0x1001bce6
0x1001bcd6
0x00000000
0x00000000
0x00000000
0x1001e4b5
0x1001e4b0
0x1001e49e
0x1001e493
0x00000000

APIs

mv_frame_unref.A649 ref: 1001E525
mv_frame_unref.A649 ref: 1001E5E0

Strings

Invalid mapping found when attempting unmap., xrefs: 1001E635
Failed to map frame into derived frame context: %d., xrefs: 1001E71D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_frame_unref
String ID: Failed to map frame into derived frame context: %d.$Invalid mapping found when attempting unmap.
API String ID: 3522828444-968520014
Opcode ID: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
Instruction ID: 1d7c3b7aca9d3417cd3ea7e1bcd086570995cae0267e84f3f0b04429ecccd582
Opcode Fuzzy Hash: a8cee79f1116f489e9366e10ea9b5597fa9099dcfd39c1eecab353edc7ebc651
Instruction Fuzzy Hash: F991A0B4A09B418FC744DF29C58051EBBE1FF88794F55896DE8998B351E730ED81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10016E20 Relevance: 24.2, APIs: 16, Instructions: 216COMMON

Download Yara Rule

APIs

mv_mallocz.A649(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10015A46), ref: 10016ECF

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz
String ID:
API String ID: 1901900789-0
Opcode ID: 40e0cf562a0071f9dc5f60a77791aa902c3b778344a031c4d2f98e0414a738cf
Instruction ID: 13e5eefe00db1cdb9800247d3b825a770095c54a3de7ec042f648aaaeb7e8216
Opcode Fuzzy Hash: 40e0cf562a0071f9dc5f60a77791aa902c3b778344a031c4d2f98e0414a738cf
Instruction Fuzzy Hash: 13814BB96087058FC301DF75D88051AFBE1EF88344F458A6EE8989B316E735E9C2CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10010320 Relevance: 22.7, APIs: 15, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E10010320(intOrPtr* _a4) {
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t97;
				signed int _t100;
				signed int _t106;
				signed int _t112;
				signed int _t118;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				signed int _t139;
				signed int _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				signed int _t172;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t180;
				signed int _t182;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t199;
				void* _t200;
				intOrPtr* _t201;

				_t188 = 0x100b3200;
				_t201 = _t200 - 0x2c;
				_v40 = 0;
				_t189 = _a4;
				while(1) {
					_v40 = _v40 + 1;
					_t188 = _t188 + 0x40;
					if(_v40 == 0x17) {
						break;
					}
					_t6 = _t188 + 0x10; // 0x1000ffb0
					if( *_t6 == 0) {
						continue;
					} else {
						_t9 = _t188 + 0x10; // 0x1000ffb0
						_t10 = _t188 + 0x14; // 0x10010008
						_t172 =  *_t10;
						 *_t201 =  *((intOrPtr*)(_t189 + 0x10));
						_v56 =  *((intOrPtr*)(_t189 + 0x14));
						_v52 =  *_t9;
						_v48 = _t172;
						_t97 = E10035A10( *((intOrPtr*)(_t189 + 0x14)), _t188, _t189);
						_t147 = _t172;
						_t14 = _t188 + 0x1c; // 0x1000fde8
						_t192 =  <  ? _t97 :  ~_t97;
						_t15 = _t188 + 0x18; // 0x10010060
						_v48 =  *_t14;
						_v52 =  *_t15;
						_t174 =  *((intOrPtr*)(_t189 + 0x1c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x18));
						_v56 = _t174;
						_t100 = E10035A10(_t147, _t188, _t189);
						 *_t201 =  <  ? _t97 :  ~_t97;
						_v56 = _t147;
						_v48 = _t174;
						_t102 =  <  ? _t100 :  ~_t100;
						_v52 =  <  ? _t100 :  ~_t100;
						_t148 = E10035990(_t147, _t189);
						_t24 = _t188 + 0x20; // 0x1000fe50
						_t25 = _t188 + 0x24; // 0x0
						_v52 =  *_t24;
						_v48 =  *_t25;
						_t176 =  *((intOrPtr*)(_t189 + 0x24));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x20));
						_v56 = _t176;
						_t106 = E10035A10(_t148, _t188, _t189);
						 *_t201 = _t148;
						_v56 = _t174;
						_v48 = _t176;
						_t108 =  <  ? _t106 :  ~_t106;
						_v52 =  <  ? _t106 :  ~_t106;
						_t149 = E10035990(_t148, _t189);
						_t34 = _t188 + 0x28; // 0x0
						_t35 = _t188 + 0x2c; // 0x0
						_v52 =  *_t34;
						_v48 =  *_t35;
						_t178 =  *((intOrPtr*)(_t189 + 0x2c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x28));
						_v56 = _t178;
						_t112 = E10035A10(_t149, _t188, _t189);
						 *_t201 = _t149;
						_v56 = _t176;
						_v48 = _t178;
						_t114 =  <  ? _t112 :  ~_t112;
						_v52 =  <  ? _t112 :  ~_t112;
						_t150 = E10035990(_t149, _t189);
						_t44 = _t188 + 0x30; // 0x0
						_t45 = _t188 + 0x34; // 0x0
						_v52 =  *_t44;
						_v48 =  *_t45;
						_t180 =  *((intOrPtr*)(_t189 + 0x34));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x30));
						_v56 = _t180;
						_t118 = E10035A10(_t150, _t188, _t189);
						 *_t201 = _t150;
						_v56 = _t178;
						_v48 = _t180;
						_t120 =  <  ? _t118 :  ~_t118;
						_v52 =  <  ? _t118 :  ~_t118;
						_t151 = E10035990(_t150, _t189);
						_t54 = _t188 + 0x38; // 0x0
						_t55 = _t188 + 0x3c; // 0x0
						_v52 =  *_t54;
						_v48 =  *_t55;
						_t182 =  *((intOrPtr*)(_t189 + 0x3c));
						 *_t201 =  *((intOrPtr*)(_t189 + 0x38));
						_v56 = _t182;
						_t124 = E10035A10(_t151, _t188, _t189);
						 *_t201 = _t151;
						_v56 = _t180;
						_v48 = _t182;
						_t126 =  <  ? _t124 :  ~_t124;
						_v52 =  <  ? _t124 :  ~_t124;
						_t152 = E10035990(_t151, _t189);
						_t64 = _t188 + 4; // 0x1000fea8
						_v52 =  *_t188;
						_v48 =  *_t64;
						_t184 =  *(_t189 + 4);
						 *_t201 =  *_t189;
						_v56 = _t184;
						_t130 = E10035A10(_t152, _t188, _t189);
						 *_t201 = _t152;
						_v56 = _t182;
						_v48 = _t184;
						_t132 =  <  ? _t130 :  ~_t130;
						_v52 =  <  ? _t130 :  ~_t130;
						_t153 = E10035990(_t152, _t189);
						_t72 = _t188 + 8; // 0x1000ff00
						_t73 = _t188 + 0xc; // 0x1000ff58
						_v52 =  *_t72;
						_v48 =  *_t73;
						_t186 =  *(_t189 + 0xc);
						 *_t201 =  *((intOrPtr*)(_t189 + 8));
						_v56 = _t186;
						_t136 = E10035A10(_t153, _t188, _t189);
						 *_t201 = _t153;
						_v56 = _t184;
						_v48 = _t186;
						_t138 =  <  ? _t136 :  ~_t136;
						_v52 =  <  ? _t136 :  ~_t136;
						_t139 = E10035990(_t153, _t189);
						_v36 = _t186;
						_t154 = _t139;
						_t199 = _t186;
						_v32 = _t186 >> 0x1f;
						_t187 = 0x3e8 * _t154 >> 0x20;
						asm("sbb edx, [esp+0x1c]");
						if((_t187 | 0x000003e8 * _t154 - _v36) != 0) {
							_t158 = (_v32 ^ _t187) >> 0x0000001f | 0x00000001;
							goto L7;
						} else {
							if(_t199 != 0) {
								continue;
							} else {
								if(_t154 == 0) {
									L8:
									return _v40;
								} else {
									_t158 = _t154 >> 0x1f;
									L7:
									if(_t158 + 1 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
						}
					}
					L11:
				}
				_v40 = 2;
				return _v40;
				goto L11;
			}

0x10010324
0x1001032b
0x1001032e
0x10010332
0x10010340
0x10010340
0x10010344
0x1001034e
0x00000000
0x00000000
0x10010354
0x10010359
0x00000000
0x1001035b
0x10010361
0x10010364
0x10010364
0x10010367
0x1001036a
0x1001036e
0x10010372
0x10010376
0x1001037d
0x1001037f
0x10010384
0x10010387
0x1001038a
0x1001038e
0x10010395
0x10010398
0x1001039b
0x1001039f
0x100103a4
0x100103a7
0x100103ab
0x100103b3
0x100103b6
0x100103bf
0x100103c3
0x100103c6
0x100103c9
0x100103cd
0x100103d4
0x100103d7
0x100103da
0x100103de
0x100103e3
0x100103e6
0x100103ea
0x100103f2
0x100103f5
0x100103fe
0x10010402
0x10010405
0x10010408
0x1001040c
0x10010413
0x10010416
0x10010419
0x1001041d
0x10010422
0x10010425
0x10010429
0x10010431
0x10010434
0x1001043d
0x10010441
0x10010444
0x10010447
0x1001044b
0x10010452
0x10010455
0x10010458
0x1001045c
0x10010461
0x10010464
0x10010468
0x10010470
0x10010473
0x1001047c
0x10010480
0x10010483
0x10010486
0x1001048a
0x10010491
0x10010494
0x10010497
0x1001049b
0x100104a0
0x100104a3
0x100104a7
0x100104af
0x100104b2
0x100104bb
0x100104c1
0x100104c4
0x100104c8
0x100104ce
0x100104d1
0x100104d4
0x100104d8
0x100104dd
0x100104e0
0x100104e4
0x100104ec
0x100104ef
0x100104f8
0x100104fc
0x100104ff
0x10010502
0x10010506
0x1001050d
0x10010510
0x10010513
0x10010517
0x1001051c
0x1001051f
0x10010523
0x1001052b
0x1001052e
0x10010532
0x10010537
0x1001053b
0x10010542
0x10010544
0x1001054d
0x10010553
0x1001055b
0x10010591
0x00000000
0x1001055d
0x1001055f
0x00000000
0x10010565
0x10010567
0x10010576
0x10010581
0x10010569
0x10010569
0x1001056c
0x10010570
0x00000000
0x00000000
0x00000000
0x00000000
0x10010570
0x10010567
0x1001055f
0x1001055b
0x00000000
0x10010359
0x100105a5
0x100105b4
0x00000000

APIs

mv_sub_q.A649 ref: 10010376
mv_sub_q.A649 ref: 1001039F
mv_add_q.A649 ref: 100103BA
mv_sub_q.A649 ref: 100103DE
mv_add_q.A649 ref: 100103F9
mv_sub_q.A649 ref: 1001041D
mv_add_q.A649 ref: 10010438
mv_sub_q.A649 ref: 1001045C
mv_add_q.A649 ref: 10010477
mv_sub_q.A649 ref: 1001049B
mv_add_q.A649 ref: 100104B6

Part of subcall function 10035990: mv_reduce.A649(?,?), ref: 100359E9

mv_sub_q.A649 ref: 100104D8

Part of subcall function 10035A10: mv_reduce.A649(?), ref: 10035A81

mv_add_q.A649 ref: 100104F3
mv_sub_q.A649 ref: 10010517
mv_add_q.A649 ref: 10010532

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_sub_q$mv_add_q$mv_reduce
String ID:
API String ID: 416313997-0
Opcode ID: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
Instruction ID: 2bd5eacdd0496173cebd80a3581587597599a29e230854eb82bb207fe0e5f862
Opcode Fuzzy Hash: fd26de4a70a645a75b6084fdddd25abeecc13d0e1f18b84e77e2c88ea45aa38b
Instruction Fuzzy Hash: 0281A1B4A08B069FC748DF6AD18051AFBE1FF88211F50C92EE59DC7721E670E8519F82

Uniqueness

Uniqueness Score: -1.00%

Function 10021D1B Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E10021D1B(signed int __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t98;
				signed int _t103;
				void* _t117;
				signed int _t121;
				signed int _t125;
				signed int _t129;
				signed int _t133;
				void* _t138;
				void* _t140;
				void* _t141;
				void* _t142;
				signed int _t143;
				signed int _t144;
				void* _t148;
				signed int _t159;
				signed int _t163;
				signed int* _t165;
				void* _t170;
				signed int _t172;
				signed int _t174;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				void* _t183;
				signed char _t184;
				signed int _t190;
				void* _t191;
				signed int _t192;
				signed int _t194;
				void* _t195;
				void* _t197;
				signed int* _t198;
				signed int _t210;

				_t174 = __edx;
				_t198 = _t197 - 0x5c;
				_t165 = _t198[0x1d];
				_t194 = _t198[0x1e];
				_t192 = _t198[0x21];
				 *_t198 = _t198[0x20];
				_t98 = E10034790();
				_t198[0xb] = _t98;
				_t201 = _t98;
				if(_t98 == 0) {
					L29:
					_t195 = 0xffffffea;
					goto L17;
				} else {
					_t198[1] = _t194;
					_t198[0x11] = 0;
					_t198[0x12] = 0;
					_t198[2] = 0;
					 *_t198 = 0xffffffff;
					_t198[0x10] = 0x100b6c20;
					_t103 = E10021480(_t201);
					asm("cdq");
					asm("sbb edi, edx");
					if(0 >= _t103) {
						_t174 = (0 << 0x00000020 | _t194) << 3;
						_t103 = _t194 << 3;
					}
					_t198[8] = _t103 + 0x400;
					_t105 = _t198[0x1f];
					asm("adc edx, 0x0");
					_t198[9] = _t174;
					if((_t198[0x1f] & 0xffffff00 | _t105 <= 0x00000000 | _t174 & 0xffffff00 | _t194 <= 0x00000000) != 0) {
						L28:
						_t198[3] = _t194;
						_t198[4] = _t198[0x1f];
						_t198[2] = "Picture size %ux%u is invalid\n";
						_t198[1] = 0x10;
						 *_t198 =  &(_t198[0x10]);
						E10026560();
						goto L29;
					}
					asm("sbb ecx, edx");
					if(0x7ffffffe < _t198[8]) {
						goto L28;
					}
					asm("sbb edi, edx");
					if(0x7ffffffe < (_t198[0x1f] + 0x80) * _t198[8]) {
						goto L28;
					}
					if(_t192 > 7) {
						_t163 = _t194 + 0x00000007 & 0xfffffff8;
						_t210 = _t163;
						_t194 = _t163;
					}
					_t198[2] = _t194;
					 *_t198 = _t165;
					_t198[1] = _t198[0x20];
					_t117 = E100215D0(_t210);
					_t211 = _t117;
					_t195 = _t117;
					if(_t117 < 0) {
						L17:
						return _t195;
					} else {
						_t180 =  ~_t192;
						_t121 =  *_t165 + _t192 - 0x00000001 & _t180;
						 *_t165 = _t121;
						_t198[0xc] = _t121;
						_t125 = _t165[1] + _t192 - 0x00000001 & _t180;
						_t165[1] = _t125;
						_t198[0xd] = _t125;
						_t129 = _t165[2] + _t192 - 0x00000001 & _t180;
						_t165[2] = _t129;
						_t198[0xe] = _t129;
						_t133 = _t165[3] + _t192 - 0x00000001 & _t180;
						_t165[3] = _t133;
						_t198[0xf] = _t133;
						_t198[3] =  &(_t198[0xc]);
						_t198[2] = _t198[0x1f];
						_t198[1] = _t198[0x20];
						 *_t198 =  &(_t198[0x10]);
						_t138 = E100219B0(_t165, 0, _t192, _t195, _t211);
						_t195 = _t138;
						if(_t138 < 0) {
							goto L17;
						}
						_t140 = _t192 + _t198[0x10];
						if(_t140 < 0) {
							goto L29;
						}
						_t141 = _t140 + _t198[0x11];
						if(_t141 < 0) {
							goto L29;
						}
						_t142 = _t141 + _t198[0x12];
						if(_t142 < 0) {
							goto L29;
						}
						_t143 = _t142 + _t198[0x13];
						if(_t143 < 0) {
							goto L29;
						}
						 *_t198 = _t143;
						_t144 = E10028D50();
						_t190 = _t144;
						if(_t144 == 0) {
							_t195 = 0xfffffff4;
							goto L17;
						}
						_t198[3] = _t144;
						_t198[4] = _t165;
						_t198[2] = _t198[0x1f];
						_t198[1] = _t198[0x20];
						 *_t198 = _t198[0x1c];
						_t148 = E10021AF0(_t165, _t190, _t192, _t195);
						_t195 = _t148;
						if(_t148 < 0) {
							 *_t198 = _t190;
							L100290D0();
							goto L17;
						}
						if(( *(_t198[0xb] + 8) & 0x00000002) != 0) {
							_t181 =  *(_t198[0x1c] + 4);
							 *_t198 = _t181;
							_t198[1] = _t198[0x20];
							_t198[8] = _t181;
							E10021BF0();
							__eflags = _t192 - 3;
							_t182 = _t198[8];
							if(_t192 <= 3) {
								_t198[2] = "Formats with a palette require a minimum alignment of 4\n";
								_t198[1] = 0x10;
								 *_t198 = 0;
								E10026560();
								 *_t198 = _t190;
								L100290D0();
								goto L29;
							}
							__eflags = _t182;
							if(_t182 != 0) {
								_t170 =  *(_t198[0x1c]);
								_t183 = _t182 - _t170;
								_t159 = _t198[0x1f] *  *_t165;
								__eflags = _t183 - _t159;
								if(_t183 > _t159) {
									_t191 = _t170 + _t159;
									_t184 = _t183 - _t159;
									__eflags = _t184 - 8;
									if(_t184 >= 8) {
										__eflags = _t191 & 0x00000001;
										if((_t191 & 0x00000001) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 1;
											_t191 = _t191 + 1;
										}
										__eflags = _t191 & 0x00000002;
										if((_t191 & 0x00000002) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 2;
											_t191 = _t191 + 2;
										}
										__eflags = _t191 & 0x00000004;
										if((_t191 & 0x00000004) != 0) {
											 *_t191 = 0;
											_t184 = _t184 - 4;
											_t191 = _t191 + 4;
										}
										_t172 = _t184 >> 2;
										_t184 = _t184 & 0x00000003;
										memset(_t191, 0, _t172 << 2);
										_t198 =  &(_t198[3]);
										_t191 = _t191 + _t172;
									}
									__eflags = _t184 & 0x00000004;
									if((_t184 & 0x00000004) != 0) {
										 *_t191 = 0;
										_t191 = _t191 + 4;
										__eflags = _t191;
									}
									__eflags = _t184 & 0x00000002;
									if((_t184 & 0x00000002) != 0) {
										 *_t191 = 0;
										_t191 = _t191 + 2;
										__eflags = _t191;
									}
									__eflags = _t184 & 0x00000001;
									if((_t184 & 0x00000001) != 0) {
										 *_t191 = 0;
									}
								}
							}
						}
						goto L17;
					}
				}
			}

0x10021d1b
0x10021d24
0x10021d2e
0x10021d32
0x10021d36
0x10021d3d
0x10021d40
0x10021d45
0x10021d49
0x10021d4b
0x10021fca
0x10021fca
0x00000000
0x10021d51
0x10021d51
0x10021d5c
0x10021d62
0x10021d68
0x10021d6c
0x10021d73
0x10021d79
0x10021d7e
0x10021d81
0x10021d83
0x10021d89
0x10021d8d
0x10021d8d
0x10021d95
0x10021d99
0x10021d9d
0x10021da0
0x10021db0
0x10021fa0
0x10021fa0
0x10021fa8
0x10021fb1
0x10021fba
0x10021fc2
0x10021fc5
0x00000000
0x10021fc5
0x10021dca
0x10021dcc
0x00000000
0x00000000
0x10021df0
0x10021df2
0x00000000
0x00000000
0x10021dfb
0x10021e00
0x10021e00
0x10021e03
0x10021e03
0x10021e05
0x10021e10
0x10021e13
0x10021e17
0x10021e1c
0x10021e1e
0x10021e20
0x10021f0d
0x10021f16
0x10021e26
0x10021e2a
0x10021e2f
0x10021e31
0x10021e33
0x10021e3d
0x10021e3f
0x10021e42
0x10021e4c
0x10021e4e
0x10021e51
0x10021e5b
0x10021e5d
0x10021e60
0x10021e68
0x10021e70
0x10021e7b
0x10021e83
0x10021e86
0x10021e8d
0x10021e8f
0x00000000
0x00000000
0x10021e93
0x10021e97
0x00000000
0x00000000
0x10021e9d
0x10021ea1
0x00000000
0x00000000
0x10021ea7
0x10021eab
0x00000000
0x00000000
0x10021eb1
0x10021eb5
0x00000000
0x00000000
0x10021ebb
0x10021ebe
0x10021ec5
0x10021ec7
0x10022057
0x00000000
0x10022057
0x10021ecd
0x10021ed5
0x10021ed9
0x10021ee4
0x10021eec
0x10021eef
0x10021ef6
0x10021ef8
0x10021fd8
0x10021fdb
0x00000000
0x10021fdb
0x10021f0b
0x10021f24
0x10021f2e
0x10021f31
0x10021f35
0x10021f39
0x10021f3e
0x10021f41
0x10021f45
0x10022030
0x1002203a
0x10022042
0x10022045
0x1002204a
0x1002204d
0x00000000
0x1002204d
0x10021f4b
0x10021f4d
0x10021f55
0x10021f5b
0x10021f5d
0x10021f60
0x10021f62
0x10021f64
0x10021f67
0x10021f69
0x10021f6c
0x10021fe5
0x10021feb
0x1002200e
0x10022011
0x10022012
0x10022012
0x10021fed
0x10021ff3
0x10022023
0x10022028
0x1002202b
0x1002202b
0x10021ff5
0x10021ffb
0x10022015
0x1002201b
0x1002201e
0x1002201e
0x10022001
0x10022004
0x10022007
0x10022007
0x10022007
0x10022007
0x10021f6e
0x10021f71
0x10021f73
0x10021f79
0x10021f79
0x10021f79
0x10021f7c
0x10021f7f
0x10021f81
0x10021f86
0x10021f86
0x10021f86
0x10021f89
0x10021f8c
0x10021f92
0x10021f92
0x10021f8c
0x10021f62
0x10021f4d
0x00000000
0x10021f0b
0x10021e20

APIs

mv_pix_fmt_desc_get.A649 ref: 10021D40
mv_image_get_linesize.A649 ref: 10021D79

Part of subcall function 10021480: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_image_fill_linesizes.A649(?), ref: 10021E17
mv_image_fill_plane_sizes.A649(?), ref: 10021E86
mv_malloc.A649(?), ref: 10021EBE
mv_image_fill_pointers.A649(?), ref: 10021EEF

Part of subcall function 10021AF0: mv_image_fill_plane_sizes.A649 ref: 10021B60

mvpriv_set_systematic_pal2.A649(?), ref: 10021F39

Strings

Picture size %ux%u is invalid, xrefs: 10021FAC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_fill_plane_sizesmv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_pointersmv_image_get_linesizemv_mallocmvpriv_set_systematic_pal2
String ID: Picture size %ux%u is invalid
API String ID: 3240037220-1963597007
Opcode ID: 574e90375cf03746090cfd7489147908b0e327d57a3207fb59d9762587078854
Instruction ID: 75724d5c9aa8a60a427d3ad0c57d91caac8602455a4ae7804d88bed8b19d8b50
Opcode Fuzzy Hash: 574e90375cf03746090cfd7489147908b0e327d57a3207fb59d9762587078854
Instruction Fuzzy Hash: D891597AA087458FC390CF28D58175ABBE2FFD8240F55893DE9A8C7355E735E8408B42

Uniqueness

Uniqueness Score: -1.00%

Function 10015FBC Relevance: 21.1, APIs: 14, Instructions: 95COMMON

Download Yara Rule

APIs

mv_mallocz.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10015FCB
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 1001603A
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016049
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016058
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016067
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016073
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016095
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160A4
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160B3
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160C2
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160CE
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160E5
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100160F4
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016100
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016136
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016145
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016154
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016163
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 1001616F
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016182
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 10016191
mv_expr_free.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161A0
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161AF
mv_freep.A649(?,?,?,?,?,?,?,?,?,?,?,00000028,?,?,1001651D), ref: 100161BB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_expr_free$mv_freep$mv_mallocz
String ID:
API String ID: 83030161-0
Opcode ID: 3b24a442fa85c7a5211f28804c5bfb4764f84ff1624734bbd85c042f45668a17
Instruction ID: 2a0944b5d2e0ef0c5ec6856f4575aaa66d704943b04bba9ad3f40f9d202125e9
Opcode Fuzzy Hash: 3b24a442fa85c7a5211f28804c5bfb4764f84ff1624734bbd85c042f45668a17
Instruction Fuzzy Hash: 05418CB85087058FC344DF65C48092ABBE1FF88354F55CA6DE8885B316D735E986CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C86C Relevance: 19.7, APIs: 13, Instructions: 170COMMON

Download Yara Rule

APIs

mv_ripemd_init.A649 ref: 1001C8DE
mv_ripemd_init.A649 ref: 1001C8F6
mv_ripemd_init.A649 ref: 1001C90E
mv_ripemd_init.A649 ref: 1001C926
mv_sha_init.A649 ref: 1001C93E
mv_sha_init.A649 ref: 1001C95E
mv_sha_init.A649 ref: 1001C97E
mv_sha512_init.A649 ref: 1001C99E
mv_sha512_init.A649 ref: 1001C9BE
mv_sha512_init.A649 ref: 1001C9DE
mv_sha512_init.A649 ref: 1001C9FE
mv_adler32_update.A649 ref: 1001CA46
mv_crc.A649 ref: 1001CAD5

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_ripemd_initmv_sha512_init$mv_sha_init$mv_adler32_updatemv_crc
String ID:
API String ID: 2533704273-0
Opcode ID: 7dfe43ddf184354279a9cfb6bce1d72b9b5632fd3a0ac15d1ed897435091824e
Instruction ID: 81be35c2d3478b69f6a46af8973115dae999a106fbb0fdf16beba8e4a87a0fd4
Opcode Fuzzy Hash: 7dfe43ddf184354279a9cfb6bce1d72b9b5632fd3a0ac15d1ed897435091824e
Instruction Fuzzy Hash: 45717DB4909B00DFC754DF68C18491ABBE0FF8D358F1489AEE9898B321D734D981EB56

Uniqueness

Uniqueness Score: -1.00%

Function 1001A460 Relevance: 19.6, APIs: 13, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1001A460(signed char __eax) {
				void* __ebx;
				void* __esi;
				void* _t68;
				intOrPtr _t74;
				signed char _t79;
				signed char _t82;
				char* _t83;
				intOrPtr _t85;
				signed int _t86;
				signed int _t89;
				intOrPtr _t90;
				signed int _t92;
				signed int _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t99;
				intOrPtr* _t100;

				_t79 = __eax;
				_t100 = _t99 - 0x1c;
				if( *((intOrPtr*)(__eax + 0xe4)) > 0) {
					_t89 = 0;
					do {
						_t98 =  *((intOrPtr*)(__eax + 0xe0)) + _t89 * 4;
						_t89 = _t89 + 1;
						_t95 =  *_t98;
						_t96 = _t95 + 0xc;
						 *_t100 = _t95 + 0x10;
						E1000A000(__eax, _t96);
						 *_t100 = _t96;
						E10011CC0();
						 *_t100 = _t98;
						E100290E0();
					} while (_t89 <  *((intOrPtr*)(_t79 + 0xe4)));
				}
				_t90 = _t79 + 0xb8;
				 *((intOrPtr*)(_t79 + 0xe4)) = 0;
				 *_t100 = _t79 + 0xe0;
				_t85 = _t79 + 0xd8;
				E100290E0();
				do {
					 *_t100 = _t90;
					_t90 = _t90 + 4;
					E1000A000(_t79, _t90);
				} while (_t85 != _t90);
				if( *((intOrPtr*)(_t79 + 0xdc)) > 0) {
					_t94 = 0;
					do {
						_t74 =  *((intOrPtr*)(_t79 + 0xd8)) + _t94 * 4;
						_t94 = _t94 + 1;
						 *_t100 = _t74;
						E1000A000(_t79, _t94);
					} while (_t94 <  *((intOrPtr*)(_t79 + 0xdc)));
				}
				 *_t100 = _t85;
				E100290E0();
				 *_t100 = _t79 + 0x118;
				E10011CC0();
				 *_t100 = _t79 + 0x128;
				E1000A000(_t79, _t90);
				 *_t100 = _t79 + 0x12c;
				E1000A000(_t79, _t90);
				 *_t100 = _t79 + 0x140;
				E1000A000(_t79, _t90);
				if( *(_t79 + 0x40) != _t79) {
					 *_t100 = _t79 + 0x40;
					E100290E0();
				}
				_t86 = 0x168;
				 *_t100 = _t79 + 0x148;
				E1000D270();
				_t82 = _t79;
				if((_t79 & 0x00000001) != 0) {
					 *_t79 = 0;
					_t82 = _t79 + 1;
					_t86 = 0x167;
					if((_t82 & 0x00000002) == 0) {
						goto L12;
					} else {
						goto L20;
					}
					L14:
					_t83 = _t82 + _t68;
					if((_t86 & 0x00000004) != 0) {
						 *_t83 = 0;
						_t83 = _t83 + 4;
					}
					if((_t86 & 0x00000002) != 0) {
						 *_t83 = 0;
						_t83 = _t83 + 2;
					}
					if((_t86 & 0x00000001) != 0) {
						 *_t83 = 0;
					}
					 *((intOrPtr*)(_t79 + 0x100)) = 0;
					 *((intOrPtr*)(_t79 + 0xf4)) = 2;
					 *((intOrPtr*)(_t79 + 0x70)) = 0;
					 *((intOrPtr*)(_t79 + 0x74)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x68)) = 0;
					 *((intOrPtr*)(_t79 + 0x6c)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x104)) = 0x80000000;
					 *((intOrPtr*)(_t79 + 0x108)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x10c)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x124)) = 0xffffffff;
					 *((intOrPtr*)(_t79 + 0x7c)) = 1;
					 *((intOrPtr*)(_t79 + 0x54)) = 1;
					 *((intOrPtr*)(_t79 + 0x60)) = 1;
					 *((intOrPtr*)(_t79 + 0x50)) = 0xffffffff;
					 *(_t79 + 0x40) = _t79;
					 *((intOrPtr*)(_t79 + 0xf0)) = 2;
					 *((intOrPtr*)(_t79 + 0xf8)) = 2;
					return 2;
				} else {
					if((_t82 & 0x00000002) != 0) {
						L20:
						 *_t82 = 0;
						_t86 = _t86 - 2;
						_t82 = _t82 + 2;
					}
				}
				L12:
				_t68 = 0;
				_t92 = _t86 & 0xfffffff8;
				do {
					 *((intOrPtr*)(_t82 + _t68)) = 0;
					 *((intOrPtr*)(_t82 + _t68 + 4)) = 0;
					_t68 = _t68 + 8;
				} while (_t68 < _t92);
				goto L14;
			}

0x1001a464
0x1001a466
0x1001a471
0x1001a473
0x1001a480
0x1001a486
0x1001a489
0x1001a48a
0x1001a490
0x1001a493
0x1001a496
0x1001a49b
0x1001a49e
0x1001a4a3
0x1001a4a6
0x1001a4ab
0x1001a480
0x1001a4b3
0x1001a4bb
0x1001a4c7
0x1001a4ca
0x1001a4d0
0x1001a4e0
0x1001a4e0
0x1001a4e3
0x1001a4e6
0x1001a4eb
0x1001a4f7
0x1001a4f9
0x1001a500
0x1001a506
0x1001a509
0x1001a50a
0x1001a50d
0x1001a512
0x1001a500
0x1001a51a
0x1001a51d
0x1001a528
0x1001a52b
0x1001a536
0x1001a539
0x1001a544
0x1001a547
0x1001a552
0x1001a555
0x1001a55d
0x1001a562
0x1001a565
0x1001a565
0x1001a570
0x1001a575
0x1001a578
0x1001a582
0x1001a584
0x1001a668
0x1001a66b
0x1001a66e
0x1001a676
0x00000000
0x00000000
0x00000000
0x00000000
0x1001a5a8
0x1001a5a8
0x1001a5b0
0x1001a6a5
0x1001a6ab
0x1001a6ab
0x1001a5bc
0x1001a698
0x1001a69d
0x1001a69d
0x1001a5c5
0x1001a690
0x1001a690
0x1001a5d2
0x1001a5e2
0x1001a5f2
0x1001a603
0x1001a60a
0x1001a611
0x1001a618
0x1001a61e
0x1001a624
0x1001a62a
0x1001a630
0x1001a637
0x1001a63e
0x1001a645
0x1001a64c
0x1001a64f
0x1001a655
0x1001a662
0x1001a58a
0x1001a58d
0x1001a680
0x1001a680
0x1001a685
0x1001a688
0x1001a688
0x1001a58d
0x1001a593
0x1001a595
0x1001a597
0x1001a59a
0x1001a59a
0x1001a59d
0x1001a5a1
0x1001a5a4
0x00000000

APIs

mv_dict_free.A649 ref: 1001A49E
mv_freep.A649 ref: 1001A4A6
mv_buffer_unref.A649 ref: 1001A496

Part of subcall function 1000A000: mv_freep.A649 ref: 1000A01E

mv_freep.A649 ref: 1001A4D0
mv_buffer_unref.A649 ref: 1001A4E6
mv_buffer_unref.A649 ref: 1001A50D
mv_freep.A649 ref: 1001A51D
mv_dict_free.A649 ref: 1001A52B
mv_buffer_unref.A649 ref: 1001A539
mv_buffer_unref.A649 ref: 1001A547
mv_buffer_unref.A649 ref: 1001A555
mv_freep.A649 ref: 1001A565
mv_channel_layout_uninit.A649 ref: 1001A578

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_unref$mv_freep$mv_dict_free$mv_channel_layout_uninit
String ID:
API String ID: 1735483532-0
Opcode ID: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
Instruction ID: e5137f4a5bc7018b3bf66a3982d40490682209c4fe07239027ca6129b2817d8d
Opcode Fuzzy Hash: b1f051f397a595c89fd00aa7c4bdbf0e8165c123e935fbb0ada5b3fbc138a149
Instruction Fuzzy Hash: 66516BB19046068BDB10DF28C48178A77E5FF45364F0A46BADC989F38AD774E8C5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000C640 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C650
memcmp.MSVCRT ref: 1000C6F4

Strings

mono, xrefs: 1000C6B0

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: memcmpstrlen
String ID: mono
API String ID: 3108337309-2381334079
Opcode ID: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
Instruction ID: 18b6b574f71558c9a9b0b92199a84ecc10b2be927aad7e864a8dbdfaab720d03
Opcode Fuzzy Hash: 961e4d7430c6ee58c8d49aecf6a6276b133ce91f2d562b03286109f610fa6c8a
Instruction Fuzzy Hash: 62713A74A083598FD354DF25C48491EBBE2FFC8384F51892DE88997319DB34E9458F86

Uniqueness

Uniqueness Score: -1.00%

Function 1001E7F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.A649 ref: 1001E9EE
mv_log.A649 ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_pix_fmt_namemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 3418758923-379977042
Opcode ID: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
Instruction ID: a270e7ec8c0c912217b56fd727a34e093eb2c836343d1efa160e437917b73519
Opcode Fuzzy Hash: 9b272a863b8c87bc50828a51ff6e70bc1a94dffcb6cd8086de82a19a6494632f
Instruction Fuzzy Hash: 9F61B3746087858FD750DF69C480A0EF7E5FF88354F568A6DE998DB311E670EC818B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1D0 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

mv_realloc.A649 ref: 1000A231
mv_mallocz.A649 ref: 1000A24B
mv_mallocz.A649 ref: 1000A284
mv_freep.A649 ref: 1000A2DA
mv_realloc.A649 ref: 1000A344
mv_realloc.A649 ref: 1000A36B
mv_mallocz.A649 ref: 1000A385
mv_mallocz.A649 ref: 1000A3BC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_realloc$mv_freep
String ID:
API String ID: 3944475926-0
Opcode ID: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
Instruction ID: 0671ab7339bb216cd2d01b0f004d479de4b058bf66c6df6044412f8339b3df2e
Opcode Fuzzy Hash: a6fa4d2bae3b4a2bda0a35254eb544c858f4501f780d02fc74c31e633d2e6906
Instruction Fuzzy Hash: 937104B48087018FE714DF25C18471AFBE0FF86380F568A6DE9898B365D775E980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001E690 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E1001E690(intOrPtr _a4, char _a8) {
				char _v16;
				intOrPtr _v32;
				intOrPtr _v48;
				char* _v52;
				char _v56;
				void* __ebx;
				void* __esi;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				char _t46;
				intOrPtr _t49;
				char _t58;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr* _t73;

				_t73 = _t72 - 0x34;
				_t37 = _a4;
				_t58 = _a8;
				_t71 =  *((intOrPtr*)(_t37 + 4));
				_t63 =  *((intOrPtr*)(_t71 + 4));
				_t61 =  *((intOrPtr*)(_t63 + 0xc));
				if( *((intOrPtr*)(_t63 + 0xc)) == 0) {
					_t64 =  *_t63;
					_t62 =  *((intOrPtr*)(_t64 + 0x3c));
					if( *((intOrPtr*)(_t64 + 0x3c)) == 0) {
						_t38 = 0xffffffd8;
						goto L7;
					} else {
						if( *((intOrPtr*)(_t71 + 0x1c)) == 0) {
							_t38 = 0xffffffea;
							goto L7;
						} else {
							 *_t73 = _t37;
							_t39 = E10009FC0(_t58, _t62);
							 *((intOrPtr*)(_t58 + 0x128)) = _t39;
							if(_t39 == 0) {
								goto L6;
							} else {
								_v56 = _t58;
								 *_t73 = _t71;
								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)))) + 0x3c))();
								if(_t42 < 0) {
									_v32 = _t42;
									 *_t73 = _t58 + 0x128;
									E1000A000(_t58 + 0x128, _t71);
									_t38 = _v32;
									goto L7;
								} else {
									 *((intOrPtr*)(_t58 + 0x40)) = _t58;
									return 0;
								}
							}
						}
					}
				} else {
					 *((intOrPtr*)(_t58 + 0x50)) =  *((intOrPtr*)(_t71 + 0x24));
					 *_t73 = _t37;
					_t45 = E10009FC0(_t58, _t61);
					 *((intOrPtr*)(_t58 + 0x128)) = _t45;
					if(_t45 == 0) {
						L6:
						_t38 = 0xfffffff4;
						goto L7;
					} else {
						_t46 = E1001AC40(_t58, _t70, _t71);
						_v16 = _t46;
						if(_t46 == 0) {
							goto L6;
						} else {
							_v56 = _t46;
							_v52 = 0;
							 *_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0xc));
							_t49 = E1001E690();
							if(_t49 < 0) {
								L13:
								_v32 = _t49;
								 *_t73 =  &_v16;
								E1001ADB0(_t58);
								return _v32;
							} else {
								 *_t73 = _t58;
								_v52 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 4)) + 0x10));
								_v56 = _v16;
								_t49 = E1001E450(_t58, _t70, _t71);
								if(_t49 == 0) {
									goto L13;
								} else {
									_v48 = _t49;
									_v32 = _t49;
									_v56 = 0x10;
									_v52 = "Failed to map frame into derived frame context: %d.\n";
									 *_t73 = _t71;
									E10026560();
									 *_t73 =  &_v16;
									E1001ADB0("Failed to map frame into derived frame context: %d.\n");
									_t38 = _v32;
									L7:
									return _t38;
								}
							}
						}
					}
				}
			}

0x1001e692
0x1001e695
0x1001e699
0x1001e69d
0x1001e6a0
0x1001e6a3
0x1001e6a8
0x1001e760
0x1001e762
0x1001e767
0x1001e7e5
0x00000000
0x1001e769
0x1001e76e
0x1001e7db
0x00000000
0x1001e770
0x1001e770
0x1001e773
0x1001e778
0x1001e780
0x00000000
0x1001e782
0x1001e787
0x1001e78b
0x1001e78e
0x1001e793
0x1001e7c0
0x1001e7ca
0x1001e7cd
0x1001e7d2
0x00000000
0x1001e795
0x1001e795
0x1001e79f
0x1001e79f
0x1001e793
0x1001e780
0x1001e76e
0x1001e6ae
0x1001e6b1
0x1001e6b4
0x1001e6b7
0x1001e6bc
0x1001e6c4
0x1001e750
0x1001e750
0x00000000
0x1001e6ca
0x1001e6ca
0x1001e6cf
0x1001e6d5
0x00000000
0x1001e6d7
0x1001e6d7
0x1001e6dd
0x1001e6e7
0x1001e6ea
0x1001e6f1
0x1001e7a0
0x1001e7a0
0x1001e7a8
0x1001e7ab
0x1001e7b9
0x1001e6f7
0x1001e6fd
0x1001e700
0x1001e708
0x1001e70c
0x1001e713
0x00000000
0x1001e719
0x1001e719
0x1001e722
0x1001e72b
0x1001e72f
0x1001e733
0x1001e736
0x1001e73f
0x1001e742
0x1001e747
0x1001e755
0x1001e75a
0x1001e75a
0x1001e713
0x1001e6f1
0x1001e6d5
0x1001e6c4

APIs

mv_frame_alloc.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA

Part of subcall function 1001AC40: mv_malloc.A649 ref: 1001AC56

mv_hwframe_get_buffer.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6EA

Part of subcall function 1001E690: mv_hwframe_map.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
Part of subcall function 1001E690: mv_log.A649 ref: 1001E736
Part of subcall function 1001E690: mv_frame_free.A649 ref: 1001E742

mv_buffer_ref.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7

Part of subcall function 10009FC0: mv_mallocz.A649 ref: 10009FD2

mv_buffer_ref.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E773

Strings

Failed to map frame into derived frame context: %d., xrefs: 1001E71D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_ref$mv_frame_allocmv_frame_freemv_hwframe_get_buffermv_hwframe_mapmv_logmv_mallocmv_mallocz
String ID: Failed to map frame into derived frame context: %d.
API String ID: 2770197599-2491951210
Opcode ID: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
Instruction ID: c8a7df340d6dcafb776f8cd3ae8b96b8e9686aa7a819e798d3a2729e9b2e2ff4
Opcode Fuzzy Hash: 9c42f20b11d269895efbb2d602614c3a18f3d43235624fe558127838406e54b0
Instruction Fuzzy Hash: 6541E5786097418FE740DF29D58095FBBE0FF88350F05896DE8998B355E734E8818B82

Uniqueness

Uniqueness Score: -1.00%

Function 100099E1 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100099E1(void* __eax, void* __ebx, void* __edx, void* __esi, signed int _a4, char* _a8) {
				void* _t23;

				_t23 = __eax;
				__eflags = __edx;
				if(__edx == 0) {
					do {
						__eflags = __al - 0x3c;
						if(__eflags == 0) {
							 *__esp = __esi;
							__eax = 0x100af50e;
							__edx = 0x100af500;
							_a8 = 0x100af50e;
							_a4 = 0x100af500;
							__eax = E100089C0();
						} else {
							if(__eflags <= 0) {
								__eflags = __al - 0x26;
								if(__al == 0x26) {
									 *__esp = __esi;
									__eax = 0x100af508;
									_a8 = 0x100af508;
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
								} else {
									__eflags = __al - 0x27;
									if(__al != 0x27) {
										goto L22;
									} else {
										 *__esp = __esi;
										__eax = 0x100af500;
										_a8 = "&apos;";
										_a4 = 0x100af500;
										__eax = E100089C0();
									}
								}
							} else {
								__eflags = __al - 0x3e;
								if(__al != 0x3e) {
									L22:
									__edx = __al;
									__esi = E100086F0(__esi, __al);
								} else {
									 *__esp = __esi;
									_a8 = 0x100af513;
									_a4 = 0x100af500;
									__eax = E100089C0();
								}
							}
						}
						__eax =  *(__ebx + 1) & 0x000000ff;
						__ebx = __ebx + 1;
						__eflags = __al;
					} while (__al != 0);
				} else {
					do {
						__dl = __al;
						__dl = __al - 0x22;
						__eflags = __dl - 0x1c;
						if(__dl > 0x1c) {
							L14:
							__edx = __al;
							__esi = E100086F0(__esi, __al);
						} else {
							__edx = __dl & 0x000000ff;
							switch( *((intOrPtr*)((__dl & 0x000000ff) * 4 +  &M100AF530))) {
								case 0:
									 *__esp = __esi;
									__eax = "&quot;";
									_a8 = "&quot;";
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 1:
									goto L14;
								case 2:
									 *__esp = __esi;
									__eax = 0x100af508;
									_a8 = 0x100af508;
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 3:
									 *__esp = __esi;
									__eax = "&apos;";
									_a8 = "&apos;";
									__eax = 0x100af500;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 4:
									 *__esp = __esi;
									_a8 = 0x100af50e;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
								case 5:
									 *__esp = __esi;
									__edx = 0x100af513;
									_a8 = 0x100af513;
									_a4 = 0x100af500;
									__eax = E100089C0();
									goto L15;
							}
						}
						L15:
						__eax =  *(__ebx + 1) & 0x000000ff;
						__ebx = __ebx + 1;
						__eflags = __al;
					} while (__al != 0);
				}
				return _t23;
			}

0x100099e1
0x100099e8
0x100099ea
0x10009a4d
0x10009a4d
0x10009a4f
0x10009c10
0x10009c13
0x10009c18
0x10009c1d
0x10009c21
0x10009c25
0x10009a55
0x10009a55
0x10009a10
0x10009a12
0x10009c30
0x10009c33
0x10009c38
0x10009c3c
0x10009c41
0x10009c45
0x10009a18
0x10009a18
0x10009a1a
0x00000000
0x10009a20
0x10009a20
0x10009a28
0x10009a2d
0x10009a31
0x10009a35
0x10009a35
0x10009a1a
0x10009a57
0x10009a57
0x10009a60
0x10009b90
0x10009b90
0x10009b95
0x10009a66
0x10009a66
0x10009a73
0x10009a77
0x10009a7b
0x10009a7b
0x10009a60
0x10009a55
0x10009a40
0x10009a44
0x10009a45
0x10009a45
0x100099f0
0x100099f0
0x100099f0
0x100099f2
0x100099f5
0x100099f8
0x10009a88
0x10009a88
0x10009a8d
0x100099fe
0x100099fe
0x10009a01
0x00000000
0x10009b17
0x10009b1a
0x10009b1f
0x10009b23
0x10009b28
0x10009b2c
0x00000000
0x00000000
0x00000000
0x00000000
0x10009aa4
0x10009aa7
0x10009aac
0x10009ab0
0x10009ab5
0x10009ab9
0x00000000
0x00000000
0x10009af8
0x10009afb
0x10009b00
0x10009b04
0x10009b09
0x10009b0d
0x00000000
0x00000000
0x10009adc
0x10009ae9
0x10009aed
0x10009af1
0x00000000
0x00000000
0x10009ac0
0x10009ac3
0x10009acd
0x10009ad1
0x10009ad5
0x00000000
0x00000000
0x10009a01
0x10009a92
0x10009a92
0x10009a96
0x10009a97
0x10009a97
0x10009a9f
0x10009869

APIs

mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A7B
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AB9
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AD5
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009AF1
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009B0D
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009B2C

Strings

<, xrefs: 10009ADF
>, xrefs: 10009AC3
&, xrefs: 10009AA7
", xrefs: 10009B1A
', xrefs: 10009AFB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: &$'$>$<$"
API String ID: 3083893021-87953025
Opcode ID: b6ed54fa2430d4727933e5420d63455ec3df606a843a78192178217f34b32b16
Instruction ID: 8e5b0ad7770d728874d8b890f391dfc0befd8e9e6221b6722be08452d9dad11f
Opcode Fuzzy Hash: b6ed54fa2430d4727933e5420d63455ec3df606a843a78192178217f34b32b16
Instruction Fuzzy Hash: 02111270908B51DFD710DFA9904026EBBD1FB81780F54C81EE6D587285EA39D940D783

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC40 Relevance: 16.8, APIs: 11, Instructions: 283
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E1001BC40() {
				void* __ebx;
				signed int _t113;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t123;
				void* _t124;
				void* _t125;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed char _t133;
				signed int _t134;
				signed int _t135;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t154;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed short* _t161;
				signed short* _t162;
				int _t166;
				signed char _t174;
				short* _t175;
				signed char _t176;
				short* _t177;
				signed int _t178;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t186;
				void* _t187;
				void* _t190;
				signed int _t195;
				signed int _t196;
				signed int _t199;
				signed short* _t200;
				signed short* _t201;
				signed int _t202;
				void* _t203;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				void* _t209;
				signed int* _t210;

				_t210 = _t209 - 0x1c;
				_t154 = _t210[0xd];
				_t207 = _t210[0xc];
				_t181 = _t154 + 0x148;
				 *((intOrPtr*)(_t207 + 0x50)) =  *((intOrPtr*)(_t154 + 0x50));
				 *((intOrPtr*)(_t207 + 0x44)) =  *((intOrPtr*)(_t154 + 0x44));
				 *((intOrPtr*)(_t207 + 0x48)) =  *((intOrPtr*)(_t154 + 0x48));
				 *((intOrPtr*)(_t207 + 0x4c)) =  *((intOrPtr*)(_t154 + 0x4c));
				 *(_t207 + 0x120) =  *(_t154 + 0x120);
				 *(_t207 + 0xb4) =  *(_t154 + 0xb4);
				 *(_t207 + 0xb0) =  *(_t154 + 0xb0);
				 *_t210 = _t181;
				if(E1000EC10() == 0) {
					_t149 =  *(_t154 + 0xb4);
					_t180 =  *(_t154 + 0xb0);
					if((_t149 | _t180) != 0) {
						_t210[2] = _t149;
						_t210[1] = _t180;
						 *_t210 = _t207 + 0x148;
						E1000D1B0();
					} else {
						 *(_t207 + 0x14c) =  *(_t154 + 0x120);
						 *(_t207 + 0x148) = 0;
					}
				}
				_t160 = 0;
				_t113 = E1001A6C0(_t207, 0, _t154, 0);
				_t195 = _t113;
				if(_t113 < 0) {
					L19:
					E1001A460(_t207);
					return _t195;
				} else {
					 *_t210 = _t181;
					if(E1000EC10() != 0) {
						_t210[1] = _t181;
						 *_t210 = _t207 + 0x148;
						_t119 = E1000D340();
						__eflags = _t119;
						_t195 = _t119;
						if(_t119 < 0) {
							goto L19;
						} else {
							_t120 =  *(_t154 + 0xb8);
							__eflags = _t120;
							if(_t120 != 0) {
								goto L6;
							} else {
								goto L32;
							}
						}
					} else {
						_t120 =  *(_t154 + 0xb8);
						if(_t120 == 0) {
							L32:
							 *_t210 = _t207;
							_t210[1] = 0;
							_t147 = E1001ADF0();
							__eflags = _t147;
							_t195 = _t147;
							if(_t147 < 0) {
								goto L19;
							} else {
								_t210[1] = _t154;
								 *_t210 = _t207;
								_t148 = E1001B8D0();
								__eflags = _t148;
								_t195 = _t148;
								if(_t148 < 0) {
									goto L19;
								} else {
									goto L34;
								}
							}
						} else {
							L6:
							_t196 = 0;
							L8:
							while(1) {
								if(_t120 == 0) {
									L10:
									_t196 = _t196 + 1;
									if(_t196 != 8) {
										_t120 =  *(_t154 + 0xb8 + _t196 * 4);
										continue;
									} else {
										if( *((intOrPtr*)(_t154 + 0xd8)) == 0) {
											L21:
											_t121 =  *(_t154 + 0x128);
											__eflags = _t121;
											if(_t121 == 0) {
												L23:
												__eflags =  *(_t154 + 0x40) - _t154;
												if( *(_t154 + 0x40) == _t154) {
													 *(_t207 + 0x40) = _t207;
													goto L37;
												} else {
													_t186 =  *(_t207 + 0x14c);
													_t195 = 0xffffffea;
													__eflags = _t186;
													if(_t186 == 0) {
														goto L19;
													} else {
														_t210[1] = _t186;
														 *_t210 = 4;
														_t133 = E10028EC0();
														 *(_t207 + 0x40) = _t133;
														__eflags = _t133;
														if(_t133 == 0) {
															goto L18;
														} else {
															_t166 = _t186 * 4;
															_t203 =  *(_t154 + 0x40);
															_t187 = _t133;
															__eflags = _t166 - 8;
															if(_t166 >= 8) {
																__eflags = _t133 & 0x00000001;
																if((_t133 & 0x00000001) != 0) {
																	_t134 =  *_t203 & 0x000000ff;
																	_t187 = _t187 + 1;
																	_t203 = _t203 + 1;
																	_t166 = _t166 - 1;
																	 *(_t187 - 1) = _t134;
																}
																__eflags = _t187 & 0x00000002;
																if((_t187 & 0x00000002) != 0) {
																	_t135 =  *_t203 & 0x0000ffff;
																	_t187 = _t187 + 2;
																	_t203 = _t203 + 2;
																	_t166 = _t166 - 2;
																	 *(_t187 - 2) = _t135;
																}
																__eflags = _t187 & 0x00000004;
																if((_t187 & 0x00000004) == 0) {
																	goto L27;
																} else {
																	_t190 = _t187 + 4;
																	 *(_t190 - 4) =  *_t203;
																	memcpy(_t190, _t203 + 4, _t166 - 4);
																	_t210 =  &(_t210[3]);
																	goto L37;
																}
																L49:
																_t177 = _t176 + _t128;
																_t201 = _t200 + _t128;
																_t129 = 0;
																__eflags = _t184 & 0x00000002;
																if((_t184 & 0x00000002) != 0) {
																	 *_t177 =  *_t201 & 0x0000ffff;
																	_t129 = 2;
																}
																__eflags = _t184 & 0x00000001;
																if((_t184 & 0x00000001) == 0) {
																	L34:
																	_t202 = 0;
																	__eflags = 0;
																} else {
																	_t202 = 0;
																	 *((char*)(_t177 + _t129)) =  *(_t201 + _t129) & 0x000000ff;
																}
																return _t202;
																goto L63;
															} else {
																L27:
																memcpy(_t187, _t203, _t166);
																_t210 =  &(_t210[3]);
															}
															L37:
															__eflags = _t207 & 0x00000001;
															_t174 = _t207;
															_t161 = _t154;
															_t182 = 0x20;
															if((_t207 & 0x00000001) != 0) {
																_t174 = _t207 + 1;
																_t182 = 0x1f;
																_t161 = _t154 + 1;
																 *_t207 =  *_t154 & 0x000000ff;
															}
															__eflags = _t174 & 0x00000002;
															if((_t174 & 0x00000002) != 0) {
																_t123 =  *_t161 & 0x0000ffff;
																_t174 = _t174 + 2;
																_t161 =  &(_t161[1]);
																_t182 = _t182 - 2;
																 *(_t174 - 2) = _t123;
															}
															_t210[0xd] = _t154;
															_t124 = 0;
															_t199 = _t182 & 0xfffffffc;
															__eflags = _t199;
															do {
																 *(_t174 + _t124) =  *(_t161 + _t124);
																_t124 = _t124 + 4;
																__eflags = _t124 - _t199;
															} while (_t124 < _t199);
															_t175 = _t174 + _t124;
															_t162 = _t161 + _t124;
															_t156 = _t210[0xd];
															_t125 = 0;
															__eflags = _t182 & 0x00000002;
															if((_t182 & 0x00000002) != 0) {
																 *_t175 =  *_t162 & 0x0000ffff;
																_t125 = 2;
															}
															__eflags = _t182 & 0x00000001;
															if((_t182 & 0x00000001) != 0) {
																 *((char*)(_t175 + _t125)) =  *(_t162 + _t125) & 0x000000ff;
															}
															__eflags = _t207 & 0x00000001;
															_t184 = 0x20;
															_t176 = _t207 + 0x20;
															_t200 = _t156 + 0x20;
															if((_t207 & 0x00000001) != 0) {
																_t176 = _t207 + 0x21;
																_t184 = 0x1f;
																_t200 = _t156 + 0x21;
																 *(_t207 + 0x20) =  *(_t156 + 0x20) & 0x000000ff;
															}
															__eflags = _t176 & 0x00000002;
															if((_t176 & 0x00000002) != 0) {
																_t127 =  *_t200 & 0x0000ffff;
																_t176 = _t176 + 2;
																_t200 =  &(_t200[1]);
																_t184 = _t184 - 2;
																 *(_t176 - 2) = _t127;
															}
															_t128 = 0;
															_t158 = _t184 & 0xfffffffc;
															__eflags = _t158;
															do {
																 *(_t176 + _t128) =  *(_t200 + _t128);
																_t128 = _t128 + 4;
																__eflags = _t128 - _t158;
															} while (_t128 < _t158);
															goto L49;
														}
													}
												}
											} else {
												 *_t210 = _t121;
												_t139 = E10009FC0(_t154, _t160);
												 *(_t207 + 0x128) = _t139;
												__eflags = _t139;
												if(_t139 == 0) {
													goto L18;
												} else {
													goto L23;
												}
											}
										} else {
											_t160 = 4;
											_t210[1] = 4;
											 *_t210 =  *(_t154 + 0xdc);
											_t141 = E100291F0();
											 *((intOrPtr*)(_t207 + 0xd8)) = _t141;
											if(_t141 == 0) {
												goto L18;
											} else {
												_t178 =  *(_t154 + 0xdc);
												 *(_t207 + 0xdc) = _t178;
												if(_t178 <= 0) {
													goto L21;
												} else {
													_t210[0xc] = _t207;
													_t208 = _t154;
													_t159 = 0;
													while(1) {
														_t206 = _t159 * 4;
														 *_t210 =  *( *((intOrPtr*)(_t208 + 0xd8)) + _t206);
														 *((intOrPtr*)(_t141 + _t206)) = E10009FC0(_t159, _t160);
														_t141 =  *((intOrPtr*)(_t210[0xc] + 0xd8));
														if( *((intOrPtr*)(_t141 + _t206)) == 0) {
															break;
														}
														_t159 = _t159 + 1;
														__eflags =  *((intOrPtr*)(_t208 + 0xdc)) - _t159;
														if( *((intOrPtr*)(_t208 + 0xdc)) <= _t159) {
															_t154 = _t208;
															_t207 = _t210[0xc];
															goto L21;
														} else {
															continue;
														}
														goto L63;
													}
													_t207 = _t210[0xc];
													goto L18;
												}
											}
										}
									}
								} else {
									 *_t210 = _t120;
									_t146 = E10009FC0(_t154, _t160);
									 *((intOrPtr*)(_t207 + 0xb8 + _t196 * 4)) = _t146;
									if(_t146 == 0) {
										L18:
										_t195 = 0xfffffff4;
										goto L19;
									} else {
										goto L10;
									}
								}
								goto L63;
							}
						}
					}
				}
				L63:
			}

0x1001bc44
0x1001bc47
0x1001bc4b
0x1001bc52
0x1001bc5e
0x1001bc64
0x1001bc6a
0x1001bc70
0x1001bc79
0x1001bc85
0x1001bc8b
0x1001bc91
0x1001bc9b
0x1001bc9d
0x1001bca3
0x1001bcad
0x1001be70
0x1001be7a
0x1001be7e
0x1001be81
0x1001bcb3
0x1001bcb9
0x1001bcc1
0x1001bcc1
0x1001bcad
0x1001bcc7
0x1001bccd
0x1001bcd4
0x1001bcd6
0x1001bdb8
0x1001bdba
0x1001bdc8
0x1001bcdc
0x1001bcdc
0x1001bce6
0x1001be40
0x1001be4a
0x1001be4d
0x1001be52
0x1001be54
0x1001be56
0x00000000
0x1001be5c
0x1001be5c
0x1001be62
0x1001be64
0x00000000
0x1001be6a
0x00000000
0x1001be6a
0x1001be64
0x1001bcec
0x1001bcec
0x1001bcf4
0x1001be90
0x1001be90
0x1001be95
0x1001be99
0x1001be9e
0x1001bea0
0x1001bea2
0x00000000
0x1001bea8
0x1001bea8
0x1001beac
0x1001beaf
0x1001beb4
0x1001beb6
0x1001beb8
0x00000000
0x00000000
0x00000000
0x00000000
0x1001beb8
0x1001bcfa
0x1001bcfa
0x1001bcfa
0x00000000
0x1001bd07
0x1001bd09
0x1001bd22
0x1001bd22
0x1001bd26
0x1001bd00
0x00000000
0x1001bd28
0x1001bd30
0x1001bdd6
0x1001bdd6
0x1001bddc
0x1001bdde
0x1001bdf2
0x1001bdf2
0x1001bdf5
0x1001bed0
0x00000000
0x1001bdfb
0x1001bdfb
0x1001be01
0x1001be06
0x1001be08
0x00000000
0x1001be0a
0x1001be0a
0x1001be0e
0x1001be15
0x1001be1a
0x1001be1d
0x1001be1f
0x00000000
0x1001be21
0x1001be21
0x1001be28
0x1001be2b
0x1001be2d
0x1001be30
0x1001bf96
0x1001bf98
0x1001c033
0x1001c036
0x1001c037
0x1001c038
0x1001c039
0x1001c039
0x1001bf9e
0x1001bfa4
0x1001c01e
0x1001c021
0x1001c024
0x1001c027
0x1001c02a
0x1001c02a
0x1001bfa6
0x1001bfac
0x00000000
0x1001bfb2
0x1001bfb4
0x1001bfbd
0x1001bfc0
0x1001bfc0
0x00000000
0x1001bfc0
0x1001bf66
0x1001bf66
0x1001bf68
0x1001bf6a
0x1001bf6c
0x1001bf72
0x1001bf77
0x1001bf7a
0x1001bf7a
0x1001bf7f
0x1001bf82
0x1001bebe
0x1001bebe
0x1001bebe
0x1001bf88
0x1001bf8c
0x1001bf8e
0x1001bf8e
0x1001bec9
0x00000000
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001be36
0x1001bed3
0x1001bed3
0x1001bed9
0x1001bedb
0x1001bedd
0x1001bee2
0x1001bfdf
0x1001bfe2
0x1001bfe7
0x1001bfea
0x1001bfea
0x1001bee8
0x1001beeb
0x1001bfc7
0x1001bfca
0x1001bfcd
0x1001bfd0
0x1001bfd3
0x1001bfd3
0x1001bef1
0x1001bef7
0x1001bef9
0x1001bef9
0x1001befc
0x1001beff
0x1001bf02
0x1001bf05
0x1001bf05
0x1001bf09
0x1001bf0b
0x1001bf0d
0x1001bf11
0x1001bf13
0x1001bf19
0x1001bf1e
0x1001bf21
0x1001bf21
0x1001bf26
0x1001bf29
0x1001bf2f
0x1001bf2f
0x1001bf32
0x1001bf38
0x1001bf3d
0x1001bf40
0x1001bf43
0x1001c00b
0x1001c00e
0x1001c013
0x1001c016
0x1001c016
0x1001bf49
0x1001bf4c
0x1001bff2
0x1001bff5
0x1001bff8
0x1001bffb
0x1001bffe
0x1001bffe
0x1001bf54
0x1001bf56
0x1001bf56
0x1001bf59
0x1001bf5c
0x1001bf5f
0x1001bf62
0x1001bf62
0x00000000
0x1001bf59
0x1001be1f
0x1001be08
0x1001bde0
0x1001bde0
0x1001bde3
0x1001bde8
0x1001bdee
0x1001bdf0
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bdf0
0x1001bd36
0x1001bd36
0x1001bd3b
0x1001bd45
0x1001bd48
0x1001bd4d
0x1001bd55
0x00000000
0x1001bd57
0x1001bd57
0x1001bd5d
0x1001bd65
0x00000000
0x1001bd67
0x1001bd67
0x1001bd6d
0x1001bd6f
0x1001bd81
0x1001bd81
0x1001bd94
0x1001bd9c
0x1001bda2
0x1001bdad
0x00000000
0x00000000
0x1001bd78
0x1001bd79
0x1001bd7f
0x1001bdd0
0x1001bdd2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd7f
0x1001bdaf
0x00000000
0x1001bdaf
0x1001bd65
0x1001bd55
0x1001bd30
0x1001bd0b
0x1001bd0b
0x1001bd0e
0x1001bd13
0x1001bd1c
0x1001bdb3
0x1001bdb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001bd1c
0x00000000
0x1001bd09
0x1001bd07
0x1001bcf4
0x1001bce6
0x00000000

APIs

mv_channel_layout_check.A649 ref: 1001BC94
mv_channel_layout_check.A649 ref: 1001BCDF
mv_buffer_ref.A649 ref: 1001BD0E
mv_calloc.A649 ref: 1001BD48
mv_buffer_ref.A649 ref: 1001BD97
mv_channel_layout_from_mask.A649 ref: 1001BE81

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_refmv_channel_layout_check$mv_callocmv_channel_layout_from_mask
String ID:
API String ID: 217990561-0
Opcode ID: 1e1b2be178534d09f3809dd0d7333aeb9c5539d81d1e8131270f189a167b3022
Instruction ID: a7629d8e8dda3d5a431b7117ebde44a71cccd742558e4ac7197543dafc7bd42b
Opcode Fuzzy Hash: 1e1b2be178534d09f3809dd0d7333aeb9c5539d81d1e8131270f189a167b3022
Instruction Fuzzy Hash: 23B17875A04B968BCB60CF29C8817AA7BE1EF49350F164579ED88CF346E734D881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000A720 Relevance: 16.7, APIs: 11, Instructions: 173COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1000A72E
mv_mallocz.A649 ref: 1000A7D5
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A808
mv_mallocz.A649 ref: 1000A890
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A8C4

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$Releasemv_mallocz$Acquire
String ID:
API String ID: 2881747546-0
Opcode ID: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
Instruction ID: d1cc2579b1c102c58a024c2dc6685eb9d016c090d03debdddd743aed40a40bb7
Opcode Fuzzy Hash: e68bda1cf1dcc83a9c629bb4ba2d6cebfd630f8bebdd504c642d2b33e51082ff
Instruction Fuzzy Hash: 0C6126B49087058FE714DF25C48171BBBE1EF85380F12866DE8998B35ADB74E981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001CBC0 Relevance: 16.7, APIs: 11, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001CBC0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp, intOrPtr* _a4, void* _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v91;
				signed int _v92;
				void* _v104;
				signed int _t61;
				signed int _t64;
				void* _t66;
				void _t68;
				intOrPtr _t72;
				signed char _t73;
				int _t76;
				signed int _t79;
				intOrPtr* _t81;
				void* _t83;
				void* _t86;
				void* _t89;
				intOrPtr _t92;

				_v16 = __ebx;
				_t81 = _a4;
				_v4 = __ebp;
				_t72 = _a12;
				_v12 = __esi;
				_v8 = __edi;
				_t61 =  *(_t81 + 4);
				_t92 =  *((intOrPtr*)(0x100b6004 + _t61 * 8));
				if(_t61 > 0xe) {
					L15:
					_t89 =  &_v92;
					L3:
					_t83 = _a8;
					_t76 =  <=  ? _t72 : _t92;
					if(_t76 >= 8) {
						L8:
						if((_t83 & 0x00000001) != 0) {
							_t89 =  &_v91;
							_t76 = _t76 - 1;
							 *_t83 = _v92 & 0x000000ff;
							_t83 = _a8 + 1;
						}
						if((_t83 & 0x00000002) != 0) {
							_t64 =  *_t89 & 0x0000ffff;
							_t83 = _t83 + 2;
							_t89 = _t89 + 2;
							_t76 = _t76 - 2;
							 *(_t83 - 2) = _t64;
						}
						if((_t83 & 0x00000004) != 0) {
							_t68 =  *_t89;
							_t83 = _t83 + 4;
							_t89 = _t89 + 4;
							_t76 = _t76 - 4;
							 *(_t83 - 4) = _t68;
						}
					}
					L4:
					memcpy(_t83, _t89, _t76);
					if(_t92 < _t72) {
						_t66 = _a8;
						_t73 = _t72 - _t92;
						_t86 = _t66 + _t92;
						if(_t73 >= 8) {
							if((_t86 & 0x00000001) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 1;
								_t86 = _t86 + 1;
							}
							if((_t86 & 0x00000002) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 2;
								_t86 = _t86 + 2;
							}
							if((_t86 & 0x00000004) != 0) {
								 *_t86 = 0;
								_t73 = _t73 - 4;
								_t86 = _t86 + 4;
							}
							_t79 = _t73 >> 2;
							_t73 = _t73 & 0x00000003;
							_t66 = memset(_t86, 0, _t79 << 2);
							_t86 = _t86 + _t79;
						}
						if((_t73 & 0x00000004) != 0) {
							 *_t86 = 0;
							_t86 = _t86 + 4;
						}
						if((_t73 & 0x00000002) != 0) {
							 *_t86 = 0;
							_t86 = _t86 + 2;
						}
						if((_t73 & 0x00000001) != 0) {
							 *_t86 = 0;
						}
					}
					return _t66;
				}
				switch( *((intOrPtr*)(_t61 * 4 +  &M100B5EF8))) {
					case 0:
						__esi =  &_v92;
						E100289F0( *__edx,  &_v92);
						goto L3;
					case 1:
						__esi =  &_v92;
						E1002A800( *__edx,  &_v92);
						goto L3;
					case 2:
						__esi =  &_v92;
						E1003C6E0( *__edx,  &_v92);
						__ecx =  <=  ? __ebx : __ebp;
						__edi = _a8;
						__eflags = ( <=  ? __ebx : __ebp) - 8;
						if(( <=  ? __ebx : __ebp) < 8) {
							goto L4;
						} else {
							goto L8;
						}
					case 3:
						__esi =  &_v92;
						E10041410( *__edx,  &_v92);
						goto L3;
					case 4:
						_t89 =  &_v92;
						_v104 = _t89;
						 *_t94 =  *_t81;
						E1004C4C0();
						goto L3;
					case 5:
						__esi =  &_v92;
						asm("bswap eax");
						_v92 =  !( *(__edx + 0xc));
						goto L3;
					case 6:
						asm("bswap eax");
						_v92 =  *(__edx + 0xc);
						goto L15;
				}
			}

0x1001cbc3
0x1001cbc7
0x1001cbcb
0x1001cbcf
0x1001cbd3
0x1001cbd7
0x1001cbdb
0x1001cbe1
0x1001cbe8
0x1001cce1
0x1001cce1
0x1001cc10
0x1001cc14
0x1001cc18
0x1001cc1e
0x1001cc70
0x1001cc76
0x1001cdbd
0x1001cdc1
0x1001cdc2
0x1001cdc8
0x1001cdc8
0x1001cc82
0x1001cda0
0x1001cda3
0x1001cda6
0x1001cda9
0x1001cdac
0x1001cdac
0x1001cc8e
0x1001cc90
0x1001cc92
0x1001cc95
0x1001cc98
0x1001cc9b
0x1001cc9b
0x1001cc8e
0x1001cc20
0x1001cc20
0x1001cc24
0x1001cd30
0x1001cd34
0x1001cd39
0x1001cd3c
0x1001cd76
0x1001cdf0
0x1001cdf3
0x1001cdf4
0x1001cdf4
0x1001cd7e
0x1001cde0
0x1001cde5
0x1001cde8
0x1001cde8
0x1001cd86
0x1001cdd0
0x1001cdd6
0x1001cdd9
0x1001cdd9
0x1001cd8c
0x1001cd8f
0x1001cd92
0x1001cd92
0x1001cd92
0x1001cd41
0x1001cd43
0x1001cd49
0x1001cd49
0x1001cd4f
0x1001cd51
0x1001cd56
0x1001cd56
0x1001cd5c
0x1001cd62
0x1001cd62
0x1001cd5c
0x1001cc3d
0x1001cc3d
0x1001cbee
0x00000000
0x1001ccf0
0x1001ccfd
0x00000000
0x00000000
0x1001cd10
0x1001cd1d
0x00000000
0x00000000
0x1001cc40
0x1001cc4d
0x1001cc56
0x1001cc59
0x1001cc5d
0x1001cc60
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001cca0
0x1001ccad
0x00000000
0x00000000
0x1001cbf8
0x1001cbfc
0x1001cc02
0x1001cc05
0x00000000
0x00000000
0x1001ccc3
0x1001ccc9
0x1001cccb
0x00000000
0x00000000
0x1001ccdb
0x1001ccdd
0x00000000
0x00000000

APIs

mv_sha512_final.A649 ref: 1001CC05
mv_ripemd_final.A649 ref: 1001CC4D
mv_sha_final.A649 ref: 1001CCAD
mv_md5_final.A649 ref: 1001CCFD
mv_murmur3_final.A649 ref: 1001CD1D
mv_sha512_final.A649 ref: 1001CEE5
mv_base64_encode.A649 ref: 1001CF08
mv_ripemd_final.A649 ref: 1001CF6D
mv_sha_final.A649 ref: 1001CF8D
mv_md5_final.A649 ref: 1001CFAD
mv_murmur3_final.A649 ref: 1001CFCD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final$mv_base64_encode
String ID:
API String ID: 2245914800-0
Opcode ID: 62bff0bfa5fda6f057751ef9358ee1ed2e520e05b5b39d291601a4f433c69b85
Instruction ID: eab164d01422db32363519a412dd3cb370dfb3174abfeab388949418a0586d85
Opcode Fuzzy Hash: 62bff0bfa5fda6f057751ef9358ee1ed2e520e05b5b39d291601a4f433c69b85
Instruction Fuzzy Hash: D961F4B9909755CFD710EF24C48065EB7E1FF88700F52882EEA999B311D374E989CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10092440 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10092440() {
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t84;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				void* _t90;
				signed int _t91;
				void* _t97;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t125;
				signed int _t126;
				signed int _t128;
				char* _t129;
				void* _t131;
				signed int* _t132;

				_t132 = _t131 - 0x3c;
				_t125 = _t132[0x14];
				if(_t132[0x15] != 0) {
					_t63 = _t132[0x15];
					 *_t63 = _t125;
				}
				if(_t132[0x16] == 1) {
					L29:
					L100A0678();
					 *_t63 = 0x21;
					goto L30;
				} else {
					if(_t132[0x16] <= 0x24) {
						while(1) {
							_t65 =  *_t125;
							 *_t132 = _t65;
							_t87 = _t65;
							L100A0738();
							if(_t65 == 0) {
								break;
							}
							_t125 = _t125 + 1;
						}
						_t120 = _t87;
						_t88 = _t65;
						_t6 = _t120 - 0x2b; // -43
						_t66 = _t120;
						if((_t6 & 0x000000fd) == 0) {
							_t66 =  *(_t125 + 1) & 0x000000ff;
							_t125 = _t125 + 1;
						}
						if(_t132[0x16] != 0) {
							if(_t132[0x16] != 0x10 || _t66 != 0x30) {
								goto L11;
							} else {
								if(( *(_t125 + 1) & 0xdf) == 0x58) {
									goto L34;
								} else {
									_t132[9] = 0x10;
									_t129 = _t125 + 1;
									_t68 = 0;
									goto L16;
								}
							}
						} else {
							_t132[0x16] = 0xa;
							if(_t66 == 0x30) {
								if(( *(_t125 + 1) & 0xdf) != 0x58) {
									_t132[9] = 8;
									_t132[0x16] = 8;
									goto L45;
								} else {
									L34:
									_t66 =  *(_t125 + 2) & 0x000000ff;
									_t132[0x16] = 0x10;
									_t125 = _t125 + 2;
									goto L11;
								}
							} else {
								L11:
								_t128 = _t66;
								if(_t128 - 0x30 <= 9) {
									_t132[9] = _t132[0x16];
									L45:
									_t68 = _t66 - 0x30;
									goto L15;
								} else {
									 *_t132 = _t128;
									L100A0740();
									if(_t66 != 0) {
										_t68 = _t128 - 0x37;
										_t132[9] = _t132[0x16];
										goto L15;
									} else {
										 *_t132 = _t128;
										L100A0730();
										if(_t66 == 0) {
											L30:
											_t64 = 0;
											goto L31;
										} else {
											_t68 = _t128 - 0x57;
											_t132[9] = _t132[0x16];
											L15:
											_t129 = _t125 + 1;
											if(_t68 >= _t132[9]) {
												goto L30;
											} else {
												L16:
												_t69 = _t132[0x16];
												_t132[0xa] = _t88;
												_t126 = _t68;
												_t132[6] = _t69;
												_t132[7] = _t69 >> 0x1f;
												_t71 = _t120;
												_t121 = _t68 >> 0x1f;
												_t132[0xb] = _t71;
												while(1) {
													_t89 =  *_t129;
													_t35 = _t89 - 0x30; // -96
													_t97 = _t35;
													if(_t97 <= 9) {
														goto L17;
													}
													 *_t132 = _t89;
													L100A0740();
													if(_t71 == 0) {
														 *_t132 = _t89;
														L100A0730();
														if(_t71 != 0) {
															_t90 = _t89 - 0x57;
															goto L18;
														}
													} else {
														_t90 = _t89 - 0x37;
														L18:
														if(_t90 < _t132[9]) {
															 *_t132 = 0xffffffff;
															_t132[1] = 0x7fffffff;
															_t132[2] = _t132[6];
															_t132[3] = _t132[7];
															_t71 = E10091900() + 2;
															asm("adc edx, 0x0");
															asm("sbb edx, edi");
															if(_t71 < _t126) {
																_t132[0xa] = 1;
															} else {
																_t84 = _t126;
																_t71 = _t84 * _t132[0x16];
																_t121 = (_t84 * _t132[0x16] >> 0x20) + _t132[7] * _t126 + _t132[0x16] * _t121;
																_t126 = _t71 + _t90;
																asm("adc edi, ebx");
															}
															_t129 = _t129 + 1;
															continue;
														}
													}
													_t91 = _t132[0xa];
													_t132[7] = _t121;
													_t132[6] = _t126;
													_t122 = _t132[0xb] & 0x000000ff;
													if(_t132[0x15] != 0) {
														 *(_t132[0x15]) = _t129;
													}
													if(_t122 == 0x2d) {
														asm("sbb eax, ebp");
														if(0 < _t132[6] || _t91 != 0) {
															L100A0678();
															 *0x80000000 = 0x22;
															_t64 = 0;
														} else {
															_t64 =  ~(_t132[6]);
															asm("adc edx, 0x0");
														}
														goto L31;
													} else {
														_t64 = _t132[6];
														if(_t132[7] < 0 || _t91 != 0) {
															L100A0678();
															 *_t64 = 0x22;
															return 0xffffffff;
														} else {
															L31:
															return _t64;
														}
													}
													goto L51;
													L17:
													_t90 = _t97;
													goto L18;
												}
											}
										}
									}
								}
							}
						}
					} else {
						goto L29;
					}
				}
				L51:
			}

0x10092444
0x1009244b
0x10092451
0x10092453
0x10092457
0x10092457
0x1009245e
0x100925f0
0x100925f0
0x100925f5
0x00000000
0x10092464
0x10092469
0x10092473
0x10092473
0x10092476
0x10092479
0x1009247b
0x10092482
0x00000000
0x00000000
0x10092470
0x10092470
0x10092484
0x10092486
0x10092488
0x1009248b
0x10092493
0x10092495
0x10092499
0x10092499
0x100924a2
0x100925c5
0x00000000
0x100925d3
0x100925dc
0x00000000
0x100925de
0x100925de
0x100925e6
0x100925e9
0x00000000
0x100925e9
0x100925dc
0x100924a8
0x100924a8
0x100924b2
0x1009262a
0x10092718
0x10092720
0x00000000
0x10092630
0x10092630
0x10092630
0x10092634
0x1009263c
0x00000000
0x1009263c
0x100924b8
0x100924b8
0x100924b8
0x100924c1
0x100926d4
0x100926d8
0x100926db
0x00000000
0x100924c7
0x100924c7
0x100924ca
0x100924d1
0x10092614
0x10092617
0x00000000
0x100924d7
0x100924d7
0x100924da
0x100924e1
0x100925fb
0x100925fb
0x00000000
0x100924e7
0x100924eb
0x100924ee
0x100924f8
0x100924fc
0x10092501
0x00000000
0x10092507
0x10092507
0x1009250b
0x1009250f
0x10092516
0x10092518
0x1009251f
0x10092523
0x10092525
0x10092527
0x1009259a
0x1009259a
0x1009259e
0x1009259e
0x100925a4
0x00000000
0x00000000
0x100925a6
0x100925a9
0x100925b0
0x10092658
0x1009265b
0x10092662
0x100926c0
0x00000000
0x100926c0
0x100925b6
0x100925b6
0x10092532
0x10092538
0x10092546
0x1009254d
0x10092555
0x10092559
0x10092562
0x10092565
0x1009256a
0x1009256c
0x10092648
0x10092572
0x10092582
0x10092584
0x1009258c
0x10092593
0x10092595
0x10092595
0x10092597
0x00000000
0x10092597
0x10092538
0x10092668
0x1009266c
0x10092670
0x10092674
0x1009267b
0x10092681
0x10092681
0x10092687
0x100926f9
0x100926fb
0x10092701
0x1009270b
0x10092711
0x1009272a
0x10092732
0x10092734
0x10092737
0x00000000
0x10092689
0x1009268d
0x10092693
0x1009269d
0x100926a7
0x100926b9
0x100925ff
0x100925ff
0x10092606
0x10092606
0x10092693
0x00000000
0x10092530
0x10092530
0x00000000
0x10092530
0x1009259a
0x10092501
0x100924e1
0x100924d1
0x100924c1
0x100924b2
0x1009246b
0x00000000
0x1009246b
0x10092469
0x00000000

APIs

isspace.MSVCRT ref: 1009247B
isupper.MSVCRT ref: 100924CA
islower.MSVCRT ref: 100924DA
isupper.MSVCRT ref: 100925A9
_errno.MSVCRT ref: 100925F0

Strings

$, xrefs: 10092464

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: isupper$_errnoislowerisspace
String ID: $
API String ID: 4095548146-3993045852
Opcode ID: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
Instruction ID: bf1127f437a700fe79d2786272533d695bbcf864f17e232e7603132a75f37682
Opcode Fuzzy Hash: 86157aabf5dcf11647465d89481f5db1467bac492865d6203d8e1a1173ce975d
Instruction Fuzzy Hash: A171A0746087868FC300CF68C88065EFBE2EFC9394F15492DF8998B791E674D845AB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001EDD3 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1001EDD3(intOrPtr _a4) {
				intOrPtr _v40;
				signed char _v48;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr* _v128;
				intOrPtr _v132;
				intOrPtr* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				char* _v152;
				char _v156;
				intOrPtr _v160;
				char* _v164;
				intOrPtr _v168;
				void* __ebx;
				intOrPtr _t80;
				signed int _t81;
				intOrPtr _t84;
				void* _t85;
				intOrPtr* _t92;
				intOrPtr _t93;
				intOrPtr _t107;
				signed char _t108;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr* _t126;
				void* _t132;
				intOrPtr* _t133;

				_t133 = _t132 - 0x8c;
				_t107 = _a4;
				_t126 =  *((intOrPtr*)(_t107 + 0x10));
				_v128 =  *((intOrPtr*)( *((intOrPtr*)(_t107 + 0xc)) + 0xc));
				_v136 =  *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 4));
				_t80 =  *((intOrPtr*)(_t107 + 0x28));
				if(_t80 == 0x17) {
					_t81 = 0;
					goto L10;
				} else {
					if(_t80 == 0x9f) {
						_t81 = 1;
						goto L10;
					} else {
						if(_t80 == 0x1c) {
							_t81 = 2;
							goto L10;
						} else {
							if(_t80 == 0xc4) {
								_t81 = 3;
								goto L10;
							} else {
								if(_t80 == 0xd0) {
									_t81 = 4;
									goto L10;
								} else {
									if(_t80 == 0) {
										_t81 = 5;
										L10:
										_t113 =  *((intOrPtr*)(0x100b6660 + _t81 * 8));
										_t108 =  *(_t126 + 4);
										_v132 =  *((intOrPtr*)(_t126 + 8));
										 *((intOrPtr*)(_v136 + 8)) = _t113;
										_t83 =  *((intOrPtr*)(_t107 + 0x20));
										_v92 = 0;
										_v80 = 0;
										_v100 = _t113;
										_v88 = 0;
										_v96 = 1;
										_t115 =  *_t126;
										_v116 =  *((intOrPtr*)(_t107 + 0x2c));
										_v104 = _t83;
										_v112 =  *((intOrPtr*)(_t107 + 0x30));
										_v108 = 1;
										_v84 = _t108;
										_v76 = _v132;
										if(_t115 == 0) {
											if((_t108 & 0x00000020) != 0 || _t83 == 0) {
												goto L15;
											} else {
												_t92 =  *_v128;
												_v144 = _t126;
												_v148 = 0;
												_v152 =  &_v116;
												_v156 = _t92;
												_t93 =  *((intOrPtr*)( *_t92 + 0x14))();
												_t133 = _t133 - 0x10;
												if(_t93 < 0) {
													_v160 = _t93;
													_v164 = "Could not create the texture (%lx)\n";
													_v168 = 0x10;
													 *_t133 = _t107;
													E10026560();
													_t85 = 0xb1b4b1ab;
													goto L8;
												} else {
													_t83 =  *((intOrPtr*)(_t107 + 0x20));
													goto L15;
												}
											}
										} else {
											_v152 =  &_v72;
											_v156 = _t115;
											 *((intOrPtr*)( *_t115 + 0x28))();
											_t133 = _t133 - 8;
											if(_v124 != _v80 || _v120 != _v76 || _v108 != _v64) {
												E10026560(_t107, 0x10, "User-provided texture has mismatching parameters\n");
												goto L7;
											} else {
												_t83 = _v68;
												 *((intOrPtr*)(_t107 + 0x20)) = _v68;
												 *(_t126 + 4) = _v48;
												 *((intOrPtr*)(_t126 + 8)) = _v40;
												L15:
												_t84 = E10028DE0(0, _t83, 8);
												 *((intOrPtr*)(_t126 + 0xc)) = _t84;
												if(_t84 == 0) {
													L28:
													_t85 = 0xfffffff4;
													goto L8;
												} else {
													 *_v136 =  *((intOrPtr*)(_t107 + 0x20));
													_v144 = 0;
													 *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 8)) = E1000A590(_t107, 8, _t107, 0x1001f3c0);
													if( *((intOrPtr*)( *((intOrPtr*)(_t107 + 4)) + 8)) == 0) {
														goto L28;
													} else {
														return 0;
													}
												}
											}
										}
									} else {
										E10026560(_t107, 0x10, "Unsupported pixel format: %s\n", E10034450(_t80));
										L7:
										_t85 = 0xffffffea;
										L8:
										return _t85;
									}
								}
							}
						}
					}
				}
			}

0x1001ede4
0x1001edea
0x1001edf4
0x1001edfa
0x1001ee04
0x1001ee08
0x1001ee0e
0x1001ee80
0x00000000
0x1001ee10
0x1001ee15
0x1001eff8
0x00000000
0x1001ee1b
0x1001ee1e
0x1001f002
0x00000000
0x1001ee24
0x1001ee29
0x1001f00c
0x00000000
0x1001ee2f
0x1001ee34
0x1001f016
0x00000000
0x1001ee3a
0x1001ee3c
0x1001f020
0x1001ee90
0x1001ee95
0x1001eea0
0x1001eea3
0x1001eea9
0x1001eeac
0x1001eeaf
0x1001eeb5
0x1001eebc
0x1001eec5
0x1001eecc
0x1001eed0
0x1001eed2
0x1001eeda
0x1001eede
0x1001eee7
0x1001eeed
0x1001eef1
0x1001eef5
0x1001efc3
0x00000000
0x1001efc9
0x1001efd3
0x1001efd7
0x1001efdb
0x1001efdf
0x1001efe3
0x1001efe6
0x1001efe9
0x1001efee
0x1001f053
0x1001f057
0x1001f05f
0x1001f067
0x1001f06a
0x1001f06f
0x00000000
0x1001eff0
0x1001eff0
0x00000000
0x1001eff0
0x1001efee
0x1001eefb
0x1001ef01
0x1001ef05
0x1001ef08
0x1001ef0b
0x1001ef16
0x1001f03f
0x00000000
0x1001ef38
0x1001ef38
0x1001ef40
0x1001ef43
0x1001ef4a
0x1001ef4d
0x1001ef61
0x1001ef66
0x1001ef6b
0x1001f049
0x1001f049
0x00000000
0x1001ef71
0x1001ef80
0x1001ef84
0x1001ef9c
0x1001efa7
0x00000000
0x1001efad
0x1001efb9
0x1001efb9
0x1001efa7
0x1001ef6b
0x1001ef16
0x1001ee42
0x1001ee63
0x1001ee68
0x1001ee68
0x1001ee6d
0x1001ee77
0x1001ee77
0x1001ee3c
0x1001ee34
0x1001ee29
0x1001ee1e
0x1001ee15

APIs

mv_get_pix_fmt_name.A649 ref: 1001EE45
mv_log.A649 ref: 1001EE63
mv_realloc_f.A649 ref: 1001EF61
mv_buffer_pool_init2.A649 ref: 1001EF97

Strings

Could not create the texture (%lx), xrefs: 1001F057
Unsupported pixel format: %s, xrefs: 1001EE51
User-provided texture has mismatching parameters, xrefs: 1001F02D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_pool_init2mv_get_pix_fmt_namemv_logmv_realloc_f
String ID: Could not create the texture (%lx)$Unsupported pixel format: %s$User-provided texture has mismatching parameters
API String ID: 2711572445-2713259832
Opcode ID: 61522124965e7a70bcebdc6bea7493d2fd4525d62fe2246ab6ae2aa39c44ee0d
Instruction ID: 6e4f5ef8983291c51a841fcbf1f78f5fcdc40949d936ea548a3686936fced655
Opcode Fuzzy Hash: 61522124965e7a70bcebdc6bea7493d2fd4525d62fe2246ab6ae2aa39c44ee0d
Instruction Fuzzy Hash: 2D71D1B4A087418FD750CF29D58061ABBE1FF88754F51892EE899CB351E735EC81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10019966 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 100199A3
mv_malloc.A649 ref: 100199AE
mv_log.A649 ref: 10019A78

Part of subcall function 10092340: strlen.MSVCRT ref: 10092352
Part of subcall function 10092340: _errno.MSVCRT ref: 10092370

_errno.MSVCRT ref: 10019A21
mv_log.A649 ref: 10019A4E
mv_freep.A649 ref: 10019A56

Strings

/tmp/%sXXXXXX, xrefs: 100199C1
ff_tempfile: Cannot open temporary file %s, xrefs: 10019A45
./%sXXXXXX, xrefs: 100199FC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errnomv_logstrlen$mv_freepmv_malloc
String ID: ./%sXXXXXX$/tmp/%sXXXXXX$ff_tempfile: Cannot open temporary file %s
API String ID: 3823847272-2791948529
Opcode ID: 0e5122a1a59482f1391c41e450b50fc8713657fea74dc0bdb0a868fd5e12b82b
Instruction ID: 5c9e7e740aff64d54265a733c7371d0aa756a9e571cecda85a31403e97ce6f1f
Opcode Fuzzy Hash: 0e5122a1a59482f1391c41e450b50fc8713657fea74dc0bdb0a868fd5e12b82b
Instruction Fuzzy Hash: 58317BB89097419FC740DF29C18161AFBE0FF88650F91896EE9D99B310E735E9858F82

Uniqueness

Uniqueness Score: -1.00%

Function 10009130 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 272
stringCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E10009130() {
				int _t86;
				void* _t91;
				void* _t93;
				signed char _t99;
				void* _t111;
				signed char _t113;
				void* _t114;
				void* _t118;
				signed char _t119;
				void* _t121;
				int _t122;
				void* _t123;
				unsigned int _t124;
				unsigned int _t125;
				signed int _t126;
				void* _t130;
				void* _t131;
				int _t132;
				void* _t136;
				signed char _t139;
				signed char _t141;
				void* _t142;
				void* _t143;
				signed int _t144;
				int _t145;
				void* _t147;
				signed int _t148;
				signed int _t151;
				int _t153;
				signed int _t154;
				void _t158;
				void* _t159;
				char* _t161;
				void** _t162;
				void* _t165;
				void* _t166;
				void** _t167;
				void*** _t168;

				_t86 = _t168[0x111];
				_t167 = _t168[0x110];
				if( *_t86 == 0) {
					L40:
					return _t86;
				} else {
					_t118 = _t167[2];
					while(1) {
						_t145 = _t167[1];
						_t88 =  <=  ? _t145 : _t118;
						_t121 = _t118 - ( <=  ? _t145 : _t118);
						if(_t121 != 0) {
							goto L15;
						}
						 *_t168 = _t168[0x111];
						_t9 = strlen(??) + 1; // 0x1
						_t159 = _t9;
						L11:
						_t124 = _t167[3];
						if(_t124 == _t118 || _t145 >= _t118) {
							L22:
							_t95 =  <=  ? _t118 : _t145;
							_t119 = _t118 - ( <=  ? _t118 : _t145);
							if(_t119 > 0x3ff) {
								L26:
								_t139 = _t119;
								_t147 =  *_t167 + _t145;
								if(_t119 >= 8) {
									if((_t147 & 0x00000001) != 0) {
										 *_t147 = 0x21;
										_t139 = _t119 - 1;
										_t147 = _t147 + 1;
									}
									if((_t147 & 0x00000002) != 0) {
										 *_t147 = 0x2121;
										_t139 = _t139 - 2;
										_t147 = _t147 + 2;
									}
									if((_t147 & 0x00000004) != 0) {
										 *_t147 = 0x21212121;
										_t139 = _t139 - 4;
										_t147 = _t147 + 4;
									}
									_t125 = _t139;
									_t139 = _t139 & 0x00000003;
									_t126 = _t125 >> 2;
									memset(_t147, 0x21212121, _t126 << 2);
									_t168 =  &(_t168[3]);
									_t147 = _t147 + _t126;
									if((_t139 & 0x00000004) == 0) {
										goto L29;
									} else {
										goto L28;
									}
									goto L40;
								} else {
									if((_t139 & 0x00000004) != 0) {
										L28:
										 *_t147 = 0x21212121;
										_t147 = _t147 + 4;
									}
								}
								L29:
								if((_t139 & 0x00000002) != 0) {
									 *_t147 = 0x2121;
									_t147 = _t147 + 2;
								}
								if((_t139 & 0x00000001) != 0) {
									 *_t147 = 0x21;
								}
								_t161 = "[truncated strftime output]";
								_t99 =  <=  ? _t119 : 0x1b;
								_t141 =  *_t167 + _t167[1];
								if(0x1b >= 4) {
									if((_t141 & 0x00000001) != 0) {
										_t141 = _t141 + 1;
										_t161 = "truncated strftime output]";
										_t99 = _t99 - 1;
										 *((char*)(_t141 - 1)) = "[truncated strftime output]" & 0x000000ff;
									}
									if((_t141 & 0x00000002) != 0) {
										_t148 =  *_t161 & 0x0000ffff;
										_t141 = _t141 + 2;
										_t161 =  &(_t161[2]);
										_t99 = _t99 - 2;
										 *(_t141 - 2) = _t148;
									}
									if(_t99 >= 4) {
										_t168[7] = _t99;
										_t131 = 0;
										_t151 = _t99 & 0xfffffffc;
										do {
											 *(_t141 + _t131) = _t161[_t131];
											_t131 = _t131 + 4;
										} while (_t131 < _t151);
										_t99 = _t168[7];
										_t141 = _t141 + _t131;
										_t161 =  &(_t161[_t131]);
									}
								}
								_t130 = 0;
								if((_t99 & 0x00000002) != 0) {
									_t130 = 2;
									 *_t141 =  *_t161 & 0x0000ffff;
								}
								if((_t99 & 0x00000001) != 0) {
									 *((char*)(_t141 + _t130)) = _t161[_t130] & 0x000000ff;
								}
								_t142 = _t167[1];
								_t102 =  >  ? _t119 : 0xfffffffa - _t142;
								_t86 = ( >  ? _t119 : 0xfffffffa - _t142) + _t142;
								_t136 = _t167[2];
								_t167[1] = 0xfffffffa;
								if(_t136 != 0) {
									L39:
									_t138 =  >  ? _t86 : _t136 - 1;
									_t93 =  *_t167;
									 *((char*)(_t93 + ( >  ? _t86 : _t136 - 1))) = 0;
									return _t93;
								}
								goto L40;
							} else {
								_t162 =  &(_t168[8]);
								 *_t168 = _t162;
								_t168[3] = _t168[0x112];
								_t168[2] = _t168[0x111];
								_t86 = 0x400;
								_t168[1] = 0x400;
								L100A07D0();
								if(0x400 != 0) {
									_t168[2] = _t162;
									_t168[1] = 0x100af500;
									 *_t168 = _t167;
									return E100089C0();
								} else {
									if(_t119 != 0) {
										_t145 = _t167[1];
										goto L26;
									}
									goto L40;
								}
							}
						} else {
							_t110 =  >  ? _t159 : 0xfffffffe - _t145;
							_t111 = _t145 + ( >  ? _t159 : 0xfffffffe - _t145) + 1;
							if(_t124 >> 1 >= _t118) {
								_t118 = _t118 + _t118;
							} else {
								_t118 = _t124;
							}
							if(_t118 < _t111) {
								_t115 =  <=  ? _t124 : _t111;
								_t118 =  <=  ? _t124 : _t111;
							}
							_t165 =  *_t167;
							_t168[1] = _t118;
							if(_t165 ==  &(_t167[4])) {
								 *_t168 = 0;
								_t113 = E10028DA0();
								if(_t113 == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								 *_t168 = _t165;
								_t113 = E10028DA0();
								if(_t113 == 0) {
									L21:
									_t118 = _t167[2];
									_t145 = _t167[1];
									goto L22;
								} else {
									if(_t165 == 0) {
										L19:
										_t153 = _t167[1];
										_t143 = _t113;
										_t166 =  *_t167;
										_t132 = _t153 + 1;
										_t168[7] = _t166;
										if(_t132 >= 8) {
											if((_t113 & 0x00000001) != 0) {
												_t144 =  *_t166 & 0x000000ff;
												_t132 = _t153;
												_t166 = _t166 + 1;
												 *_t113 = _t144;
												_t82 = _t113 + 1; // 0x1
												_t143 = _t82;
											}
											if((_t143 & 0x00000002) != 0) {
												_t154 =  *_t166 & 0x0000ffff;
												_t143 = _t143 + 2;
												_t166 = _t166 + 2;
												_t132 = _t132 - 2;
												 *(_t143 - 2) = _t154;
											}
											if((_t143 & 0x00000004) != 0) {
												_t158 =  *_t166;
												_t143 = _t143 + 4;
												_t166 = _t166 + 4;
												_t132 = _t132 - 4;
												 *(_t143 - 4) = _t158;
											}
										}
										_t114 = memcpy(_t143, _t166, _t132);
										_t168 =  &(_t168[3]);
									}
									 *_t167 = _t114;
									_t167[2] = _t118;
									continue;
								}
							}
						}
						goto L66;
						L15:
						_t168[1] = _t121;
						_t168[7] = _t121;
						_t168[3] = _t168[0x112];
						_t168[2] = _t168[0x111];
						_t91 =  *_t167;
						 *_t168 = _t91 + _t145;
						L100A07D0();
						if(_t91 != 0) {
							_t122 = _t167[1];
							_t92 =  <=  ? 0xfffffffa - _t122 : _t91;
							_t136 = _t167[2];
							_t86 = ( <=  ? 0xfffffffa - _t122 : _t91) + _t122;
							_t167[1] = _t86;
							if(_t136 != 0) {
								goto L39;
							}
							goto L40;
						} else {
							_t123 = _t168[7];
							_t159 = 0x7fffffff;
							_t145 = _t167[1];
							_t118 = _t167[2];
							if(_t123 <= 0x3fffffff) {
								_t159 = _t123 + _t123;
							}
							goto L11;
						}
						goto L66;
					}
				}
				L66:
			}

0x1000913a
0x10009141
0x1000914b
0x10009377
0x10009377
0x10009151
0x10009151
0x1000919d
0x1000919d
0x100091a6
0x100091a9
0x100091ab
0x00000000
0x00000000
0x100091b4
0x100091bc
0x100091bc
0x100091bf
0x100091bf
0x100091c4
0x10009287
0x1000928b
0x1000928e
0x10009296
0x100092d6
0x100092d9
0x100092db
0x100092e0
0x100093f6
0x100094c6
0x100094c9
0x100094cc
0x100094cc
0x10009402
0x100094b6
0x100094bb
0x100094be
0x100094be
0x1000940e
0x100094a5
0x100094ab
0x100094ae
0x100094ae
0x10009414
0x10009416
0x10009419
0x10009421
0x10009421
0x10009421
0x10009426
0x00000000
0x1000942c
0x00000000
0x1000942c
0x00000000
0x100092e6
0x100092e9
0x100092eb
0x100092eb
0x100092f1
0x100092f1
0x100092e9
0x100092f4
0x100092f7
0x100092f9
0x100092fe
0x100092fe
0x10009304
0x10009306
0x10009306
0x10009311
0x1000931b
0x1000931e
0x10009323
0x100093b3
0x100094ee
0x100094ef
0x100094f4
0x100094f5
0x100094f5
0x100093bc
0x100094d2
0x100094d5
0x100094d8
0x100094db
0x100094de
0x100094de
0x100093c5
0x100093cb
0x100093d1
0x100093d3
0x100093d6
0x100093d9
0x100093dc
0x100093df
0x100093e3
0x100093e7
0x100093e9
0x100093e9
0x100093c5
0x10009329
0x1000932d
0x10009332
0x10009337
0x10009337
0x1000933c
0x10009342
0x10009342
0x10009345
0x10009351
0x10009354
0x10009356
0x10009359
0x1000935e
0x10009360
0x10009363
0x10009366
0x10009369
0x00000000
0x10009369
0x00000000
0x10009298
0x1000929f
0x100092a3
0x100092a6
0x100092b1
0x100092b5
0x100092ba
0x100092be
0x100092c5
0x10009460
0x10009469
0x1000946d
0x1000947f
0x100092cb
0x100092cd
0x100092d3
0x00000000
0x100092d3
0x00000000
0x100092cd
0x100092c5
0x100091d2
0x100091db
0x100091e2
0x100091e8
0x10009160
0x100091ee
0x100091ee
0x100091ee
0x10009164
0x10009168
0x1000916b
0x1000916b
0x1000916d
0x10009173
0x10009179
0x10009250
0x10009257
0x1000925e
0x00000000
0x00000000
0x00000000
0x00000000
0x1000917f
0x1000917f
0x10009182
0x10009189
0x10009281
0x10009281
0x10009284
0x00000000
0x1000918f
0x10009191
0x10009260
0x10009260
0x10009263
0x10009265
0x10009268
0x1000926b
0x10009272
0x10009382
0x10009495
0x10009498
0x1000949a
0x1000949b
0x1000949d
0x1000949d
0x1000949d
0x1000938b
0x10009480
0x10009483
0x10009486
0x10009489
0x1000948c
0x1000948c
0x10009394
0x1000939a
0x1000939c
0x1000939f
0x100093a2
0x100093a5
0x100093a5
0x10009394
0x1000927a
0x1000927a
0x1000927a
0x10009197
0x1000919a
0x00000000
0x1000919a
0x10009189
0x10009179
0x00000000
0x100091f8
0x100091f8
0x10009203
0x10009207
0x10009212
0x10009216
0x1000921b
0x1000921e
0x10009225
0x10009438
0x10009444
0x10009447
0x1000944a
0x1000944c
0x10009451
0x00000000
0x10009457
0x00000000
0x1000922b
0x1000922b
0x1000922f
0x10009234
0x10009237
0x10009240
0x10009246
0x10009246
0x00000000
0x10009240
0x00000000
0x10009225
0x1000919d
0x00000000

APIs

mv_realloc.A649 ref: 10009182
strlen.MSVCRT ref: 100091B7
strftime.MSVCRT ref: 1000921E

Strings

!!!!, xrefs: 1000941C
[truncated strftime output], xrefs: 10009311

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_reallocstrftimestrlen
String ID: !!!!$[truncated strftime output]
API String ID: 709960874-1743851734
Opcode ID: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
Instruction ID: 6237faa146818e252d6bc5810784fdb2c70fb651bac13d65fe422c41695cf2e5
Opcode Fuzzy Hash: d5bbf64755c465b92655ce73a4e1a41950866e2796eda1fbafdbb6a7e4c7dd5d
Instruction Fuzzy Hash: 40A19071A042429FE715CF28C98539E77E2EF843D0F268528ED898B399E735DE45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10092740 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 1009277B
isupper.MSVCRT ref: 100927CA
islower.MSVCRT ref: 100927DA
isupper.MSVCRT ref: 100928B9
_errno.MSVCRT ref: 10092900

Strings

$, xrefs: 10092764

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: isupper$_errnoislowerisspace
String ID: $
API String ID: 4095548146-3993045852
Opcode ID: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
Instruction ID: e6fe0532defbc5c939969159b76f19bdcb6dcf227e53754754f51ab417db1434
Opcode Fuzzy Hash: be9900f16ef8ba6dd7badc9de842b1b9b2026b697452fe85c3562d42e694471b
Instruction Fuzzy Hash: 91619074A0C3858BC704CF68C48021EFBE6EFC9354F154A2DF8D99B391D674D945AB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001FEA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

mv_pix_fmt_count_planes.A649 ref: 1001FEB8
mv_mallocz.A649 ref: 1001FF24
mv_image_fill_pointers.A649 ref: 1001FFC6
mv_log.A649 ref: 1002005F

Strings

Unable to lock DXVA2 surface, xrefs: 10020025
Error getting a surface description, xrefs: 10020046

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_fill_pointersmv_logmv_malloczmv_pix_fmt_count_planes
String ID: Error getting a surface description$Unable to lock DXVA2 surface
API String ID: 3966133200-1717708846
Opcode ID: 28e59d6481748342c7d568e33cdece0c84b2b28fb8438d439cfa974509fd1266
Instruction ID: 9b671f7b6b0aa002ea76b440e070bdb56073e2fbbdb80e22d34e42bc171be86a
Opcode Fuzzy Hash: 28e59d6481748342c7d568e33cdece0c84b2b28fb8438d439cfa974509fd1266
Instruction Fuzzy Hash: 3E5113B49093459FD380DF28D58466EBBE0FF89294F51892EF889CB311EB75D881CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.A649 ref: 1000C308
mv_bprintf.A649 ref: 1000C330

Strings

NONE, xrefs: 1000C327
USR%d, xrefs: 1000C37C
AMBI%d, xrefs: 1000C394

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: AMBI%d$NONE$USR%d
API String ID: 2490314137-3656852315
Opcode ID: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
Instruction ID: 0a946672120a056d3661d42bdbf04e5838db89b9617306f254fc419f9ddf239a
Opcode Fuzzy Hash: 43d24e6ab82ebdc785fe14ad5c403714f51aa5fcf9dbfb0c2afa0a7af5774545
Instruction Fuzzy Hash: 41117FB4919745CBE314EF28C480A5EB7E0FF84380F51C92EF68897254C334AA419B93

Uniqueness

Uniqueness Score: -1.00%

Function 1000C470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.A649 ref: 1000C4A8
mv_bprintf.A649 ref: 1000C4D0

Strings

user %d, xrefs: 1000C51C
none, xrefs: 1000C4C7
ambisonic ACN %d, xrefs: 1000C534

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: ambisonic ACN %d$none$user %d
API String ID: 2490314137-4180635230
Opcode ID: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
Instruction ID: b6a1bd800e9813b9dae9be9b31ba14f11150b02b1f0a339f321a001e9bfab4f6
Opcode Fuzzy Hash: b66278b44bd33978a7099e039c8c5aff353fdb60d4a10324e67c31c1774a271f
Instruction Fuzzy Hash: B71172B4909B558BE320DF24C48096EB7E0FF847C4F51881EF5D887289D334A981DB93

Uniqueness

Uniqueness Score: -1.00%

Function 1001B8D0 Relevance: 13.8, APIs: 9, Instructions: 250COMMON

Download Yara Rule

APIs

mv_channel_layout_check.A649 ref: 1001B920
mv_sample_fmt_is_planar.A649 ref: 1001B942
mv_channel_layout_check.A649 ref: 1001B9B7
mv_hwframe_transfer_data.A649 ref: 1001BAE3

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_check$mv_hwframe_transfer_datamv_sample_fmt_is_planar
String ID:
API String ID: 1553998843-0
Opcode ID: f8e0577820c34def32d1422a324ff24156c3b988a6c372e5998705135d458380
Instruction ID: f6c570e5edcbfd583988d1bef83990bd6572ade0c752e77674d16c7ce7beac5b
Opcode Fuzzy Hash: f8e0577820c34def32d1422a324ff24156c3b988a6c372e5998705135d458380
Instruction Fuzzy Hash: 39A12174604B458BD758DF26C0C162BBBE2FFC4694F158A2DD9998F719E730E882CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10006BF0 Relevance: 13.6, APIs: 9, Instructions: 111
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E10006BF0(signed char* _a4, signed char* _a8, signed char* _a12) {
				intOrPtr _v1044;
				intOrPtr _v1048;
				char _v1052;
				char _v1056;
				int _v1072;
				int _v1076;
				signed char _v1077;
				int _v1092;
				signed char* _v1096;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t38;
				int _t39;
				int _t42;
				signed int _t63;
				signed char _t66;
				signed char _t70;
				signed char* _t72;
				signed char* _t73;
				signed char* _t74;
				void* _t75;
				signed char** _t76;

				_t64 = 1;
				_t76 = _t75 - 0x43c;
				_v1056 = 0;
				_t73 = _a8;
				_t74 = _a4;
				 *_t76 = _a12;
				_t38 = strlen(??);
				 *_t76 = _t73;
				_v1076 = _t38;
				_t39 = strlen(??);
				_v1092 = 0xffffffff;
				_v1096 = 1;
				_v1072 = _t39;
				 *_t76 =  &_v1052;
				E10008880(1, _t72, _t73, _t74);
				while(1) {
					L1:
					_t66 =  *_t73 & 0x000000ff;
					if(_t66 == 0) {
						goto L13;
					}
					_v1077 = _t66;
					_t72 = _t74;
					do {
						_t63 = _v1077 & 0x000000ff;
						_t64 = 0;
						L5:
						L5:
						if(_t63 - 0x61 <= 0x19) {
							_t63 = _t63 ^ 0x00000020;
						}
						_t70 = _t72[_t64];
						_t66 = _t70;
						if(_t70 - 0x61 <= 0x19) {
							_t66 = _t66 ^ 0x00000020;
						}
						if(_t63 == _t66) {
							goto L4;
						}
						goto L10;
						L4:
						_t64 = _t64 + 1;
						_t63 = _t73[_t64] & 0x000000ff;
						if(_t63 == 0) {
							L15:
							_v1096 = _t74;
							_v1092 = _t72 - _t74;
							 *_t76 =  &_v1052;
							E10008F30();
							_t74 =  &(_t72[_v1072]);
							_v1092 = _v1076;
							_v1096 = _a12;
							 *_t76 =  &_v1052;
							E10008F30();
							goto L1;
						}
						goto L5;
						L10:
						_t72 =  &(_t72[1]);
					} while ( *((char*)(_t72 - 1)) != 0);
					L11:
					 *_t76 = _t74;
					_t42 = strlen(??);
					_v1096 = _t74;
					_v1092 = _t42;
					 *_t76 =  &_v1052;
					E10008F30();
					if(_v1048 < _v1044) {
						_v1096 =  &_v1056;
						 *_t76 =  &_v1052;
						E10009690(_t64, _t66, _t72, _t73);
						return _v1056;
					} else {
						_v1096 = 0;
						 *_t76 =  &_v1052;
						E10009690(_t64, _t66, _t72, _t73);
						return _v1056;
					}
					L13:
					if(_t74 == 0) {
						goto L11;
					}
					_t72 = _t74;
					goto L15;
				}
			}

0x10006bf6
0x10006bfb
0x10006c01
0x10006c0c
0x10006c13
0x10006c1a
0x10006c1d
0x10006c22
0x10006c25
0x10006c29
0x10006c33
0x10006c37
0x10006c3b
0x10006c43
0x10006c46
0x10006c50
0x10006c50
0x10006c50
0x10006c55
0x00000000
0x00000000
0x10006c5b
0x10006c5f
0x10006c70
0x10006c70
0x10006c75
0x00000000
0x10006c89
0x10006c92
0x10006c94
0x10006c94
0x10006c96
0x10006c9a
0x10006ca2
0x10006ca4
0x10006ca4
0x10006ca9
0x00000000
0x00000000
0x00000000
0x10006c80
0x10006c80
0x10006c81
0x10006c87
0x10006d00
0x10006d00
0x10006d08
0x10006d10
0x10006d13
0x10006d1c
0x10006d23
0x10006d2e
0x10006d36
0x10006d39
0x00000000
0x10006d39
0x00000000
0x10006cab
0x10006cab
0x10006cac
0x10006cb2
0x10006cb2
0x10006cb5
0x10006cba
0x10006cbe
0x10006cc6
0x10006cc9
0x10006cd6
0x10006d47
0x10006d4f
0x10006d52
0x10006d65
0x10006cd8
0x10006cda
0x10006ce2
0x10006ce5
0x10006cf8
0x10006cf8
0x10006cf9
0x10006cfb
0x00000000
0x00000000
0x10006cfd
0x00000000
0x10006cfd

APIs

strlen.MSVCRT ref: 10006C1D
strlen.MSVCRT ref: 10006C29
mv_bprint_init.A649 ref: 10006C46
strlen.MSVCRT ref: 10006CB5
mv_bprint_append_data.A649 ref: 10006CC9
mv_bprint_finalize.A649 ref: 10006CE5
mv_bprint_append_data.A649 ref: 10006D13
mv_bprint_append_data.A649 ref: 10006D39

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datastrlen$mv_bprint_finalizemv_bprint_init
String ID:
API String ID: 2033710158-0
Opcode ID: c75fb5924f894ba4483cb1fed9dd5a9c3a05b6220e4dd600efed29985aea0871
Instruction ID: 42836de37e77625fd418e7d33d9f749e16b1385b304d1157b5356f99b9815009
Opcode Fuzzy Hash: c75fb5924f894ba4483cb1fed9dd5a9c3a05b6220e4dd600efed29985aea0871
Instruction Fuzzy Hash: B44138B49087459FE750DF38C4806AFBBE5FF89384F50892EF5D897205DA30AA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D9C7 Relevance: 13.6, APIs: 9, Instructions: 94COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1001DA1D
mv_mallocz.A649 ref: 1001DA33
mv_mallocz.A649 ref: 1001DA5B
mv_buffer_create.A649 ref: 1001DA96

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_create
String ID:
API String ID: 1175948233-0
Opcode ID: 028876c209a2f6272c3a1e44d774f3533f879f65c73cba0ca4f21e26c5e21f54
Instruction ID: 849500c822bf6b696b1704ba9b1f22616bdb6bfa3fe8b08525af4e57d421eeed
Opcode Fuzzy Hash: 028876c209a2f6272c3a1e44d774f3533f879f65c73cba0ca4f21e26c5e21f54
Instruction Fuzzy Hash: 7641A4746087458FD740EF29C48061AFBF4FF89384F85892EE9989B302E735E991CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1002EA50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strspn.MSVCRT ref: 1002EA6D
strspn.MSVCRT ref: 1002EAB7
strchr.MSVCRT ref: 1002EAD5
mv_malloc.A649(?,?,?,?,?,?,?,?,?,?,100B1ACF,100B1B86,00000000,?,1000DF13), ref: 1002EAED
mv_get_token.A649 ref: 1002EB1F

Strings

, xrefs: 1002EA51, 1002EAAE

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strspn$mv_get_tokenmv_mallocstrchr
String ID:
API String ID: 3092951656-596783616
Opcode ID: 1efd8e0203b858cb551177276c3cdd41e9dbd20d7b0ea5897e6cd4ad688bf225
Instruction ID: 7d3cccaf8280e9c67c13f7f37f4b658f555d9abbec639c74300896e523aabc58
Opcode Fuzzy Hash: 1efd8e0203b858cb551177276c3cdd41e9dbd20d7b0ea5897e6cd4ad688bf225
Instruction Fuzzy Hash: 8541BB759083858FCB11CF78958026BBBE5EF85344F81492EED9A87341E734ED06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10020E29 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 10020C18
GetModuleFileNameW.KERNEL32 ref: 10020E3F
mv_realloc_array.A649 ref: 10020E84
wcsrchr.MSVCRT ref: 10020FFC
mv_realloc_array.A649 ref: 10021034
wcscpy.MSVCRT ref: 1002104E

Strings

Failed to load DXVA2 library, xrefs: 10020BFC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_realloc_array$FileModuleNamemv_logwcscpywcsrchr
String ID: Failed to load DXVA2 library
API String ID: 3336537647-3958603366
Opcode ID: 6232e1b5e35bd46b5432fb069330a20666dd03cee3513b52b09f4f256d7c03d9
Instruction ID: 51577ab4d4543c89bcf45958d25ddcc1a73c0c49edaf80f3f1784978f1cc2000
Opcode Fuzzy Hash: 6232e1b5e35bd46b5432fb069330a20666dd03cee3513b52b09f4f256d7c03d9
Instruction Fuzzy Hash: ED11E8B5A097058FD350EF68E58071EBAE5FF88244F91883EF8CCC7251E67998859B42

Uniqueness

Uniqueness Score: -1.00%

Function 10020D56 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 10020B82
wcslen.MSVCRT ref: 10020D6C
GetModuleFileNameW.KERNEL32 ref: 10020D8F
mv_realloc_array.A649 ref: 10020DD4

Strings

Failed to load D3D9 library, xrefs: 10020B66

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleNamemv_logmv_realloc_arraywcslen
String ID: Failed to load D3D9 library
API String ID: 1109209711-1791602735
Opcode ID: cefe114e5fa9ee3732a92ee88a9083760b229326b03410c2d41583192a2c5dd6
Instruction ID: ede25121fb53f583ffa3cd6bddd5d5abcd4f06a7718a8138fff089a389c97c26
Opcode Fuzzy Hash: cefe114e5fa9ee3732a92ee88a9083760b229326b03410c2d41583192a2c5dd6
Instruction Fuzzy Hash: 5611B0B59097548FD750DF68E48074EFAE0EF88354F91882EF9CC97201E779A941DB82

Uniqueness

Uniqueness Score: -1.00%

Function 10020E0B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 10020C18
wcslen.MSVCRT ref: 10020E1E
GetModuleFileNameW.KERNEL32 ref: 10020E3F
mv_realloc_array.A649 ref: 10020E84

Strings

Failed to load DXVA2 library, xrefs: 10020BFC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleNamemv_logmv_realloc_arraywcslen
String ID: Failed to load DXVA2 library
API String ID: 1109209711-3958603366
Opcode ID: caa220611896e099629ee825504d56322bd30883596ec03cce50ca05abdeeecc
Instruction ID: efe441553f36b2bfbc4a0af33d893d1b0b4f9b0516fcd8424c0e804ed1213d9b
Opcode Fuzzy Hash: caa220611896e099629ee825504d56322bd30883596ec03cce50ca05abdeeecc
Instruction Fuzzy Hash: 6B01C8B59087448FD710DF64E48175EFAE1EF88344F92892EF9CC97201D7799981DB42

Uniqueness

Uniqueness Score: -1.00%

Function 10002670 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

mv_samples_get_buffer_size.A649 ref: 1000269F
mv_mallocz.A649 ref: 100026B3
mv_sample_fmt_is_planar.A649(?), ref: 100026DC
mv_calloc.A649(?), ref: 100026F5
mv_fifo_alloc2.A649(?), ref: 10002736
mv_fifo_freep2.A649(?), ref: 10002761
mv_freep.A649(?), ref: 1000276E

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_fifo_alloc2mv_fifo_freep2mv_freepmv_malloczmv_sample_fmt_is_planarmv_samples_get_buffer_size
String ID:
API String ID: 3721653357-0
Opcode ID: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
Instruction ID: e2c14ad1b6a78883c2eba2dd48e6cbb770f894d0147dffab9e861290766f1c48
Opcode Fuzzy Hash: 6a25a427b3a7cd424786be72b2dc5f3278f13d1d67c199b93a466af71cd06fba
Instruction Fuzzy Hash: 34311AB86087068FD700DF6AD58061AFBE4FF88394F51892EE99CC7211E774E855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001D220 Relevance: 12.1, APIs: 8, Instructions: 71COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1001D230
mv_sha512_alloc.A649 ref: 1001D273
mv_sha512_alloc.A649 ref: 1001D2BB
mv_md5_alloc.A649 ref: 1001D2EB
mv_sha_alloc.A649 ref: 1001D31B
mv_sha_alloc.A649 ref: 1001D34B
mv_sha_alloc.A649 ref: 1001D37B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_sha_alloc$mv_sha512_alloc$mv_malloczmv_md5_alloc
String ID:
API String ID: 1780169607-0
Opcode ID: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
Instruction ID: c35801f6e3b9458600ddf5c5e3e107538d07f14f20f18202b00d36dbdc320db3
Opcode Fuzzy Hash: 50135c56b61823b36176c8843c5ea436513e172120641a91292998debd03ff9b
Instruction Fuzzy Hash: C731E5B4116350CED740EF50D548A86BAE0FF00354FA7C5A9D61A4F222C7BED584DBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1001E360 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1001E381
mv_frame_alloc.A649 ref: 1001E390

Part of subcall function 1001AC40: mv_malloc.A649 ref: 1001AC56

mv_frame_ref.A649 ref: 1001E3A6

Part of subcall function 1001BC40: mv_channel_layout_check.A649 ref: 1001BC94
Part of subcall function 1001BC40: mv_channel_layout_check.A649 ref: 1001BCDF
Part of subcall function 1001BC40: mv_buffer_ref.A649 ref: 1001BD0E
Part of subcall function 1001BC40: mv_calloc.A649 ref: 1001BD48
Part of subcall function 1001BC40: mv_buffer_ref.A649 ref: 1001BD97

mv_buffer_ref.A649 ref: 1001E3B4

Part of subcall function 10009FC0: mv_mallocz.A649 ref: 10009FD2

mv_buffer_create.A649 ref: 1001E3ED

Part of subcall function 10009E60: mv_mallocz.A649 ref: 10009E86
Part of subcall function 10009E60: mv_mallocz.A649 ref: 10009EBF

mv_buffer_unref.A649 ref: 1001E413
mv_frame_free.A649 ref: 1001E41B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_ref$mv_channel_layout_check$mv_buffer_createmv_buffer_unrefmv_callocmv_frame_allocmv_frame_freemv_frame_refmv_malloc
String ID:
API String ID: 2471893243-0
Opcode ID: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
Instruction ID: e44850cc1d663ee6b079855d6d5ccf767aeb5a2a45f4db7414dc8b10b7331849
Opcode Fuzzy Hash: 50673311061d5e9090930dd3f83a2bf224b626f2df663858ce286107a4d00b9a
Instruction Fuzzy Hash: EA21B3745087458FD780EF29C58021EFBE0EF89350F51892DFA988B346EB74E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10022AF0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 355COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.A649 ref: 10022B47
mv_image_get_linesize.A649 ref: 10022D4C

Part of subcall function 1008E660: mv_get_cpu_flags.A649(?,?,?,?,?,?,00000000,?,10022D28), ref: 1008E66D

mv_log.A649 ref: 10022FBB
abort.MSVCRT ref: 10022FC0

Strings

av_image_get_linesize failed, xrefs: 10022E52
Assertion %s failed at %s:%d, xrefs: 10022FAA

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_get_cpu_flagsmv_image_get_linesizemv_logmv_pix_fmt_desc_get
String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
API String ID: 1727888755-2525362290
Opcode ID: 521952d2bfeaf7539681baa95d9a0bdccdef9f37f348fc110fe0561dd1b48a75
Instruction ID: 6d036607613c62424ae81a283923c390e7ec525f1d66d728904b830f7b258f3c
Opcode Fuzzy Hash: 521952d2bfeaf7539681baa95d9a0bdccdef9f37f348fc110fe0561dd1b48a75
Instruction Fuzzy Hash: 33E17775A08351AFC350CFA8D58061AFBF1FF88354F96896EE8899B311D375E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10022610 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.A649 ref: 10022691
mv_image_get_linesize.A649 ref: 1002282F
mv_log.A649 ref: 10022AC0
abort.MSVCRT ref: 10022AC5

Strings

av_image_get_linesize failed, xrefs: 10022A16
Assertion %s failed at %s:%d, xrefs: 10022AB1

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_image_get_linesizemv_logmv_pix_fmt_desc_get
String ID: Assertion %s failed at %s:%d$av_image_get_linesize failed
API String ID: 1423692287-2525362290
Opcode ID: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
Instruction ID: a2789ba4896ffccc60d1fb11a9358e28422a5f1174f25c27da114458ab982159
Opcode Fuzzy Hash: 3ba8b928b0e2e591675b6da61631b884aeed625d3802fe22cac3d10d96b15f9a
Instruction Fuzzy Hash: 59D1AC75A093519FC354CF68D080A2AFBF1FF88354F96896DE8899B311E735E981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001CA08 Relevance: 10.7, APIs: 7, Instructions: 224COMMON

Download Yara Rule

APIs

mv_adler32_update.A649 ref: 1001CA46
mv_crc.A649 ref: 1001CAD5
mv_sha512_final.A649 ref: 1001CC05
mv_ripemd_final.A649 ref: 1001CC4D
mv_sha_final.A649 ref: 1001CCAD
mv_md5_final.A649 ref: 1001CCFD
mv_murmur3_final.A649 ref: 1001CD1D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_adler32_updatemv_crcmv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final
String ID:
API String ID: 1982440126-0
Opcode ID: a9ad34ebcd672ef8afbff8b37ce41210a7bcda49580a41f031ae13a1041f691d
Instruction ID: 147de84c151e2a988c5c51c1c484b65881f102cf05035e95a5f216c6dda06235
Opcode Fuzzy Hash: a9ad34ebcd672ef8afbff8b37ce41210a7bcda49580a41f031ae13a1041f691d
Instruction Fuzzy Hash: F0911AB5A09706CFC710CF28C18060ABBE0FF89344F65896DE98D9B321D334E985DB96

Uniqueness

Uniqueness Score: -1.00%

Function 10023180 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.A649 ref: 1002319F
mv_image_get_linesize.A649 ref: 100231D4

Part of subcall function 10021480: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_image_fill_linesizes.A649(?), ref: 10023268
mv_image_fill_plane_sizes.A649(?), ref: 100232CB

Strings

Picture size %ux%u is invalid, xrefs: 1002331F

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_get_linesize
String ID: Picture size %ux%u is invalid
API String ID: 3680373976-1963597007
Opcode ID: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
Instruction ID: 42873512ec11e61a891db32c639e21bb7bc2094a7c171237446aa949f8b4b16f
Opcode Fuzzy Hash: 07e5c2be4807f6978617a4492a07696999ca7ae4d9d795ec3814173b8ca04270
Instruction Fuzzy Hash: 80513576A083418BC384CF69D88064EBBE2EFC8750F55CA3EE598C7350EA75DA448B42

Uniqueness

Uniqueness Score: -1.00%

Function 100121A0 Relevance: 10.6, APIs: 7, Instructions: 119COMMON

Download Yara Rule

APIs

mv_strdup.A649 ref: 1001221F
mv_bprint_init.A649 ref: 1001225D
mv_bprint_escape.A649 ref: 100122B3
mv_bprint_append_data.A649 ref: 100122CC
mv_bprint_escape.A649 ref: 100122EE
mv_bprint_finalize.A649 ref: 1001231B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_escape$mv_bprint_append_datamv_bprint_finalizemv_bprint_initmv_strdup
String ID:
API String ID: 806756221-0
Opcode ID: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
Instruction ID: 1123dba4393114ef0ad0658bdbc6ab6a3ceb4212d851131ba1441c628290b326
Opcode Fuzzy Hash: 55f0c84e98da42de065d76c2acb9437629b6bfeb986306e9a32b1f14191fa22a
Instruction Fuzzy Hash: 8C4114B55093449BC360CF28C08025ABBE5FF85394F55892EE9988B341E636EA95CB46

Uniqueness

Uniqueness Score: -1.00%

Function 1000E950 Relevance: 10.6, APIs: 7, Instructions: 113stringCOMMON

Download Yara Rule

APIs

mv_channel_from_string.A649 ref: 1000E993
strchr.MSVCRT ref: 1000E9C4
mv_strlcpy.A649 ref: 1000E9EF
mv_channel_from_string.A649 ref: 1000EA01
strcmp.MSVCRT ref: 1000EA3D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_from_string$mv_strlcpystrchrstrcmp
String ID:
API String ID: 1821482347-0
Opcode ID: 5ce235384a62128bb730ed29545a141e1c22fd50a2d3fedd0eec4bd7515d1792
Instruction ID: 91c5a6e0a1255d2b0d9764647b30d267e30255839a2f84cd078a58f26ad91a2a
Opcode Fuzzy Hash: 5ce235384a62128bb730ed29545a141e1c22fd50a2d3fedd0eec4bd7515d1792
Instruction Fuzzy Hash: E1418F75A087858BEB50DF28C48054EBBE4FF89794F114A2DF8D4A7296D370ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001A8BC Relevance: 10.6, APIs: 7, Instructions: 112COMMON

Download Yara Rule

APIs

mv_buffer_alloc.A649 ref: 1001A8CA

Part of subcall function 10009DC0: mv_malloc.A649 ref: 10009DDC
Part of subcall function 10009DC0: mv_mallocz.A649 ref: 10009DF2
Part of subcall function 10009DC0: mv_mallocz.A649 ref: 10009E25

mv_realloc.A649 ref: 1001A902

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_mallocz.A649 ref: 1001A91C
mv_dict_copy.A649 ref: 1001A996
mv_buffer_ref.A649 ref: 1001A9EC
mv_realloc.A649 ref: 1001AA26
mv_mallocz.A649 ref: 1001AA40
mv_buffer_unref.A649 ref: 1001AA87
mv_buffer_unref.A649 ref: 1001AAAD
mv_dict_free.A649 ref: 1001AAB5
mv_freep.A649 ref: 1001AABD
mv_freep.A649 ref: 1001AADB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_unrefmv_freepmv_realloc$_aligned_reallocmv_buffer_allocmv_buffer_refmv_dict_copymv_dict_freemv_malloc
String ID:
API String ID: 3654835198-0
Opcode ID: 0bf41d1fdf1a0d08d43b0fab588065db97ebe82ea24d02b71fa17c9d9ea0863f
Instruction ID: 2ff58008ff79fef770ec364c302c24b01e6a414989e191337692d11d052fa45a
Opcode Fuzzy Hash: 0bf41d1fdf1a0d08d43b0fab588065db97ebe82ea24d02b71fa17c9d9ea0863f
Instruction Fuzzy Hash: E651E674904342CFCB14CF19C58069ABBE1FF89390F46896EE98A9B351E770E981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10006940 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10006950
mv_malloc.A649 ref: 10006959
strspn.MSVCRT ref: 10006980
strspn.MSVCRT ref: 100069C1

Strings

, xrefs: 10006973, 10006A73

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strspn$mv_mallocstrlen
String ID:
API String ID: 1916163187-596783616
Opcode ID: 6d443ae11f2d914a5227319bcfeb12270d11b8b479f6cc4a7ac6a66c55ffb6ff
Instruction ID: cedbecd3a87d8b5a4725ffb42990fb526c0b4fb3d9c1c657b53cfd1c5efe5fcf
Opcode Fuzzy Hash: 6d443ae11f2d914a5227319bcfeb12270d11b8b479f6cc4a7ac6a66c55ffb6ff
Instruction Fuzzy Hash: 6041623460C3958BDB11DF65888025ABBE6EF8B6C0F55845DF8C56B306C235AE48CF93

Uniqueness

Uniqueness Score: -1.00%

Function 10092340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10092352
_errno.MSVCRT ref: 10092370
rand.MSVCRT ref: 100923D0
_sopen.MSVCRT ref: 10092416
_errno.MSVCRT ref: 10092424

Strings

XXXX, xrefs: 10092368

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$_sopenrandstrlen
String ID: XXXX
API String ID: 1081397658-1518373315
Opcode ID: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
Instruction ID: 5ba2c4e2c30cf57021d4c67dc99ab4cf3299af9f9df0caf2ec803c7fcbdd4207
Opcode Fuzzy Hash: 82e0733fef7f5bb36d99413f1072fc2f656cde989d35784bfb4da4dbfebec7eb
Instruction Fuzzy Hash: A62137B190934A9FC704EF24889015E7BE4EF86394F11C92DF4998B291D6399A49DB81

Uniqueness

Uniqueness Score: -1.00%

Function 10015280 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3341382007b4f288515fcb2de4aecaaceece02503954b21535afbf4360ef563f
Instruction ID: de9d21ec3dcb04bf58176d0cda4a676ee11502cea914c5bc95d0a4ddd44589f3
Opcode Fuzzy Hash: 3341382007b4f288515fcb2de4aecaaceece02503954b21535afbf4360ef563f
Instruction Fuzzy Hash: 1121A7B8A08706CFC744DF29D09191AB7F1FF94281F558969E8808F305E732D985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000F8F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1000F8F7
GetProcessAffinityMask.KERNEL32 ref: 1000F910
mv_log.A649 ref: 1000F99A

Strings

overriding to %d logical cores, xrefs: 1000F981
detected %d logical cores, xrefs: 1000F9B4

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Process$AffinityCurrentMaskmv_log
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 4261380130-3421371979
Opcode ID: 59ef6a107ec3cdb46dd4167b638c4726428b6cb03edb44507d23a229c6465c65
Instruction ID: 655d1004639110147f1915e1f3dd4d32bf395fc4964a2075afa2b445a2896311
Opcode Fuzzy Hash: 59ef6a107ec3cdb46dd4167b638c4726428b6cb03edb44507d23a229c6465c65
Instruction Fuzzy Hash: 0E2142B5B197019BD304DF29C88030ABBE2EBC8250F48C93DF888C7759E638D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D820 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

mv_buffer_pool_uninit.A649 ref: 1001D83B

Part of subcall function 1000A650: AcquireSRWLockExclusive.KERNEL32 ref: 1000A66C
Part of subcall function 1000A650: mv_freep.A649 ref: 1000A69C
Part of subcall function 1000A650: ReleaseSRWLockExclusive.KERNEL32 ref: 1000A6AB

mv_buffer_unref.A649 ref: 1001D872
mv_buffer_unref.A649 ref: 1001D881
mv_freep.A649 ref: 1001D890
mv_freep.A649 ref: 1001D8A2
mv_freep.A649 ref: 1001D8B1
mv_freep.A649 ref: 1001D8BD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$ExclusiveLockmv_buffer_unref$AcquireReleasemv_buffer_pool_uninit
String ID:
API String ID: 3286761627-0
Opcode ID: ce86d33006e2883c2f07b557f8b7dc23eb80ab62c5c85b3ca20994ce710f1ba1
Instruction ID: c2c7fff8f9affbfaa43353b1796216bc37b5074c3dd7c6f1f2ea0825a5865995
Opcode Fuzzy Hash: ce86d33006e2883c2f07b557f8b7dc23eb80ab62c5c85b3ca20994ce710f1ba1
Instruction Fuzzy Hash: 081186B86086018FDB04EF69D5C5A1AF7F1EF84240F46CD5DE8948B306D635E885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1000C220 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

mv_bprintf.A649 ref: 1000C27B
mv_bprintf.A649 ref: 1000C298
mv_bprintf.A649 ref: 1000C2B8

Strings

NONE, xrefs: 1000C247
USR%d, xrefs: 1000C28C
AMBI%d, xrefs: 1000C2AC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: AMBI%d$NONE$USR%d
API String ID: 3083893021-3656852315
Opcode ID: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
Instruction ID: 215f8c01a0ebe083e3755320398acc4362dbfeb093f1504df316b337c640c054
Opcode Fuzzy Hash: 79c1b8cc5645a9667c6a0867682904637ac744c720650d4db15b242002d3a8e6
Instruction Fuzzy Hash: 16012CB8909B418BD304EF28848052EBAE1FF84284FD48A6DE4CC87755E639DA409B83

Uniqueness

Uniqueness Score: -1.00%

Function 1000C3C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

mv_bprintf.A649 ref: 1000C41B
mv_bprintf.A649 ref: 1000C438
mv_bprintf.A649 ref: 1000C458

Strings

user %d, xrefs: 1000C42C
none, xrefs: 1000C3E7
ambisonic ACN %d, xrefs: 1000C44C

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: ambisonic ACN %d$none$user %d
API String ID: 3083893021-4180635230
Opcode ID: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
Instruction ID: 324eb216ddd130d516033ba78e4077f7499b10045cf144ab3190435d7abd8d01
Opcode Fuzzy Hash: 9c8de8448e6615b8fa7c2115a21e64c0d84a2e4daa03812f1183ed2e3bd7c657
Instruction Fuzzy Hash: 77012CB8D09B418BD304EF28908152DBAE1FFC4288FD4CA6DE4CC87355E639DA408B53

Uniqueness

Uniqueness Score: -1.00%

Function 1001B039 Relevance: 9.2, APIs: 6, Instructions: 164COMMON

Download Yara Rule

APIs

mv_pix_fmt_desc_get.A649 ref: 1001B043
mv_image_check_size.A649 ref: 1001B069

Part of subcall function 100221C0: mv_image_get_linesize.A649 ref: 10022203

mv_image_fill_linesizes.A649 ref: 1001B0C8

Part of subcall function 100215D0: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

mv_image_fill_plane_sizes.A649 ref: 1001B15D
mv_buffer_alloc.A649 ref: 1001B1CD
mv_image_fill_pointers.A649 ref: 1001B1FC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_pix_fmt_desc_get$mv_buffer_allocmv_image_check_sizemv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_image_get_linesize
String ID:
API String ID: 566543421-0
Opcode ID: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
Instruction ID: 4992ce4e1065cc46e00ece35f003ee7f574db56b11f2f258b44564899a0fbe5b
Opcode Fuzzy Hash: 8bdd919ebcf96b38ab9bf70343630153b1bf13f81f3e3c8d122ca7593c126649
Instruction Fuzzy Hash: 4561E7B5A08B018FCB44DF69D59065ABBE1FF88240F16897DE949CB315E735E844CF41

Uniqueness

Uniqueness Score: -1.00%

Function 1001C210 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

mv_buffer_is_writable.A649 ref: 1001C24C
mv_buffer_is_writable.A649 ref: 1001C27C
mv_channel_layout_copy.A649 ref: 1001C30C
mv_hwframe_get_buffer.A649 ref: 1001C336
mv_frame_copy.A649 ref: 1001C348

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_is_writable$mv_channel_layout_copymv_frame_copymv_hwframe_get_buffer
String ID:
API String ID: 1431812533-0
Opcode ID: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
Instruction ID: 9aa00ebb7c7a901d7ff1af15f7d5cd17a7e62451d1a9c752bdbd2b923dfe8871
Opcode Fuzzy Hash: f51d21cc51dcd08a1813b896c01dc70d91b05fa0b1bcabd5a0f2eceed2e49e57
Instruction Fuzzy Hash: F0514A75A047169FD354CF79C880B9AF7E4FF88350F018A2AE999CB301E734E9948B91

Uniqueness

Uniqueness Score: -1.00%

Function 10090D70 Relevance: 9.1, APIs: 6, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 10090D9F
vfprintf.MSVCRT ref: 10090DBF
abort.MSVCRT ref: 10090DC4
VirtualQuery.KERNEL32 ref: 10090E5B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID:
API String ID: 2513968241-0
Opcode ID: e17759b3fb2837557a8b365765238414b278e3dec190b4c7fa76bc060ff69d89
Instruction ID: df2d4e1fd157290d0ee2fcec052a5d80a6cec2ab82355e25c391395788c49f3d
Opcode Fuzzy Hash: e17759b3fb2837557a8b365765238414b278e3dec190b4c7fa76bc060ff69d89
Instruction Fuzzy Hash: B95145B5909711CFC700DF69C88965ABBF0FF84354F55892CE98C8B229E738E845DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10001020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,10001281,?,?,?,?,?,?,100013AE), ref: 10001057
_amsg_exit.MSVCRT ref: 10001086

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
Instruction ID: 2785d9bf782298c98c7f05eb770d18c25c91c74859540191a5f4291f5604d36f
Opcode Fuzzy Hash: 32c44298f69c23ec634c9dcdada737d11102db2f3ca822c9fd713eb8b7c401c5
Instruction Fuzzy Hash: D031DE70609291CBF341DF69C9C838A77E0EB843D4F11842DED888B65CD7B9D980CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000E173 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 1000DF70
mv_channel_layout_from_mask.A649 ref: 1000E046
mv_freep.A649 ref: 1000E17B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_layout_from_maskmv_freepstrcmp
String ID:
API String ID: 3576703362-0
Opcode ID: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
Instruction ID: f14a3d27c2c21489c07e4dbc689c5fec37a1484687acd34e25a8149a501b133e
Opcode Fuzzy Hash: 820ae5dd8703ee1a0e668245ce805bc40d27f1a58968503d90ea3e7159de7ad7
Instruction Fuzzy Hash: 45312535A083819FE340EF25D48062FBBE1EF84394F52992EF98997314D671EC40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1001CE80 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

mv_sha512_final.A649 ref: 1001CEE5
mv_base64_encode.A649 ref: 1001CF08
mv_ripemd_final.A649 ref: 1001CF6D
mv_sha_final.A649 ref: 1001CF8D
mv_md5_final.A649 ref: 1001CFAD
mv_murmur3_final.A649 ref: 1001CFCD

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_base64_encodemv_md5_finalmv_murmur3_finalmv_ripemd_finalmv_sha512_finalmv_sha_final
String ID:
API String ID: 3586822813-0
Opcode ID: 4101db7e34960757e44d2dfc33322d73538906df7eaf8f8be57ad6a3014d0b03
Instruction ID: de0395dc53552d2177952a3504994e5d57c179e5c7521f1451b6bd6638056f3b
Opcode Fuzzy Hash: 4101db7e34960757e44d2dfc33322d73538906df7eaf8f8be57ad6a3014d0b03
Instruction Fuzzy Hash: BD31E379919755CFD720EF18C480A5EFBE1FB88700F51891EE988A7311D334E9898B93

Uniqueness

Uniqueness Score: -1.00%

Function 10011B29 Relevance: 9.0, APIs: 6, Instructions: 27COMMON

Download Yara Rule

APIs

mv_freep.A649 ref: 10011AE6
mv_freep.A649 ref: 10011AF2
mv_freep.A649 ref: 10011B36
mv_freep.A649 ref: 10011B42

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: 4dad41aface1bf4d8e8f6d457dcfae7240ecd57a1cb0b23708a07321ea9591c0
Instruction ID: d62fb898b935cc63bf9da65a74de6d4b5ecaebda1c704ba131891dd3b15b5cb6
Opcode Fuzzy Hash: 4dad41aface1bf4d8e8f6d457dcfae7240ecd57a1cb0b23708a07321ea9591c0
Instruction Fuzzy Hash: 28F05F795097089FCB40EFB4E0C5A9DB7F4EF44294F854D2AF8D487201E635E544CA52

Uniqueness

Uniqueness Score: -1.00%

Function 10022061 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

mv_image_get_linesize.A649 ref: 100220C7

Part of subcall function 10021480: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_log.A649 ref: 10022171
mv_log.A649(?), ref: 100221AE

Strings

Picture size %ux%u is invalid, xrefs: 10022154
Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it, xrefs: 1002219E

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log$mv_image_get_linesizemv_pix_fmt_desc_get
String ID: Picture size %ux%u exceeds specified max pixel count %lld, see the documentation if you wish to increase it$Picture size %ux%u is invalid
API String ID: 1737039923-91635712
Opcode ID: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
Instruction ID: d1011bfbbf7dbf5d13950a67888087e963138b3faade39ec3db9adc7e097331a
Opcode Fuzzy Hash: 54d24d788e18d8ea4c466eabd4131f5e9fbc720227a3fc9df816d3be53757df9
Instruction Fuzzy Hash: 9441D0B5A083549FC340CF69C48060AFBE1FBD8750F958A2EF9A8D3350E774E9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000C560 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 1000C582
strcmp.MSVCRT ref: 1000C5B0
strtol.MSVCRT ref: 1000C5DA

Strings

AMBI, xrefs: 1000C561

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcmpstrncmpstrtol
String ID: AMBI
API String ID: 155133989-3084986980
Opcode ID: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
Instruction ID: 080b42f47ecb1617c9eeb941eeb6b1a796e462e2a98a72bb2a37a4396a6a9be9
Opcode Fuzzy Hash: 96e8e9c81ed7be6940826c680e1056b1b9812cca35e7cd8c36495b4e89374ce8
Instruction Fuzzy Hash: 6A21BEB5A0C7858FF350CF2898C064FBAD0EB492D1F11893EF989C7355E235E8858B82

Uniqueness

Uniqueness Score: -1.00%

Function 10012370 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strftime.MSVCRT ref: 100123EF
mv_strlcatf.A649 ref: 10012429
mv_dict_set.A649 ref: 1001244D

Strings

.%06dZ, xrefs: 10012419
%Y-%m-%dT%H:%M:%S, xrefs: 100123D6

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_setmv_strlcatfstrftime
String ID: %Y-%m-%dT%H:%M:%S$.%06dZ
API String ID: 3046200060-930656424
Opcode ID: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
Instruction ID: 4200585820eefb0ad3589c066a71afa0f6c055d7c0249a28ce441d2d822c6705
Opcode Fuzzy Hash: 8265bdb7039045fb43de9663fc535b0ddd795e0ba8767e98d08ad63409ae019d
Instruction Fuzzy Hash: 3F21B0B5A093419FD350DF29E58069BBBE0FB88354F51C92EF89CC7301E638D8849B82

Uniqueness

Uniqueness Score: -1.00%

Function 1000D5CB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

mv_bprintf.A649 ref: 1000D617
mv_bprintf.A649 ref: 1000D64E
mv_bprintf.A649 ref: 1000D678
mv_bprintf.A649 ref: 1000D715
mv_bprintf.A649 ref: 1000D7EB
mv_bprintf.A649 ref: 1000D814
mv_bprintf.A649 ref: 1000D84A
mv_bprintf.A649 ref: 1000D86F
mv_bprintf.A649 ref: 1000D8CE

Strings

NONE, xrefs: 1000D60B
@%s, xrefs: 1000D642

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: @%s$NONE
API String ID: 3083893021-9228147
Opcode ID: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
Instruction ID: 7566f4ee250c6b1008f1cbc21f7ab5f057a1ffbd92fde749fdda637f05722331
Opcode Fuzzy Hash: 42121a472de4cb58ea8b3f161935e652dd00ef3bbb3abb2b6736c95388f2513a
Instruction Fuzzy Hash: 8C114C75909B1A8BE720EF18C58006EF7E1FB443D4F55891EE889A7219D731EC94CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 100199F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 10092340: strlen.MSVCRT ref: 10092352
Part of subcall function 10092340: _errno.MSVCRT ref: 10092370

_errno.MSVCRT ref: 10019A21
mv_log.A649 ref: 10019A4E
mv_freep.A649 ref: 10019A56

Strings

ff_tempfile: Cannot open temporary file %s, xrefs: 10019A45
./%sXXXXXX, xrefs: 100199FC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$mv_freepmv_logstrlen
String ID: ./%sXXXXXX$ff_tempfile: Cannot open temporary file %s
API String ID: 3408331932-3725816632
Opcode ID: 9ea466ec382f632922ab7edcfa4757c4d1ebebccac8452957cd71096d89945a6
Instruction ID: 32628fa2dfbfa7f9f07bbe3c009a9960c5743f995751c964622c37dae3a8a88e
Opcode Fuzzy Hash: 9ea466ec382f632922ab7edcfa4757c4d1ebebccac8452957cd71096d89945a6
Instruction Fuzzy Hash: 79017E789097519FC744DF29C18151ABBE1FF88740F91885EF9C99B310D739E9458F82

Uniqueness

Uniqueness Score: -1.00%

Function 100194D1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 100194D8
mv_strerror.A649 ref: 100194FE

Part of subcall function 10013B30: mv_strlcpy.A649 ref: 10013B71

mv_log.A649 ref: 1001951B
_close.MSVCRT ref: 10019523

Strings

Error occurred in fstat(): %s, xrefs: 1001950B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _close_errnomv_logmv_strerrormv_strlcpy
String ID: Error occurred in fstat(): %s
API String ID: 1199337903-68092211
Opcode ID: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
Instruction ID: dfd730866d5ba72d1ec682aa82f713c85e766a8eb03f77e440fb808261e44811
Opcode Fuzzy Hash: fedef3c115d41d530a9bfdcd0bfafda126d4511fd0f21c34fa7b612a76f75a20
Instruction Fuzzy Hash: A3F092B4819755DFC310DF14C48425EFBE4FF84700F51881EE5D997321DB78A9459B86

Uniqueness

Uniqueness Score: -1.00%

Function 10017E00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 15COMMON

Download Yara Rule

APIs

mv_log.A649(?,?,?,?,?,?,?,?,?,?,100186B9,?,?,00000000,?,?), ref: 10017E34
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,100186B9,?,?,00000000,?,?), ref: 10017E39

Strings

libavutil/fifo.c, xrefs: 10017E11
cur_size >= size, xrefs: 10017E1A
Assertion %s failed at %s:%d, xrefs: 10017E0C

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d$cur_size >= size$libavutil/fifo.c
API String ID: 2075109169-1865016996
Opcode ID: 329440a94f8c7a99fb07f7034f266a86e60b7f15998dd5fe1bc22234d625c871
Instruction ID: 9999096a437dec4bbf9d25340c9771322b9005185c0e92fffbd912ccd442c005
Opcode Fuzzy Hash: 329440a94f8c7a99fb07f7034f266a86e60b7f15998dd5fe1bc22234d625c871
Instruction Fuzzy Hash: 31E0E2B89093448FC384DF29D50030EBAE0EF88301F80882DF0C8D7304EB38C8408B42

Uniqueness

Uniqueness Score: -1.00%

Function 10090F30 Relevance: 7.7, APIs: 5, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8dc7368cd86c9528538011aadef89097d7993b0b3ed0ff7d6836d5fe8019bf
Instruction ID: a493eb98b1fd049c191c284f361dd5554a341132bf5ca138699a178d8bab818f
Opcode Fuzzy Hash: 9e8dc7368cd86c9528538011aadef89097d7993b0b3ed0ff7d6836d5fe8019bf
Instruction Fuzzy Hash: 9791A976A002669FCB10DF68C98078EB7F0FF84390F01826AED4CAB359D335B9459B91

Uniqueness

Uniqueness Score: -1.00%

Function 10007100 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10007126
strchr.MSVCRT ref: 1000715B
strncmp.MSVCRT ref: 10007200
strlen.MSVCRT ref: 1000724B

Strings

-, xrefs: 10007232

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strchrstrncmp
String ID: -
API String ID: 2264528763-2547889144
Opcode ID: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
Instruction ID: 5f1f2dd0eab5bc6f8befd7c2bb33942bdc2d6399c7dfe7216c1ccb09edde324b
Opcode Fuzzy Hash: f0f04a066c244188fbca6ac71b0a1930aa93ce774d345eeea5f276fcbf092cf4
Instruction Fuzzy Hash: 6F318075A0C3558FEB50DA78949026EBBE1FF893C4F05492DF9C8D7245D278D9068B82

Uniqueness

Uniqueness Score: -1.00%

Function 1001E82C Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

mv_image_check_size.A649 ref: 1001E85A
mv_calloc.A649 ref: 1001E8B9
mv_frame_alloc.A649 ref: 1001E924
mv_frame_free.A649 ref: 1001E96B
mv_freep.A649 ref: 1001E97C
mv_get_pix_fmt_name.A649 ref: 1001E9EE
mv_log.A649 ref: 1001EA15

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
String ID:
API String ID: 473889652-0
Opcode ID: f8cf93a28b677fe8d6aa97792fd6637bea7d0f1a55816fad0b8c7aac0eef2079
Instruction ID: 0916db3863c180832e99ce082f3c0ba9a657d34c2ea2780525ffec91a203d69c
Opcode Fuzzy Hash: f8cf93a28b677fe8d6aa97792fd6637bea7d0f1a55816fad0b8c7aac0eef2079
Instruction Fuzzy Hash: 6D410674A047468FD750DF69C480A0AF7E5FF88354F56896DE989DB321EB30EC818B81

Uniqueness

Uniqueness Score: -1.00%

Function 1001EA29 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

next.A649 ref: 1001EA70
mv_buffer_ref.A649 ref: 1001EAA3
mv_buffer_ref.A649 ref: 1001EB1B
mv_buffer_unref.A649 ref: 1001EB3C

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_ref$mv_buffer_unrefnext
String ID:
API String ID: 588746049-0
Opcode ID: 833f2c8fdc6b300ab755a53dc17123c133499747ecb7eecc8e51741b32f1caa7
Instruction ID: 751943b98e383c0230b5a4328860fa5e181b1208b3e1621c22d10bc7de1e2c1b
Opcode Fuzzy Hash: 833f2c8fdc6b300ab755a53dc17123c133499747ecb7eecc8e51741b32f1caa7
Instruction Fuzzy Hash: 39419F78A097518FC744DF29C180A1AFBE1FF89350F568A6DE8999B355D730EC81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000A480 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1000A4BA
mv_freep.A649 ref: 1000A4E8
mv_freep.A649 ref: 1000A541

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz
String ID:
API String ID: 2455733640-0
Opcode ID: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
Instruction ID: 3b99154a913b274524c08becb6f728f5f8244ec0eeb4226c169e02ad570783d9
Opcode Fuzzy Hash: 57be5cbf1da16da54839bca519b4bd6de1be08dc8cda019c43820ae6256fb6b0
Instruction Fuzzy Hash: 1131B074908B01CFD760DF25C581A1AB7F0FF89391B568A5DEC999B319D730E881CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10012049 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1001205B
strlen.MSVCRT ref: 10012069
mv_realloc.A649 ref: 1001207F

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_freep.A649 ref: 100120D0

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_aligned_reallocmv_freepmv_realloc
String ID:
API String ID: 895301365-0
Opcode ID: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
Instruction ID: 9bf475a18fd4cb1c0505352b53a299a598f586f68b75c8a149e966f8cd1839f1
Opcode Fuzzy Hash: 76a04085e64d47384e2e2ce00772daf36afdae989b4b3b42e904556264258d40
Instruction Fuzzy Hash: 0031CDB99087058FC744CF29C18045AFBE1FF88718F558A6EE889AB310D731EA45CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001BE6C Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

mv_channel_layout_from_mask.A649 ref: 1001BE81

Part of subcall function 1001A6C0: mv_dict_copy.A649 ref: 1001A89A

mv_channel_layout_check.A649 ref: 1001BCDF
mv_buffer_ref.A649 ref: 1001BD0E

Part of subcall function 10009FC0: mv_mallocz.A649 ref: 10009FD2

mv_calloc.A649 ref: 1001BD48
mv_buffer_ref.A649 ref: 1001BD97
mv_channel_layout_copy.A649 ref: 1001BE4D
mv_frame_get_buffer.A649 ref: 1001BE99
mv_frame_copy.A649 ref: 1001BEAF

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_ref$mv_callocmv_channel_layout_checkmv_channel_layout_copymv_channel_layout_from_maskmv_dict_copymv_frame_copymv_frame_get_buffermv_mallocz
String ID:
API String ID: 2436353080-0
Opcode ID: c8f401e25c937fc34a8e388f6819b8bf213ab7e640fef61046aee9f8c8a63dea
Instruction ID: cf133659f4afb4c0eb52d0029f6858f40d2049adfe0f6a1ba95026f0bdf35e92
Opcode Fuzzy Hash: c8f401e25c937fc34a8e388f6819b8bf213ab7e640fef61046aee9f8c8a63dea
Instruction Fuzzy Hash: 2C217C74A04B568BDB54DF68D48079AB7E0EF48350F16843AED48DF306EB30E8808B91

Uniqueness

Uniqueness Score: -1.00%

Function 1000A650 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 1000A66C
mv_freep.A649 ref: 1000A69C
ReleaseSRWLockExclusive.KERNEL32 ref: 1000A6AB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$AcquireReleasemv_freep
String ID:
API String ID: 2444013405-0
Opcode ID: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
Instruction ID: c3c698d3df7831113588d9bdc2aa75e8a835319d0c3e7d0db2d9c6c4417e318c
Opcode Fuzzy Hash: d869766378f18830eaedbb65d13c15c11a69b80f9d160b7f9c0174b365de840b
Instruction Fuzzy Hash: 7B21D6B5608701CFD700EF25D5C491ABBF4EF85280F06C969E8898B31AD731E885CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10012239 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

mv_bprint_init.A649 ref: 1001225D
mv_bprint_escape.A649 ref: 100122B3
mv_bprint_append_data.A649 ref: 100122CC
mv_bprint_escape.A649 ref: 100122EE
mv_bprint_finalize.A649 ref: 1001231B
mv_bprint_append_data.A649 ref: 1001234B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprint_init
String ID:
API String ID: 3283265872-0
Opcode ID: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
Instruction ID: 90910876c942d1fbafe524e13dc9732c176e9ecd8d18a9c8de127334b5e1fd1f
Opcode Fuzzy Hash: 40e4fae6fe95c9ae0cafae5e4cfbe44df76d706b7c6edfb7b55f5239210fc438
Instruction Fuzzy Hash: 6121DDB59197059FC350DF28C18025AFBE1FF88354F51892EE99D87351E736E982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10011483 Relevance: 7.6, APIs: 5, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10011491
strlen.MSVCRT ref: 1001149F
mv_realloc.A649 ref: 100114B5

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_freep.A649 ref: 100114E2

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_aligned_reallocmv_freepmv_realloc
String ID:
API String ID: 895301365-0
Opcode ID: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
Instruction ID: 4ab28d8c1afc1d5d21c0288313e81dd6decefd2b0a989d53a21eca3f7d4547be
Opcode Fuzzy Hash: d1a8473bf65fe5948635b3fdb6a704e42311342a774be7d21ac7218014880f97
Instruction Fuzzy Hash: 2F21AEB8908316CFCB54DF28C08095AB7E5FF89344F558A5DE999AB301D731EA46CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100A01C0 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 100A01D9
_unlock.MSVCRT ref: 100A0201
calloc.MSVCRT ref: 100A024F

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
Instruction ID: 8fe92059074c50cb47f0fafd9c3e369871995c2eed6e667d345993090a648f63
Opcode Fuzzy Hash: 0688a122be4117893fb3ece507c896a8d7c3e445b4a648a9370480a80a91a21a
Instruction Fuzzy Hash: A81149B1604305CFDB80DFA8C48475ABBE0EF88340F15C6A9E888CF245EB74D840CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1001232B Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

mv_bprint_escape.A649 ref: 100122B3

Part of subcall function 10009730: mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB

mv_bprint_append_data.A649 ref: 100122CC
mv_bprint_escape.A649 ref: 100122EE
mv_bprint_finalize.A649 ref: 1001231B
mv_bprint_append_data.A649 ref: 1001234B

Part of subcall function 10008F30: mv_realloc.A649 ref: 10008F73

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_append_datamv_bprint_escape$mv_bprint_finalizemv_bprintfmv_realloc
String ID:
API String ID: 1942445456-0
Opcode ID: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
Instruction ID: 403ebcfaa7f6bf6d2df9c5cc3f9910434a712b72dc8362acc2447b37bc06364c
Opcode Fuzzy Hash: 5e9e0b7bf5f3d5346bbbc040ec1caf168d6988dfb1b18155a4329e28a55b4eeb
Instruction Fuzzy Hash: 752199B59183019FD360DF29C08069AFBE1FB89348F50892EE58CC7301E736E981CB46

Uniqueness

Uniqueness Score: -1.00%

Function 10020F16 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 10020F38
mv_realloc_array.A649 ref: 10020F74
wcscpy.MSVCRT ref: 10020F96
GetSystemDirectoryW.KERNEL32 ref: 100210E6
mv_realloc_array.A649 ref: 10021113
GetSystemDirectoryW.KERNEL32 ref: 1002112F
wcscpy.MSVCRT ref: 10021159

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DirectorySystemmv_realloc_arraywcscpy$wcsrchr
String ID:
API String ID: 3771663757-0
Opcode ID: 105bd481a30dcf4f2f80f008e55c880d995a66a1a926a1f327f51552fc62e23b
Instruction ID: ffd80dabb6c0bb2010d5947fcac406cacdece12d91f3b7981332ae5aec6bf27d
Opcode Fuzzy Hash: 105bd481a30dcf4f2f80f008e55c880d995a66a1a926a1f327f51552fc62e23b
Instruction Fuzzy Hash: 5A21C274A087059FC780DF78C58065BFBE0EF88340F91882EA888D7201EA75E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10010F70 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 10010F94
mv_buffer_create.A649 ref: 10010FDA

Part of subcall function 10009E60: mv_mallocz.A649 ref: 10009E86
Part of subcall function 10009E60: mv_mallocz.A649 ref: 10009EBF

mv_frame_new_side_data_from_buf.A649 ref: 10010FFB

Part of subcall function 1001B750: mv_realloc.A649(?,?,?,00000000,10011000), ref: 1001B782
Part of subcall function 1001B750: mv_mallocz.A649(?,?,?,00000000,10011000), ref: 1001B798

mv_freep.A649 ref: 10011017
mv_buffer_unref.A649 ref: 1001102F

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_buffer_createmv_buffer_unrefmv_frame_new_side_data_from_bufmv_freepmv_realloc
String ID:
API String ID: 4079258015-0
Opcode ID: 235f74f1b44870dcad6a23e18708240b359a34fdbdf4156107dcae340f404938
Instruction ID: 90488c3b318ad132dd90a0ab416cd05b92887db60067ff87fa18cc2b813c593e
Opcode Fuzzy Hash: 235f74f1b44870dcad6a23e18708240b359a34fdbdf4156107dcae340f404938
Instruction Fuzzy Hash: 6F11D4B1D087118FD744DF39D58469ABBE5EF8C380F06893EE8C8DB251E675D9808B82

Uniqueness

Uniqueness Score: -1.00%

Function 10020FE1 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 10020FFC
mv_realloc_array.A649 ref: 10021034
wcscpy.MSVCRT ref: 1002104E
GetSystemDirectoryW.KERNEL32 ref: 100211A5
mv_realloc_array.A649 ref: 100211CE
GetSystemDirectoryW.KERNEL32 ref: 100211E6
wcscpy.MSVCRT ref: 10021215

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DirectorySystemmv_realloc_arraywcscpy$wcsrchr
String ID:
API String ID: 3771663757-0
Opcode ID: 8a644e096492864477e5f71b1901ec8f41f9c0f9e06a4381a7f60f21251f72b8
Instruction ID: 7533a157dc124900f5d4f6bbd21d510ae95ac742790c4cbb40c0884018f11468
Opcode Fuzzy Hash: 8a644e096492864477e5f71b1901ec8f41f9c0f9e06a4381a7f60f21251f72b8
Instruction Fuzzy Hash: 9111B3B4A087059FD740DF78D58565ABBE0FF88384F91892EE9C8C7341EA75D940CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10009DC0 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

mv_malloc.A649 ref: 10009DDC
mv_mallocz.A649 ref: 10009DF2
mv_mallocz.A649 ref: 10009E25
mv_freep.A649 ref: 10009E55

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$mv_freepmv_malloc
String ID:
API String ID: 1213213188-0
Opcode ID: b3348c7cbf53dd59cb46d7918af22b3d6d5ec5eab1e580142c4b14d34cb90cf9
Instruction ID: 61e6e3019f6d22858814eed3066cc18376ee6b6952274d578c1963b104500367
Opcode Fuzzy Hash: b3348c7cbf53dd59cb46d7918af22b3d6d5ec5eab1e580142c4b14d34cb90cf9
Instruction Fuzzy Hash: 5011A5B45083418FD340DF26C18561AFBE4FF48784F46895EE8889B262D779D944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001D7A0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

mv_buffer_unref.A649 ref: 1001D7D9
mv_freep.A649 ref: 1001D7E8
mv_freep.A649 ref: 1001D7FA
mv_freep.A649 ref: 1001D809
mv_freep.A649 ref: 1001D815

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_buffer_unref
String ID:
API String ID: 1375661620-0
Opcode ID: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
Instruction ID: d52695f6b373eec4d5e7979f8718589b80dc3da3b7455b83048969c7455da62b
Opcode Fuzzy Hash: b5ec8d363419cb92d8bdb1f38329e2028d6a2324dcebd7ef3df8143324761c55
Instruction Fuzzy Hash: 7B0172B86086058FDB00EF79C485A1AF7F1FF84244F46CD6DE8948B316E634E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10011A87 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

mv_freep.A649 ref: 10011A5F
mv_freep.A649 ref: 10011A6B
mv_mallocz.A649 ref: 10011A97
mv_freep.A649 ref: 10011AE6
mv_freep.A649 ref: 10011AF2
mv_freep.A649 ref: 10011B36
mv_freep.A649 ref: 10011B42

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz
String ID:
API String ID: 2455733640-0
Opcode ID: 9def39ab8334334498dc92bc04231888fb56c78b9717c776b78c351b1b7e14d5
Instruction ID: 578f6a72ff247b37d94199203e366b17b36adcd36fb23e3b004727b24c0878f9
Opcode Fuzzy Hash: 9def39ab8334334498dc92bc04231888fb56c78b9717c776b78c351b1b7e14d5
Instruction Fuzzy Hash: 9201B6756097489FC740EFB9D481B5AB7E4FF44290F81582DF89897241E771E884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7D9 Relevance: 7.5, APIs: 5, Instructions: 36stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 1000C7E0
strtol.MSVCRT ref: 1000C804
_errno.MSVCRT ref: 1000C80B
_errno.MSVCRT ref: 1000C822
_errno.MSVCRT ref: 1000C848

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _errno$strtol
String ID:
API String ID: 3596500743-0
Opcode ID: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
Instruction ID: 4b89768cd935a08b72e57307d992163ee312e19cf8de062bdca3011805c3dd3e
Opcode Fuzzy Hash: 7ebbe4887208d3a811f5f7b53f87de9f50cb6efb863a80ebecaab125b7496197
Instruction Fuzzy Hash: 6A01C47490931A8FD784DF65C48861BBBE1FF84754F15C82DE989C7324EB34E9048B45

Uniqueness

Uniqueness Score: -1.00%

Function 1001DAB6 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1001DA5B
mv_buffer_create.A649 ref: 1001DA96
mv_mallocz.A649 ref: 1001DAC3
mv_freep.A649 ref: 1001DAE3
mv_freep.A649 ref: 1001DAF2
mv_freep.A649 ref: 1001DB01
mv_freep.A649 ref: 1001DB0D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_mallocz$mv_buffer_create
String ID:
API String ID: 4029081030-0
Opcode ID: f558445e92d8f344a2b19d652df6b51a7bb5d3f7c9784a62d422961d597e1fb7
Instruction ID: 4deaf3c84f864011dd216728e7cc8d893d65b08eedd0c3209068fda1f16a16bb
Opcode Fuzzy Hash: f558445e92d8f344a2b19d652df6b51a7bb5d3f7c9784a62d422961d597e1fb7
Instruction Fuzzy Hash: 820142795087048FCB00EF24D48565AB7F0EF88288F858D2DEDD8A7302E635F955CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10022FE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

mv_image_get_linesize.A649 ref: 10023044

Part of subcall function 10021480: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

mv_image_fill_linesizes.A649(?), ref: 100230D2

Strings

Picture size %ux%u is invalid, xrefs: 10023155

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_fill_linesizesmv_image_get_linesizemv_pix_fmt_desc_get
String ID: Picture size %ux%u is invalid
API String ID: 547003755-1963597007
Opcode ID: b7815f9c8b9b9599fc1a2767f3cc0223f0d047d52c71f6fd5b7e8a952618f54f
Instruction ID: 6f385a6c0c4f90c275c2b7e4e0ec3bfa9a3580d3697536e0377db7d5402eebcc
Opcode Fuzzy Hash: b7815f9c8b9b9599fc1a2767f3cc0223f0d047d52c71f6fd5b7e8a952618f54f
Instruction Fuzzy Hash: B4410476A097508FC354CF29D88064ABBE2FFC8654F55CA2EF9A8CB350E634D8418F42

Uniqueness

Uniqueness Score: -1.00%

Function 1001F3B7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 1001F4EF

Part of subcall function 1001F080: mv_mallocz.A649 ref: 1001F0A0
Part of subcall function 1001F080: mv_realloc_f.A649 ref: 1001F0DD
Part of subcall function 1001F080: mv_buffer_create.A649 ref: 1001F128

Strings

Could not create the texture (%lx), xrefs: 1001F504
Static surface pool size exceeded., xrefs: 1001F4DB

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_createmv_logmv_malloczmv_realloc_f
String ID: Could not create the texture (%lx)$Static surface pool size exceeded.
API String ID: 22886632-350389734
Opcode ID: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
Instruction ID: d0ee2a216646596517f8e2272bb6c8791eb02a2e11f7fe46a603028adb549b45
Opcode Fuzzy Hash: 12dea1e201e8f5d438329ade5418983e4152c6497013e786b6b6d990fad55280
Instruction Fuzzy Hash: 5C4188B5A087419FC744DF29C58061ABBE1FF88700F51896EF8999B316E774E984CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000D684 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

mv_bprintf.A649 ref: 1000D64E
mv_bprintf.A649 ref: 1000D678
mv_bprintf.A649 ref: 1000D715

Strings

@%s, xrefs: 1000D642

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: @%s
API String ID: 3083893021-2921637043
Opcode ID: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
Instruction ID: bde4f2789606c19ab050fa63e9045ae12eeb8ea4b86e9135c35405d0853ffa6a
Opcode Fuzzy Hash: c4bd400a84f836f8168436f958854a5664bfff359e734bd969f61d6a5558c79a
Instruction Fuzzy Hash: 89215A759097068BE310EF19C48026EF7E1FF88394F12892EE88897315E731ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10009A08 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A35
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009A7B
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C25
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C45

Strings

>, xrefs: 10009A69
', xrefs: 10009A23

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: '$>
API String ID: 3083893021-1996891769
Opcode ID: 1aeedeae98a5987040bddea5af0af90760674b431017039b4982ef1ed2b4652a
Instruction ID: bc6627f18e32ee5202192b1056a4cb19888092f8efc788239e6f4bef1ea5dc2b
Opcode Fuzzy Hash: 1aeedeae98a5987040bddea5af0af90760674b431017039b4982ef1ed2b4652a
Instruction Fuzzy Hash: DCF05430C18B55CAD710EF64805037AB7D1EB463C0F818C0EE6D55B249C734A882C797

Uniqueness

Uniqueness Score: -1.00%

Function 10009784 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097AD
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C05
mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 10009C65

Strings

>, xrefs: 100097E9
&, xrefs: 1000979B

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprintf
String ID: &$>
API String ID: 3083893021-624094588
Opcode ID: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
Instruction ID: 827a1dd9a6b26f0f52677796166c22f358f1b9d0e9bb7a9b4a6d704745ef5d9f
Opcode Fuzzy Hash: f6f8d3d5fc7b62e55630e6ba9b01de786338a4dbd923bb065a803ba8d4e77ea4
Instruction Fuzzy Hash: B6F03071C08B55CADB50EFA485503AAB7E5EB453D0F81480EE5DA9B249CB34FC86C782

Uniqueness

Uniqueness Score: -1.00%

Function 1000F9A9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 1000F99A
mv_log.A649 ref: 1000F9D1

Strings

overriding to %d logical cores, xrefs: 1000F981
detected %d logical cores, xrefs: 1000F9B4

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_log
String ID: detected %d logical cores$overriding to %d logical cores
API String ID: 2418673259-3421371979
Opcode ID: 90275b86c17e776038138dcba82a00c85a429c764d9a65a8049d4f95b16cdb34
Instruction ID: 2ad4cfbc9a9c4dbb4345db51cabf0ecaf158a2bd4eab2b52301dfa895f4142c7
Opcode Fuzzy Hash: 90275b86c17e776038138dcba82a00c85a429c764d9a65a8049d4f95b16cdb34
Instruction Fuzzy Hash: C3F06CB4A08741AFD340DF1AC59071BBBE4EF88740F80882EE59887355D638E9459F86

Uniqueness

Uniqueness Score: -1.00%

Function 1001B0A4 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

mv_image_fill_linesizes.A649 ref: 1001B0C8

Part of subcall function 100215D0: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,1001B0CD), ref: 100215E6

mv_image_fill_plane_sizes.A649 ref: 1001B15D
mv_buffer_alloc.A649 ref: 1001B1CD
mv_image_fill_pointers.A649 ref: 1001B1FC

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_allocmv_image_fill_linesizesmv_image_fill_plane_sizesmv_image_fill_pointersmv_pix_fmt_desc_get
String ID:
API String ID: 2879504290-0
Opcode ID: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
Instruction ID: 7a3e12a9aca585330d458c3661a5f2850fdcc4197d16b6054e58506080106dfe
Opcode Fuzzy Hash: 104ea71f64bcf6d5fcf77d597bbab15b8274068533c11a176288c866d61d2df4
Instruction Fuzzy Hash: 1F51F8B5608B018FCB48DF69D59066ABBE1FF88240F1589BDE949CB319E731E844CB41

Uniqueness

Uniqueness Score: -1.00%

Function 1001ABCC Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

mv_dict_copy.A649 ref: 1001A996
mv_buffer_ref.A649 ref: 1001A9EC
mv_realloc.A649 ref: 1001AA26
mv_mallocz.A649 ref: 1001AA40

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_buffer_refmv_dict_copymv_malloczmv_realloc
String ID:
API String ID: 2487838726-0
Opcode ID: 341fc402060be86a2fcd2e9fc1e8ffea4b64613a0575fdde9eba9ad236ef5339
Instruction ID: 752c63dab16079834bcce617f1b516c7b3c7acad474eb666f68a373bd45cded8
Opcode Fuzzy Hash: 341fc402060be86a2fcd2e9fc1e8ffea4b64613a0575fdde9eba9ad236ef5339
Instruction Fuzzy Hash: 7741F675908382CFC718CF25C18065AB7E1FF89354F46896DE99AAB351E730E985CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100A02F0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 100A0342
MultiByteToWideChar.KERNEL32 ref: 100A0385

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
Instruction ID: 7d595e0308f4db80fc988514bbf5ff759a63fd2ee38edf780f56cffaa40d1ea8
Opcode Fuzzy Hash: ff6f7197c44d7e7dccd4158c33b178a144c6c1fe7609a9ede9ad65282b7dc5a0
Instruction Fuzzy Hash: 3D31F4B1509351CFDB40DF69D48420ABBE0FF8A354F05896DF9D48B290E3B6DA48CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001F080 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

mv_mallocz.A649 ref: 1001F0A0
mv_realloc_f.A649 ref: 1001F0DD

Part of subcall function 10028DE0: _aligned_realloc.MSVCRT ref: 10028E11

mv_buffer_create.A649 ref: 1001F128

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _aligned_reallocmv_buffer_createmv_malloczmv_realloc_f
String ID:
API String ID: 2794559729-0
Opcode ID: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
Instruction ID: c869ac9f6eaa7e77a9466fdee6e8f712de869673a1390132f44f2bab79372784
Opcode Fuzzy Hash: 26fbe21ab545ebdd34baa87320ddca8e1bb2c4f4deb69b9881e6a88837f94b66
Instruction Fuzzy Hash: 8031ACB4A08701DFC300DF29C58051AFBF1FF98250F568A6EE9889B321D771E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1001E8EB Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

mv_hwframe_get_buffer.A649 ref: 1001E901

Part of subcall function 1001E690: mv_buffer_ref.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6B7
Part of subcall function 1001E690: mv_frame_alloc.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E6CA
Part of subcall function 1001E690: mv_hwframe_map.A649(?,?,?,?,?,?,?,?,?,?,?,00000000,1001C33B), ref: 1001E70C
Part of subcall function 1001E690: mv_log.A649 ref: 1001E736
Part of subcall function 1001E690: mv_frame_free.A649 ref: 1001E742

mv_frame_alloc.A649 ref: 1001E924

Part of subcall function 1001AC40: mv_malloc.A649 ref: 1001AC56

mv_frame_free.A649 ref: 1001E96B
mv_freep.A649 ref: 1001E97C
mv_freep.A649 ref: 1001E9BB
mv_freep.A649 ref: 1001E9DA

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep$mv_frame_allocmv_frame_free$mv_buffer_refmv_hwframe_get_buffermv_hwframe_mapmv_logmv_malloc
String ID:
API String ID: 2206481229-0
Opcode ID: 79c8d88cebc22737386eaed7f45d38e3b8102e0589b1ed1e7bc540e175b26d4a
Instruction ID: 29f5c0114d75d8e24f10f0d659d02582b2a633f1d5fed070b3d3b165e5742c48
Opcode Fuzzy Hash: 79c8d88cebc22737386eaed7f45d38e3b8102e0589b1ed1e7bc540e175b26d4a
Instruction Fuzzy Hash: EB21E4756087558FD780DF29C880A4EF7E4FF88354F468969F988EB221EB70ED858B41

Uniqueness

Uniqueness Score: -1.00%

Function 100027B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

mv_fifo_can_read.A649 ref: 100027C7
mv_fifo_can_write.A649 ref: 100027D6
mv_samples_get_buffer_size.A649 ref: 100027FF
mv_fifo_grow2.A649 ref: 10002833

Part of subcall function 10017F70: mv_realloc_array.A649(?,?,?,?,?,?,?,?,?,?,?,?,?,?,10002838), ref: 10017FAE

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_fifo_can_readmv_fifo_can_writemv_fifo_grow2mv_realloc_arraymv_samples_get_buffer_size
String ID:
API String ID: 78108474-0
Opcode ID: 16ee73bcc62b132f1e54a42e7e71ebc810354682a887e12c02217443e12b8a1b
Instruction ID: ce1007827096595f26e8808010e9ccaaa56d4b232a4da4f197e7c45d59299025
Opcode Fuzzy Hash: 16ee73bcc62b132f1e54a42e7e71ebc810354682a887e12c02217443e12b8a1b
Instruction Fuzzy Hash: 7811E378A093559FD700DF69D58094ABBE4FF88394F01892DFD88CB314E774E9458B92

Uniqueness

Uniqueness Score: -1.00%

Function 10009D20 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 10009D2F
ReleaseSRWLockExclusive.KERNEL32 ref: 10009D43
mv_freep.A649 ref: 10009D8C
mv_freep.A649 ref: 10009DB2

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExclusiveLockmv_freep$AcquireRelease
String ID:
API String ID: 3724862848-0
Opcode ID: ac4210530bb79ecd5549b874ce9c7899e433265b2d2bca190b16abdc6e9280a1
Instruction ID: 89e4f59d669a14a487a12db1f0054bb5833f42878af0183c7ab0729c06348047
Opcode Fuzzy Hash: ac4210530bb79ecd5549b874ce9c7899e433265b2d2bca190b16abdc6e9280a1
Instruction Fuzzy Hash: 8E11C6B55087008FD750EF25D4C595ABBF4EF88280B05C96AE8898B31AD330E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001B7E0 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

mv_buffer_alloc.A649(?,?,?,?,?,?,?,?,1001284A), ref: 1001B7F0

Part of subcall function 10009DC0: mv_malloc.A649 ref: 10009DDC
Part of subcall function 10009DC0: mv_mallocz.A649 ref: 10009DF2
Part of subcall function 10009DC0: mv_mallocz.A649 ref: 10009E25

mv_realloc.A649(?,?,?,?,?,?,?,?,1001284A), ref: 1001B820

Part of subcall function 10028DA0: _aligned_realloc.MSVCRT ref: 10028DCB

mv_mallocz.A649(?,?,?,?,?,?,?,?,1001284A), ref: 1001B836
mv_buffer_unref.A649(?,?,?,?,?,?,?,?,1001284A), ref: 1001B87F

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_mallocz$_aligned_reallocmv_buffer_allocmv_buffer_unrefmv_mallocmv_realloc
String ID:
API String ID: 547404713-0
Opcode ID: b90091ae49065f10d06a1fd9b8fc383fcac2e01a729e366898664da81a12ee34
Instruction ID: e7377a26eb348f0c440ff820f9fbcfd740b0c451e73ef676c70969cbd66757a6
Opcode Fuzzy Hash: b90091ae49065f10d06a1fd9b8fc383fcac2e01a729e366898664da81a12ee34
Instruction Fuzzy Hash: 9F1128B49087418FD750DF25D48068AFBE4FF48290F55896EE99A8B311EB30E881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000E9B1 Relevance: 6.0, APIs: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

mv_channel_from_string.A649 ref: 1000E993
strchr.MSVCRT ref: 1000E9C4
mv_strlcpy.A649 ref: 1000E9EF

Part of subcall function 100066E0: strlen.MSVCRT ref: 10006726

mv_channel_from_string.A649 ref: 1000EA01

Part of subcall function 1000C560: strncmp.MSVCRT ref: 1000C582
Part of subcall function 1000C560: strcmp.MSVCRT ref: 1000C5B0

strcmp.MSVCRT ref: 1000EA3D
mv_channel_from_string.A649 ref: 1000EA58
strcmp.MSVCRT ref: 1000EAA6

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_channel_from_stringstrcmp$mv_strlcpystrchrstrlenstrncmp
String ID:
API String ID: 886603963-0
Opcode ID: 0fde597ea2d2a868a062513256da9a0e3adcd654dbaa0f8bd4eedef3508a2cf5
Instruction ID: ab047ed8c5c67f14b30489f267a71008d769542088324d4ae8bf220018853c7c
Opcode Fuzzy Hash: 0fde597ea2d2a868a062513256da9a0e3adcd654dbaa0f8bd4eedef3508a2cf5
Instruction Fuzzy Hash: 7E113AB46087458FDB40DF28C58025ABBE5FF88780F118D2DE5C8EB255E274ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10007050 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

mv_bprint_init.A649 ref: 10007076
mv_bprint_escape.A649 ref: 100070AA

Part of subcall function 10009730: mv_bprintf.A649(?,?,?,?,?,?,?,?,?,?,100070AF), ref: 100097FB

mv_bprint_finalize.A649 ref: 100070C7

Part of subcall function 10009690: mv_realloc.A649(?,?,?,?,?,?,10006D57), ref: 100096C9

mv_bprint_finalize.A649 ref: 100070F1

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_finalize$mv_bprint_escapemv_bprint_initmv_bprintfmv_realloc
String ID:
API String ID: 2707718180-0
Opcode ID: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
Instruction ID: 7786e306f37471b19b8e033861bf3e046f7241f8be26b7eb16500715b45264db
Opcode Fuzzy Hash: 8fcf3987ad7d05698dc9ea44ca5edbe39d28e2b760c260b832d1773102fd6b80
Instruction Fuzzy Hash: 9F116DB4A093408BD360DF28C18065EBBE0BF88254F908E2DBA9C87345E635A944CB06

Uniqueness

Uniqueness Score: -1.00%

Function 1001140B Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

mv_freep.A649 ref: 10011416
mv_freep.A649 ref: 10011422

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
Instruction ID: 289599a6c336a5d98a65091fe60646c07369103d16afa4f254b85444868d10c6
Opcode Fuzzy Hash: b8978aa5356de5e0d0452b52506a000fc5e3e76e5db4869c3fd5d98213d9114f
Instruction Fuzzy Hash: 86E079795087188FC600EB68948191AB7F0EB89284F854C1DE9C4A7302D675E940CA82

Uniqueness

Uniqueness Score: -1.00%

Function 10011F5B Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

mv_freep.A649 ref: 10011F66
mv_freep.A649 ref: 10011F72

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_freep
String ID:
API String ID: 2373662943-0
Opcode ID: f8fc146036cb00885b852fdec3245bf7fdb9a0a962d144318cad36fd717223d3
Instruction ID: d9a4d2dbd9e83a2e7868b3149525c1e38438f06903ad82f1f1aa41129a95f0ff
Opcode Fuzzy Hash: f8fc146036cb00885b852fdec3245bf7fdb9a0a962d144318cad36fd717223d3
Instruction Fuzzy Hash: 44E07EBAA097088FDB00ABB8A48695DB7E0EA94295F854C2EF8C897301D635E444CA42

Uniqueness

Uniqueness Score: -1.00%

Function 10012B04 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5aa71881a64f70d77756a4d906f696ddf0c26aa6188da43a8be3433a807ac1
Instruction ID: 6e8554d19d49bcaf2218d741f46d42886b2146b860ccc89e8a21172d2929ddf4
Opcode Fuzzy Hash: 9a5aa71881a64f70d77756a4d906f696ddf0c26aa6188da43a8be3433a807ac1
Instruction Fuzzy Hash: 98E0AEB85087088FC700EFA494C151AB7E0FF88244F86086CA98867302C678E955CB62

Uniqueness

Uniqueness Score: -1.00%

Function 100997D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 10099851

Strings

NaN, xrefs: 100997D1

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 398facde90d3158e8c562ce5a90c2f8271193d3b0513a851222c672f3db81691
Instruction ID: efb825897de6c10b198cf50540e6450b8c187f7e27a86bc41c00ac793e9681bb
Opcode Fuzzy Hash: 398facde90d3158e8c562ce5a90c2f8271193d3b0513a851222c672f3db81691
Instruction Fuzzy Hash: B6410771A052168BDB14CF1DC484796B7E1EF86754B2AC2A9DC8C8F24AD732EC42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10022390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

Assertion %s failed at %s:%d, xrefs: 100224BA

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_cpu_flags
String ID: Assertion %s failed at %s:%d
API String ID: 185405932-2766368343
Opcode ID: 6c1046a228a6480c7155eb2475d82291d57ca262918e156c95d3f1e11567d0db
Instruction ID: 9000e0a9215e96f19705fc5f92f59cb8436bb03ac98e3bf4af9b514e39ffaf03
Opcode Fuzzy Hash: 6c1046a228a6480c7155eb2475d82291d57ca262918e156c95d3f1e11567d0db
Instruction Fuzzy Hash: 454112B5A08381AFC740DF94D58051EFBF1FF88740F91891DE99997300D7BAEA858B42

Uniqueness

Uniqueness Score: -1.00%

Function 100224F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

mv_log.A649 ref: 100225E1
abort.MSVCRT ref: 100225E6

Strings

Assertion %s failed at %s:%d, xrefs: 100225D0

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: abortmv_log
String ID: Assertion %s failed at %s:%d
API String ID: 2075109169-2766368343
Opcode ID: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
Instruction ID: 11814923a7bf7540ef128da13c98316d9c3b81b6007f7c64051ac5900c87ea26
Opcode Fuzzy Hash: 96ccb67a9ced400229960c739ff5e4974aafcccf3633072cb66a9d878579e67e
Instruction Fuzzy Hash: 5C318D75A08B219BC708CF90E5A452EFBF1EFC1750FD1841CE98957200D77A9984CB82

Uniqueness

Uniqueness Score: -1.00%

Function 100221C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

mv_image_get_linesize.A649 ref: 10022203

Part of subcall function 10021480: mv_pix_fmt_desc_get.A649(?,?,?,?,?,?,?,?,?,?,00000000,?,100B6C20,00000000,10022208), ref: 10021496

Strings

Picture size %ux%u is invalid, xrefs: 1002228D

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_image_get_linesizemv_pix_fmt_desc_get
String ID: Picture size %ux%u is invalid
API String ID: 645864070-1963597007
Opcode ID: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
Instruction ID: c32bc821c07fb99167277532678e70ae68b76ab36c526d85f24e74df5a32105a
Opcode Fuzzy Hash: 0946b3bcac33ba6fca7acdb6ca24e0fe7ad52919dc498f119e2a3142e05806b9
Instruction Fuzzy Hash: C7215E75A083559FC704CF69C48020EFBE1FBC8710F958A2EF9A897350D7B5E9048B46

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

mv_malloc_array.A649 ref: 1001EC62
mv_malloc_array.A649 ref: 1001ECF1

Strings

, xrefs: 1001ECAE

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_malloc_array
String ID:
API String ID: 721214216-3916222277
Opcode ID: 870dbfee76fb6ea410a07dd43b2f43c5e043816628ad292f733b3740436d6b15
Instruction ID: 32942169306f562450531b280b43a1f2aea99f4b2aad1f75c52e4dfc89a656a7
Opcode Fuzzy Hash: 870dbfee76fb6ea410a07dd43b2f43c5e043816628ad292f733b3740436d6b15
Instruction Fuzzy Hash: E6213DB5508341DFD700DF29D940A4EBBE5EF89314F128A2DE8988B3A0D735E946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1000C461 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

mv_bprint_init_for_buffer.A649 ref: 1000C4A8
mv_bprintf.A649 ref: 1000C4D0

Strings

none, xrefs: 1000C4C7

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_bprint_init_for_buffermv_bprintf
String ID: none
API String ID: 2490314137-2140143823
Opcode ID: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
Instruction ID: a25a21bf0bbbab6eb8dd7b885bea08568b6db38ddaeda7311d16c5a577b3c9a6
Opcode Fuzzy Hash: fb99da9c4718ad6228832967d969a5fa7994f6f45e19e41f4cd0f504848537d0
Instruction Fuzzy Hash: 910186B4904B568BD720DF24D880B9BB3E4FFC4384F52492DEA9853245D330BD858B93

Uniqueness

Uniqueness Score: -1.00%

Function 1001E814 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

mv_image_check_size.A649 ref: 1001E85A
mv_calloc.A649 ref: 1001E8B9
mv_frame_alloc.A649 ref: 1001E924
mv_frame_free.A649 ref: 1001E96B
mv_freep.A649 ref: 1001E97C
mv_get_pix_fmt_name.A649 ref: 1001E9EE
mv_log.A649 ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_callocmv_frame_allocmv_frame_freemv_freepmv_get_pix_fmt_namemv_image_check_sizemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 473889652-379977042
Opcode ID: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
Instruction ID: 4d1730ca70439439150dc69e2c3e69577fa63277b803d74fdee23c8a3be9cec6
Opcode Fuzzy Hash: 61d72b4d4c2e0655fcbe5d0e6275bddd9b2c6f8c5749a3447ccd53c07b7555cd
Instruction Fuzzy Hash: 56F01978608B418FC710DF28C58051EBBE0EB49720F518A59EAA99B395DB34EC80DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10012408 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

mv_strlcatf.A649 ref: 10012429

Part of subcall function 100067F0: strlen.MSVCRT ref: 1000680A

mv_dict_set.A649 ref: 1001244D

Strings

.%06dZ, xrefs: 10012419

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_dict_setmv_strlcatfstrlen
String ID: .%06dZ
API String ID: 1014950348-3752268379
Opcode ID: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
Instruction ID: 95eb8ff42823485582616919598dcae06947ee25e4005e9b3a20f874dc0564a5
Opcode Fuzzy Hash: 112283aaecfa77c8f98fb54c5a0ced329aef4e4efddc2c3c9d6336029b181351
Instruction Fuzzy Hash: DAE04EB5908740AFD714DF29E48175ABBE0FB88354F51C82EB49C97306D63898418B46

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

mv_get_pix_fmt_name.A649 ref: 1001E9EE
mv_log.A649 ref: 1001EA15

Strings

The hardware pixel format '%s' is not supported by the device type '%s', xrefs: 1001EA03

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: mv_get_pix_fmt_namemv_log
String ID: The hardware pixel format '%s' is not supported by the device type '%s'
API String ID: 3418758923-379977042
Opcode ID: 9acddc70278920a8564941c31df27ba7a0e7fc59086f033b698efc274c7c1271
Instruction ID: 98625666b53d28444c75af3f67f2f98a31866d598749bf3d445dd6f07a753de0
Opcode Fuzzy Hash: 9acddc70278920a8564941c31df27ba7a0e7fc59086f033b698efc274c7c1271
Instruction Fuzzy Hash: F5E042B8908B549FC710DF28C58021EBBE0FF49310F418D6EB5E89B345DB78E8809B82

Uniqueness

Uniqueness Score: -1.00%

Function 1009E930 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,1009EA51), ref: 1009E957
InitializeCriticalSection.KERNEL32(?,?,?,?,1009EA51), ref: 1009E994
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1009EA51), ref: 1009E9A0
EnterCriticalSection.KERNEL32(?,?,?,?,1009EA51), ref: 1009E9C8

Memory Dump Source

Source File: 00000003.00000002.362097987.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.362092389.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362182581.00000000100AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362187920.00000000100AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362214933.00000000101DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362222259.00000000101DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362228247.00000000101E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.362330093.00000000101FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 6d7cb76a33c7ff52e3c20d3557546a483749ef247c9b03b5c1a43ee48ccd6991
Instruction ID: 2827083f6f63268f309b51e4ebd767515f6521e82171fb4f92c076014813b677
Opcode Fuzzy Hash: 6d7cb76a33c7ff52e3c20d3557546a483749ef247c9b03b5c1a43ee48ccd6991
Instruction Fuzzy Hash: 7811A5B08051928EE740FB28D8CD15A77E6EB00390F450869DC4AC3659E679DD84D793

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A649.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_0fc75884\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_160b5807\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8f19ee7b9cb685ec4f932734c39820e11122c2_82810a17_1c57599d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f0f3252944ac8494bc49a1f9f213cb75e7a9fcf9_82810a17_174f57b9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A40.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2ACD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C74.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C93.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CD2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CF2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F7E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40E6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4145.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D78.tmp.dmp

Windows Analysis Report
A649.dll